Application security practitioners are embracing a new truth: mobile apps require protections beyond traditional secure coding techniques. A new approach incorporating binary protection countermeasures is required to effectively prevent hackers from pirating applications or compromising their confidentiality and integrity. Unprotected binary code results in a mobile app that can be analyzed, reverse-engineered, and modified by an adversary in a matter of minutes. As a recent article put it, “Number of mobile malware samples is growing at a rapid clip, increasing by 20-fold in 2013 … It is trivial for an attacker to hijack a legitimate Android application, inject malware into it and redistribute it for consumption. There are now binder kits available that will allow an attacker to automatically inject malware into an existing application”.
To give you a sense of the pervasive nature of mobile risk, Arxan’s research determined that among the top 100 paid applications, 100% of apps on the Google Android platform had been hacked, and 56% of apps on Apple iOS had been hacked. Among popular free applications, 73% on Android and 53% on Apple iOS had been hacked. Among financial apps, 53% of the Android financial apps they reviewed had been “cracked”, while 23% of the iOS financial apps were hacked variants. Some of the hacked versions have been downloaded over half a million times. On Android, cybercriminals usually insert Trojan code into popular apps and then distribute the repackaged malicious apps through third-party app stores. On iOS, cybercriminals get users to buy Trojanised apps by using app rank boosting services (creating several dummy accounts to download the app and write favourable user reviews for it).
OWASP (The Open Web Application Security Project) has identified “Lack of Binary Protection” as a “Mobile Top 10 Risk for 2014” that must be addressed in order to safeguard applications — and leading industry analysts are recommending the protection of binary code, as well. In Gartner’s recent report, it was recommended “For critical applications, such as transactional ones and sensitive enterprise applications, hardening should be used”.
Arxan offers a unique approach (no source code changes, no additional agent or SaaS) to protecting binary code that works on any platform and has been deployed on over 250 million devices. IBM and Arxan are joining forces to enable enterprises to build secure apps and keep them secure across the mobile app lifecycle. Customers can protect their brand, revenue, IP, and data from hackers and malicious exploits, by seamlessly adding app hardening and tamper proofing defenses in their mobile apps.
Arxan looks forward to meeting you at its booth in the Solution EXPO during Impact 2014 to tell you more about how to keep your mobile apps secure. You can also receive Arxan’s latest white paper, Threats to Mobile Apps in the Wild, which outlines the business and technical risks of unprotected apps and how to address them, if you stop by.