Scam iOS apps illustrate the role of mobile threat defense

A few weeks ago, a story about scammy iOS apps got a bit of attention from Techmeme and Daring Fireball, titled: "How to Make $80,000 Per Month on the Apple App Store: It’s far easier than you think. No luck or perseverance necessary."

Download this free guide

Download: Our 17-Page Mobile Application Management Report

Inside this exclusive report, industry experts reveal commonly overlooked best practices for mobile application delivery and management to help you tackle the influx of mobile devices, new applications and data security demands in your enterprise.

Start Download

• Corporate E-mail Address:

  You forgot to provide an Email Address.

  This email address doesn’t appear to be valid.

  This email address is already registered. Please login.

  You have exceeded the maximum character limit.

  Please provide a Corporate E-mail Address.

• • I agree to TechTarget’s Terms of Use, Privacy Policy, and the transfer of my information to the United States for processing to provide me with relevant information as described in our Privacy Policy.

  Please check the box if you want to proceed.

• • I agree to my information being processed by TechTarget and its Partners to contact me via phone, email, or other means regarding information relevant to my professional interests. I may unsubscribe at any time.

  Please check the box if you want to proceed.

By submitting my Email address I confirm that I have read and accepted the Terms of Use and Declaration of Consent.

The answer is very scammy “security” apps with expensive in-app subscriptions. The app featured in the article had an in-app subscription for a “virus scanner,” costing $100 per week, and apparently people were actually falling for it. This app and others mentioned in the article are no longer in the App Store, but we’ve all seen plenty of questionable apps before. Most of the time they aren’t actually exploiting any technical vulnerabilities, but they’re sure as heck not legitimate.

I first heard about this incident through Daring Fireball. John Gruber noted:

“There should be no “virus and malware” scanners in the App Store. None. iOS does not need anti-virus software. The App Store sandboxing rules mean that anti-virus software couldn’t really do anything useful anyway. And by allowing them to be listed on the store, it creates the false impression that Apple thinks you might need anti-virus software.”

I like and generally agree with John Gruber, but not here—I think this illustrates exactly why third-party mobile threat defense exists.

This brings up a few relevant points:

It’s true that generally, the vast majority iOS users have been extremely safe from malware. That’s truly makes our lives better compared to the days when average users were befuddled by desktop antivirus updates and even at times afraid of their computers or the Internet.

But iOS vulnerabilities do crop up and have been exploited—for example, just look at the latest on the NSO group from the New York Times. And with 2.2 million iOS apps in the Apple App Store, they’re not all going to be great. Some legitimate apps can put your enterprise data at risk, too.

Despite iOS app sandboxing, there are still things agent apps—with the same privileges as any other app—can do to check device and network integrity. The one caveat is that checking for app-based threats directly on the device is more difficult, since to get a list of installed apps you either have to use an agent that’s distributed as an enterprise-signed app or enroll devices in MDM.

Some very security-conscious organizations are going to want these protections, and they can choose from plenty of legitimate third-party mobile threat defense vendors. Examples I’ve spoken to recently include Lookout, Skycure, Zimperium, and Appthority.

Certainly today, the number of companies that go for this approach is very low. For example, in March MobileIron told me that only 0.6% of their customers use some sort of third-party mobile threat defense products. But the other hand, the conversation around mobile threat defense is getting much more nuanced than it used to be, and there are many EMM and mobile threat defense partnerships and integrations out there.

I spoke about mobile threat defense at Synergy, and device attestation has been coming up frequently this week at the Cloud Identity Summit. Unfortunately, my Synergy presentation wasn’t recorded, but I’ll have an extensive 3-part article version ready sometime in the next few weeks.