Should mobile app developers actively prevent apps from running on outdated devices/rooted devices/emulators for security purposes?
From personal experience, many mobile apps that I've tested don't actively detect and discourage (with a warning) or even block the app from running on/in:
- a rooted/jailbroken Android/iOS device
- emulated environment
- an end-of-life iOS or end-of-life Android device
While this is great for security testing purposes, one could imagine that in general you'd want to prevent your app from running on such devices in the first place as it could pose additional risks to the data that is handled in the app. For devices that run outdated operating systems (OS) that don't receive security updates any longer, I'd apply the "assume breach" principle from the zero trust security model.
I could imagine that preferably hardware-backed attestation would be ideal for "root detection"[1] and for preventing apps from running on rooted/jailbroken devices. For "emulation detection" the same or a similar emulation detection approach to Flutter can be used, although that doesn't seem very robust to me. For no longer supported outdated operating systems[2] one could simply pull it from the Play and App Store for certain mobile OS versions for new installations. Additionally, and in a backwards compatible way (when introduced early enough), an active check could be introduced that puts an end date on the use of certain OS versions, or, more foolproof, call an API to be able to 'discontinue' (and perhaps wipe app data) on older versions of the app without the need for updating them first.
Should mobile app developers take active action against the three mentioned cases, and should security auditors and penetration testers perhaps inform mobile app developers about the lack of such measures? Are there any known industry standards that require or advise such measures to be in place in mobile apps?
[1]: For example, the RootBeer library for Android.
[2]: Which is also reported as an issue under the 'Manifest Analysis' section by static analysers like MobSF as: "App can be installed on a vulnerable Android version. This application can be installed on an older version of android that has multiple vulnerabilities. Support an Android version => 10, API 29 to receive reasonable security updates."
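As an added example (not part of the question above), here is one way the three checks could be combined into a single start-up posture decision on Android: a hardware-backed attestation result is treated as authoritative for root detection, build-metadata heuristics in the spirit of RootBeer/Flutter-plugin checks only warn, and the OS end-of-use dates and app discontinuation switch come from a remotely fetched policy. The `DevicePosture`, `RemotePolicy` and `evaluate` names, the minimum API level 29 and the sample values are assumptions; at runtime the device fields would be read from `android.os.Build`.

```kotlin
import java.time.LocalDate

// Facts collected at start-up. On Android: Build.VERSION.SDK_INT, Build.TAGS,
// Build.FINGERPRINT, Build.HARDWARE, Build.PRODUCT; attestation from a
// hardware-backed integrity check (null = result unavailable). Assumed names.
data class DevicePosture(
    val sdkInt: Int, val buildTags: String, val fingerprint: String,
    val hardware: String, val product: String, val appVersion: Int,
    val attestationPassed: Boolean?,
)

// Policy fetched from the app's own backend (assumed), so it can change
// without shipping an app update first.
data class RemotePolicy(
    val minSdkForInstall: Int,              // MobSF recommends API 29
    val sdkEndOfUse: Map<Int, LocalDate>,   // end date per OS API level
    val minSupportedAppVersion: Int,        // remote "discontinue" switch
)

enum class Verdict { ALLOW, WARN, BLOCK }
data class Decision(val verdict: Verdict, val reasons: List<String>)

// Heuristics only: emulator images and test-keys builds leave typical traces.
fun looksLikeEmulator(p: DevicePosture) =
    p.fingerprint.startsWith("generic") || p.hardware in setOf("goldfish", "ranchu") || p.product.startsWith("sdk")
fun looksRootedByBuild(p: DevicePosture) = p.buildTags.contains("test-keys")

fun evaluate(p: DevicePosture, policy: RemotePolicy, today: LocalDate): Decision {
    val block = mutableListOf<String>(); val warn = mutableListOf<String>()
    // 1. Outdated / end-of-life OS: "assume breach", so block rather than warn.
    if (p.sdkInt < policy.minSdkForInstall) block += "OS API ${p.sdkInt} below minimum ${policy.minSdkForInstall}"
    policy.sdkEndOfUse[p.sdkInt]?.let { end ->
        if (!today.isBefore(end)) block += "OS API ${p.sdkInt} past end-of-use $end"
        else warn += "OS API ${p.sdkInt} reaches end-of-use on $end"
    }
    // 2. Old app versions discontinued server-side, no update required first.
    if (p.appVersion < policy.minSupportedAppVersion) block += "app version ${p.appVersion} discontinued"
    // 3. Root / emulator: attestation is authoritative, build heuristics only warn.
    when (p.attestationPassed) {
        false -> block += "device integrity attestation failed"
        null -> if (looksRootedByBuild(p)) warn += "test-keys build and attestation unavailable"
        true -> {}
    }
    if (looksLikeEmulator(p)) warn += "build metadata matches an emulator"
    return when {
        block.isNotEmpty() -> Decision(Verdict.BLOCK, block + warn)
        warn.isNotEmpty() -> Decision(Verdict.WARN, warn)
        else -> Decision(Verdict.ALLOW, emptyList())
    }
}

fun main() {
    val policy = RemotePolicy(29, mapOf(29 to LocalDate.of(2026, 1, 1)), 120)  // constructed sample
    val emulator = DevicePosture(30, "release-keys", "generic/sdk_gphone", "ranchu", "sdk_gphone", 130, null)
    println(evaluate(emulator, policy, LocalDate.of(2025, 6, 1)))  // WARN: emulator metadata
    val eol = DevicePosture(28, "test-keys", "brand/device", "qcom", "device", 110, false)
    println(evaluate(eol, policy, LocalDate.of(2025, 6, 1)))       // BLOCK: three reasons
}
```

The WARN-only handling of heuristics is deliberate: they are easy to spoof in both directions, so the blocking decisions rest on the attestation result and on the remotely controlled OS and app version policy.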