Most of the top 100 paid Android and iOS apps have been hacked

97% of the top 100 paid Android apps and 87% of the top 100 paid Apple iOS apps have been hacked, according to Arxan Technologies.

In addition to an increase in app hacks found for commonly downloaded popular free apps, their research also reveals evidence of widespread hacking of financial services, healthcare/medical, and retail/merchant apps; largely driven by hacks of Android apps.

Free app downloads are forecasted to increase at a rate of 99% to reach 253 billion downloads in 2017 and paid app downloads are projected to reach almost 15 billion, a 33% increase by 2017.

This explosion in app usage is seen across all verticals and lead by apps running on the Android mobile operating system, which continues to dominate with 85% market share.

Key findings include:

  • 97% of top 100 paid Android apps and 87% of top 100 paid iOS apps have been hacked – This finding of a high percentage for Android hacked apps is in line with results from prior years. However, the iOS percentage represents a sharp increase over 2013, when 56% of iOS apps were found to be hacked.
  • 80% of popular free Android apps have been hacked and 75% of the popular free iOS apps have been hacked. The percentage of popular iOS apps hacked has steadily increased over the last 3 years.
  • Mobile financial apps are still at risk – 95% of the Android financial apps reviewed were “cracked” while 70% of the iOS financial apps were hacked. This is an increase in both cases, with Android’s growing about 80%.
  • 90% of retail/merchant Android apps and 35% of retail/merchant iOS apps have been compromised. Hackers are targeting growth in B2C retail apps, as stores launch mobile payment/wallet services, and in B2B merchant point-of-sale apps. In both cases sensitive data, IP, and financial transactions are at risk.
  • 90% of Android healthcare/medical apps have been hacked, 22% of which are FDA approved.

Arxan recommends that:

  • Applications with high-risk profiles running on any mobile platform should be made tamper-resistant and capable of defending themselves and detecting threats at runtime.
  • All applications should be developed to maintain the confidentiality of the application/code.
  • The software that is used to enable mobile wallets/payment apps (e.g., Host Card emulation software) should be protected with secure crypto and app hardening.
  • Organizations should consider mobile app assessments to assess if existing apps are exposed to risks that are unique to mobile environments. Also, as part of the mobile app development lifecycle, organizations should conduct penetration tests that, among other things, should assess vulnerability to reverse engineering and tampering that can result from unprotected binary code.