Page 145 - Cyber Defense eMagazine Annual RSA Edition for 2024
(standard), or strong. Of most interest here is strong integrity, which is awarded to devices that have hardware-backed proof of boot integrity. This indicates that the device is running a legitimate, unrooted version of the OS issued by the device manufacturer. The lower levels of integrity are less interesting because they lose the assertion that the device is unrooted, and mechanisms for using a rooted device to bypass those checks have been available since Q4 2023. To obtain, or keep, a strong integrity result, an Android attacker must completely change their approach: instead of installing a custom, rooted version of the OS, they must find and exploit vulnerabilities to gain the permissions and access they require. This shift in attack strategy aligns more closely with the tactics employed against iOS than with the traditional approach of rooting on Android.
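As an added example (not the article's or any vendor's code), the following backend policy accepts only the strong level described above and goes beyond the text by also binding the verdict to the request's package name and nonce and checking its age. It assumes the basic/standard/strong levels are Google Play Integrity's deviceRecognitionVerdict labels, which the article does not name; the payload, package name and nonce are constructed.

```python
# Added example, not from the article: a backend policy for the integrity
# levels described above. Assumption: the basic/standard/strong levels are
# Google Play Integrity's deviceRecognitionVerdict labels (the article does
# not name the API), and the payload shape below is a decoded integrity token.

STRONG = "MEETS_STRONG_INTEGRITY"    # hardware-backed boot integrity
DEVICE = "MEETS_DEVICE_INTEGRITY"    # the article's "standard" level
BASIC = "MEETS_BASIC_INTEGRITY"
MAX_TOKEN_AGE_MS = 5 * 60 * 1000     # freshness window; chosen here, not from the article

def evaluate_verdict(payload, expected_package, expected_nonce, now_ms):
    """Return (accept, reason). Accept only a strong-integrity verdict that is
    bound to our package and our nonce and was issued recently."""
    req = payload.get("requestDetails", {})
    if req.get("requestPackageName") != expected_package:
        return False, "package mismatch"
    if req.get("nonce") != expected_nonce:
        return False, "nonce mismatch (replayed or foreign token)"
    issued = int(req.get("timestampMillis", 0))
    if issued > now_ms or now_ms - issued > MAX_TOKEN_AGE_MS:
        return False, "stale or future-dated token"
    app = payload.get("appIntegrity", {}).get("appRecognitionVerdict")
    if app != "PLAY_RECOGNIZED":
        return False, "app binary not recognized"
    labels = set(payload.get("deviceIntegrity", {}).get("deviceRecognitionVerdict", []))
    if STRONG in labels:
        return True, "strong integrity"
    # Lower levels lose the unrooted assertion, so they are reported, never trusted.
    if DEVICE in labels:
        return False, "device (standard) integrity only"
    if BASIC in labels:
        return False, "basic integrity only"
    return False, "no integrity verdict"

# Constructed sample payload shaped like a decoded integrity token.
SAMPLE_STRONG = {
    "requestDetails": {
        "requestPackageName": "com.example.bank",
        "nonce": "c29tZS1yYW5kb20tbm9uY2U",
        "timestampMillis": 1_700_000_000_000,
    },
    "appIntegrity": {"appRecognitionVerdict": "PLAY_RECOGNIZED"},
    "deviceIntegrity": {"deviceRecognitionVerdict": [BASIC, DEVICE, STRONG]},
}

if __name__ == "__main__":
    now = SAMPLE_STRONG["requestDetails"]["timestampMillis"] + 1_000
    print(evaluate_verdict(SAMPLE_STRONG, "com.example.bank",
                           "c29tZS1yYW5kb20tbm9uY2U", now))  # (True, 'strong integrity')
```

The same token presented with a different nonce, from another package, or long after issue is rejected before the integrity labels are even consulted.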
The history of iOS jailbreaks, and the discovery of privilege escalation bugs on both platforms, suggests that such vulnerabilities will continue to be exposed; however, it may take time for them to come to light. CVE-2024-20015, CVE-2024-20278, CVE-2023-20963 and CVE-2023-42824 are recent examples from both platforms. Once available, vulnerabilities such as these can survive for quite a while in the Android space, as many manufacturers work to tight margins and there is no financial incentive to distribute updates. Apple typically fares a little better in this regard, as its devices receive updates for up to 5 years after the end of production. Another quote from Andeer at the workshop, talking about the number of APIs available to developers since the first release of the iPhone, shows why I am confident that there are plenty more vulnerabilities to be found: “we’ve gone from 10,000 to more than 250,000 today.”
In addition to damaging the commercial prospects of independent mobile app security vendors, statements like Andeer’s, often made by Apple in relation to the iPhone, are harmful to the whole app security ecosystem. This marketplace is populated by organizations that recognize the need for app security despite Apple's statements, and they struggle to educate app developers on the threats that need to be addressed when their message is wrongfully undermined by platform providers. The argument for app attestation is clear: the number of disclosed API breaches seems to be rising exponentially, as shown by the following Statista chart for the US. App attestation, done properly, significantly reduces the API attack surface available to bad actors and additionally limits breach automation options, as the legitimate app is required for API access.