Use Recent OS Version

Decrease likelihood of successful privilege escalation attack.

Starting in Android 4.1, this technique requires privilege escalation for malicious applications to perform, as apps can no longer access the system log (other than log entries added by a particular app itself). (Additionally, with physical access to the device, the system log could be accessed via USB through the Android Debug Bridge.)^[1]

Most new versions of mobile operating systems include patches to newly discovered privilege escalation exploits used to root or jailbreak devices. Further, applications that target Android API level 28 or higher on Android 9.0 and above devices have a policy applied that prevents other applications from reading or writing data in their internal storage directories, regardless of file permissions.^[2]

In Android 8, broadcast intent behavior was changed, limiting the implicit intents that applications can register for in the manifest.^[3]

Android 9 and above restricts access to microphone, camera, and other sensors from background applications.^[4]

Android 9 and above restricts access to mic, camera, and other sensors from background applications.^[4]

Android 10 prevents applications from accessing clipboard data unless the application is on the foreground or is set as the device’s default input method editor (IME).^[5]

Starting with Android 4.2 the user must provide consent before applications can send SMS messages to premium numbers.^[6]

Android 10 prevents applications from accessing clipboard data unless the application is on the foreground or is set as the device’s default input method editor (IME).^[5]

Many vulnerabilities related to injecting code into existing applications have been patched in previous Android releases.

Changes were introduced in Android 7 to make abuse of device administrator permissions more difficult.^[7]

On Android 10 and above devices, applications that target Android API level 29 or higher cannot execute native code stored in the application's internal data storage directory, limiting the ability of applications to download and execute native code at runtime.^[8]

Newer OS versions generally will include security patches against discovered vulnerabilities that become known to the vendor. Additionally, iOS 11.4.1 and higher introduce USB Restricted Mode, which under certain conditions disables data access through the device's charging port (making the port only usable for power), likely preventing this technique from working.^[9]

Increase difficulty of escalating privileges, as security architecture improvements in each new version of Android and iOS make it more difficult to escalate privileges. Additionally, newer versions of Android have strengthened the sandboxing applied to applications, restricting their ability to enumerate file system contents.

New OS releases frequently contain additional limitations or controls around device location access.

iOS 10.3 and higher add an additional step for users to install new trusted CA certificates to make it more difficult to trick users into installing them. On Android, apps that target compatibility with Android 7 and higher (API Level 24) default to only trusting CA certificates that are bundled with the operating system, not CA certificates that are added by the user or administrator, hence decreasing their susceptibility to successful adversary-in-the-middle attack.^[10][11]

Newer OS releases typically patch known root exploits disclosed in previous versions.

For applications running on Android 10 and higher devices, application developers can indicate that DEX code should always be executed directly from the application package.^[12]

As stated in the technical description, Android 7 and above prevent applications from accessing this information.

Starting in Android 6.0, applications can no longer access MAC addresses of network interfaces.^[13]

iOS 11 introduced a first-come-first-served principle for URIs, allowing only the prior installed app to be launched via the URI.^[14]