
Cybersecurity Implications of the Digital Markets Act & Apple iOS 17.4


The iOS mobile app environment is undergoing significant transformations, partly due to the European Union's introduction of the Digital Markets Act (DMA), which is effective starting in March 2024. This new EU law has prompted changes and updates in operating systems and app stores, which are now influencing the iOS development landscape. Specifically, the release of iOS 17.4 introduces substantial modifications to the App Store, sparking inquiries regarding its cybersecurity implications. In this article, we will delve into the core security concerns associated with iOS 17.4 alterations, particularly focusing on the issue of sideloading apps. Furthermore, we will explore the vital role that third-party attestation solutions can play in mitigating these risks and ensuring the security of sensitive user data, including payment information, in iOS apps that bypass Apple's payment system.

iOS 17.4 Changes and Security Implications

Apple made several changes to its App Store to comply with the EU law, including:

  • Allowing alternative app stores and sideloading, enabling users to install apps from sources other than Apple's App Store.
  • Allowing developers to use third-party payment processors in their apps, giving them more flexibility in processing app payments.
  • Allowing competing payment methods inside apps, enabling banks and shopping services to offer alternative payment options within their apps.
  • Providing new disclosures informing EU users of the risks associated with using alternative app stores and sideloading.

These alterations are a response to Apple's commitment to adhere to the Digital Markets Act (DMA) enforced in the European Union. The DMA's primary goal is to foster competition and enhance consumer options within the digital market. While several of these modifications are intended to enhance the user experience and introduce flexibility, they carry significant consequences for app security. More rigorous review processes require app developers to follow stricter guidelines, which may lead to apps being removed or their release delayed. A more pressing concern, however, emerges in the context of sideloading, particularly with respect to security.

Risks of Sideloading Apps

Sideloading, the practice of installing apps on an iOS device from sources other than the official App Store, has become more accessible with the introduction of iOS 17.4. While this newfound ease of sideloading may appear convenient, it raises significant security concerns on two fronts. Firstly, users might develop a false sense of security when downloading apps from sources other than the App Store, assuming they are safe merely because they are accessible through this method. Secondly, the backend APIs built to serve these apps can unwittingly be built with a false sense of security by assuming that incoming requests always originate from genuine mobile apps. These concerns become more pronounced because sideloaded apps bypass vital Apple security checks, such as DeviceCheck and App Attest. Apple, although reluctantly adapting to the EU legislation mandating these changes, continues to voice substantial apprehensions regarding potential security risks. In this evolving landscape, mobile app developers must consider alternative solutions outside the confines of the App Store's walled garden.

The Role of Approov in Mobile App Security

To counter the security risks posed by sideloading and other potential threats, organizations still need robust security measures. This is where third-party attestation solutions like Approov can come into play, so that both App Store apps and sideloaded apps can be checked for malware and tampering before they are trusted. Approov offers real-time app integrity checks, API protection, and threat prevention, making it a powerful tool in the fight against mobile app vulnerabilities, and it is especially useful in cases where the app is sideloaded. When it comes to API security, you are only as strong as your weakest link. Therefore all apps, even ones that are sideloaded, should be subjected to a rigorous set of checks for illicit modification and for bundled malware or spyware. This protects backend services from data breaches. It is important to recognize that this level of security protects all users, not just the ones using sideloaded apps.

Advantages of Using Approov

  • Real-Time App Integrity Verification: Approov conducts real-time verification of mobile app integrity, guaranteeing that only approved and unaltered apps can engage with your APIs. This swift response mechanism plays a pivotal role in promptly identifying and halting any malicious activities.
  • Comprehensive API Safeguarding: Approov goes beyond app-level security to fortify your APIs, preventing any unauthorized access and thwarting potential data breaches effectively.
  • Proactive RASP Threat Mitigation: Approov RASP is well-equipped to detect and counteract emerging threats, including those that might not have been foreseen during the initial development and launch of an app. This proactive stance ensures a higher level of security in an ever-evolving threat landscape.
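The backend side of the attestation model described above (the API must not assume a request comes from a genuine app, as noted under Risks of Sideloading Apps, and should only serve requests carrying a fresh token issued after an integrity check, as in the first advantage listed) can be illustrated with a small token gate. This is an added example, not Approov's own code or SDK: it assumes a short-lived HS256 JWT carrying an `exp` claim, a secret shared out of band between the attestation service and the backend, and a request header named `Approov-Token`; the minting function stands in for the attestation service and exists only so the demo runs offline.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo secret; a real deployment shares this with the attestation service out of band.
DEMO_SECRET = b"constructed-demo-secret-not-for-production"


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def make_attestation_token(secret: bytes, ttl_seconds: int, now: int) -> str:
    """Hypothetical minting step: stands in for the token an attestation service
    issues only after the app binary has passed its integrity check."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps({"exp": now + ttl_seconds}).encode())
    signing_input = f"{header}.{payload}".encode()
    sig = _b64url_encode(hmac.new(secret, signing_input, hashlib.sha256).digest())
    return f"{header}.{payload}.{sig}"


def verify_attestation_token(token: str, secret: bytes, now: int) -> bool:
    """Backend check: pin the algorithm, verify the HMAC in constant time, then
    enforce expiry. Any malformed input is rejected rather than raising."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        if header.get("alg") != "HS256":  # never let the token choose the algorithm
            return False
        expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
            return False
        payload = json.loads(_b64url_decode(payload_b64))
        return int(payload["exp"]) > now
    except (ValueError, KeyError, TypeError, AttributeError):
        return False


def handle_api_request(headers: dict, secret: bytes, now: int) -> tuple:
    """Gate a protected endpoint: without a valid token the request is refused,
    so a sideloaded or modified app cannot reach the API just by knowing its URL."""
    token = headers.get("Approov-Token", "")  # assumed header name
    if not verify_attestation_token(token, secret, now):
        return 401, "request not attributable to a genuine, unmodified app"
    return 200, "ok"
```

The short TTL matters as much as the signature: a token lifted from one genuine session is useless once it expires, which is why the check takes the current time as an explicit input.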

Approov's Role in Preventing Sideloaded Malicious Apps

One of the most significant benefits of Approov is its effectiveness in preventing malicious apps from infiltrating an organization's mobile ecosystem. By verifying the integrity of apps at runtime, Approov ensures that only genuine, unmodified apps can access your APIs and perform transactions. This capability is particularly crucial in countering the risks posed by sideloaded apps.

Safeguarding Payments Bypassing Apple's System

Choosing between Apple's payment system and third-party alternatives is a decision that demands careful consideration. While the risks associated with third-party systems are real, developers can mitigate them through thorough research, transparency, and a commitment to security. Ultimately, the goal is to develop secure apps that offer users a seamless and trustworthy payment experience, regardless of the chosen payment system. By striking the right balance between innovation and security, mobile developers can ensure their apps thrive in an ever-evolving digital landscape. With some iOS apps now bypassing Apple's payment system, Approov can provide that additional layer of security for protecting payments. It helps prevent payment fraud, stops bots from using stolen credentials, and ensures compliance with industry regulations.

Conclusion

In a rapidly fragmenting mobile app landscape, security remains paramount. The iOS 17.4 changes, particularly those related to sideloading, bring new challenges to the forefront. Third-party attestation solutions like Approov offer a robust defense against these threats. By providing real-time security, API protection, and threat prevention, Approov can help organizations protect their mobile applications and APIs effectively. While there may be some considerations and costs associated with implementing Approov, the security benefits can far outweigh the disadvantages. In an era where mobile app security is non-negotiable, Approov emerges as a cornerstone solution for leading organizations, ensuring the safety and trustworthiness of their mobile ecosystems.

Ted Miracco

- CEO of Approov
Ted’s high-technology experience spans 30 years in cybersecurity, electronic design automation (EDA), RF/microwave circuit design, semiconductors, and defense electronics.