The State of Application Security & Piracy

When Arxan Technologies shared its research findings on the state of application security and how piracy is adversely affecting vendor sales and success, my interest was piqued and I asked if I could interview someone on the team about the findings. Here’s my interview with Chief Marketing Officer Patrick Kehoe about piracy, mobile platforms, and related topics.

Read on, you’ll be surprised:

Q: Your research report states “41% of pirated software was Android apps”. That’s a huge number! What can Google as the creators of the Android operating system do to reduce this figure?

Research reports from leading academic and industry experts have also shown the rise in Android piracy. Trend Micro research revealed that 77% of sampled Google Play apps had a fake version, and 51% of those were malicious in nature. A Columbia University research study found that a quarter of all Google Play apps had a fake or cloned version.

Google has been a strong proponent of “openness”. Android is a truly open ecosystem, and that makes it risky. Android app developers must realize that secure coding and traditional app security practices alone will not mitigate the security vulnerabilities of Android. The key challenge facing app developers is that Android Java apps are quite simple for hackers to tamper with, repackage and republish. So app developers must embed the appropriate security measures in their apps so that it becomes extremely difficult for the adversary to directly access, compromise, and exploit the application’s code.

Q: The research also points out that “17% of pirated software are key makers or generators”. That’s intriguing, as the software keys I’ve had to enter over the years seem to all be long and random. How could hackers be gaining access to the algorithms that vendors are using for license keys?

Hackers can reverse engineer the algorithm used to generate valid keys or verify valid keys, and develop key generation exploits that generate, on demand, keys to unlock the software. Instructions to build key generators are freely available on the internet, and keygen exploits are widely traded on P2P (peer-to-peer) networks. Hackers can also spoof the presence of a valid license by cloning a license server.
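
The mechanism behind a keygen, as an added illustration that is not Arxan’s or Patrick Kehoe’s code: when the rule that makes a key “valid” lives entirely in the client (here a hypothetical digit-sum checksum), anyone who reads the check can write the generator. Put beside it is a signed-license check in which the client holds only a public key, so reverse engineering the verifier yields nothing a keygen can use and the attacker is pushed toward patching the check itself, which is the code-tampering problem the interview keeps returning to. The key formats, licensee names and the toy RSA parameters (two Mersenne primes, textbook unpadded signing) are assumptions made so the block runs stand-alone; real products use 2048-bit RSA or Ed25519 from a vetted library.

```python
"""
Added illustration (not Arxan's or Patrick Kehoe's code): a license check whose
validity rule can be reverse engineered into a keygen, beside a signed-license
check that cannot be, because the client never holds the signing key.
Key formats, names and the toy RSA parameters are assumptions.
"""
import hashlib
import secrets

# ---- 1. Checksum-style key: the rule that makes a key "valid" is fully
#         contained in the client, so a disassembler hands it to the attacker.

def weak_check(key: str) -> bool:
    """Hypothetical format 'DDDD-DDDD-CC': CC is the digit sum of the body."""
    parts = key.split("-")
    if len(parts) != 3 or len(parts[0]) != 4 or len(parts[1]) != 4 or len(parts[2]) != 2:
        return False
    body, check = parts[0] + parts[1], parts[2]
    if not (body.isdigit() and check.isdigit()):
        return False
    return int(check) == sum(int(c) for c in body)


def weak_keygen() -> str:
    """What a cracker writes after reading weak_check: reproduce the same rule."""
    body = "".join(str(secrets.randbelow(10)) for _ in range(8))
    return f"{body[:4]}-{body[4:]}-{sum(int(c) for c in body):02d}"


# ---- 2. Signed key: the vendor signs the licensee name with a private key
#         that never ships; the client verifies with the public key only.
#         Textbook (unpadded) RSA over two Mersenne primes, chosen only so the
#         block is self-contained. Toy parameters: N here is trivially
#         factorable; real deployments use 2048-bit RSA or Ed25519.

_P = (1 << 61) - 1            # 2^61 - 1, prime
_Q = (1 << 89) - 1            # 2^89 - 1, prime
PUBLIC_N = _P * _Q
PUBLIC_E = 65537
_PRIVATE_D = pow(PUBLIC_E, -1, (_P - 1) * (_Q - 1))   # vendor-side secret, never shipped


def _digest(licensee: str) -> int:
    """Hash the licensee name into the RSA modulus range."""
    return int.from_bytes(hashlib.sha256(licensee.encode()).digest(), "big") % PUBLIC_N


def vendor_issue(licensee: str) -> str:
    """Vendor side (runs on the license server): key = licensee ':' hex(signature)."""
    return f"{licensee}:{pow(_digest(licensee), _PRIVATE_D, PUBLIC_N):x}"


def signed_check(key: str) -> bool:
    """Client side: needs only PUBLIC_E and PUBLIC_N. Reversing this function
    gives an attacker nothing a keygen can use; their remaining option is to
    patch the call site, i.e. tamper with the application code."""
    licensee, sep, sig_hex = key.rpartition(":")
    if not sep or not licensee or not sig_hex:
        return False
    try:
        sig = int(sig_hex, 16)
    except ValueError:
        return False
    return 0 <= sig < PUBLIC_N and pow(sig, PUBLIC_E, PUBLIC_N) == _digest(licensee)


if __name__ == "__main__":
    forged = weak_keygen()
    print("weak scheme accepts keygen output:", weak_check(forged), forged)
    legit = vendor_issue("acme-corp")
    print("signed scheme accepts vendor key:  ", signed_check(legit))
    print("signed scheme accepts altered key: ", signed_check(legit.replace("acme", "evil")))
```

Running the block shows the checksum scheme accepting every key the derived generator emits, while the signed scheme accepts the vendor-issued key and rejects the same key with the licensee name changed. The interviewee’s second point, spoofing a license server, is outside this example: signature checking defends the key itself, not the network path to a server.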


Q: The report states that “The cost or un-monetized value of these pirated materials in 2014 is estimated to be more than $800 billion”. I want to challenge that, because isn’t it true that a lot of people who download pirated software and video content would never have paid for the content if that was the only option? That is, not every pirated download costs the company because that’s only true if the alternative were a legitimate license fee or purchase. If a teen grabs a copy of Photoshop, for example, they might launch it, be overwhelmed, and delete it. Thoughts?

That’s the total un-monetized value of English-language content alone, as a result of piracy. Note that it does not include Japanese games, Chinese pop and Bollywood movies.

It is simply the market value of content exchanged on peer-to-peer networks. For each piece of content shared, a value is assigned based on actual retail price or subscription fee. Note that un-monetized value reflects the value of the content itself – it does not capture advertising revenue or other content-related monetization streams.

Q: The amount of pirated content is directly related to the openness of the platform. But Windows and Mac OS X are both fairly closed when compared to Linux. Which has more pirated software available online, and why?

We think that piracy in this case correlates with the popularity of the OS (rather than its “openness”): there are far fewer Linux/Unix applications than Windows applications. Our approach collects pirate release information by software product name and by company name to find evidence of pirate releases of software titles intended for use on Mac and PC systems.

Interesting stuff indeed. My thanks to Patrick Kehoe for answering my questions…
