Even casual observers of the Android ecosystem know that piracy is a big issue for developers. But if a report from mobile security company Arxan is to be believed, app piracy and "hacking" are incredibly prevalent, or at least prevalent enough that most of the popular apps are available in a pirated or cracked form. According to the company's "State of Security in the App Economy" report for 2013 (PDF link), the top 100 paid Android apps have been "hacked."


We used "cracked" in the headline because Arxan doesn't mention the purpose behind these hacks, so we're assuming that in most cases they're free, pirated versions of paid apps. Arxan also doesn't define its methodology for deciding the "top 100 paid apps," but a relatively recent look at the Play Store's Top Paid Apps section would be a good bet. According to the report, the researchers identified and reviewed "hacked" apps from locations other than the Play Store, which probably include some pirated versions of those apps that were simply uploaded in a non-modified form for illegal side-loading - not "hacked" in the traditional sense, but illegitimate and damaging to their creators all the same. In contrast, the report says that 56% of the top 100 paid apps on iOS have been hacked. That makes sense given the relative ease of installing non-vetted apps on Android and the difficulty of doing so on iOS.

Arxan also reports that 73% of popular free apps (no number given) have been "hacked," though again, the determination for both the popularity metric and the method of the "hack" was not divulged. From a purely economic standpoint, this probably includes apps that have been modified to run without ads or to open up premium content - illegally modified versions of popular streaming music apps are widely available, opening up paid options to non-paying users who side-load the APK. It should be noted that any time users go outside the Play Store to download apps, especially APK files of popular apps, they run the risk of downloading a malicious app that seeks to obtain personal information or otherwise harm the user. Google has been making strides to combat this even among non-Play Store downloads, estimating that only 0.13% of apps from outside sources are installed after triggering a warning from Google's Verify Apps feature.

Arxan's conclusions should be taken with a grain of salt, since security companies have been known to overstate risk to make their own services seem more vital. The methodology and presentation of the data are somewhat alarmist, and fail to make a distinction between apps that are simply pirated or modified to work around ads or paid features, and those that are modified with intent to harm the user or collect data. That said, the conclusions from the report itself seem sensible enough for any developer: apps with access to sensitive user data should be protected against attack and reverse engineering, runtime analysis, and tampering. You can check out the full 12-page report covering Android and iOS below, along with the full infographic.

Source: Arxan.com (PDF), Arxan infographic (PDF) via InfoSecurity Magazine