Securing iOS Apps Post-DMA: Quick Steps for Enterprise Protection

The Digital Markets Act has changed the landscape for iPhone consumers in ways that are both good and bad. It also made the process of securing apps a bit more complicated for Global 2000 companies. For more on general implications for both consumers and enterprises who develop apps for the iPhone, check out our March blog post on the European Cathedral and Bazaar.
In what way did the DMA make life more complicated for enterprises? The DMA mandates that third parties (meaning someone other than the phone maker) can legally offer mobile apps for sale in their own (non-Apple) app stores. This mandate inadvertently opens a door for threat actors to modify apps that they download from the Apple App Store and then redistribute those modified apps on a third-party app store. The goal is to deceive end-users into believing that the redistributed app is the official version released by its owner, which increases the risk of unauthorized distribution and of security breaches against those users. This attack vector is not uncommon for Android apps because Google has historically allowed third-party app stores to exist.
It just so happens that Digital.ai Application Security is essentially designed to prevent the type of app modification that the DMA inadvertently allows. In fact, we’ve been preventing this threat vector for as long as third-party mobile app stores have existed. We achieve this through a combination of many obfuscations and our Signature Verification guard, which provides a specific and effective defense.
To fully grasp how Digital.ai helps enterprises prevent this type of attack, it is essential to first understand how threat actors perpetrate it. The threat actor must reverse engineer the app to understand its behavior, modify the app to harvest credentials or perform other malicious actions, and re-sign the modified app before uploading it to the third-party app store.
How does Digital.ai help? We provide tools to obfuscate app code. Using strong obfuscation helps frustrate reverse engineering, but we can apply additional security measures. You can use the Signature Verification guard to ensure that the digital signature on the app at runtime matches the secret digital signature that the author originally used to sign the app. If those signatures don’t match, your app can shut down before an unwitting user falls prey to the attack.
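The following is an added illustration, not Digital.ai's code or the actual Signature Verification guard, of why a runtime signature check defeats the third step of the attack: the app pins the author's public key, so a modified binary fails verification whether the attacker leaves the old signature in place or re-signs with a key of their own. The bundle contents, keys and the `VerifyAtLaunch` helper are all constructed for this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"fmt"
)

// SignedBundle stands in for a distributed app: its code plus a signature
// over the SHA-256 digest of that code.
type SignedBundle struct {
	Code      []byte
	Signature []byte
}

func digest(code []byte) []byte {
	h := sha256.Sum256(code)
	return h[:]
}

// Sign produces the bundle an author (or, later, an attacker) ships.
func Sign(priv ed25519.PrivateKey, code []byte) SignedBundle {
	return SignedBundle{Code: code, Signature: ed25519.Sign(priv, digest(code))}
}

// VerifyAtLaunch models the guard: only the pinned author key is trusted,
// so a signature from any other key is rejected even if it is valid.
func VerifyAtLaunch(pinned ed25519.PublicKey, b SignedBundle) bool {
	return ed25519.Verify(pinned, digest(b.Code), b.Signature)
}

// Scenario returns the guard's verdict for the original app, a modified
// copy that keeps the original signature, and a modified copy re-signed
// by the attacker.
func Scenario() (okOriginal, okTampered, okResigned bool) {
	authorPub, authorPriv, _ := ed25519.GenerateKey(nil) // constructed author identity
	original := Sign(authorPriv, []byte("official app v1"))
	okOriginal = VerifyAtLaunch(authorPub, original)

	// Attack step 2: the binary is modified but still carries the old signature.
	tamperedCode := append(append([]byte(nil), original.Code...), []byte(" modified")...)
	okTampered = VerifyAtLaunch(authorPub, SignedBundle{Code: tamperedCode, Signature: original.Signature})

	// Attack step 3: the attacker re-signs with their own key before redistributing.
	_, attackerPriv, _ := ed25519.GenerateKey(nil) // constructed attacker identity
	okResigned = VerifyAtLaunch(authorPub, Sign(attackerPriv, tamperedCode))
	return
}

func main() {
	a, b, c := Scenario()
	fmt.Printf("original=%v tampered=%v resigned=%v\n", a, b, c) // original=true tampered=false resigned=false
}
```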
For specific guidance on better protecting your organization's apps for your end customers, consider using the Signature Verification guard that is available with your Digital.ai Application Security for Mobile license. Read on for an overview of how to invoke the Signature Verification guard, or, if you are an existing customer, jump straight into our Technical Documentation for extended Signature Verification instructions.