A few weeks ago, a story about scammy iOS apps got a bit of attention from Techmeme and Daring Fireball, titled: "How to Make $80,000 Per Month on the Apple App Store: It’s far easier than you think. No luck or perseverance necessary."
The answer is very scammy “security” apps with expensive in-app subscriptions. The app featured in the article had an in-app subscription for a “virus scanner,” costing $100 per week, and apparently people were actually falling for it. This app and others mentioned in the article are no longer in the App Store, but we’ve all seen plenty of questionable apps before. Most of the time they aren’t actually exploiting any technical vulnerabilities, but they’re sure as heck not legitimate.
I first heard about this incident through Daring Fireball. John Gruber noted:
“There should be no “virus and malware” scanners in the App Store. None. iOS does not need anti-virus software. The App Store sandboxing rules mean that anti-virus software couldn’t really do anything useful anyway. And by allowing them to be listed on the store, it creates the false impression that Apple thinks you might need anti-virus software.”
I like and generally agree with John Gruber, but not here—I think this illustrates exactly why third-party mobile threat defense exists.
This brings up a few relevant points:
It’s true that generally, the vast majority of iOS users have been extremely safe from malware. That truly makes our lives better compared to the days when average users were befuddled by desktop antivirus updates and even at times afraid of their computers or the Internet.
But iOS vulnerabilities do crop up and have been exploited—for example, just look at the latest on the NSO Group from the New York Times. And with 2.2 million iOS apps in the Apple App Store, they’re not all going to be great. Some legitimate apps can put your enterprise data at risk, too.
Despite iOS app sandboxing, there are still things agent apps—with the same privileges as any other app—can do to check device and network integrity. The one caveat is that checking for app-based threats directly on the device is more difficult, since to get a list of installed apps you either have to use an agent that’s distributed as an enterprise-signed app or enroll devices in MDM.
Some very security-conscious organizations are going to want these protections, and they can choose from plenty of legitimate third-party mobile threat defense vendors. Examples I’ve spoken to recently include Lookout, Skycure, Zimperium, and Appthority.
Certainly today, the number of companies that go for this approach is very low. For example, in March MobileIron told me that only 0.6% of their customers use some sort of third-party mobile threat defense product. But on the other hand, the conversation around mobile threat defense is getting much more nuanced than it used to be, and there are many EMM and mobile threat defense partnerships and integrations out there.
I spoke about mobile threat defense at Synergy, and device attestation has been coming up frequently this week at the Cloud Identity Summit. Unfortunately, my Synergy presentation wasn’t recorded, but I’ll have an extensive 3-part article version ready sometime in the next few weeks.