SEWORKS-blog_banner.png

App Security Insights

The History of Backloading and Its Evolution to Present Time

Aug 17, 2017 7:00:00 AM / by Sung Cho

The-History-of-Backloading-and-its-Evolution-to-Present-Time-Blog-IMG.png

We use them every single day, and yet, despite the pervasive role that mobile applications play in our lives, we offer our trust to this technology oftentimes without question. Well, regardless of how incredibly convenient it is to play a round of Candy Crush or check your Facebook page on your smartphone or mobile device, the fact remains that every action a user takes on these devices could potentially leave them vulnerable to hackers waiting for the right moment to pounce.

As mobile technology has evolved, so too has the means in which hackers have managed to successfully exploit sensitive user data and, in many instances, the apps themselves. Yet, with the tools we have at our disposal, there’s little excuse for why an app shouldn’t be equipped to defend against the most common tactics employed by hackers.

Now more than ever before, developers need to recognize the invaluable ways in which mobile application security can protect both the safety of their customers as well as the extraordinary accomplishment of getting their apps on the market in the first place. The mobile space has only become more competitive in recent years, but without the right security measures in place to keep hackers and other malicious users at bay, the entire existence of your app may be compromised. After all, some startling trends have begun to emerge that only intensify the need for a sound security plan. Backloading is one such phenomena that may greatly compromise your app.

The Troubling Tale of Backloading

What is Backloading?

Though it has grown into a threat all its own, backloading actually derives from another well-known concept involving app piracy: sideloading. Sideloading is a blanket term often attributed to any method of installing a mobile app through alternative sources outside the mainstream. For instance, the Apple App Store and Google Play are probably the ones you use the most -- especially given their increasing dominance within the industry they helped popularize --  but these official app stores aren’t the ones we’re discussing here. Rather, more suspicious, third-party app stores may qualify, and in that case, users downloading an app are likely engaged in sideloading in order to receive access to this less reputable alternative.

backloading-history.pngIn recent years, some consumers have tracked down free pirated versions of popular iOS and Android apps and opted for this alternative. But this trend has only opened them up to a world of vulnerability.

Sure, a pirated version of a paid iOS app may appear to be everything a user could want, but often there is always a price to be paid from shopping on rogue iOS app stores. That’s where backloading comes in, since this term specifically refers to sideloading that allows users to download illegal, pirated or otherwise illicit apps without having to first jailbreak their smart phone in order to do so.

To really have a thorough understanding of backloading, you mustfirst start from the very beginning of this strategy. Let’s investigate how backloading began.

Where Backloading Began

While it has since become a worldwide concern, the first known instance of backloading -- so named because of how it exploits back channels to perform its dirty work -- can be traced back to popular pirate site 7659.com in China back in 2013. Like many sites in the nation, this one was liable to a variety of restrictions, and in this particular case, the site was only accessible to Chinese IP addresses, an effective way to make it more difficult for Apple itself to intervene.

Naturally, the hackers involved also signed each of their pirated apps with an enterprise certificate that enabled them to make their apps available to interested consumers. Under the guise of offering testing capabilities for their apps to their native Chinese users, the site and those behind it expertly shrouded the darker side of their business model, all the while claiming to be interested in providing region-free apps to the people of China.

Months later, it was discovered that online instructions were made available to interested consumers, and software specifically designed to enable the downloading of pirated (and largely unsafe) materials soon went mainstream. Piracy exploded in a manner of months, with the initially Chinese trend soon making its way across the globe. The foundation for the rogue app stores we now face was readily apparent, and today, the user base for such sites is estimated to be at least 10 million strong. Of course, that growth didn’t happen overnight. Next, we’ll look into the intermediate steps that took backloading to its current peak.

Backloading Through the Years

Even though only a few years have passed since backloading became such a prevalent force in the mobile application space, there has certainly been a lot of change. In fact, hackers have become increasingly adept at staying one step ahead of Apple in its development of backloading tactics. Perhaps the leader of the bunch is vShare. The site takes advantage of Apple’s own enterprise certificate system -- a move lifted directly from 7659.com -- in its creation of pirated apps. Typically, this process takes one of three forms:

  • backloading-threat.pngHackers create a fake company: Sometimes, the easiest way to go undetected is for hackers to “create” a new fake company, thereby eluding suspicion and any connection to a pre-existing entity.
  • Hackers impersonate a real company: Another popular option is to go under the guise of an existing company, though this could be more trouble than it’s worth. Reverse-engineering comes in handy here, as it allows malicious users to recreate other apps’ design and therefore success.
  • Hackers would steal an existing certificate: Lastly, some hackers simply choose to steal a certificate by decrypting and decoding a target app and applying it themselves. This way, their false nature is often discovered too late, allowing them to masquerade their true purpose more effectively.

