BreachExchange mailing list archives

Four in five top Android and iOS apps 'have been hacked'


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Fri, 13 Dec 2013 00:22:29 -0700

http://www.telegraph.co.uk/technology/internet-security/10512856/Four-in-five-top-Android-and-iOS-apps-have-been-hacked.html

78 per cent of the top 100 paid Android and iOS apps have been hacked, with
100 per cent of the top paid Android apps and 56 per cent of the top 100
paid iOS apps found to be compromised.

While this number sounds extremely high, it represents a 36 per cent
decrease from last year, according to software security firm Arxan
Technologies' second annual State of Security in the App Economy report.

Hackers also continue to target free apps, with 73 per cent of free Android
apps and 53 per cent of free iOS apps found to be hacked in 2013. In 2012,
Arxan found 80 per cent of Android apps and 40 per cent of iOS apps had
been compromised.

The widespread use of 'cracked' apps represents a real danger for both
individuals and companies, given the explosion of smartphone and tablet use
in the workplace and home, according to Arxan.

Cracked mobile apps create the potential for massive revenue loss,
unauthorised access to critical data, intellectual property theft, fraud,
altered user experience and brand damage.

“Not only is IP theft costing software stakeholders millions of dollars
every year, but unprotected apps are vulnerable to tampering: either
through installed malware or through decompiling and reverse engineering –
enabling hackers to analyse code and target core security or business logic
that is protecting or enabling access to sensitive corporate data,” said
Kevin Morgan, chief technology officer at Arxan.

Mobile financial apps were found to be particularly at risk, because users
trust them with essential data such as bank account numbers and passwords.
Arxan discovered that 53 per cent of the Android financial apps it reviewed
had been cracked, while 23 per cent of the iOS financial apps were hacked
variants.

“Pirated versions of popular software are available on numerous unofficial
app stores like Cydia, app distribution sites, hacker/cracker sites and
file download and torrent sites,” said Morgan.

“During our research we discovered that some of the hacked versions have
been downloaded over half a million times, which gives a sense of the
magnitude of the problem, especially as we embark upon a season of high
consumer activity that will involve payment transactions, and consumption
of products and services via the mobile.”

Earlier this year, BlackBerry was forced to suspend the rollout of its
BlackBerry Messenger (BBM) to iPhone and Android platforms for almost a
month, after an unreleased version of the BBM for Android app was posted
online. This resulted in "volumes of data traffic orders of magnitude
higher than normal for each active user", according to BlackBerry.

The company attempted to address the problems while the rollout was still
underway, but eventually decided to pause the rollout for both Android and
iPhone, in order to completely block the unreleased version and ensure that
the system was reinforced to handle this kind of scenario in the future.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 