Bluebox Security Discovers Enterprises Are Losing Revenue Without Self-Defending Mobile Apps

Negligent Security in Mobile Apps Makes It Easy to Bypass Safeguards for Paid Features


SAN FRANCISCO, CA--(Marketwired - Feb 9, 2016) - Bluebox Security®, the mobile app security and analytics company first to pioneer self-defending apps for consumers, BYOD employees and the extended enterprise, today released a study revealing that underinvestment in mobile app security puts enterprise revenue at risk. The study examined three popular mobile apps -- Hulu, Tinder and the Kylie Jenner Official App -- all examples of apps lacking self-defense capabilities that protect against tampering, resigning and redistribution. The results demonstrated that attackers can easily defraud enterprises of app revenue by disabling advertising, accessing premium features for free, and bypassing subscription payments.

The app economy is booming, with its total app revenue expected to hit upwards of $140 billion this year.1 Developers for iOS apps alone are already generating more revenue than the film industry.2 "The growth shows no sign of slowing, especially as features behind paywalls become the norm in the app economy and continue generating revenue," said Andrew Blaich, lead security analyst at Bluebox Security. "Unfortunately, our research indicates enterprises are creating apps with poor security and development practices, ultimately compromising their revenue."

The implications of insufficient app security extend beyond a single user disabling advertising, accessing premium features or bypassing subscription payments at no cost. Altered apps can be distributed via unsanctioned third-party app stores that lack the security review of the Apple App and Google Play stores. According to Bluebox research, 42 percent of consumers already download apps from somewhere other than Apple or Google app stores. This means that altered apps distributed across hundreds or thousands of people via these illicit app stores can exponentially worsen the effect of the compromised apps on organizations' revenue.

Advertisement Removal
On-demand video platform Hulu recently announced a commercial-free option for an additional $4.00 per month atop its regular $7.99 subscription fee, with revenue estimates of up to $1.5 billion.3 Bluebox researched whether it was possible to access the commercial-free content via the mobile app without paying the additional fee -- it was. Bluebox determined how the app managed video playback ads and altered the function so these ads could be removed cost-free, completely shutting down Hulu's revenue stream for the commercial-free option.

Although the effect is confined to each instance of the altered app, the loss can grow as more users become willing to download altered versions of the app from third-party sources. The vulnerability also exemplifies how ads, the lifeblood of many mobile apps, can be eliminated with ease, resulting in significant daily revenue loss.

Premium Feature Access
The popular dating app Tinder offers its core services for free and generates additional revenue with premium features like unlimited swipes through Tinder Plus. When the "Plus" subscription became available, Tinder quickly jumped hundreds of spots to rank near the top of the overall app revenue rankings.4 Bluebox determined that some of the "Plus" features are managed and controlled in the mobile app code without protection, leaving them exposed to hackers. Altering the app code granted at least half of the premium features to the user, but did not grant the account full "Plus" status.

This modification results in a loss of revenue as users gain access to some of the premium features at no cost. Like Hulu, the modification only applies to the app, not the user's account, but can have wider-reaching effects if the altered version becomes available in unsanctioned app stores. Enterprises that offer premium features for their apps are at risk of falling victim to the same loss if they don't take precautions to secure their premium code features.

Subscription Payment Bypass
Upon review of the Android version of the Kylie Jenner app, which saw amazing download numbers in its first week, topping the Kardashian and Jenner sisters' competing apps,5 Bluebox found that rewriting pieces of the app's subscription handling code could trick the app into thinking users have successfully paid for premium content when they have not. Once the users gain initial access to the premium content, they receive a valid authentication token that allows the account to log in and access premium account features from any device or platform (iOS or Android), even on unmodified versions of the app.

This flaw is not unique to the Kylie Jenner App and demonstrates how security that fails to protect server-app communication can lead to lost revenue from users who are perceived as legitimate. Without self-defense app security, any app built on a subscription-based model could be easily altered for the benefit of an attacker. If subscriptions are the main source of revenue for an enterprise app, such an attack could leave an enterprise in the red.

Advice for Enterprises
Enterprises should not rely on the device manufacturers, the app stores, or even app developers to ensure mobile apps are secure. In order to protect corporate revenue and brand, enterprises must create mobile apps that can defend themselves. Bluebox routinely examines the state of security for popular mobile apps,6 and the results consistently show that mobile app security is almost non-existent. Mobile apps that contain even basic security measures, such as anti-tampering controls and encryption of app data, are few and far between.

To assist enterprises with accelerating mobile app security, Bluebox transforms any app into a self-defending app with just one click. Bluebox provides consistent, enterprise-grade protection for any app, regardless of developer or operating system. Enabled with self-defensive measures, Bluebox-secured apps can intelligently detect and respond in real-time to a range of mobile app threats, such as attempts to bypass paywalled features, thereby protecting the app revenue stream. Bluebox also provides mobile threat intelligence for visibility into threat incidents and attack patterns, allowing enterprises to know exactly when and how their revenue is being attacked -- all while being completely invisible to the end user to preserve the native experience.

For further information, read the Bluebox blog on the results or view the white paper here.

About Bluebox Security
Founded in 2012 by a team of security experts, Bluebox Security provides the leading mobile app security and analytics solution. Pairing deep mobile security expertise with comprehensive analytics, Bluebox ensures consistent enterprise-grade app security moves at the speed of mobile. The cloud-based solution helps enterprises securely enable mobile by protecting apps, detecting threats, and responding quickly to keep data secure while providing actionable threat intelligence for mobile assets. With Bluebox Security, companies obtain security and visibility into the new enterprise endpoint -- the mobile app.

1 http://rewrite.ca.com/us/articles/application-economy/by-the-numbers-sizing-up-the-app-economy-in-2015.html
2 http://www.theatlantic.com/technology/archive/2015/01/the-app-economy-is-now-bigger-than-hollywood/384842/
3 http://www.marketwatch.com/story/can-hulu-compete-with-netflix-by-the-numbers-2016-01-15
4 http://techcrunch.com/2015/05/01/tinder-sees-huge-jump-in-app-revenue-rankings-courtesy-of-tinder-plus/#.7r8jpe:9IXR
5 http://techcrunch.com/2015/09/28/even-for-the-kardashians-app-store-fame-can-be-fleeting/
6 https://bluebox.com/articles/bluebox-security-reveals-inadequate-security-in-todays-most-popular-travel-apps/
https://bluebox.com/articles/bluebox-security-reveals-todays-most-popular-mobile-payment-apps-leave-consumer-dollars-and-enterprise-revenue-exposed/

Contact Information:

Media Contact
Nicole Plati
Highwire PR for Bluebox
415-963-4174 ext. 39
bluebox@highwirepr.com