Apple Security Features Won’t Protect Your App. Here’s What Will.

iOS apps have serious supply chain issues. Here’s how to protect yours.

We’ve covered the perceived superiority of Apple’s security features before. In fact, when it comes to mobile app security, the Android vs. iOS debate often begins and ends with iOS adherents invoking the “walled garden” metaphor. The danger of this perception for iOS app developers is that they’ll forgo building and implementing a robust security strategy in favor of relying on Apple’s security measures. This leaves their iOS apps open to serious security vulnerabilities.

Recently, researchers at Symantec’s Threat Hunting Team analyzed public apps and identified over 1,800 in the sample with vulnerabilities leading to exposed, hard-coded AWS credentials. Of these 1,859 apps, 1,822 were iOS apps. Researchers found that developers were failing to properly check their third-party software development kits (SDKs) and libraries. They also found evidence that proper code review was omitted from the development process.

The mobile app supply chain issue

These security gaps are viewed as supply chain issues in the software and technology infrastructure. Similar to supply chain issues in other industries, the mobile app vulnerabilities introduced in the development process caused major security issues farther down the chain. For example, insecure AWS credentials can be stolen, which could lead to the exposure of PII and other confidential data. Additionally, threat actors can sell pilfered data on the dark web, use the data to blackmail organizations, and leverage it to cause irreparable brand damage. And beyond brand reputation, companies in highly regulated industries may also face potential fines for privacy act violations.

In a newly published survey by Statista, the company found that 45% of global mobile consumers (both iOS and Android users) would not continue to use a mobile app that failed to protect, “them, their data, and their use.” It’s worth noting that these stats were slightly higher for iOS apps.

It's time to strengthen your iOS apps’ supply chains

The large number of iOS apps with these supply chain vulnerabilities lend credence to the fact that iOS app developers need to rely less on Apple security features and instead implement proper security measures around the third-party components they use. Let’s take a closer look at the supply chain vulnerabilities revealed by the Symantec study and the steps you can take to better protect your iOS apps.

Approaching your iOS apps with a stronger security mindset

Better protection for your iOS apps begins with an understanding of where the supply chain vulnerabilities start. In the case of the Symantec study, the researchers identified that mobile app developers weren’t following best practices for sharing and using resources from their cloud storage provider. According to a post in DevPro Journal, mobile app developers rely on third-party tools like these because they “don’t want to reinvent the wheel every time they work on a new project.”

This is understandable, but the same third-party libraries used to speed up the development process are often the most insecure part of an application. Gartner warns that these open-source libraries can be out of date or use a compromised compiler.

Shared keys and access tokens

Other shortcuts in the mobile app development supply chain include the use of shared keys and AWS access tokens. In a Symantec piece on mobile threat defense, researchers found that mobile app developers weren’t implementing proper access controls to cloud data. This included developers unknowingly using insecure shared keys obtained from corporate IT and using shared keys without establishing proper role-based account controls. As for AWS tokens, the same Symantec research on mobile supply chain issues found that 53% of apps with insecure AWS credentials were using the same valid AWS tokens that granted access to millions of private files via the Amazon Simple Storage Service.

In most of the instances above, the vulnerabilities were tied back to developers unknowingly using vulnerable resources or intentionally omitting security best practices to save time and money. Overall, using SDKs, shared keys, and other resources to speed up the development process and cut down on costs is common, but you’ll want to ensure that you have a security strategy to keep those same cost-effective measures from becoming costlier security vulnerabilities.

Implementing security recommendations for iOS apps

1. Adopt a security checklist for your iOS apps

   A good security strategy begins with a great checklist. Often, in the rush of developing and publishing an app, security checklists fall by wayside. Earlier we mentioned that Symantec found evidence that proper code review was omitted from the development process. Using a comprehensive checklist can help you build important security tasks code like code review into the development process. We recommend the OWASP Mobile Application Security (MAS) Checklist; this list works in concert with the OWASP Mobile Application Security Verification Standard (MASVS) and Mobile Application Security Testing Guide (MASTG) to cover security at every step of the development lifecycle.

   You can also use a security checklist that’s specific to cloud storage like Microsoft's Azure security baseline.

2. Perform security scans on your iOS apps

   Even with a security checklist in place, you’ll also want to scan your app during the development process and after publishing to identify logical flaws and other potential security vulnerabilities. In their research on the mobile supply chain issues, Symantec specifically recommends that app developers find a security scanning solution that not only scans SDKs and frameworks, but also identifies the source of vulnerabilities and unwanted behaviors. You’ll also want to make sure you’re scanning your app after each build/commit.

   When Guardsquare launched AppSweep, our security scanning tool that finds and fixes issues in your Android app’s code (coming soon for iOS apps), we found that AppSweep users were more likely to scan and test their apps for security vulnerabilities with each build. In general, developers are more likely to use unobtrusive tools, so we built AppSweep to fit seamlessly into the development process.

3. Carefully vet your SDK providers

   A scanning solution that checks your SDKs and frameworks is important, but the security process begins with iOS app developers carefully selecting their SDK providers. What does this look like? App publishers should do background research into each potential SDK’s permissions and data collection behaviors before adding them to their app. Additionally, you’ll also want to ensure that each SDK supports the latest API requirements for iOS apps. Not only will this help your app pass the platform’s submission requirements, but it will keep it up to date and compatible with the latest bug fixes and security features.

Final thoughts on your iOS apps’ mobile app supply chain

It’s important to remember that Apple security features alone aren’t enough to adequately protect your iOS apps. The overwhelming number of iOS apps using vulnerable third-party software libraries in the Symantec study sample reinforces the need for strong security measures in your mobile app supply chain.

Development components provided by third-party software libraries are ubiquitous. The question isn’t if you should continue to use these cost and time saving elements in your iOS app development process, but how to use them in a way that protects your data, the user’s PII, and your brand’s reputation. Implementing a comprehensive security checklist, scanning your apps during and after the development process, and carefully researching your SDK providers can help prevent malicious acts from exploiting security vulnerabilities.