Huge numbers of apps in both Apple's and Google's app stores have been targeted for hacking, with financial apps on Android particularly vulnerable, according to new research.
In a significant number of cases, apps have been hacked and uploaded to third-party stores or Google Play, either to capture credentials from users, to operate maliciously, or to defraud the app's creator by removing its adware elements.
"Hacked apps are showing up in a lot of different storefronts, such as Cydia, in a decrypted state, so by definition the software has been hacked," said Kevin Morgan, chief technology officer of Arxan, an app security company. "There are multiple examples where there has been some tampering with the original code."
Financial apps are a particular concern because users trust them with essential data such as bank account numbers and passwords. Arxan says it found that 23% of its sample of iOS financial apps had been hacked and reposted - and 53% of Android financial apps.
Android users can download apps from third-party stores via a setting on their device, whereas iOS users have to "jailbreak" their device - that is, use a hacking attack to give themselves the equivalent of "root" privileges for installing software. At present there are no jailbreaks for iOS 7, released in September.
But even Google's official Play store can be a source of malware and hacked apps. In September BlackBerry had to halt the rollout of its BBM app for Android because a hacked version placed in the Play store before the official one had been downloaded more than a million times.
Similarly, Morgan warned, it is easy for someone to put a fake "Bank of America" app onto Google Play that uses only freely available information about the bank to fool users.
"Google Play isn't a vetted app store - it tends to have a lot of cruft," said Morgan. "Whereas in the Apple Store you're almost certain to see just legitimate apps. Hacked code isn't a significant problem in Apple's App Store." Apple vets all apps before allowing them onto its App Store, whereas Google removes apps only after they appear, if there are complaints about them or if they are detected as containing malware. Both platforms have a "kill switch" which can retrospectively delete malicious installed apps from phones.
Arxan, based in Bethesda, Maryland, offers a security system for apps which makes it harder to tamper with them, and can enable them to try to detect tampering - and prevent execution if it is found.