There is a widespread misconception that iOS devices are more secure than Android devices. The misconception likely stems from Apple’s “walled garden.” This metaphor (coined by Apple) has allowed iOS devices to be positioned as offering better security and privacy compliance than Android devices, which are built on an open platform.
While this perception is common, it is incorrect and carries real risk. For example, in July 2021, Amnesty International discovered that iPhones belonging to human rights lawyers and journalists had been infected with NSO Group’s Pegasus spyware.
The spyware gives the malicious actor access to messages, emails, and the iPhone’s microphone and camera. But perhaps the most concerning part is that infections can be delivered through common applications that many users wouldn’t think twice about downloading. And as we’ve seen in recent months, iOS devices are not immune to zero-day vulnerabilities.
At the end of the day, iOS is not as secure as many think. To give a sense of how significant an issue iOS mobile app security is, here are the three most common misconceptions about iOS security and why developers should beware.
There is a general belief that Apple’s app review process is strict enough to completely deter malicious actors from publishing dangerous malware to the App Store. However, multiple ways to get around these quality checks have been discovered, such as concealing private API usage by encrypting the endpoint names.
This suggests that Apple may overstate its iOS security capabilities. For example, in a court hearing during Epic Games’ antitrust fight with Apple, Microsoft researcher James Mickens claimed that Apple often exaggerates the security benefits of its App Store model. Epic’s attorneys supported this claim by citing internal emails that showed Apple leaders dealing with a host of problematic apps featuring violence and sexual content.
Another sign of how entrenched this misconception is: many developers believe Apple’s app signing system is enough to prevent clones of their apps from being published. However, a simple web search for “alternative iOS app store” returns more than 200 million results, which illustrates that the number of potentially dangerous third-party app stores is only growing.
This is the result of the multiple ways to circumvent Apple’s security review and control process. One of the most common is to use enterprise certificates to set up online signing services, which allow patched apps to be distributed through third-party stores.
If a fake, cheaper version of your app is available, users could mistakenly download it and risk having their private information, or even money, stolen. Although at its core this is the user’s mistake, it can still lead to a loss of trust, customer loyalty, and revenue.
Similar to the misconception above, many people believe Apple’s App Store is much more secure overall than the Google Play Store. But this is far from the truth: a recent analysis found that almost 2% of the 1,000 highest-grossing apps on the App Store are scams. These scam apps have generated more than $48 million in revenue.
In addition to users falling victim to fake apps on the official App Store, there is another way malicious actors can trick users into handing over their personal information.
As a developer, you want your users to feel safe and secure when using an app downloaded from the official App Store, where your apps are listed. So, when a user goes into their iPhone app settings and asks an app not to track their location or other app activity, they should be able to trust that it’s no longer tracking them, right? Well, the reality may be a bit upsetting.
Consider the popular gaming app Subway Surfers as an example. According to a recent investigation, when users ask the app not to track them, Subway Surfers starts sending 29 specific data points about their iPhone to an outside ad company. These data points include:
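Honoring that setting is the developer’s responsibility, not the ad SDK’s. The following is an added Swift example, not code from the original article, showing how an app can gate a device-data upload on the App Tracking Transparency status that the “Ask App Not to Track” toggle controls; `DevicePayload` and `sendToAdPartner` are hypothetical stand-ins for the collected fields and the ad SDK call.

```swift
import AdSupport
import AppTrackingTransparency
import UIKit

// Constructed example payload: a few device attributes an app might be
// tempted to ship to an ad partner. The field names are hypothetical.
struct DevicePayload: Codable {
    let advertisingId: String
    let model: String
    let osVersion: String
    let localeIdentifier: String
}

// Hypothetical stand-in for a third-party ad/analytics SDK call.
func sendToAdPartner(_ payload: DevicePayload) {
    print("sending \(payload) to ad partner")
}

/// Sends device details only when the user has explicitly allowed tracking.
/// Returns true if the payload was sent, false if the opt-out was honored.
@available(iOS 14, *)
@discardableResult
func reportDeviceIfAllowed() -> Bool {
    switch ATTrackingManager.trackingAuthorizationStatus {
    case .authorized:
        // The IDFA is non-zero only in this state on iOS 14 and later.
        let idfa = ASIdentifierManager.shared().advertisingIdentifier.uuidString
        let payload = DevicePayload(
            advertisingId: idfa,
            model: UIDevice.current.model,
            osVersion: UIDevice.current.systemVersion,
            localeIdentifier: Locale.current.identifier
        )
        sendToAdPartner(payload)
        return true
    case .denied, .restricted:
        // User opted out (or tracking is restricted by policy): send nothing,
        // including fingerprint-style fields that would stand in for the IDFA.
        return false
    case .notDetermined:
        // Ask once via the system prompt; never send before the user has answered.
        ATTrackingManager.requestTrackingAuthorization { _ in }
        return false
    @unknown default:
        return false
    }
}
```

The prompt only appears if `NSUserTrackingUsageDescription` is set in Info.plist; without it the status stays `.denied` and the function correctly sends nothing.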
The reality of iOS security is that it has been largely overrated. And although these misconceptions seem overwhelming, it’s never too late to give your apps the protection they deserve.
In fact, when it comes to preventing bad actors from distributing modified or malicious versions of your apps, which can damage brand reputation and result in revenue loss, Guardsquare’s iXGuard provides the most comprehensive mobile app protection available against security risks like tampering and reverse engineering, through multiple layers of code hardening and runtime application self-protection (RASP).