Episode Transcript
Available transcripts are automatically generated. Complete accuracy is not guaranteed.
Speaker 1 (00:00):
Welcome to Upwardly Mobile, where we explore securing your apps
and APIs.
Speaker 2 (00:04):
I'm Sky and I'm George. Today we're looking at something
huge shaking up the mobile world.
Speaker 1 (00:10):
Yeah, the ground has definitely shifted. If you're building for Android, iOS, HarmonyOS,
using Flutter, React Native, you really need to lean in
on this one.
Speaker 2 (00:19):
Absolutely. A massive legal loss for a major player, Google,
is forcing changes that ripple out to basically every mobile
developer's security strategy.
Speaker 1 (00:30):
We've got a stack of sources covering the fallout from
the Epic v. Google antitrust case. The big takeaway:
the Android ecosystem's opening up.
Speaker 2 (00:38):
Which sounds great for competition, right? But, and this is
the crucial part, it suddenly puts a heavy security burden
directly onto developers, a burden the platforms, well, they used
to handle more of exactly.
Speaker 1 (00:48):
So this isn't just legal news, it's practical, it's technical.
We need to figure out what these mandates mean for
your app security, specifically at the API layer.
Speaker 2 (00:57):
Right, because that centralized safety net's kind of disappearing. We
need to look at the technical fixes developers need, well,
right now. Okay, so let's start with the catalyst itself.
The Epic v. Google case. The jury sided very clearly
with Epic decisively. Yeah, on the antitrust claims about the
Play Store, things like billing, distribution controls, basically saying Google's
practices were anticompetitive.
Speaker 1 (01:23):
And the courts agreed.
Speaker 2 (01:24):
Uh huh. The Ninth Circuit Court of Appeals backed up
a permanent injunction. Google's lost at pretty much every step.
Speaker 1 (01:29):
So far, and the timing makes this urgent. Our sources
show Google's scrambling. Aren't they trying to get the Supreme
Court to pause things?
Speaker 2 (01:36):
That's right. They asked for a stay by October seventeenth,
twenty twenty five. The injunction itself was set to kick
in just what three days later, around October twentieth or
twenty second.
Speaker 1 (01:45):
Wow, that's cutting it fine. It's not just about money, then,
it's structural.
Speaker 2 (01:49):
Completely structural. Google's being ordered to change how Android app
distribution fundamentally works.
Speaker 1 (01:54):
So what are those key changes the points where things
really break open and force developers to, you know, rethink security.
Speaker 2 (02:01):
Okay, three main things jump out from the sources. First,
Google has to allow third party app stores inside the
Google Play.
Speaker 1 (02:10):
Store inside Play, really?
Speaker 2 (02:12):
Yeah, directly accessible within Play for at least three years.
That's instant decentralization right there.
Speaker 1 (02:17):
Okay, what's number two?
Speaker 2 (02:18):
Number two? They can't force developers to use Google Play
billing anymore. You have to be allowed to use other
payment systems.
Speaker 1 (02:25):
And didn't they mention something about linking out exactly?
Speaker 2 (02:28):
That's part of it. Developers need to be allowed to
implement link out provisions let users pay outside the Google ecosystem.
Speaker 1 (02:36):
Wait, unpack link out for me. What does that mean
practically for an app?
Speaker 2 (02:40):
It means your app can have, say a button that
takes the user to your website or a partner site
to finish buying something.
Speaker 1 (02:46):
Ah. Okay, which platforms used to heavily restrict right to
keep their cut of the fees.
Speaker 2 (02:51):
Precisely, Now the app has to be allowed to clearly
direct the user elsewhere for payment. Got it?
Speaker 1 (02:57):
And the third point.
Speaker 2 (02:58):
The third point is ending those exclusive deals where phone makers
had to pre-install the Play Store to get other
Google apps.
Speaker 1 (03:04):
Ah. So that opens the door for rival stores to
get onto devices more easily too. Right.
Speaker 2 (03:10):
It all feeds into decentralization, and the legal folks we
read noted this was a huge win for Epic. They
got almost everything they wanted from Google.
Speaker 1 (03:18):
Unlike the Apple case.
Speaker 2 (03:19):
Yeah, the Epic v. Apple outcome was much smaller.
This Google ruling impacts what over one hundred million users
in the US alone, plus all the developers targeting them.
It's a massive shift.
Speaker 1 (03:30):
Okay, so the mandate is clear, open up. But Google's
fighting this and their main weapon seems to be security concerns.
Is this genuine worry or just you know, corporate spin
to protect their business model.
Speaker 2 (03:44):
Well, it's probably a bit of both, let's be honest,
but their legal filings lean heavily on the risk angle.
Their argument for pausing the injunction is that it creates
and I'm quoting here, enormous security and safety risks.
