Scam iOS apps illustrate the role of mobile threat defense

iOS and the Apple App Store really are very safe, but they’re not perfect. Some companies will want some third-party verification.

A few weeks ago, a story about scammy iOS apps got a bit of attention from Techmeme and Daring Fireball, titled: "How to Make $80,000 Per Month on the Apple App Store: It’s far easier than you think. No luck or perseverance necessary."

The answer is very scammy “security” apps with expensive in-app subscriptions. The app featured in the article had an in-app subscription for a “virus scanner,” costing $100 per week, and apparently people were actually falling for it. This app and others mentioned in the article are no longer in the App Store, but we’ve all seen plenty of questionable apps before. Most of the time they aren’t actually exploiting any technical vulnerabilities, but they’re sure as heck not legitimate.

I first heard about this incident through Daring Fireball. John Gruber noted:

“There should be no “virus and malware” scanners in the App Store. None. iOS does not need anti-virus software. The App Store sandboxing rules mean that anti-virus software couldn’t really do anything useful anyway. And by allowing them to be listed on the store, it creates the false impression that Apple thinks you might need anti-virus software.”

I like and generally agree with John Gruber, but not here—I think this illustrates exactly why third-party mobile threat defense exists.

This brings up a few relevant points:

It’s true that, generally, the vast majority of iOS users have been extremely safe from malware. That truly makes our lives better compared to the days when average users were befuddled by desktop antivirus updates and even at times afraid of their computers or the Internet.

But iOS vulnerabilities do crop up and have been exploited—for example, just look at the latest on the NSO group from the New York Times. And with 2.2 million iOS apps in the Apple App Store, they’re not all going to be great. Some legitimate apps can put your enterprise data at risk, too.

Despite iOS app sandboxing, there are still things agent apps—with the same privileges as any other app—can do to check device and network integrity. The one caveat is that checking for app-based threats directly on the device is more difficult, since to get a list of installed apps you either have to use an agent that’s distributed as an enterprise-signed app or enroll devices in MDM.

Some very security-conscious organizations are going to want these protections, and they can choose from plenty of legitimate third-party mobile threat defense vendors. Examples I’ve spoken to recently include Lookout, Skycure, Zimperium, and Appthority.

Certainly today, the number of companies that go for this approach is very low. For example, in March MobileIron told me that only 0.6% of their customers use some sort of third-party mobile threat defense product. But on the other hand, the conversation around mobile threat defense is getting much more nuanced than it used to be, and there are many EMM and mobile threat defense partnerships and integrations out there.

I spoke about mobile threat defense at Synergy, and device attestation has been coming up frequently this week at the Cloud Identity Summit. Unfortunately, my Synergy presentation wasn’t recorded, but I’ll have an extensive 3-part article version ready sometime in the next few weeks.

1 comment

Unfortunately, the reality of the MTP solutions’ limitations and whether their capabilities are truly needed all need to be based on an enterprise review of understanding the risk: impact and probability.

Recognising the sandboxing approaches and closed eco-system for Apple iOS, and Google’s Verify, SafetyNet and verified boot, the probability is low across the main threat vectors (malware protection, OS vulnerabilities, web-based threats and network protection). Network protection is probably the highest, given how easily you can initiate man-in-the-middle attacks on both OSes with e.g. WiFi Pineapple devices.

There are of course further mitigations that can be introduced to reduce the probabilities with best-practice MDM/EMM profiles, e.g. to prevent side-loading etc., further reducing the likelihood, and both Apple and Google share these best-practice recommendations for configuring the EMM profiles.

Not least, organisations need to be mindful that tech isn’t the only answer to prevention: education of your employees can go a long way to mitigate the risks that can be exposed.