Industry executives and experts share their predictions for 2023. Read them in this 15th annual VMblog.com series exclusive.
Mobile App Sec Will Move Beyond Jailbreak and Root Detection in 2023
By Ryan Lloyd, Chief Product Officer, Guardsquare
Jailbreaking (iOS) and rooting (Android)
devices have long been strategies that tech-savvy end users have implemented to
gain higher administrative privileges, allowing them greater control over their
phone or tablet. With that control, they can customize nearly every aspect of
the device's user interface (UI), sideload or install apps that aren't
approved by Google Play or the Apple App Store, add new features to older devices,
test mobile apps for weaknesses, and more. Unfortunately, this also disables
many of the built-in protections provided by the operating system (OS).
While both Apple
and Google take a strong stance against this
practice, it technically isn't illegal. However, its popularity with
attackers has caused many mobile app developers to rely heavily on this threat
indicator as a security precaution, programming their apps to limit the user or
crash the app when a jailbroken or rooted state is detected.
For several reasons, developers are
recognizing that jailbreaking and rooting are difficult to prevent, and
centering your mobile app security strategy around them won't be sufficient
moving forward.
Three Reasons Mobile App Security Will Move Away from Jailbreak and Root Detection
#1 Inconclusive indicator of intent to reverse engineer or tamper with an app
While Android users can download many apps
from sources other than Google Play, iOS restricts users to only those provided
within the Apple App Store. If an iPhone owner wants greater freedom in how
they use their phone, they may choose to jailbreak the device. There are many reasons for jailbreaking and rooting devices
that don't automatically imply malicious activity.
For example, someone may download a mobile
gaming app from an unofficial, third-party app store, in order to avoid in-game
ads, freely access paid features, and implement cheat codes. These games are
not made or approved by the device's manufacturer and must be sought elsewhere,
requiring that the device be jailbroken/rooted.
Unfortunately, users such as these often
trigger a false indication of intent within jailbreak detection mechanisms.
While these mechanisms may have correctly flagged a potentially risky device, they lack the
capability to differentiate between real threat actors and users who are simply
seeking gaming advantages or to unlock paid features. Booting the latter from
your mobile banking or mHealth app, for example, could be incredibly
inconvenient and lead to a poor UX overall.
#2 Evasive techniques are constantly being developed
While some users jailbreak or root their
mobile device without the intent to cause harm, there are many who do so for
malicious purposes, such as pirating apps, music, and software or accessing a
broader and more powerful array of hacking tools.
Historically, the wide net cast by a mobile
app's jailbreak or root detection process could swiftly identify and block
these threat actors. However, in recent years, more sophisticated jailbreak
detection bypass tools have come into play, allowing these actors to conceal their
jailbroken state or circumvent a mobile app's detection mechanisms.
Without additional protections, these
malicious users can (and do) continue to operate outside the usual OS
functionality. From there, they can reverse engineer or clone your app and
utilize other tools to gain access to sensitive data.
#3 TrollStore makes it easier than ever for users to install modded apps
With the launch of each new version of their
operating systems, iOS and Android have done their best to make their devices
more difficult to jailbreak or root, but new privilege escalation exploits
continue to emerge.
One example is TrollStore, the new iOS tool that came onto
the market in September of this year. TrollStore makes downloading cloned or
modded mobile apps easier than ever without requiring that a user jailbreak
their device. This enables them to bypass both repackaging prevention and
jailbreak detection.
For these reasons, developers will need more
sophisticated mechanisms than jailbreak detection when
establishing the security posture of their mobile app.
Mobile App Sec Will Shift in a New Direction in 2023
Moving into 2023, we'll see growing awareness
in the mobile app development community about the true nature of jailbroken and
rooted devices. With increasingly sophisticated jailbreaking and cloaking
mechanisms, developers cannot assume that jailbreak detection can also
determine malicious intent or that malicious intent requires a jailbroken
device. Developers need to ensure their apps have more thorough and
sophisticated protection mechanisms.
Developers will increasingly implement a
multi-layered protection strategy, based on a three-pronged approach that
includes:
- Integrating security testing earlier in the development lifecycle, ensuring vulnerabilities are mitigated and the app is more difficult to compromise even when running on a compromised mobile device.
- Layering protection measures, such as code hardening and robust runtime application self-protection (RASP), with an appropriate set of protections for the threat model.
- Continuously monitoring the app after launch to identify threat actors and security gaps.
One thing is certain: developers can no longer
rely on jailbreak/root detection as a holistic prevention mechanism. They need
more robust, layered security measures or their mobile applications may fall
prey to threat actors taking advantage of vulnerabilities.
## ABOUT THE AUTHOR
Ryan Lloyd, Chief Product Officer, Guardsquare
Ryan leads the product team at Guardsquare. In his role, he is responsible for
overseeing the product vision and strategy. As an experienced, strategic
product management executive with a background in software engineering, Ryan is
focused on ongoing innovation, partnering with the world's leading enterprises
and finding innovative ways to shine a light on the challenges and
opportunities in mobile application security. Prior to joining Guardsquare,
Ryan led product management teams at Veracode, SmartBear, PTC and MKS.