Have you ever given thought to abandoned apps and what developers do when they decide to end-of-life their apps? Developers are able to remove apps from the app stores, but they don’t have the ability to remove those apps from your phone.

Think about app production like newspaper production. Just as a newspaper consists of paragraphs of words, apps are just bundles of code, and much like typos in newspapers, there’s always the possibility of mistakes in the code that can cause problems for app users. And much like insensitive or inappropriate newspaper advertisements can cause problems for publishers, mobile advertising can be dangerous when the content of the ads is not held to certain standards.

When problems arise, you can’t just go into people’s homes and take your old newspaper off their coffee table – the same goes for apps. Developers face a dilemma here. They can remove their abandoned apps from the app stores, but this might upset users that still run these apps frequently. The alternative is for the developers to continue offering updates to their apps that correct bugs or other issues with the code; unfortunately, this isn’t viable for those who have lost funding for a service or made a conscious business decision to deprecate a service. Considering the millions of app developers that face these decisions each year, the end result is a large number of applications that are installed on users’ devices and then simply abandoned by developers.

Users Find Workarounds

From an end-user perspective, abandoned apps can cause quite the upset. Imagine you had an app on your phone that you loved and relied on daily. Then, one day, you buy a new phone. You go to the app store to redownload it and realize it’s not available anymore. It’s even more frustrating when you’ve paid good money for it.

For Android and iOS users, backing up apps is pretty simple, so even if an app you’ve paid for and downloaded is pulled from the Google Play Store or Apple App Store, you can still restore that app from your previous phone’s backup. There’s no guarantee that the app will work optimally forever, but at least you’ll always have the version you own available.

An Analysis of Live Installs

According to our research, this phenomenon of abandoned apps with live installs is a frequent occurrence across app categories, with some being more prevalent than others. The apps identified in this analysis were part of a broader effort that Wandera has established to monitor popular app sources for changes in app availability. The subset of apps included here was determined by customer impact, and includes 6 months of apps that were removed from the app stores (with abandoned apps left on customer devices), along with apps that were installed on customer devices prior to the 6-month period and, subsequently, removed from the app store. What we do know is that these apps still exist on users’ devices. What we don’t know, however, is why they were removed from the app store. Are they malicious in intent or harmless in nature?

Abandoned apps by category (Nov ’19 – Apr ’20)

When it comes to the Productivity category, which accounts for 38.7% of abandoned apps in our analysis, a clear message emerges: users prize applications that provide them with value and functionality. The productivity space is a highly competitive one, rife with abandoned apps. Take the flashlight tool for instance. Once a standalone app offered by various developers, the flashlight has since been bundled into the core of the Apple operating systems. More often than not, the tools users find most useful end up pre-installed on popular devices. As more and more of this functionality is built into the devices themselves, the productivity apps first introduced as standalone tools end up abandoned on the app stores.

Gaming apps represent the second largest category of abandoned apps, right on the heels of the Productivity category with 30.3% of the total. This large percentage is likely due to the fact that gaming is the category most frequently removed from app stores. Over a three-month period, our research revealed that 40% of monitored apps removed from the Play store for policy violations were in a single app category: gaming.

An analysis of the top 10 apps by number of devices with the abandoned app installed reveals productivity/tools apps are also the category with the highest volume of installations, accounting for 7 of the top 10.

Rankings

Topping the chart is the Samsung Keyboard, with 40 times the number of installs of the second most downloaded app (i.e. flashlight). This app is of particular interest, as it’s one example where there is a known vulnerability, and it represents significant risk for users with it installed. The keyboard that comes pre-installed on some Samsung devices is vulnerable to remote code execution. While the version available in the Play store is distinctly different, it is also susceptible to a remote arbitrary file write.

Given we have no visibility into why or how these apps came to be downloaded on users’ phones, several questions arise: What’s wrong with these apps? Why were they pulled from the app store? Are they malicious or simply outdated? It would be incorrect to simply assume these are all bad apps with known vulnerabilities, but there is an inherent risk associated with abandoned apps.

Recommendations

Abandoned apps represent risk for enterprises and users. An abandoned app that is no longer available from the respective app store is an app that can no longer be updated to address bugs or vulnerabilities. This means they are now in a prime position to be exploited by hackers, offering fake updates or targeting known vulnerabilities that were never patched. These apps could continue being migrated over from device to device via iCloud or other backups long after they’ve been removed from the app stores.

We recommend the following measures to reduce the risk of abandoned apps:

  • Educate users on the risk of abandoned apps so they can keep an eye out for them
  • Encourage iPhone users to enable the ‘Offload Unused Apps’ setting to automatically remove apps that haven’t been used for some time. App data is retained and is available again once the app is re-downloaded
  • Use a security solution to audit apps installed in your fleet and check for signs of abandoned apps, such as the date of the latest version update
  • Activate network blocks for malicious network traffic (command & control, data exfiltration, botnet communication) that is often repurposed from one bad app to another from the same developer
  • Disable access to third-party app stores, preventing users from downloading what may be out-of-date code from an unmonitored hosting service
  • Enforce an acceptable use policy to support your users’ software requirements and understand what they’re downloading, so you can keep it in check
  • Build security policies around all four categories of app risk:
    • Compliance / shadow IT
    • Malware
    • Potentially unwanted apps (apps that violate corporate security policy, but aren’t actually developed to be bad)
    • Vulnerable apps (those with security flaws)
  • Policies should take into account quarantined devices, user messaging and education, and access policies in coordination with your IDP
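As an added example (not code from the original post or from Wandera), here is a small fleet audit of the kind the “audit apps installed in your fleet” recommendation calls for: it takes a constructed device inventory, flags apps that have been pulled from the store or have gone stale, and produces the category share and top-installs ranking used in the analysis above. The inventory rows, the audit date and the staleness threshold are all assumptions.

```python
from collections import Counter
from datetime import date

# Constructed sample inventory (not real data): one row per app seen on
# managed devices, with store availability and the date of its last update.
INVENTORY = [
    {"app": "keyboard-a", "category": "Productivity", "devices": 400,
     "in_store": False, "last_update": date(2018, 6, 1)},
    {"app": "flashlight-b", "category": "Productivity", "devices": 10,
     "in_store": False, "last_update": date(2017, 3, 15)},
    {"app": "puzzle-c", "category": "Games", "devices": 25,
     "in_store": False, "last_update": date(2019, 11, 2)},
    {"app": "notes-d", "category": "Productivity", "devices": 300,
     "in_store": True, "last_update": date(2020, 3, 1)},
    {"app": "runner-e", "category": "Games", "devices": 50,
     "in_store": True, "last_update": date(2018, 1, 1)},
]

# Assumed audit date (end of the Nov ’19 – Apr ’20 window in the post).
AS_OF = date(2020, 4, 30)


def is_abandoned(row, as_of, stale_days=365):
    """Treat an app as abandoned if it has been pulled from the store, or is
    still listed but has received no update within stale_days (assumed)."""
    age = (as_of - row["last_update"]).days
    return (not row["in_store"]) or age > stale_days


def flag_abandoned(inventory, as_of, stale_days=365):
    """Return the inventory rows that meet the abandoned-app criteria."""
    return [r for r in inventory if is_abandoned(r, as_of, stale_days)]


def share_by_category(rows):
    """Percentage of flagged apps per category, rounded to one decimal."""
    if not rows:
        return {}
    counts = Counter(r["category"] for r in rows)
    total = sum(counts.values())
    return {c: round(100 * n / total, 1) for c, n in counts.items()}


def top_by_devices(rows, n=3):
    """Rank flagged apps by how many devices still have them installed."""
    return [r["app"] for r in sorted(rows, key=lambda r: -r["devices"])[:n]]


if __name__ == "__main__":
    flagged = flag_abandoned(INVENTORY, AS_OF)
    print(share_by_category(flagged))
    print(top_by_devices(flagged))
```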