Security Alert: Android and iOS Apps Hacked
The Guardian published a report from security company Arxan stating that the majority of financial apps on Android and almost a quarter on iOS have been hacked.
The report says the very foundation of smartphone app development makes it easy to fool users. Any developer can create a Bank of America app based on publicly available information about the bank and put it on Google Play. Once users start downloading the app, the developer will have access to their financial information, and unwise users will willingly submit it to a barely legitimate application with the Bank of America logo.
Arxan reports that huge numbers of apps on Google Play and iTunes are an easy target for hacking, especially Android financial apps.
Most instances involved hacked versions of legitimate apps being uploaded to Google Play and third-party app stores with the aim of aggregating user data, spreading malware on devices, or directly harming the app’s developer by removing the adware elements most developers profit from.
The greatest concern is financial apps, because users enter their financial information (account numbers, passwords, credit card numbers) with confidence in the apps’ security. Arxan discovered that a breathtaking 53% of financial apps for Android and 23% of iOS financial apps have been hacked and re-uploaded.
It is easy for Android users to download an app from third-party providers by configuring their device’s settings. For iOS users to download apps from sites other than iTunes, they must jailbreak their device, a hacking attack that gives the device capabilities equivalent to those of Android rooting. Users gladly jailbreak and root their smartphones and enjoy the liberty of unrevoked devices. In many cases, though, they forget that they compromise their security when they root their device.
Sadly, but unsurprisingly, Google Play contains malware programs and hacked apps, too. BlackBerry had to halt the release of its BBM app for Android devices in September 2013 because the official version had been hacked and re-posted on Google Play, where it was installed more than one million times.
Kevin Morgan, chief technology officer at Arxan, says, “Google Play isn’t a vetted app store – it tends to have a lot of cruft, whereas, in the Apple Store, you’re almost certain to see just legitimate apps. Hacked code isn’t a significant problem in Apple’s App Store.” Because Apple vets all applications that developers submit to the Apple Store, the number of illegitimate apps on iTunes is significantly lower than on Google Play.
Google Play, on the other hand, only removes an app from the inventory if users file multiple complaints about a hacked app, or an app containing malware. Both Android and iOS platforms have a ‘kill switch’ users can use to delete malware from their devices retrospectively.
Google Is No Match for Apple in OS Security
Arxan has already released two yearly reports on the state of security in the app economy, both of which state “Android is the most insecure operating system” currently available on the market.
Executives attending the Gartner symposium laughed out loud at Eric Schmidt’s claim that Android is more secure than iOS. Morgan says he does not intend to pick a fight with Eric Schmidt: “from the basis of the app marketplace; the fact remains that there’s a lot more modified code there than on Apple’s store. There are fraudulent, malware-infested apps on original code or built from scratch in Google Play.”
The report also notes that hackers can easily penetrate a “fragmented open Android ecosystem to insert malware on Google Play.” In addition, according to Google’s platform data, more than 50% of Android devices run on Gingerbread and Android 4.0x, released in 2010 and 2011 respectively.
Older Android OS Vulnerable to Known Threats
Since the majority of devices accessing Google Play run older versions of Android, they remain vulnerable even to known threats because they have no access to Android updates. “This lack of standardization leads to greater insecurity on this platform.” Google is releasing new security patches to the most recent and high-end devices, leaving the prevailing majority of users lagging behind.
“Hackers will always follow the flow of money and will focus on the platform with the most users. A recent mobile malware study by Juniper substantiates this by reporting that 92% of malware was created for Android, and malware on iOS was not noticeable.”
Third-party app stores spread hacked apps in large quantities. All of the top 100 paid Android apps and 56 of the top 100 paid iOS apps have been hacked and are distributed via these sources.
Free applications are no exception, with a staggering 73% of free Android apps hacked and reposted on Google Play and third-party app stores.