May 3, 2022

    Why Are App Publishers Still Neglecting iOS Security?

    Despite evidence demonstrating that security for iOS is overrated, many developers still believe the Apple ecosystem is more secure than Android. This false sense of security puts app publishers at risk of attack, which could have a negative impact on revenue and reputation.

    In this blog, we’ll discuss why iOS is not more secure than Android, to help app publishers better understand the iOS threat landscape, and take proactive steps to more effectively protect their apps.

    Misconception #1: You can’t distribute or install modified apps on iOS

    There’s a commonly held belief that you can’t distribute modified iOS apps because the ecosystem restricts app installs to only those that are downloaded from the App Store. However, a quick search on Google reveals there are a lot of hacked apps available for download outside the App Store that users can (and do) install.

    Digging a little deeper, you’ll discover many possibilities to successfully bypass Apple’s complex code signing process and distribute modified iOS applications. It’s possible to resign applications using a developer certificate to install the app on a personal device. Furthermore, such resigned apps can be distributed through third-party app stores.

    You can also distribute modified versions of iOS apps through TestFlight. This platform allows developers to distribute apps to the rest of their team for testing purposes, but it’s easy for malicious actors to exploit this to distribute modified and repackaged iOS apps, too.

    The upcoming  Open App Markets Act will further increase the options for distributing apps, as well. This bill would allow users to install unvetted apps downloaded from outside Apple’s “walled garden” and the App Store, introducing new security risks for app publishers and users alike.

    It’s also worth noting the role of jailbroken devices in this context. Once a device is jailbroken, the user can easily circumvent the validation process to install modified apps. That’s why there are numerous alternative app stores to download modified or pirated apps.

    Misconception #2: Users are responsible for malware on jailbroken devices

    Another common misconception is that malware only works on jailbroken devices, so those users who choose to jailbreak their devices are at fault. However, it’s easy for iOS users to unknowingly fall victim to jailbreak attacks, as well.

    In fact, getting jailbroken can be as easy as visiting a web page. Malicious actors can trick users into visiting a web page, jailbreak their device, and then use this as an opening for further attacks. This introduces the potential for a significant impact on mobile app publishers; when developers assume there’s no malware on a device, they could make insecure app design decisions.

    For example, storing unencrypted data directly on a device quickly becomes a security issue if the device is infected with malware, because even the genuine iOS app could potentially leak data. By assuming iOS users are responsible for malware on their device, app developers may implement inadequate security that ultimately impacts the reputation of the app publisher.

    Misconception #3: Reverse engineering of iOS native code is much harder than Android Java code

    There is also a belief that iOS code is harder to reverse engineer than Android code. iOS code is compiled into low-level machine code, while Android code is compiled into higher-level bytecode that runs on the Java Virtual Machine (JVM). Since iOS code undergoes more transformations during compilation, many developers assume it’s more difficult to reverse engineer.

    The reality is that with modern tools like Ghidra, Hopper, or Frida professional hackers can easily inspect and modify iOS application code. These tools offer reverse engineers many advanced techniques, such as automated code analysis, which can successfully restore the higher-level code structure, making it significantly easier to read and understand machine code.

    The business implications of unsecure mobile apps

    By now, it should be clear that iOS isn’t any more secure than Android. So what does this mean for your mobile app? In short, your app can easily be reverse engineered or tampered with, which can have serious business implications.

    The first major impact is on revenue. Modified apps can bypass in-app purchases or disable ads, which can reduce the revenue your app generates. Malicious actors can also steal your intellectual property (IP) and distribute clones of your app, cutting into your revenue and market share.

    The second potential impact is on your company’s reputation. Through modified apps, malicious actors can intercept and steal private user data processed in your application. Users themselves could also choose to circumvent your service rules to cheat, bypass certain restrictions, and perform other actions that could negatively impact your business reputation.

    Mobile developers need to harden iOS apps

    From revenue loss to damage to your brand’s reputation, neglecting iOS security for your mobile apps just won’t cut it in today’s mobile-first world. The good news: the right tool makes implementing effective iOS security easier, so there’s no reason not to protect your app.

    iXGuard is Guardsquare’s developer-friendly app hardening solution for iOS. Using multiple layers of code hardening and runtime application self-protection (RASP), iXGuard can protect your iOS app from reverse engineering and tampering attempts. This is crucial for maintaining user trust over the long term.


    Want to learn more about protecting your iOS mobile apps?

    Watch the Video>

    Other posts you might be interested in