
Approov Addresses Apple Watch Security Issues


Apple and MIT recently published a study indicating that 2.6 billion personal records were exposed through data breaches over the last two years. These findings underscore the need for protecting data in the cloud through mobile attestations and improved API security.

Watches, wearables and other new types of mobile devices are now the weakest link in the mobile app threat landscape. Approov addresses this threat head on with Release 3.2 of the solution. While Release 3.2 includes other important enhancements (detailed in the Press Release), this blog specifically explores the crucial advancements made to enhance the security of the Apple Watch.

All I Want for Christmas is an Apple Watch

Apple launched both the Apple Watch Series 9 and the Apple Watch Ultra 2 in September 2023 to rave reviews, and since Cyber Monday the deals on these new products have only been getting better. As early Apple Watch adopters upgrade to the new series and new customers jump in, this will be the stocking stuffer of choice for Christmas 2023.

The Security Challenge

However, as new types of mobile devices such as watches and wearables proliferate and communicate directly with backend APIs, the well-known mobile phone attack surfaces are exposed on these devices too. You are only as strong as your weakest link: taking care of mobile app security is worthless if an attacker finds a path from a wearable to your APIs.

Mobile Threats Extend to Wearables

Well-known issues with mobile apps apply to apps on wearables too: apps can be reverse engineered, cloned and copied, even if attempts have been made to obfuscate the code. They also run in a client environment which can be hacked, rooted, instrumented and manipulated.

If wearables are not secure, their operating systems can be manipulated and apps can be exposed to sensitive data loss and malware injection. Man-in-the-Middle (MitM) attacks can be executed. Cloned apps and automated tools and scripts can be used to exploit API vulnerabilities, and threat actors can execute credential stuffing, brute force attacks and distributed denial of service (DDoS) attacks.

Hackers are Already Active

This is not just a theoretical risk.

In September, Citizen Lab announced that while checking the device of an individual employed by a Washington DC-based civil society organization, they found an actively exploited zero-click vulnerability being used to deliver NSO Group's Pegasus mercenary spyware, one of the world's most invasive spying technologies.

Apple acknowledged the threat to their devices and issued a watchOS security advisory on November 9 2023 describing the security content of watchOS 9.6.2, which addressed a vulnerability in Wallet on Apple Watch Series 4 and later.

The vulnerability, when exploited, allowed for the execution of arbitrary code through a maliciously crafted attachment. This means that an attacker could create a specially designed file or document that, when opened or accessed by a user, could trigger the execution of code that could potentially compromise the device's security or steal sensitive information.

Apple took the matter seriously and acknowledged reports that this vulnerability had already been actively exploited. This acknowledgment highlights the urgency with which Apple approached the situation, recognizing the harm that exploitation could cause.

Apple responded promptly to the discovery of CVE-2023-41061, the identifier assigned to this watchOS vulnerability, and wasted no time in releasing a fix to address the issue.

By releasing a fix promptly, Apple aimed to protect their users from any threats that could arise from this vulnerability, demonstrating a commitment to addressing security issues swiftly and to ensuring the safety and privacy of their customers.

Apple's quick response and acknowledgment of the issue also serve as a reminder of the importance of regularly updating software and devices. Keeping software up to date with the latest patches and fixes is crucial in mitigating the risk of falling victim to such vulnerabilities. Users are encouraged to stay vigilant and promptly install any updates or patches provided by Apple or other software vendors to maintain the security of their devices.

However, the key takeaway from this example is that "zero-day" vulnerabilities are surfacing, and will keep surfacing, in Apple Watch and other wearables, and device vendors and app providers must always stay ahead of the hackers. An effective approach is to extend runtime app attestation and device integrity checks to wearables as well as phones.

Protecting Your iOS device is Not Enough

You may feel you have taken care of iOS security, but if attackers can find vulnerabilities in your wearables, or in an Android or HarmonyOS device which touches your APIs, they will exploit them. The only way to combat this risk is to ensure that comprehensive real-time app attestation and device integrity checks are applied systematically to every type of app and device which accesses your APIs.
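The principle above, that the API backend must demand the same attestation from every client platform rather than trusting a watch companion app more loosely than the phone app, can be shown with a small backend-side check. The following is an added example written for this post; it is not Approov's code, token format or API. It assumes a hypothetical `X-App-Attestation` header carrying a short-lived HMAC-signed token that an attestation service (not shown) minted after checking the app and device, a constructed shared secret, and a constructed app identifier; what matters is that the verification path is identical whether the token came from watchOS, iOS, Android or HarmonyOS.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo secret shared by the (hypothetical) attestation service and the API backend.
SHARED_SECRET = b"demo-secret-do-not-use-in-production"
# Every client platform that may call the API must present a token; none is exempt.
ALLOWED_PLATFORMS = {"ios", "watchos", "android", "harmonyos"}


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_attestation(app_id: str, platform: str, ttl_seconds: int, now: int,
                      secret: bytes = SHARED_SECRET) -> str:
    """Mint a short-lived token the way an attestation service would after its checks pass.
    Token layout (constructed for this example): base64url(JSON claims) '.' base64url(HMAC-SHA256)."""
    claims = {"app": app_id, "platform": platform, "exp": now + ttl_seconds}
    body = _b64url_encode(json.dumps(claims, separators=(",", ":"), sort_keys=True).encode())
    sig = hmac.new(secret, body.encode(), hashlib.sha256).digest()
    return f"{body}.{_b64url_encode(sig)}"


def verify_attestation(token: str, expected_app: str, now: int,
                       secret: bytes = SHARED_SECRET) -> tuple[bool, str]:
    """Return (ok, reason). The checks do not branch on the client platform:
    a watch token is held to exactly the same signature, app and expiry rules as a phone token."""
    try:
        body, sig = token.split(".", 1)
        presented_sig = _b64url_decode(sig)
        expected_sig = hmac.new(secret, body.encode(), hashlib.sha256).digest()
        # Constant-time comparison avoids leaking signature bytes through timing.
        if not hmac.compare_digest(expected_sig, presented_sig):
            return False, "bad-signature"
        claims = json.loads(_b64url_decode(body))
    except (ValueError, AttributeError):
        return False, "malformed"
    if claims.get("app") != expected_app:
        return False, "wrong-app"          # token minted for a different (e.g. cloned) app
    if claims.get("platform") not in ALLOWED_PLATFORMS:
        return False, "unknown-platform"   # platform the backend has no attestation policy for
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        return False, "expired"            # short lifetime limits replay of a captured token
    return True, "ok"


def handle_api_request(headers: dict, expected_app: str, now: int) -> tuple[int, dict]:
    """Gate a protected API call on a valid attestation token; 401 on anything else."""
    token = headers.get("X-App-Attestation")  # hypothetical header name
    if token is None:
        return 401, {"error": "attestation required"}
    ok, reason = verify_attestation(token, expected_app, now)
    if not ok:
        return 401, {"error": reason}
    return 200, {"data": "protected resource"}


if __name__ == "__main__":
    NOW, APP = 1_700_000_000, "com.example.shop"  # constructed values
    for platform in ("watchos", "ios"):
        tok = issue_attestation(APP, platform, 60, NOW)
        print(platform, handle_api_request({"X-App-Attestation": tok}, APP, NOW))
    print("no token", handle_api_request({}, APP, NOW))
```

The design point is that the watch app gets no special path: if the companion app on the watch cannot obtain a fresh, correctly signed token for the expected app identity, its request is refused exactly as a request from a cloned phone app would be.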

Approov is Your Partner as New Challenges Emerge

Approov has already proven to be a game-changer for clients. Real-world testimonials highlight tangible benefits, and quantifiable improvements in security measures underscore the effectiveness of the latest release.

Approov Mobile App and API Security Software Release 3.2 reaffirms our commitment to continued innovation in order to ensure there are no weak links for our customers.

This release is the first commercially available App Attestation Solution for Apple WatchOS to provide API Protection against emerging threats. 

In addition to the aforementioned features, the release also incorporates support for HarmonyOS, a highly anticipated mobile operating system developed by Huawei. This means that users can now seamlessly integrate their devices running on HarmonyOS with the Approov service, allowing for a more streamlined and efficient user experience.

Furthermore, the release introduces the deployment of extended global Points of Presence (PoPs). PoPs are strategically located data centers that help improve the performance and reliability of network services. By expanding the number of PoPs globally, the software can now offer enhanced connectivity and faster response times to users across different regions.

Additionally, the release focuses on improving the ease of deployment and administration of the software. This means that users will find it easier to install and set up the software on their devices, reducing the time and effort required for implementation. Moreover, the administration of the software has been enhanced, providing administrators with more intuitive and efficient tools to manage and monitor the system.

Overall, this release brings a range of new features and improvements, including support for HarmonyOS, extended global Points of Presence (PoPs), and enhanced ease of deployment and administration. These updates aim to improve the overall user experience and connectivity and to simplify management of the software. Approov's Runtime Application Self Protection (RASP) defenses are also strengthened by extending threat detection to cover the latest versions of the tools used by hackers to attack apps and APIs.

This release is a significant step forward in our dedication to enhancing security. By addressing threats such as bot attacks, mobile Man-in-the-Middle (MitM) attacks, account takeover (ATO), and other risks to mobile APIs, Approov aims to establish superior levels of protection. This comprehensive approach ensures that mobile applications can operate at their optimal performance while minimizing fraud and data breaches, and demonstrates our commitment to safeguarding sensitive data and maintaining the trust of our users.

We invite existing and potential users to upgrade to experience heightened security, global coverage, and an improved user experience. 

Upgrades to Approov Version 3.2 today are included as part of Approov’s Security-as-a-Service (SECaaS) Mobile Security platform. New customers can embrace the future of mobile app and API security by starting a free 30-day trial by registering at https://approov.io/signup/.



George McGregor, VP Marketing, Approov

George is based in the Bay Area and has an extensive background in cyber-security, cloud services and communications software. Before joining Approov he held leadership positions at Imperva, Citrix, Juniper Networks and HP.