STATE OF APPLICATION SECURITY VOL. 4, 2015
STATE OF PIRACY

NUMBER OF PIRATED ASSETS IS EXPECTED TO INCREASE 22%
Pirated software found between Jan. 2012 and Mar. 2015

2012-2014 AVG./YR: 1.6M
2015*: 1.96M

Between 2012 and 2014 the average number of pirated assets found per year was 1.6M. In 2015, the total number of pirated assets is expected to hit 1.96M.
(Source: iThreat Cyber Group & Arxan Technologies)

BREAKDOWN OF SOFTWARE PIRACY
[Chart: categories Android Apps, Key Generators, Apple Software, Windows Desktop Software, Apple Apps; values shown 41%, 17%, 13%, 9%, 5%]

9,000 KEY GENERATORS FOUND
What are they? Software that generates product licensing keys to enable unauthorized access to software or digital media releases.

APPLICATION RISKS ENABLING PIRACY

REVERSE-ENGINEERING
With readily available tools, hackers can quickly convert unprotected binary code back to source-code, repackage and distribute.

APPLICATION TAMPERING
Applications can be modified or injected with malware at run-time to steal keys, and alter execution in line with hacker objectives.

DISTRIBUTION MODEL FOR PIRATED SOFTWARE
[Diagram: Scene FTP Top Sites; Private Torrent Sites; Public Sites; Cyberlockers]
VOLUME OF PIRATED RELEASES: 100’s to 100,000’s
SPEED OF ILLEGAL DISTRIBUTION: 0 sec to 33 mins

ECONOMIC IMPLICATIONS OF PIRACY

23.76% OF GLOBAL INTERNET BANDWIDTH IS CONSUMED BY TRAFFIC INFRINGING UPON COPYRIGHT. [2]

IN 2014, THE UNMONETIZED VALUE OF PIRATED ASSETS REACHED $836,840,300,000 [3]

Software: $652 B
Games: $74 B
Movies: $73 B
TV: $18 B
Music: $12 B
Adult Content: $6 B

UNADDRESSED APPLICATION VULNERABILITIES

A recent study analyzed over 96,000 Android apps to measure how well they addressed the OWASP Mobile Top 10 vulnerabilities. The graph below shows the percentage of apps that failed to address these vulnerabilities over time.

[Chart: OWASP MOBILE TOP 10. Series: Jan-2015, June-2015. Axis: 0% to 100%. Categories:
M1 Weak Server Side Controls
M2 Insecure Data Storage
M3 Insufficient Transport Layer
M4 Unintended Data Leakage
M5 Poor Authorization
M7 Client Side Injection
M9 Improper Session Handling
M10 Lack of Binary Protections]
(M6 and M8 not included in analysis)
(Source: MetaIntelli, 2015 Research)

97% OF MOBILE APPS LACK THE PROPER BINARY PROTECTIONS, LEAVING THEM VULNERABLE TO PIRACY.

50% OF ORGANIZATIONS HAVE ZERO BUDGET ALLOCATED TO PROTECTING MOBILE APPS.

SECURITY INVESTMENTS NOT IN LINE WITH LEVEL OF RISK

A 2015 study from Ponemon Institute, sponsored by IBM Security, found that application security spending was not in line with the level of application risk.

[Chart: SECURITY RISKS VS. SPEND. Series: Security Risk, Spending. Categories: Application Layer, Data Layer, Network Layer. Axis: 5% to 35%.]

RECOMMENDATIONS TO MITIGATE SOFTWARE PIRACY

RETHINK YOUR SECURITY INVESTMENT APPROACH
Consider how much money is spent on application security versus other areas.

BUILD RUN-TIME PROTECTIONS INTO YOUR APPLICATIONS
Implementing run-time protection will enable self-defense against tampering and malware attacks.

PROTECT YOUR CRYPTOGRAPHIC KEYS
White box cryptography solutions can mask both static and dynamic keys.

Sources:
1. iThreat Cyber Group & Arxan Technologies
2. Study by NetNames/Envisional, sponsored by NBC Universal
3. Tru Optik, 2014 Research
4. MetaIntelli, 2015 Research
5. Ponemon Institute study, sponsored by IBM Security, Mar 2015

For additional details
& full report, visit Arxan.com