Speaker 1 (03:56):
How so, what's the specific fear they claim?
Speaker 2 (03:59):
Allowing rival stores means these stores could just proliferate, their
word and Google can't guarantee the safety of the content,
leading to more malicious, deceptive, or pirated content.
Speaker 1 (04:08):
And they seemed really worried about those payment link outs
we mentioned.
Speaker 2 (04:11):
Absolutely, they argue those make it much easier for malicious
actors like scammers, even foreign adversaries, they say, to trick
users into giving up sensitive info.
Speaker 1 (04:23):
Classic phishing fears basically, but potentially supercharged by this court
order pretty much.
Speaker 2 (04:28):
And they also raised a point about the burden on
developers having to monitor potentially dozens or hundreds of stores
that might pop up carrying their apps, maybe without even
telling them.
Speaker 1 (04:39):
Yeah, that sounds like a nightmare. An instant, unmanageable expansion
of your attack surface, especially if your app's API handles
anything valuable.
Speaker 2 (04:47):
It is a real concern for anyone publishing an app. Now,
Epic's response, naturally, is that these are flawed security claims.
They argue, the jury already rejected these points, and it's
just Google trying to keep control.
Speaker 1 (04:58):
Okay, so we have the legal arguments, it's the actual
takeaway for a developer listening right now, So.
Speaker 2 (05:03):
What the crucial So what is this? Regardless of Google's motivation,
the risk itself is now a market wide reality.
Speaker 1 (05:11):
Right. It doesn't matter if it's court mandated decentralization or
just you know, the existence of alternative stores. If your
app can end up on some untrusted third party.
Speaker 2 (05:21):
Site, then you developer can no longer just assume that
Google or Apple or Huawei has checked the integrity of
the app file. Your user actually downloaded. The platform's initial
check isn't enough anymore.
Speaker 1 (05:33):
The burden shifts. It moves away from relying on the
store to securing the API access itself exactly.
Speaker 2 (05:39):
Think about apps handling sensitive stuff finance, health data, even
valuable game items. If someone downloads a tampered version from
a dodgy store.
Speaker 1 (05:48):
That fake app could be scraping credentials, redirecting API calls,
causing all sorts of havoc.
Speaker 2 (05:54):
Right, the risk moves from maybe a platform flaw to
direct runtime tampering of your app. Soopers now face
this immediate need to defend against really sophisticated attacks, things
like API abuse, credential theft enabled by these potentially compromised
side loaded app versions.
Speaker 1 (06:11):
The built in platform security just isn't designed for that
scenario once the app is outside the official walled garden.
Speaker 2 (06:16):
And that leads us straight to the technical solution developers
need to look at. Security has to move from trusting
the distribution channel which is now fragmented.
Speaker 1 (06:24):
To verifying the actual app instance trying to talk to
your back end precisely.
Speaker 2 (06:30):
And for developers working across Android, iOS, HarmonyOS, this really
pushes mobile app attestation forward as, well, almost a required defense.
It's key for managing the risks of sideloading and third
party distribution safely.
Speaker 1 (06:44):
Okay, So if I'm a developer, what's the big advantage here?
Why is app attestation better than the checks Google or
Apple already do? What's the core difference?
Speaker 2 (06:52):
It fundamentally shifts where you enforce trust. Instead of relying
on the app Store, which might have distributed a compromised app,
you enforce trust at your own API gateway.
Speaker 1 (07:02):
Ah, so it's closer to the critical transaction exactly.
Speaker 2 (07:04):
Attestation verifies the integrity of the app while it's running,
right at the moment it tries to access your API.
It's not just checking a static file that was downloaded
potentially weeks ago.
Speaker 1 (07:14):
How does that specifically counter the risks Google brought up,
the malware, tampering, fake apps hitting your API?
Speaker 2 (07:22):
It tackles them head on through layers of checks. It
looks at the app itself: has it been modified, repackaged?
And it looks at the environment it's running in. Is
the device rooted, jailbroken? Is there debugging or hooking
going on?
Speaker 1 (07:36):
Things that happen after installation? Which static checks miss?
Speaker 2 (07:40):
Right? It's designed to catch runtime attacks, reverse engineering instrumentation
frameworks trying to hook into your app's functions. Attestation provides
defenses against those you mentioned.
Speaker 1 (07:51):
Dynamic security features too, like dynamic certificate pinning and runtime
secrets management.
Speaker 2 (07:58):
Yes, let's break those down. Runtime secrets management, it's not
just about hiding passwords better in the code, because the
attackers can often find those with static analysis.
Speaker 1 (08:07):
Okay, So what is it then?
Speaker 2 (08:08):
It means critical secrets like API keys or encryption keys
aren't stored statically within the app package itself. Instead, they're
either generated on the fly or delivered securely during the
runtime session only when needed, and often tied to the attestation
result. Makes them much, much harder for an attacker to
just extract.
