SoK: Hardening Techniques in the Mobile Ecosystem - Are We There Yet?

  • Magdalena Steinbock*
  • Jens Troost
  • Wilco Van Beijnum
  • Jan Seredynski
  • Herbert Bos
  • Martina Lindorfer
  • Andrea Continella

* Corresponding author for this work

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › Academic › peer-review


Abstract

Irrespective of the security and isolation guarantees offered by the mobile operating system, the Mobile Application Security Verification Standard (MASVS) recommends that app developers implement hardening techniques for self-protection - to prevent tampering and leakage, detect jailbreaks, etc. Although regulations incentivize developers to implement self-protection, our understanding of the use of hardening techniques is still very limited - especially regarding differences, if any, between the two main mobile ecosystems. In this paper, we systematize knowledge on the use and analysis of hardening techniques, covering, for the first time, both Android and iOS apps. To this end, we present HALY, a framework to analyze the adoption of hardening techniques. Using HALY's static and dynamic analysis, we analyze 2,646 popular apps available on both Android and iOS, and measure the prevalence of hardening techniques. Contrary to expectation, apps on iOS underperform in self-protection, implementing only half of the recommended hardening techniques compared to their Android counterparts - challenging the long-held belief that iOS is simply 'more secure.' Equally surprising, while privacy-sensitive apps implement more self-protection, many apps implement hardening techniques on only one of the two OSes. Furthermore, as many common techniques are easy to individually bypass, the additional security is questionable. Overall, almost all apps implement some hardening techniques, but as many as 24.1% (Android) and 73.6% (iOS) implement fewer than half of the recommended ones, and we only found 26 apps on Android to implement all eight and only one app on iOS to adopt all seven analyzed techniques.

Original language: English
Title of host publication: Proceedings - IEEE 10th European Symposium on Security and Privacy (Euro S&P) 2025
Publisher: IEEE
Pages: 789-806
Number of pages: 18
ISBN (Electronic): 9798331594930
Publication status: Published - 26 Aug 2025
Event: 10th IEEE European Symposium on Security and Privacy, Euro S&PW 2025 - Venice, Italy
Duration: 30 Jun 2025 → 4 Jul 2025
Conference number: 10

Conference

Conference: 10th IEEE European Symposium on Security and Privacy, Euro S&PW 2025
Abbreviated title: Euro S&P 2025
Country/Territory: Italy
City: Venice
Period: 30/06/25 → 4/07/25

Keywords

  • android
  • app hardening
  • app self protection
  • dynamic analysis
  • ios
  • static analysis
