Emulator

What is a mobile emulator?

A mobile emulator is a software tool that mimics the functionality of a mobile device, allowing applications designed for Android and iOS mobile platforms to run on desktop systems. Emulators simulate both the hardware and software environments of mobile devices, which can be useful for app testing, development, and debugging.

Summary

Mobile emulators are primarily used by developers to test apps in a controlled, virtual environment before deploying them on real devices. But bad actors often use emulators to manipulate apps, bypass security measures, and carry out fraudulent activities like credential stuffing, payment manipulation, or API abuse.

Running apps in emulator environments can expose vulnerabilities not present on real devices. To mitigate these risks, developers implement anti-emulation techniques to detect and block apps from running on emulators, particularly in high-risk environments like finance, e-commerce, or secure messaging apps. The methods used to block emulators vary between iOS and Android, with each platform having different approaches for detecting emulation and ensuring the app’s security.

Deep dive

Difference between emulator and simulator

Emulator: An emulator mimics both the hardware and software features of a mobile device, allowing the app to run as if it were on an actual physical device. This gives you a comprehensive testing environment and is useful for debugging hardware-dependent features like sensors and network behaviors. Emulators are preferred for in-depth testing like app performance under different device conditions. For example, Android’s official emulator in Android Studio simulates various screen sizes, device configurations, and hardware like GPS and accelerometers.
Simulator: A simulator imitates the software environment but not the hardware, so it can run an app and display its user interface but cannot accurately replicate hardware-dependent features. Simulators generally run faster than emulators as they do not simulate hardware components, making them more efficient for early-stage development and user interface testing. For example, Apple’s iOS Simulator in Xcode allows developers to test the app’s logic and user experience on different versions of iOS, but it does not emulate the actual hardware’s behavior, like camera performance or low-level device interactions. Simulators are ideal for basic app logic checks and rapid prototyping where hardware interaction is not a concern.

Why bad actors run apps on emulators

Malicious actors use emulators to:

Manipulate app behavior: By running apps on emulators, attackers can pause execution, alter inputs, or modify app logic to bypass security features like authentication, encryption, or geolocation restrictions.
Automate fraud: Attackers use emulators to scale attacks, such as automating credential stuffing or generating fake app sessions, enabling them to perform fraudulent activities on a large scale.
Reverse engineer apps: Emulators provide attackers with the tools to decompile apps, analyze their code, and discover vulnerabilities or hidden functionality that can be exploited.

Why developers should prevent their apps from being run on emulators

Developers need to prevent their apps from running on emulators because:

Increased vulnerability to exploitation: Emulators allow attackers to bypass critical security mechanisms like encryption and authentication by modifying the app’s behavior or extracting sensitive information.
Fraud and abuse: Automated fraud schemes, like using fake accounts or conducting financial fraud, can be carried out at scale through emulators.
Privacy violations: Sensitive user data can be more easily extracted from apps running in emulators, potentially leading to breaches of privacy and legal violations.

How to prevent apps from being run on emulators

To prevent apps from running on emulators, developers use a combination of detection techniques and response strategies. Here are the main methods:

Detection techniques

Device fingerprinting: Identifies whether the device is a real phone or an emulator by comparing hardware specifications like CPU, RAM, and sensors, which are often different in emulators.
Behavioral detection: Monitors for suspicious behavior like accessing sensors or features that don’t exist in an emulator environment to detect emulated conditions.
Environment variable checks: Examines system properties and environment variables that may indicate the presence of an emulator.

Response strategies

API restrictions: Limits or disables certain APIs when an emulator environment is detected, preventing critical app functionality from being exploited.
App termination or alerts: Triggers app shutdown or sends security alerts when an emulator is detected, ensuring potential threats are mitigated immediately.
Feature degradation: Reduces app functionality or disables high-risk features to minimize potential damage if an emulator is detected.

How to prevent apps from being run on emulators (iOS vs Android)

iOS: Apple's strict app distribution model through the App Store already limits the use of emulators in most cases. However, developers can enhance security by checking for environment-specific indicators (e.g., the presence of debugging tools) and utilizing jailbreak detection since emulators typically operate in a “jailbroken” state.
Android: Android allows more flexibility with emulators, but this makes apps more susceptible to being run in unauthorized environments. Developers can use the Play Integrity API to detect and prevent apps from running in an emulator, alongside checking for system properties (like CPU architecture) that differ between real devices and emulators.

Examples

Nintendo targets emulators: In October 2024, Nintendo took legal action against Ryujinx, the second most popular Nintendo Switch emulator, following a similar lawsuit settlement against Yuzu. Ryujinx developers were contacted by Nintendo and agreed to halt development, leading to the removal of their website, GitHub repository, and other related assets. At the time of closure, Ryujinx had developed an Android version and was actively working on an iOS port. The crackdown is part of Nintendo’s long-standing legal efforts to protect its intellectual property.
Deepfake attacks on ID verification systems: In 2023, generative AI-led deepfake attacks on identity verification systems surged by 704%. Attackers employed emulators to mimic mobile devices and conduct digital injection attacks, replacing legitimate camera feeds with deepfakes. They manipulated biometric verification apps as if they were using real device cameras, bypassing detection systems and blending virtual and real-world environments seamlessly.
Mobile emulators target banking apps: In 2023, a major shift was observed from bot attacks to mobile emulator-based fraud among five North American banks, with one bank reporting 1,584 additional emulator attacks compared to 2022. Fraudsters increasingly use emulators to bypass traditional security controls, exploiting these tools to mimic real devices for unauthorized transactions.

History

Mobile emulation began in 1997 with the release of the Palm OS Emulator, which allowed developers to test their apps on personal computers without needing a physical Palm device. This early emulator set the stage for advanced tools like Nokia’s SDKs in the early 2000s that provided emulators for Symbian OS.

Emulators soon became an essential part of development toolkits. By the mid-2000s, mobile emulation tools were helping developers test apps across different ecosystems, like Apple's iOS Simulator alongside Xcode in 2008 and the Android Emulator as part of the Android SDK around the same period.

As mobile apps integrated into financial services, e-commerce, and data-sensitive platforms, emulators attracted the attention of bad actors. By the late 2010s, attackers were exploiting emulators to reverse engineer apps and perpetrate fraud. This uptick in mobile malware and fraud schemes led to the development of anti-emulation techniques to safeguard apps in high-risk environments.

Future

As mobile security evolves, emulation detection techniques will become more sophisticated, incorporating machine learning and behavioral analytics to identify malicious activity more accurately. Future advancements in trusted execution environments (TEEs) and device attestation will make it harder for emulators to mimic real devices, further protecting mobile apps from being compromised.

Regulations in finance and healthcare are pushing for stricter emulator detection requirements in mobile apps to prevent fraud and ensure data privacy. PSD2 in finance and HIPAA in healthcare mandate robust security controls to protect sensitive information and prevent unauthorized access.