New release fortifies mobile app security with WatchOS support, global presence, and enhanced user experience.
By Peter R. Kelley
Mobile security experts with Approov have published new data indicating that watches, wearables and new devices are a “weakest link.” Key findings include:
– Watches and other wearables now communicate directly with backend APIs and services.
– An Apple Watch “zero-day” vulnerability was uncovered in September 2023.
– Unless protected, watches and wearables will become a rich attack vector for hackers.
– The company extends its mobile RASP to WatchOS in response, to prevent zero-day exploitation.
The findings were released in today’s Approov blog “Approov Addresses Apple Watch Security Issues” at this link: https://approov.io/blog/apple-watch-security-issues
Apple and MIT recently published a study indicating that 2.6 billion personal records were exposed through data breaches over the last two years. These findings underscore the need for protecting data in the cloud through mobile attestations and improved API security.
The danger is real: In September, Citizen Lab found an actively exploited zero-click Apple vulnerability which was used to deliver NSO Group’s Pegasus mercenary spyware. Apple acknowledged the threat to all their devices, issuing a specific WatchOS Security briefing (https://support.apple.com/en-mide/106360) on November 9 concerning a vulnerability in Apple Wallet on WatchOS. Apple quickly released a fix but acknowledged that “A maliciously crafted attachment may result in arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited”.
Approov addresses the threat with Release 3.2, the first commercially available App Attestation Solution for Apple WatchOS, providing API protection against emerging threats.
“The newly released Apple Watch Series 9 and Ultra 2 will certainly be the gift of choice this Christmas. However, as watches and wearables proliferate and communicate directly with backend APIs, attack surfaces are exposed on these devices,” said Approov CEO Ted Miracco. “You are as strong as your weakest link and taking care of mobile app security is worthless if an attacker finds a path from a wearable to your APIs and exposes you to potential data loss, malware injection, Man-in-the-Middle attacks, credential stuffing or DDoS attacks.”
Approov’s move extends all the protections available on mobile apps to WatchOS. Direct registration of WatchOS apps ensures API protection against malicious traffic that is communicating directly from the watch to the cloud. WatchOS support is added to previously existing support for Android Wearable Devices.
Approov Release 3.2 also includes Huawei Harmony OS support, deployment of extended global Points of Presence (PoPs), and improved ease of deployment and administration. New PoPs in São Paulo, Brazil and Singapore, coupled with existing PoPs in Europe (Dublin) and North America (California), create a worldwide low-latency mobile attestation network.
Approov’s Runtime Application Self Protection (RASP) defenses are also strengthened by extending threat detections to include the latest versions of tools used by hackers to attack apps and APIs.