Wireless & Mobile Security · beginner · ~11 min

Mobile app security model (Android & iOS)

Explain the mobile sandbox model and how it differs from web/desktop.

Overview

Mobile apps run sandboxed (per-app user, private storage) with a runtime permission model and code signing. Android ships APKs (DEX bytecode + manifest), iOS ships IPAs (native, closed). Because isolation is strong, bugs cluster in local storage, transport security, auth, exposed components, and client-side trust (OWASP Mobile Top 10).

Why it matters

The mobile sandbox shifts the bug classes: not memory exploits but insecure storage, weak transport/auth, exposed components, and trusting the client. Knowing the model tells you where to look and how to assess Android vs iOS.

Core concepts

Sandbox. Per-app user + private data dir. Permissions. Runtime-granted; over-request is a finding. Code signing. iOS closed; Android verifies. APK vs IPA. DEX+manifest vs native. Bug clusters. Storage, transport, auth, exported components, client trust.

Lesson

Mobile platforms run apps in a sandbox with a permission model — a stronger default isolation than desktop, which shapes where the bugs are.

The model

  • App sandbox: each app runs as its own user with a private data directory other apps can't read. The OS mediates access to shared resources.
  • Permissions: access to camera, location, contacts, storage is granted per-permission (ideally at runtime). Over-requesting permissions is a finding.
  • Code signing: apps are signed; iOS only runs App-Store/enterprise-signed code; Android verifies signatures for updates.

Android vs iOS (briefly)

  • Android: apps are APK (or AAB) packages — essentially a zip of compiled DEX bytecode, resources, and a manifest (declares components & permissions). More open; sideloading and a larger malware surface.
  • iOS: IPA packages, compiled native code, a more closed ecosystem; jailbreak needed for deep inspection.

Where the bugs are

Because the sandbox is relatively strong, mobile findings concentrate in: insecure local storage of secrets, weak/absent transport security, weak authentication, exposed app components (Android exported activities/content providers), and client-side trust (secrets/logic in the app). These map to the OWASP Mobile Top 10 / MASTG (next lesson).

Testing posture

Mobile testing combines static analysis (decompile the app) and dynamic analysis (observe storage, logs, and API traffic at runtime) — covered next. Test only apps you're authorized to assess.

Summary

Mobile apps are sandboxed and signed, so their weaknesses are insecure local storage, weak transport/auth, exposed components, and client-side trust rather than memory bugs. Android (APK/DEX) and iOS (IPA/native) differ in openness and inspection.