Another big security risk is a code injection. Code injections happen when a piece of software is deliberately modified to insert a module of code, generally malicious, that performs an unintended operation. These unintended operations can range from data stealing, to user surveillance among others. Hence, in this particular case, it is particularly important that applications are signed. An application that has been signed from a trusted manufacturer will not contain injected code.

Georgie Casey, an Irish engineer, proved in an article in 2013 a scary proof of concept. He decompiled SwiftKey, the award-winning keyboard for Android, and injected a piece of code that logged all the keystrokes and sent them through a web service connected ...