November 10, 2015 11:00 ET

SEWORKS Data Finds Vast Majority of Top Google Play Android Apps Vulnerable to Malicious Hacking -- Launches @AppCaution Program to Help Developers Stay up to Date on All Mobile App Security Issues

85% of Google Play's Top 200 Free Android Apps Left Unprotected Against Decompiling and Reverse Engineering, Study by Qualcomm-Backed Security Firm Reveals

SAN FRANCISCO, CA--(Marketwired - Nov 10, 2015) - SEWORKS, developer of advanced security solutions for mobile applications, today released the results of its recent analysis of Google Play's top apps, revealing that 85% of the 200 most popular free apps and 83% of the top 100 paid apps are decompilable -- a process which reverse engineers an app to expose its source code, making it an easy target for malicious hacking exploits, including piracy, malware injection, and ad fraud. Some of the world's most popular retail, messaging, photo sharing, and video/music streaming services are among these highly vulnerable apps, as are highly profitable puzzle, sandbox, and real-time strategy games.

"We are publicizing our findings to warn the industry at large of the dangers they are currently exposed to, which app developers can still fix through relatively simple precautions," said SEWORKS founder and CEO Min-Pyo Hong, who leads a team of five-time DEFCON finalist security experts at the firm. "Until these protections are put in place, over a billion Android owners are vulnerable due to these decompilable apps."

Recent malicious attacks on Android, including against the popular Snapchat and WeChat apps, likely stemmed from decompiling or reverse engineering. Android consumers are particularly at risk during the holiday season, when in-app payments and app-based credit card transactions substantially increase, and developers race to publish their apps in time for the gift-giving rush. (Unlike Apple's App Store, in which all apps are automatically encrypted by the platform itself, Google Play gives publishers the option of encrypting their apps if they choose.)

Using an SaaS-based scanner service, Hong and his team searched for Google Play Android apps which can have their code reverse engineered through the apps' shared object library and DEX file through malicious hacker tools widely available on the Internet. SEWORKS discovered the following:

  • 85% of top 200 free apps on Google Play are decompilable, including top messaging/photo sharing services, casual games, music/video streaming services, and ironically, several antivirus apps.
  • 83% of top 100 paid apps on Google Play are decompilable, including dozens of blockbuster sandbox/simulation and puzzle/adventure games.
  • 87% of top 100 free game apps on Google Play are decompilable, including popular multiplayer, match-3, and real-time strategy titles, along with several games based on recent hit movies.
  • 80% of top 100 free non-game apps on Google Play are decompilable, including a leading VOIP communication service and the app for a major online retail service.
  • Overall, 95% of top 200 free Google Play apps can be reverse engineered, while 82% of the top 100 Google Play paid apps can be reverse engineered.

SEWORKS is publishing a series of Medium blog posts as a service to Android developers and the industry at large, explaining how malicious hackers use decompiling and reverse engineering techniques on apps -- and outlining best practices for protecting against these exploits. In addition, SEWORKS is also launching @AppCaution and the #AppCaution hashtag as an education program to empower developers with knowledge and updates about issues and precautions they should take as they build apps on various platforms.

Mobile apps are forecast to be a $100 billion industry with a market of 3.4 billion shipped units by 2020. However, the loss from malicious hacking and other security threats is currently estimated to be $400 billion a year, according to Lloyd's, much of that stemming from mobile apps. Gartner estimates that by 2017, up to 25% of applications will include runtime self-protection features.

Founded by five-time DEFCON finalists, SEWORKS develops advanced security solutions for the mobile era -- cloud-powered, easy-to-use, zero-integration services that protect developers and their customers through the entire lifecycle of their apps. Backed by Qualcomm and SoftBank Ventures Korea, SEWORKS is headquartered in San Francisco. Visit us online at and follow us on Twitter @seworks_twt.

Contact Information

  • Media Inquiries
    Vanessa Camones
    Tatiana Junqueira
    theMIX agency for SEWORKS
    Email Contact