There’s a certain degree of trust we place in Apple and Google.
Whenever users download an app from one of those stores, it comes with the expectation that there will be a certain quality level that ensures malicious or poorly written software doesn’t make it onto our mobile devices.
But it is possible to bypass the Google Play Store. Samsung, Amazon, Huawei and others distribute software through their own channels. And Apple has systems in place that allow developers to distribute beta versions of applications without the full protection that comes from its App Store.
Despite the protections Apple and Google have put in place, it remains possible for malicious software to make its way to users. Recent data from IOActive found that 90% of mobile apps have security vulnerabilities, and that 90% of Android and 60% of iOS devices are running out-of-date operating systems. When you consider that more than half the world’s internet traffic comes from those devices, it’s a major point of risk.
Both Apple and Google are vulnerable to supply chain attacks. In 2015, a tainted version of Xcode, the tool used to create iOS applications, was distributed through third parties and used by the developers of some very popular apps to build new releases. The result was a malicious payload embedded in trusted apps without the developers even being aware.
While that issue was resolved, there is no guarantee that another attack won’t follow. And it’s possible the next attacker will be smarter and hide their tracks more effectively.
Although such attacks are rare, they are possible. Apple and Google know that such attacks can take place and have put mitigations in place to prevent them from happening again, but threat actors constantly look for new vulnerabilities to exploit. So it remains inevitable that those app distribution points will be targeted again.
The other challenge Apple faces is that its stronghold over its tightly vertically integrated platform could come under threat from regulators. If regulators get their way, it’s possible that iOS would be opened to third-party app stores. If that happens, the opportunity for a malicious or vulnerable app to reach the market increases.
With the app stores taking up to 30% commission on every app that is sold, it’s a market ripe for disruption. Amazon’s Jeff Bezos has often said that his competitors’ margins are his opportunity. And that 30% looks like a lot of opportunity.
Some apps are now bypassing the app stores in order to avoid those commissions, either passing the savings on to customers or pocketing the margins themselves.
Despite the best intentions of Google and Apple, and all the other companies that might enter this market, it comes back to the old Russian maxim: trust, but verify.
You need to ensure your apps aren’t tampered with and weakened. And you need to be able to remotely manage apps that have been deployed to your customers and know if your app’s behaviour has been changed by third parties.
When an app is scanned, you don’t just want to know if there’s a problem. You also want some advice on what you can do to minimise the risks.
Many experts (including Gartner) agree that application shielding, where the app’s source code is obfuscated so hackers can’t easily understand and modify it, is an important and effective defence.
And once an app is in the field, you need to be able to disable it, and collect intelligence so you know how an app is being used if there’s a problem.
All those actions can be achieved using Quixxi Security and its Scan, Shield and Supervise tools.