How are sideloading on iOS and app repackaging vulnerabilities shifting the mobile security landscape? An objective analysis of Android vs. iOS security in 2024—based on the latest research findings.
For years, there’s been a prevailing belief that iOS is leagues ahead of Android when it comes to mobile security. Apple has cultivated an image of their devices being virtually “impenetrable fortresses,” protecting users from the malware and security vulnerabilities that seem to plague the more open Android ecosystem.
However, recent developments and new research findings are questioning that assumption. With the introduction of sideloading on iOS to comply with regulations like the Digital Markets Act, and eye-opening vulnerability data around app repackaging attacks, it's becoming clear that iOS's security may not be as bulletproof as we've believed.
So, which mobile platform will be more secure in 2024? In this article, we'll explore the sentiments around iOS and Android security and try our hand at an objective assessment.
Apple has long positioned iOS as the more secure, enterprise-friendly mobile operating system. There are a few key factors contributing to this perception:
One of the core differences between iOS and Android is how closed or open their ecosystems are. iOS devices are very restricted in terms of what users can do to modify the software and operating system. In contrast, Android users have greater freedom to customize their devices, root them, sideload apps to remove restrictions, and more.
Another perceived security advantage of iOS has been Apple's strict control over app distribution through the official Apple App Store. All iOS apps had to undergo an intensive review process by Apple before being approved for distribution. Compare that to Android, which allows sideloading and app installs from third-party sources right out of the box. Sure, the Google Play Store has its vetting process, but the permissive nature of Android means apps can more easily bypass those checks and filters.
Apple's silicon-level security, such as the Secure Enclave, appeared to provide encryption and key-protection capabilities at the deepest system level on iOS devices. However, since Android 4.3 (Jelly Bean), Android devices have offered hardware-backed secure code execution through a trusted execution environment (TEE) built on CPU features such as Arm TrustZone, comparable to the Secure Enclave.
So, while Apple put a great deal of thought and effort into security while designing iOS and the surrounding ecosystem, new findings poke holes in the belief that iOS is significantly more secure than Android.
One of the biggest potential disruptions to the iOS security model is the requirement to allow third-party app stores and sideloading to comply with the Digital Markets Act (DMA), which came into force for designated "gatekeepers" like Apple on March 7th, 2024. Here’s how the DMA is impacting iOS sideloading and app security.
Before the DMA took effect, the only way to install apps on an iOS device was through Apple's official App Store, which allowed Apple to vet apps before distribution — serving as a chokepoint to filter out malware and malicious apps. With sideloading allowed, users can download and install apps from third-party sources without Apple's oversight.
This could provide new avenues for malware to spread on the iOS ecosystem in ways it hasn't been able to before. However, Apple is implementing measures to maintain control and security. Here’s how:
One of the ways Apple plans to secure sideloaded apps is through a "notarization" process for any apps deployed outside the official App Store. This will be done by running some form of automated security checks and reviews. Any app that fails the notarization process will be blocked from being sideloaded and installed on iOS devices.
Of course, we have no idea how thorough and effective this notarization process will be in practice. If it's stringent enough, it could mitigate many of the security risks associated with sideloading. But if it has flaws or blind spots that malware authors can exploit, sideloading introduces a new iOS attack vector.
Apple is relying on its app sandboxing controls. The idea is that even if a malicious app makes it through notarization and gets sideloaded onto an iOS device, the harm it can actually do will be restricted due to sandboxing.
iOS has had sandboxing rules in place for isolating apps and preventing them from accessing data outside of their contained environment. And with each new version, Apple continues to enhance and harden these controls. But sandboxing on any platform is never perfect. Security researchers routinely find sandbox escape exploits for both iOS and Android that allow malware to bypass these controls. This means even the most advanced sandboxing implementation isn't an ironclad guaranteed defense.
Finally, Apple still maintains its requirements around code signing and integrations with hardware security capabilities like the Secure Enclave. Any sideloaded apps will need to be properly code-signed to run on iOS devices. And remember, the sandboxing, encryption, and other protections derived from Apple's proprietary silicon are still in place.
The short version is that Apple is trying to extend many of the existing security controls that provided its historical advantage to the new sideloading reality. How effective this is remains to be seen.
While not widely known, even before the sideloading policy changes there were already methods to load apps on iOS outside of the App Store using Enterprise certificates or ad-hoc distribution provisioning. This process requires an active Apple developer account and the submission of identifying information to Apple, which acts as a deterrent for malicious actors.
To bypass this, a "black market" emerged, not just for leaked or stolen enterprise certificates but also for legitimate certificates being misused. Some companies obtained legitimate enterprise certificates from Apple but then illicitly allowed anyone to use these certificates to install arbitrary apps on iOS devices for a fee. Of course, this violates Apple's policies and is considered malicious behavior.
Regardless of whether the certificates were stolen or legitimately obtained but misused, this black market enabled loading any app on iOS devices outside of Apple's oversight. Apple tried to combat this by revoking certificates from accounts exhibiting such malicious activity. But with sideloading now officially allowed, policing and distinguishing legitimate from illegitimate sideloading attempts will likely become even more difficult.
While some of the implications of sideloading on iOS security are still theoretical at this point, new vulnerability research is providing some objective data that challenges traditional assumptions about iOS being more secure than Android.
For our report on the state of iOS app security, we analyzed the top 100 most downloaded apps for both iOS and Android to test their vulnerability to repackaging attacks.
The results were surprising. A whopping 93% of the top iOS apps were vulnerable and could be successfully repackaged. Some of these repackaged iOS apps have been downloaded over 5 billion times in the past year. In contrast, only 62% of the top Android apps were vulnerable to repackaging under the same testing conditions.
Though distributing repackaged malicious iOS apps required jumping through additional hoops (like enterprise provisioning), which made widespread dissemination difficult, the high vulnerability rate is still concerning from a security research and intellectual property protection standpoint.
Repackaged iOS apps could expose app secrets, vulnerabilities, and proprietary code. And with sideloading now permitted, repackaged malicious iOS apps have a clearer path to installation on user devices. So, while the pre-DMA repackaging threat was more contained on iOS, it foreshadowed bigger risks once the platform opened up.
This research was conducted before Apple began allowing sideloading on iOS as part of the DMA. If anything, the security situation may be worse going forward. These findings suggest that app developers have prioritized security measures and repackaging protections more diligently on the Android side, specifically because of the more hostile app environment. On iOS, there was a misplaced assumption that App Store review and sandboxing alone provided sufficient security.
This complacency on the part of iOS developers aligns with the app threat report polling carried out in our webinar on iOS vs. Android security, where most respondents said their mobile security efforts skew heavily toward prioritizing Android over iOS. The perception of an iOS security advantage has paradoxically opened the door to iOS apps having worse real-world vulnerabilities. Developers haven't invested equivalent resources into app hardening and anti-repackaging measures on iOS.
So, given all of these new variables and the rapidly shifting mobile security landscape, how does the overall security comparison between iOS and Android shake out in 2024?
If we look at a default, unmodified installation of the latest iOS and Android versions in 2024, iOS likely still has a slim security advantage at the OS level. Apple's long-standing security philosophies of data isolation, hardware integration, and heavy restriction of what's allowed create a very secure baseline. But Android has also been making strides in enhancing app sandboxing and data isolation capabilities with each new release.
The security gap between the two platforms at the operating system level is narrowing. New sideloading and notarization processes on iOS could open up fresh attack surfaces and reduce Apple's control within a couple of years. So this baseline iOS advantage may be relatively short-lived as Android continues fortifying its defenses and Apple is forced to loosen restrictions to comply with the DMA.
When we start looking at the security of individually installed apps and the app ecosystem, the advantage seems to flip in Android's favor based on our app threat report data. By prioritizing app shielding, obfuscation, anti-repackaging defenses, and other hardening techniques for Android apps out of necessity, those apps demonstrate considerably lower vulnerability rates than unprotected iOS apps. If iOS developers maintain their relatively lax security stance as sideloading proliferates, the third-party app threat level on iOS could skyrocket. Prudent investment in app shielding controls would mitigate this risk on iOS.
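As an added example (not code from the article, and not any vendor's shielding product), the following Python sketch shows the integrity half of an anti-repackaging control of the kind this paragraph refers to: a build-time manifest of per-file hashes, authenticated with a hypothetical build key, is checked at runtime against the installed bundle, and a simulated repackaging edit shows what the check surfaces. The bundle paths, file contents and key are all constructed.

```python
import hashlib
import hmac

# Constructed stand-in for an iOS app bundle (path -> file bytes); not a real app.
ORIGINAL_BUNDLE = {
    "Payload/Example.app/Example": b"\xcf\xfa\xed\xfe placeholder for the main binary",
    "Payload/Example.app/Info.plist": b"<plist><dict><key>CFBundleIdentifier</key><string>com.example.app</string></dict></plist>",
    "Payload/Example.app/config.json": b'{"api_base": "https://api.example.invalid"}',
}
# Hypothetical build-time key; in a shipped app it has to be assumed extractable.
BUILD_KEY = b"constructed-build-key"

def _manifest_mac(digests, key):
    # MAC over the sorted (path, digest) list so the file list itself cannot be edited silently.
    serialized = "\n".join(f"{p}:{d}" for p, d in sorted(digests.items())).encode()
    return hmac.new(key, serialized, "sha256").hexdigest()

def build_manifest(bundle, key):
    """Hash each bundled file at build time and authenticate the resulting list."""
    digests = {path: hashlib.sha256(data).hexdigest() for path, data in bundle.items()}
    return {"files": digests, "mac": _manifest_mac(digests, key)}

def verify_bundle(bundle, manifest, key):
    """Runtime check: return findings; an empty list means the bundle matches the manifest."""
    findings = []
    if not hmac.compare_digest(_manifest_mac(manifest["files"], key), manifest["mac"]):
        findings.append("manifest: MAC mismatch")
    for path, digest in manifest["files"].items():
        if path not in bundle:
            findings.append(f"missing: {path}")
        elif hashlib.sha256(bundle[path]).hexdigest() != digest:
            findings.append(f"modified: {path}")
    for path in bundle:
        if path not in manifest["files"]:
            findings.append(f"added: {path}")
    return findings

def simulate_repackaging(bundle):
    """Constructed imitation of how a repackaged build differs: one edited resource, one extra file."""
    modified = dict(bundle)
    modified["Payload/Example.app/config.json"] = b'{"api_base": "https://redirected.invalid"}'
    modified["Payload/Example.app/Frameworks/Extra.dylib"] = b"\xcf\xfa\xed\xfe placeholder"
    return modified

MANIFEST = build_manifest(ORIGINAL_BUNDLE, BUILD_KEY)

if __name__ == "__main__":
    repackaged = simulate_repackaging(ORIGINAL_BUNDLE)
    print("original:  ", verify_bundle(ORIGINAL_BUNDLE, MANIFEST, BUILD_KEY))  # []
    print("repackaged:", verify_bundle(repackaged, MANIFEST, BUILD_KEY))
```

The check passes again if a repackager extracts `BUILD_KEY` and regenerates the manifest for the modified bundle, which is why shielding products pair such integrity checks with obfuscation of the check itself and, where possible, server-side verification rather than relying on the hash comparison alone.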
Both Apple's App Store and Google's Play Store have measures in place to review and vet apps before they are made available for download. The effectiveness of these measures can vary, and malware has occasionally slipped through the cracks on both platforms.
Apple's App Store review process is widely regarded as more stringent. But high-profile incidents—like the fake LastPass app that managed to slip through Apple's review process—highlight the limitations of even the most robust screening mechanisms. Google, on the other hand, has faced criticism for the prevalence of malware on the Play Store, despite the company's efforts to improve its detection and removal processes. Google Play Protect, Android's built-in malware scanner, has been instrumental in identifying and removing harmful apps, but it's not a foolproof solution.
From a user's perspective, one could argue that Android's transparent model is a net positive for security. Advanced users maintain more freedom, control, and visibility into what's actually running on their devices. iOS, by contrast, is essentially a "black box" in which users must trust that Apple performs proper security vetting and enforcement. If there are flaws or lapses in Apple's processes, the user has no recourse.
We're seeing that the security dynamics between iOS and Android are far more nuanced and complex than conventional belief suggests. In 2024, neither iOS nor Android will clearly emerge as the definitive, more secure platform. It really depends on the specific context, use case, user profile, app requirements, and security posture of the device and app publishers.
Arguably, the most dangerous reality is if iOS developers and enterprises maintain the flawed assumption that they don't need to apply rigorous mobile app security controls on that platform. That line of thinking allowed 93% of top apps to be vulnerable to repackaging in the first place. If iOS users, developers, and enterprises become complacent as the platform opens up to sideloading, they'll validate Android's historical security reputation. But if they get ahead of the curve and implement appropriate shielding and anti-repackaging technology, it could re-establish iOS as the more hardened platform.