Bumper iOS Security Edition


Arxan Technologies recently released their third annual “State of Mobile App Security report” which states that “97% of the top 100 paid Android apps and 87% of the top 100 paid Apple apps have been hacked.” Mark James comments upon the apparent epidemic and specifically about the iOS security fallacy.


You can find the full report here.

Mark answered a Q&A before about Mac Malware Myths if you’re interested in the desktop platform.


When / where do these “hacks” occur?


“Because of the very assumption that Apple is safe, and because mobile apps are often overlooked as a security risk by their nature, we often fail to look at securing the app, or indeed the ongoing security of the app,” Mark explains.

“When downloaded from their respective sources, Google Play and the Apple Store, the apps themselves are fairly safe: both stores implement fairly rigorous testing.

“It’s mainly when apps are downloaded from third-party locations that we see these ‘hacked’ apps make an appearance.”


How can we protect ourselves from “hacked apps”?


“Investing in the right protection to keep an eye on apps already installed is as important as stopping them coming in from the start: often the good installed app is ‘updated’ from a compromised source, which then installs the hacked version.”

Checking apps frequently after they have been installed should always be done: installing and forgetting is OK for some software, but these days, when data security is involved, periodic checks must be done on a regular basis.

“Continuing development to ensure any exploits are monitored and patched quickly is as, if not more, important in mobile software.

“When it comes to any type of wallet/payment apps they should be secured by the highest forms of protection available to ensure the customer’s data is stored as safely as possible.”


How do attacks occur in the first place?


“The (non-jailbroken) iOS hacks we see at present rely on a process called enterprise provisioning: these are apps delivered via a profile sent to the phone that is signed and authorised by Apple.

“Once the profile is installed, it is then able to download and install the application file. When the app loads, it checks with Apple to make sure the certificate used to sign it is valid.

“As these apps are not directly downloaded from the app store they are open to a larger attack vector for infection.”
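An added example, not from the original post nor from Arxan or ESET: a small Python check a defender can run over the `embedded.mobileprovision` found inside an IPA to tell App Store, ad-hoc and enterprise (in-house) distribution apart, since enterprise profiles are the delivery route the passage above describes. The profile keys (`ProvisionsAllDevices`, `ProvisionedDevices`, `ExpirationDate`, `TeamName`, `Entitlements`) are assumed from Apple's provisioning profile format, and the sample profile body is constructed.

```python
import plistlib
import re
from datetime import datetime, timezone

# Constructed sample body of an in-house (enterprise) profile; all values are hypothetical.
# A real .mobileprovision is a CMS/PKCS#7 signature that wraps exactly this kind of XML plist.
SAMPLE_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>Name</key><string>Example In-House Profile (constructed)</string>
  <key>TeamName</key><string>Example Corp (constructed)</string>
  <key>ProvisionsAllDevices</key><true/>
  <key>ExpirationDate</key><date>2030-01-01T00:00:00Z</date>
  <key>Entitlements</key>
  <dict>
    <key>application-identifier</key><string>TEAMID0000.com.example.app</string>
  </dict>
</dict>
</plist>
"""


def extract_plist(profile: bytes) -> dict:
    """Locate the XML plist inside (optionally CMS-wrapped) profile bytes and parse it.
    The signature is NOT verified here; that is the check the device performs against Apple."""
    match = re.search(rb"<\?xml.*?</plist>", profile, re.DOTALL)
    if match is None:
        raise ValueError("no XML plist found in profile data")
    return plistlib.loads(match.group(0))


def classify_profile(profile: bytes) -> dict:
    """Classify a provisioning profile by distribution type and expiry.
    ProvisionsAllDevices=true marks in-house (enterprise) distribution: the app installs on
    any device that trusts the profile, without ever passing through App Store review."""
    plist = extract_plist(profile)
    if plist.get("ProvisionsAllDevices"):
        kind = "enterprise"
    elif plist.get("ProvisionedDevices"):
        kind = "ad-hoc-or-development"  # limited to an explicit list of device UDIDs
    else:
        kind = "app-store"
    expires = plist.get("ExpirationDate")  # plistlib returns a naive datetime in UTC
    expired = expires is not None and expires.replace(tzinfo=timezone.utc) < datetime.now(timezone.utc)
    return {"kind": kind, "team": plist.get("TeamName"), "expired": expired,
            "app_id": plist.get("Entitlements", {}).get("application-identifier"),
            "review": kind == "enterprise" or expired}  # what an app inventory review should flag
```

Run it over the `embedded.mobileprovision` extracted from an IPA (an IPA is a zip archive) to inventory which installed apps bypass the App Store.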