The app market is booming, with revenues expected to top $140 billion this year, but lack of investment in security could be putting these revenues at risk.
A new study by Bluebox Security has examined three popular mobile apps -- Hulu, Tinder and the Kylie Jenner Official App -- all examples of apps that lack self-defense capabilities to protect against tampering, resigning and redistribution. It shows that attackers can easily defraud enterprises of app revenue by disabling advertising, accessing premium features for free, and bypassing subscription payments.
The implications of poor app security go beyond this, however: it could allow altered apps to be distributed via unsanctioned third-party app stores that lack the security review process of the Apple App Store and Google Play.
"Bluebox discovered it was possible to access the commercial-free content from the on-demand video platform Hulu via the mobile app without paying the additional fee," says lead security analyst Andrew Blaich writing on the Bluebox blog. "Once the app is altered, it could be distributed via third-party app stores, which would lead to greater loss as more users become willing to download apps from third-party sources. The vulnerability also exemplifies how ads, the lifeblood of many mobile apps, can be eliminated with ease, resulting in significant daily revenue loss".
Similarly, Bluebox discovered that some of the 'Plus' features of the popular dating app Tinder are managed and controlled in unprotected mobile app code, leaving them exposed to hackers. Altering the code could allow users access to around half the features without paying.
The Kylie Jenner app, for fans of the reality TV sleb, could be tricked into thinking users had successfully paid for premium content when they hadn't. The flaw isn't unique to this app and demonstrates how security that fails to protect server-app communication can lead to loss of revenue.
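The Tinder and Kylie Jenner findings share one root cause: the entitlement decision lives in the app, or the server believes what the app tells it. The following is an added illustration, not code from Bluebox or from any of the apps named, and the HMAC-signed receipt, key and request shapes are constructed assumptions standing in for a real store receipt-validation flow. It contrasts a server that trusts a client-supplied "paid" flag with one that only honours a receipt signed by the payment backend.

```python
import hashlib
import hmac
import json

# Constructed example: a secret shared between the payment backend and the
# content server. It is never shipped inside the app, so a modified app
# cannot mint receipts. A real deployment would use the store's receipt
# validation service or public-key signatures instead of a shared HMAC key.
RECEIPT_KEY = b"server-side-secret-never-shipped-in-the-app"


def issue_receipt(user_id: str, product: str) -> dict:
    """Simulates the payment backend signing a purchase once it has cleared."""
    body = json.dumps({"user": user_id, "product": product}, sort_keys=True)
    sig = hmac.new(RECEIPT_KEY, body.encode(), hashlib.sha256).hexdigest()
    return {"body": body, "sig": sig}


def unlock_premium_insecure(client_request: dict) -> bool:
    """The weak pattern the article describes: the app asserts that the user
    has paid and the server takes that assertion at face value. Any tampered
    or resigned build can simply set the flag."""
    return bool(client_request.get("premium_paid"))


def unlock_premium_secure(client_request: dict, user_id: str, product: str) -> bool:
    """Server-side enforcement: grant access only when a receipt signed by
    the payment backend names this authenticated user and this product.
    Client-supplied flags are ignored entirely."""
    receipt = client_request.get("receipt")
    if not isinstance(receipt, dict) or "body" not in receipt:
        return False
    expected = hmac.new(RECEIPT_KEY, receipt["body"].encode(), hashlib.sha256).hexdigest()
    # Constant-time comparison so signature checks do not leak timing.
    if not hmac.compare_digest(expected, str(receipt.get("sig", ""))):
        return False
    claims = json.loads(receipt["body"])
    # Bind the receipt to the session's user and the requested product so a
    # receipt cannot be replayed for another account or a different feature.
    return claims.get("user") == user_id and claims.get("product") == product
```

A tampered client can satisfy the first function with a single flag, but cannot satisfy the second without a receipt the payment backend actually issued for that user and product.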
Blaich concludes, "These findings demonstrate that enterprises cannot rely on the device manufacturers, the app stores, or even app developers to ensure mobile apps are secure. In order to protect corporate revenue and brand, enterprises must create mobile apps that can defend themselves".