
Nearly All Your Mobile Apps Have Been Hacked


If you own a smartphone, mobile applications are undoubtedly an integral part of your everyday life. Whether for productivity tools, financial transactions, social networking, or entertainment, you probably open at least two or three of these apps in a day.

According to Forbes, the number of app downloads is expected to rise to almost 270 billion by 2017. Mobile device users have also shifted their attention to apps: 86% of time spent on mobile devices is now spent in apps, compared with 14% on the web.

While the global mobile app economy is worth hundreds of billions in revenue, it also leaves a large attack surface open to exploitation. Research by security firm Arxan Technologies in 2014 revealed that 97% of the top 100 paid Android apps and 87% of the top 100 paid Apple iOS apps had been hacked at least once.


Where the mobile threats are

Both Kaspersky Lab and McAfee have reported the rise of mobile threats. Mobile malware has increased for five straight quarters, with total mobile malware growth of 167% recorded in 2014. Security researchers say mobile apps are at greater risk of failing to secure users’ data than apps running on desktop or laptop computers, partly because implementing stronger security is harder in mobile apps, and partly because developers are often in a rush to release them. Flaws in the way thousands of popular mobile apps store data online lie in how those who write and sell the apps authenticate users before storing their data in online databases. This has left users’ passwords, addresses, door codes and location data exposed to attackers. Other weaknesses lie in the way apps transmit data: FireEye, an internet security company, found that developers regularly send users’ names and passwords unencrypted, so it is no surprise that the same sensitive information is also stored insecurely.


“I Accept” the T&C, now get on with it…

Most of us, upon downloading an app, will not bother to read the Terms and Conditions of using it. We click “I Accept” as though it were second nature and get on with it. And even those who do read through the Terms and Conditions may not have the knowledge to fully understand them, or care enough to cancel their download.


That is where hidden gems like these, from the Terms of Service agreement of Tumblr, the popular blogging platform, were born:

[Screenshots of excerpts from Tumblr’s Terms of Service]

Rightly, app users ought to be more careful when granting app permission requests and when giving external services access to personal information such as photos, contacts and location. Some apps may even be constantly monitoring your location or data while you are not actively using them.

When Spotify released its new privacy policy, which sought permission to access users’ sensors, photos, contacts, GPS location and other personal information, many users were left disgruntled: they believed Spotify does not really need the level of personal information it claims is necessary, and that it is in fact selling user data on to other companies.

Before deciding to download an app, especially an app which is seeking all kinds of permissions to your personal information, ask yourself these questions:

– Does the app look safe?

– Is the app from a reputable developer?

– Does the developer explain why they need these permissions?

– Does the app have plenty of good reviews?

If you answer “No” to most of these questions, your best option is to abort the download, and do not hesitate to delete the app if it is already installed.


The case of the Flappy Bird clone apps

During the Flappy Bird gold rush, after the number-one app was pulled from the app stores, developers scrambled to meet soaring demand with ‘Flappy Bird clones’. At the time, an average of sixty Flappy Bird clones were uploaded to the Apple iOS App Store in a single day, with names such as Flappy Wings, Flappy Crocodile, Fly Bird, Flappy Penguin and Tiny Flying Drizzy.

When McAfee Labs sampled 300 of these Flappy Bird clones, it discovered that 79% of them contained malware. These malicious clones may look like a normal game to the average user, but once installed they can damage and invade a user’s mobile device in a number of ways. The malware could be used to make calls, install additional apps, send and receive SMS messages, extract contact data, track geolocation, and establish root access, which would give it uninhibited control of the device.


Mobile apps in 2016


According to a widely quoted report by Arxan, a security protection firm, mobile apps for health and finance could be prime targets for attack in the next six months because of their growing use. Arxan found that of the 126 most popular mobile health and finance apps, 90 percent had critical security vulnerabilities: the majority failed security tests and could easily be hacked.


While the majority of the 1,083 consumer app users and IT executives surveyed said they truly believed their apps to be secure, nearly all the apps assessed (including popular banking and payment apps and FDA-approved health apps) proved vulnerable to at least two of the Open Web Application Security Project (OWASP) Mobile Top 10 Risks. Specifically, lack of binary protection (96%) and insufficient transport layer protection (79%) were the most common risks among the apps assessed. Both of those weaknesses can lead to reverse engineering, data theft, privacy violations, and tampering with application code.


A worrying thought is that many companies either lack the resources or do not allocate them to manage those risks. According to Arxan, 50% of the organizations surveyed have zero budget allocated for mobile app security. This means vulnerable apps could continue to jeopardize users’ privacy and information well into the future.

For further reading on the solutions Arxan offers to protect software running on mobile devices, desktops, servers, and embedded platforms, head to their page to learn more about protecting your devices.