Speaker 1 (08:25):
I see and dynamic certificate pinning. That sounds like it
stops man-in-the-middle attacks.
Speaker 2 (08:30):
It does. It lets the app double check that it's
talking to the real server, not an imposter trying to
intercept the connection with a fake certificate. Doing it dynamically
means you're not hard coding certificate details that can become
outdated or compromised.
Speaker 1 (08:43):
It adapts okay, so the core mechanism ties this all
back to my API calls. Right, That's where the control
really happens.
Speaker 2 (08:49):
That's the key enforcement point. The attestation process results in
a secure token, often a JWT, a JSON Web Token, but
this token is only issued if the app and the
device pass all those integrity.
Speaker 1 (09:01):
Checks and this token goes with the API call.
Speaker 2 (09:04):
Yes, it's like a passport. Yeah, your back end API
gateway looks for this valid, cryptographically signed token on every
single incoming call, so that.
Speaker 1 (09:13):
Check on my back end becomes the new security gate
doesn't matter if the app came from Google Play or
some shady third party store. If the API call arrives
without a valid fresh attestation token.
Speaker 2 (09:25):
Access denied, your API gateway rejects the request before it
can touch sensitive data or execute critical.
Speaker 1 (09:31):
Functions, So the control stays with the app owner, with
the vendor exactly.
Speaker 2 (09:35):
It puts the power to protect your API and user
data back in your hands. Even in this more open,
legally mandated environment, it's becoming essential.
Speaker 1 (09:44):
But hang on, people root devices, They find ways around
platform security all the time. Google had built-in checks, right?
How does adding another piece of code, app attestation,
running on that same potentially compromised device actually solve this?
Is it really robust?
Speaker 2 (10:00):
That's a really important question. It comes down to where
the trust anchor lies and when the check happens. Platform
checks are often static, done mostly at install time, and yeah,
they can be bypassed later using runtime tools. Okay,
attestation uses dynamic checks looking for those runtime manipulations. But crucially,
it often relies on cryptographic proofs, sometimes involving secure hardware elements,
if available, that are much harder to fake. And the
most critical part the final decision the verification of that
attestation token that happens on your server, your API gateway.
Speaker 1 (10:31):
Ah, So the app running on the potentially dodgy device
can't just lie about being secure. It has to present
this verifiable proof to the back end.
Speaker 2 (10:39):
Precisely, it needs an unforgeable token generated by a trusted
attestation service proving its current integrity. That server side verification
is the key difference and the source of its robustness.
Speaker 1 (10:51):
It sounds powerful, but you know, no magic bullets and.
Speaker 2 (10:54):
Security. Absolutely correct. Attestation massively reduces the risk from this
forced centralization. It's way better than just relying on the
app store review process, but it's not foolproof on its own.
You still need layered defenses like what? Secure coding, input
validation, rate limiting on your APIs, keeping an eye on
threat intelligence, ongoing risk assessment, the usual best practices. But
attestation provides that foundational layer of trust for the app
instance itself, which is critical now.
Speaker 1 (11:23):
So it really feels like developers are caught in
this vice. You know, antitrust laws are pushing for
openness for competition.
Speaker 2 (11:29):
Which is generally seen as good for users and innovation, but.
Speaker 1 (11:32):
It simultaneously shifts this huge security responsibility directly onto the
developer's shoulders, largely independent of the app store itself.
Speaker 2 (11:40):
And if you zoom out a bit, this Google ruling
isn't happening in a vacuum. It's part of a bigger trend,
often driven by courts and regulators towards decentralizing these big
tech ecosystems. Google also had to stop some exclusive deals
share search data. The walled gardens are definitely getting cracks.
Speaker 1 (11:58):
So the future of mobile security, it's not just
about writing secure code anymore.
Speaker 2 (12:03):
It's increasingly about maintaining cryptographic control over your API layer,
knowing verifiably that the thing calling your API is genuinely
your unmodified app running in a safe environment, especially when distribution, payments,
even discovery are becoming less centralized.
Speaker 1 (12:20):
Which puts the pressure squarely back on you, the developer.
The question really becomes, if your app could suddenly appear
on dozens of new, untrusted stores thanks to rulings like this,
how fast do you need to implement something like attestation at
your API gateway.
Speaker 2 (12:33):
What's the real cost of waiting until after a breach
happens that exploits this new open environment. It's something every
mobile team needs to consider very seriously right now.
Speaker 1 (12:43):
We used human sources to put together this analysis of
the mobile security landscape today.
Speaker 2 (12:48):
And the process was also assisted by AI. We definitely
encourage you to keep digging into these topics as the
threats and the regulations are changing incredibly fast.