Monthly Archives: September 2025

App-solutely Modded: Surveying Modded App Market Operators and Original App Developers

The market-leading smartphone operating systems, Android and iOS, allow users to install apps through official pre-installed markets. Android also supports app installation from third-party sources, known as sideloading. Sideloading fosters competition and enables open source app markets. However, it also enables the proliferation of markets distributing pirated and modded apps: apps whose features and functionality have been altered by a third party. Modded apps typically claim to offer users premium or subscription features for free, no ads, free in-app purchases, additional in-game resources, etc.

We previously analysed hundreds of thousands of modded apps in the first large-scale study of Android modded app markets. We compiled a dataset of over 146,000 Android apps from 13 of the most popular modded app markets. Despite the common belief that sideloading in iOS requires a jailbroken iPhone, we have demonstrated this is not the case and compiled a dataset of over 40,000 apps from the 9 most popular iOS modded app markets for an ongoing study of the iOS modded app ecosystem. The datasets are available to academic researchers through the Cambridge Cybercrime Centre’s data-sharing agreements.

Original app developers lose significant potential revenue from modded apps due to the free provision of paid apps; the free availability of premium features that require payment in the official app; and changes to advertising identifiers, which took place in 21% of the Android apps with advertising IDs. While users benefit from increased competition and free pirated and modded apps, these apps pose great risks to their privacy and security. Modded apps are significantly riskier than official versions: modded Android and iOS apps are 10 and 33 times more likely to be malicious than their official versions, respectively.

Having studied the modded app ecosystem technically, we wanted to hear directly from the modded market operators about their incentives and motivations, and from the original app developers affected by modded apps about their experience and any effects they noticed as a result of modded apps. In our latest paper, App-solutely Modded: Surveying Modded App Market Operators and Original App Developers, we survey modded app market operators and 717 app developers affected by modded apps. We used our updated Android modded apps dataset to contact 27,000 affected app developers with a personalised digest of our analysis results. 

We find modded market operators have economic incentives to break copyright law and make it difficult to file complaints. They perform little to no security testing of the apps they host and benefit from app developers’ intellectual property. Meanwhile, original developers suffer losses from missed purchases, reduced advertising revenue, additional support requests, and reputational damage. Unfortunately, developers find legal protections are ineffective at preventing modded versions of their apps appearing on third-party stores. Developers are unaware of, or find it hard to use, the security features and technical tools that can make the production and use of modded apps much harder.

We also study DMCA compliance of the top 23 modded app markets and confirm our survey findings: DMCA copyright claims are unusable at scale. Our paper concludes with a review of the technical and legal methods hardware and OS vendors, developers and regulators can use to tackle modded apps with the aim of better protecting developers’ intellectual property and revenue as well as user security and privacy. A few weeks ago, Google went a step further than our recommendations and announced the end of sideloading unverified developers’ apps on certified Android devices starting next year.

Taking Down Booters: The Cat-and-Mouse Game

In December 2022, we first blogged about a law enforcement takedown of DDoS-for-hire services (often known as “booters”), sharing details about their changing landscape shortly after the initial seizures. Now that we have more data covering a longer period post-takedown, we can form a clearer picture of the impact.

Booters have been around for years, offering anyone with a few dollars the ability to take offline websites that are not shielded by protection services. They are often marketed as harmless “stress-testing” tools, but in practice, they are mostly used for malicious purposes. They’re easy to access, cheap to use, and difficult to stop.

Law enforcement had made several attempts to take them down in the past—for example, in 2018—but the effects were short-lived. This time, multiple law enforcement agencies launched what was likely their largest coordinated campaign to date. There were two waves of takedowns, in December 2022 and May 2023, resulting in about 60 domains being seized in total. In addition to seizing websites, authorities also set up deceptive sites and ran influence campaigns on forums and chat channels to deter potential customers.

We measured the impact of this campaign by incorporating a diverse mix of data.