The effects of unauthorised software modifications on smartphone users and developers
Abstract
The market-leading smartphone operating systems, Android and iOS, allow users to install apps through official pre-installed markets. Android also supports app installation from third-party sources, fostering competition and enabling open source app markets. However, this also enables the proliferation of markets distributing pirated and modded apps: apps whose features and functionality have been altered by a third party. Modded apps typically claim to offer users premium or subscription features for free, no ads, free in-app purchases, additional in-game resources, etc. We present the results of the first large-scale study of Android modded app markets covering over 146,000 modded apps from the 13 most popular modded app markets. Despite the common belief that sideloading requires a jailbroken iPhone, we show this is not the case and present the first study of the iOS modded app ecosystem, covering over 40,000 apps from the 9 most popular modded markets. Original app developers lose significant potential revenue from modded apps due to the free provision of paid apps; the free availability of premium features that require payment in the official app; and changes to advertising identifiers, which took place in 21% of the Android apps with ad IDs. While users benefit from increased competition and free pirated and modded apps, these apps pose risks to user privacy and security. Modded apps are significantly riskier than their official versions: modded Android and iOS apps are 10 and 33 times more likely to be malicious, respectively. We survey modded app market operators and 717 app developers affected by modded apps. Modded market operators have economic incentives to break copyright law and make it difficult to file complaints. They perform little to no security testing of the apps they host and benefit from app developers’ intellectual property. Meanwhile, original developers suffer losses from missed purchases, reduced advertising revenue, additional support requests, and reputational damage. Unfortunately, developers find legal protections are ineffective at preventing modded versions of their apps from appearing on third-party stores. Developers are unaware of, or find it hard to use, the security features and technical tools which can make the production and use of modded apps much harder. We conclude with a review of the technical and legal methods that hardware and OS vendors, developers and regulators can use to tackle modded apps, with the aim of better protecting developers’ intellectual property and revenue as well as user security and privacy.
