We're Hiring!

Rethinking Mobile App Security in Apple's Ecosystem


Apple has long maintained that the robust security measures built into its devices negate the need for additional protections. This confidence was highlighted by Kyle Andeer at a European Union workshop, where he asserted that third-party or even first-party security services were unnecessary thanks to Apple's integrated security. But is this assurance misleading, potentially leaving critical data at risk?

The Limitations of Built-In Security

While Apple's built-in security features such as sandboxing and system-level user controls are commendable, they primarily shield the device user rather than the applications themselves. This distinction is crucial as it overlooks a significant vulnerability: the security of backend data. Sophisticated cyber-attacks are often crafted by deciphering and exploiting the backend systems that support app frontends. These attacks can bypass even the most stringent device-focused security measures by targeting the data that apps interact with and store.

The Necessity of App Attestation

Effective defense against such vulnerabilities starts within the app through a process known as app attestation. This involves embedding security mechanisms directly into the app, ensuring interactions with backend systems are secure and authenticated. This proactive security measure is crucial for full app and API protection and mitigates risks associated with data breaches and unauthorized API access.

Apple's Approach and Its Shortcomings

Despite Apple's assurance of comprehensive security, their own app attestation service, App Attest, falls short when operated from a jailbroken device, highlighting a gap that could be exploited by malicious actors. This example underscores the need for a more layered approach to security, incorporating third-party services to bolster defenses against a wider array of threats.

Countermeasures and Market Impact

Security companies like Approov have developed advanced app attestation solutions that integrate dynamic API key delivery, certificate pinning, and defenses against runtime manipulation tools, offering a more robust security framework that Apple's ecosystem lacks. However, statements by Apple suggesting their built-in features are sufficient stifle the development and adoption of such innovative security solutions, potentially harming the broader app security market.

Conclusion: Embracing a Multi-Layered Security Approach

The rising number of disclosed API breaches and the increasingly sophisticated nature of cyber-attacks highlight the critical need for a multi-layered security approach. While Apple's built-in features provide a solid foundation, they are not foolproof. Developers and security professionals must look beyond these provisions and implement additional measures like app attestation to safeguard against evolving cyber threats. By embracing comprehensive security practices, the app development community can enhance protection for both users and data, ensuring trust and safety within the digital ecosystem.

Read the full Cyber Defense Magazine article.


Jae Hossell

- CTO of Approov
As an expert software architect and engineer, Jae brings a profound understanding of computer architecture, algorithms, data structures, and systems design. Over two decades of experience have allowed Jae to master a diverse range of technologies and skills including novel architectures, embedded and mobile operating systems, compilers, virtual machines, desktop applications, and comprehensive full-stack cloud-based services. Jae’s app-security expertise has evolved over the last 10 years, as he has immersed himself in the app-security space to continually advance and develop the Approov mobile security solution.