Another step forward in backloading’s evolution occurred when Tongbu -- another third-party Apple app store -- emerged on the scene. Complete with its own assistant software, Tongbu is very much another example of a rogue app store, but this one provided the usual, legitimate updates for a given app to even the rogue version of the same software. This brought backloading one step closer to effectively impersonating their legitimate counterparts. With iTong, consumers could access a pirating system that could match Apple’s own setup.

In 2016, unauthorized app stores had their biggest year yet.  Here’s a quick list of some of the most popular one:

  • WireLurker
  • AppCake
  • iFUNBOX
  • YiSpecter
  • HipStore
  • KuaiYoung
  • Youmi
  • AppAddict

Additionally, two in particular became major players, thanks to their use of backloading:

  • Happy Day English: With its true purpose effectively masked outside China, this one seemed to teach Chinese citizens how to work on their English, but for those inside the nation, it contained hidden software that circumnavigated the Apple App Store to present pirated versions of official apps.
  • 25PP: This site gives users the chance to directly download pirated apps onto their phone, using a combination of three different icons and profiles to grant access to a global market of some of the world’s most well-known titles right on your smartphone.

The Threat that Persists

Nowadays, backloading easily remains among the most common ways that pirates can exploit the system for their own ends. Rogue app stores continue to spring into action, despite the efforts of Apple and others to quell this rising vulnerability to developers and the industry as a whole.

Tongbu, vShare, 25PP and Happy Day English have come to serve as templates for others to follow and have remained relevant themselves courtesy of rebranding efforts and increasingly surreptitious means of hiding their true nature. And, of course, iOS isn’t the only target of such activity.

Android has been facing similar trouble, with the fight against backloading an ever-changing struggle that seems to frustrate more than it succeeds. Yet, despite the intimidating scope of the battle against hackers, we must persist.

Sure, backloading may continue to exist for years to come, but only by aiming to continually regulate its spread can we hope to contain its effects and user base. Vulnerabilities are inevitable, and to think that we can ever completely eradicate such weaknesses is ultimately foolish.

Nevertheless, enough white hat hackers are engaged alongside Apple to fight back against the illegal and frankly immoral efforts that backloading propagates to make a real difference. While backloading continues to change with the times, so too must we be ready to face its reality.

Only through learning more about the enemy’s intentions can we hope to anticipate their next move, and only by fortifying your own apps can you prevent malicious users from exploiting your hard work to create pirated versions of your apps.

Guiding You to a More Secure Future

A-More-Secure-Future-2.png

Just because backloading is gaining steam doesn’t mean that it’s necessarily cause for alarm. In fact, the more useful way to view this scenario is as a very real opportunity to address the danger of hackers head-on.

If your initial reaction to learning the scope and history of backloading is that of panic, perhaps your app is in dire need of some retooling of its own. Truthfully, with backloading and other threats looming on the horizon, the time has never been better to expand your knowledge of mobile application security.

Seize this opportunity to bolster your defenses before any cyberattack even has a chance to emerge. However, doing just that might in and of itself seem like a tall order.

Thankfully, we’ve included everything you need to know about backloading in our handy new white paper, iOS Backloading and Rogue App Stores : A Major Threat to iOS Developers. Wonder no longer whether your app is effectively guarding against this formidable menace.

We’ll discuss the dangers of piracy and offer some must-have solutions that you can apply to your app today. We’re confident that you’ll find all the information you need right at your fingertips and be that much more prepared for anything that hackers may throw your way.

Today could either be the beginning of a more secure future or the beginning of the inevitable invasion of your users’ privacy that accompanies a vicious cyberattack. We think you’ll know what to do.

iOS-Backloading-and-Rogue-App-Stores-Big

Topics: Mobile App Security, Mobile App Security Testing

Sung Cho

Written by Sung Cho

Head of Marketing at SEWORKS Co., Ltd.