Approov publishes a New Whitepaper on Apple, Google and Huawei Mobile App Security
We have been quite vocal about the shortcomings of the proprietary approaches to mobile app security from Apple, Google and Huawei. See these previous blogs:
We thought it was time to put our thoughts into a longer whitepaper that takes a look at all three in one place.
All of these solutions only work with specific platform/appstore pairs (iOS and Apple App Store, Android and Google Play, or HarmonyOS and Huawei Gallery). This means that there is significant overhead for an app developer to deploy these divergent solutions across multiple platforms.
But there are even better reasons to evaluate alternative solutions.
Monopolistic behavior of Apple and Google has had a tendency to stifle innovation in the mobile security space: by bundling “good enough” security in a highly proprietary way and hiding the cost within the fees charged to developers to be part of the ecosystem. There is no evidence at this time that Huawei plans to behave differently. For these players, locking in developers (and maintaining the developer revenue stream) often seems to be an objective which is equal in importance to keeping users safe.
Of course Google and Apple have attracted the attention of legislators around the world.
Regulation such as the EU’s DMA (Digital Markets Act), the UK’s DMCC (Digital Markets, Competition and Consumers Act 2024), and Japan’s SSCPA (Smartphone Act) is forcing these tech giants to permit alternative app stores and sideloaded apps and challenging monopolistic behavior. The proprietary security solutions from Apple, Google and Huawei do not work for sideloaded apps or alternative app stores.
But these players are still up to their old tricks. The Apple passive-aggressive response to the EU DMA led to the EU finding them in breach of the act and subject to a large fine.
It's not just Apple either. Google got a bit of a pass with the EU DMA since they already allow sideloaded apps but a close look at Google Play Integrity API documentation is quite revealing. The documentation for Google Play Automatic Integrity Protection (GAIP) states that “Automatic integrity protection may not be compatible with other runtime anti-tamper solutions, and trying to use them together may result in user issues”.
This looks very much like Google saying if you use other security solutions there will be negative consequences… This kind of language will certainly attract the attention of the various regulatory authorities!
In any case, proprietary attestation solutions from Apple, Google and Huawei provide limited security in very restrictive use-cases. The limitations in ease of integration, regional applicability, dependency on proprietary infrastructure, performance impacts, and occasional detection inaccuracies must all be carefully considered by developers and security teams seeking to deploy robust but cost effective security for mobile apps and APIs.
So our recommendation is that you should navigate a course to stay clear of these solutions. Evaluate and implement security you can depend on, independently of these large players, and follow a path that applies zero trust guidelines with “best-in-class” solutions, rather than security solutions that lock developers into an expensive ecosystem. There are excellent solutions available.
Anyway, with that said, now you can find a feature-by-feature comparison of Apple, Google and Huawei mobile app security solutions in one place with our whitepaper. We will keep it up to date so please subscribe to our newsletter to keep up with the latest news on mobile app security.
Compared with the three proprietary solutions we have evaluated, Approov provides a more robust dynamic attestation method which is combined with robust cryptographic methods and dynamic API key protection. This is done in a way that is independent of how apps are developed or deployed.
Approov are experts on the security of mobile apps and their APIs and we can help you extend your Zero Trust Architecture to mobile apps and devices.
