Approov Identifies and Addresses Apple Watch Security Issues

Approov, the leader in mobile security, today revealed new data indicating that watches, wearables and new devices are now the weakest link in the mobile app threat landscape.

Key findings include:

• Watches and other wearables now communicate directly with backend APIs and services.
• An Apple Watch "zero-day" vulnerability was uncovered in September 2023.
• Unless protected, watches and wearables will become a rich attack vector for hackers.
• Approov extends its mobile RASP to Watch OS to prevent exploitation of any new zero-day vulnerabilities.

The findings were released in today's Approov blog "Approov Addresses Apple Watch Security Issues" at this link: https://approov.io/blog/apple-watch-security-issues

Apple and MIT recently published a study indicating that 2.6 billion personal records were exposed through data breaches over the last two years. These findings underscore the need for protecting data in the cloud through mobile attestations and improved API security.

Approov, a trailblazer in mobile app and API security, addresses this threat directly with Release 3.2. The release introduces groundbreaking features, including the first commercially available App Attestation Solution for Apple WatchOS to provide API Protection against emerging threats.

The release also includes Harmony OS support and deployment of extended global Points of Presence (PoPs), and improved ease of deployment and administration.

Approov's Runtime Application Self Protection (RASP) defenses are also strengthened by extending threat detections to include the latest versions of tools used by hackers to attack apps and APIs.

"The newly released Apple Watch Series 9 and Ultra 2 will certainly be the gift of choice this Christmas. However, as watches and wearables proliferate and communicate directly with backend APIs, attack surfaces are exposed on these devices," said Approov CEO Ted Miracco. "You are as strong as your weakest link and taking care of mobile app security is worthless if an attacker finds a path from a wearable to your APIs and exposes you to potential data loss, malware injection, Man-in-the-Middle attacks, credential stuffing or DDoS attacks."

The danger is real: In September, Citizen Lab found an actively exploited zero-click Apple vulnerability which was used to deliver NSO Group's Pegasus mercenary spyware. Apple acknowledged the threat to all their devices, issuing a specific WatchOS Security briefing (https://support.apple.com/en-mide/106360) on November 9 concerning a vulnerability in Apple Wallet on WatchOS. Apple quickly released a fix but acknowledged that "A maliciously crafted attachment may result in arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited".

Approov now extends all the protections available on mobile apps to WatchOS. Approov support of WatchOS allows direct registration of WatchOS apps and ensures API protection against malicious traffic that is communicating directly from the watch to the cloud. WatchOS support is added to the existing support for Android Wearable Devices (which has been available since Version 3.0)

Approov Adds Huawei HarmonyOS Support: A Global Imperative

As a widely adopted operating system in regions such as China, India, the Middle East, and Africa, HarmonyOS plays a crucial role in the global mobile ecosystem. Recognizing the prevalence of this platform, Approov now ensures that mobile applications operating on Huawei devices are seamlessly integrated into our attestation services.

Approov attestation services traditionally supported Android and iOS devices, but the inclusion of Huawei HarmonyOS significantly broadens our platform coverage. This expansion is vital to offering a truly global solution, as any unattested mobile application poses a potential risk to API security, regardless of its geographical origin.

In collaboration with Cylab-Africa, Approov reinforces its commitment to a global solution for mobile app security. Version 3.2 extends support for Huawei app store deployments, catering to developers worldwide.

Enhanced High-Performance Worldwide Coverage

Approov expands its global network with new Points of Presence in São Paulo, Brazil and Singapore. These additions, coupled with existing points of presence (PoPs) in Europe (Dublin) and North America (California), create a worldwide low-latency mobile attestation network.

"At Approov, we understand that our global customer base requires the highest-performing mobile attestation network. Our expanding customer base in South America and the Asia Pacific region demands not just security but performance. Our commitment to providing superior security solutions wherever our customers operate is essential to protection against an evolving mobile threat landscape." - Theodore A. Miracco, CEO, Approov Inc.

This move bolsters Approov's commitment to achieving new levels of security by mitigating bot attacks, Man-in-the-Middle (MitM) attacks, account takeover (ATO) and other threats to mobile APIs, thus ensuring optimal performance and reducing fraud and data breaches.

New Threats are Addressed

The new release also boosts Approov's RASP feature set to include new countermeasures against emerging and evolving threats. This includes significant hardening improvements to the SDK, including static and dynamic anti-tamper measures. Additionally, Approov's ThreatLabs have developed further Android based detections for DobbyHook, Magisk, Zygisk, and Zygisk-Frida to fortify defenses against these advanced hacker tools. These changes augment the comprehensive suite of detections that are already implemented. In addition, the dynamic security-policy update facility will be used to improve the detection capabilities of existing deployed apps that currently use Approov's previous SDKs.

Increased Ease of Use for DevOps/Developers

Approov continues to focus on easing the security burden for developers, DevOps and DevSecOps teams. New features simplify app registration and management, providing an automated and streamlined integration experience. The elimination of the need for individual app registrations and the introduction of tools for managing different app versions reduce complexity. Approov also enhances the registration of developer devices for testing, ensuring a secure and efficient device farm testing process.

Approov Mobile App and API Security Software Release 3.2 reaffirms the Company's commitment to continued innovation in order to ensure there are no weak links for its customers.

Upgrades to Approov Version 3.2 will be included as part of Approov's Software-as-a-Service Mobile Security platform. New customers can embrace the future of mobile app and API security by starting a free 30-day trial by registering at Approov.io. For more information, visit Approov.io or follow on X.com @approov_io.