Developers: Are You Relying on OS Sandboxes for Security? Research Reveals Excessive Risk

By Neal Michie
Posted on October 15, 2020
Application Security

Mobile applications run within a sandbox. The sandbox is provided by the operating system (OS) and is intended to isolate each application, keepingthe code and data safe from prying eyes.

But what if the sandbox isn’t as secure as you think? Would that change your attitude when it comes to the security of your company’s apps?

A False Sense of Security

Verimatrix provides security solutions for some of the toughest industries, including Finance, Media and Entertainment, and Healthcare. From this unique view point, Verimatrix has been able to gather security data from awide range of mobile apps for a forthcoming security monitoring service.

Based on review and analysis of 75 million unique security events collected over the last 6 months*, it is clear that app developers cannot simply rely on operating system sandboxes for their app security. Putting too much trust in sandboxes can expose the apps running within them to excess risk.

Outdated Operating Systems

Security researchers regularly find vulnerabilities within Android and iOS. Google and Apple do a great job of quickly addresses these vulnerabilities and updating the operating systems – a process often known as “patching” – further hardening the sandboxes.

Actually, considering the complexity of a modern smartphone operating system, the number of vulnerabilities found is surprisingly low. A lot of credit goes to the developers and security teams at Apple and Google for that.

For a patch to be effective, it must be installed on the end user’s device.Though patches and updates are increasingly auto-installed, data still shows that 18.7% of devices are running an outdated OS version – which means that these are running with known vulnerabilities**.

For those familiar with Apple’s aggressive rollout of new versions of its Operating Systems, it should come as no surprise that Android devices are3 times more likely to be running an outdated OS version.

These rates are similar with little variation across the continents; though in Africa there is a slightly higher prevalence of older phones with older OS versions.

Rooted Devices

“Rooting” a phone is the act of giving applications and/or the user increased privileges. In effect, this means removing the sandboxes the operating systems puts around applications.

Attackers use rooting as a means to better understand how an app executes (which is known as “dynamic analysis”) or to modify an app’s behaviour while it is running (e.g. to cheat a game).

Rooting is not always carried out for malicious intent; many users root their phones to simply get more control over their device (e.g. to change the look-and-feel of the operating system). When users root their phone, they increase the risk of malware attacking legitimate apps.

Verimatrix’s data shows that globally, 36 out of every 1000 Android devices are rooted.

On iOS, “jailbreaking” is the term used; but the effect is the same rooting. While it is possible to jailbreak even the latest iPhones, the phenomenon is less popular than rooting Android devices.

There is a wide variation in prevalence of rooting around the world. In Europe, it is as low as 10.7 per 1000 Android devices, whereas in South America it is 83.7 per 1000.

A World on Fire

There was a substantial number Amazon Fire devices in the data set (which are excluded from the figures above).

Amazon’s Fire OS is based on Android.

Interestingly, rooting Amazon Fire devices is virtually non-existent with less than 1 per 1000 devices rooted. It’s not all good news though– 62% of Fire devices are running an Operating System based on Android 5, which was released in 2014.

Self-Defending Apps

At Verimatrix, we are fully aware how easy it is to lift an application off a phone, taking it out of its “secure” sandbox in preparation for reverse engineering. Even seasoned security professionals are often surprised when we demonstrate extracting and reverse engineering an app in a matter of minutes using freely available tools.

As such, we’ve long advocated the need for apps to protect themselves from reverse engineering using app hardening tools.

*5th March 2020 to 24th September 2020
**Outdated on iOS means OS version released before 24th September 2019; for Android it means running earlier than Android 8.

Do you have questions about applications and content security?

Book a call with one of our experts

Want to keep up with Verimatrix news?

View by Category

Recent Posts

Esports Through the Lens of Team 7am

The image of the gamer secluded in the solitude of his room, in front of his computer playing 24/7, may still be the norm for some, but certainly not for professional gamers and most definitely not if they play and work within an esports squad, such as Euro-American Team 7am.

Mobile Apps Are at Risk for Static and Dynamic Attacks

Mobile apps have become an ubiquitous presence in our lives. We use them to check our investment portfolios, order meals, and even find dating partners. But as we increasingly rely on these apps to manage our personal and professional lives, businesses struggle to prevent cyber attacks originating from within the app, and from the billions of app-connected devices.

Rock Concerts, Blind Spots and a Widening Attack Surface

We are living in a mobile-first world, and the explosion of mobile applications is nothing short of remarkable. We’re talking about 6-7 million apps on the Google Play and Apple App stores alone.

ChatGPT: Friend or Foe?

The reward of engaging with a loyal customer base doesn’t come without risk. Hackers, often highly resourced cybercriminal gangs, recognize that mobile apps provide a gateway into the enterprise. As awareness grows about this risk, enterprises are increasingly seeking solutions to secure and protect their mobile apps.