Apple’s rules around downloading apps from outside of its App Store have been an issue for a long time. Earlier, it was reported that Apple even received a warning in this regard from the European Commission’s tech chief Margrethe Vestager who accused the company of “using privacy and security concerns to fend off competition on its App Store”. Now, the iPhone maker has come out with a report claiming that “sideloading”, or distribution of apps through direct downloads or third-party app stores, increases the risks of cybercrime.
In its report released on October 13, Apple claimed that sideloading would—
- Allow more harmful apps to reach users because it would be easier for cybercriminals to target them – even if sideloading were limited to third-party app stores
- Users would have less information about apps upfront and less control over apps after they download them onto their devices.
- Some sideloading initiatives would also mandate removing protections against third-party access to proprietary hardware elements and non-public operating system functions.
This would undermine core components of platform security that protect the operating system and iPhone data and services from malware, intrusion, and even operational flaws that could affect the reliability of the device and stop it from working. This would make it easier for cybercriminals to spy on users’ devices and steal their data — Apple
Although it is imperative to flag issues of competition especially when it comes to Big Tech, it is equally important to ensure that the proposed antitrust solutions don’t lead to cybersecurity risks.
Using Android as an example of how bad things can get
Apple claimed that Android smartphones were “the most common mobile malware targets and have recently had between 15 and 47 times more infections from malicious software than iPhone. A study found that 98 percent of mobile malware targets Android devices. This is closely linked to sideloading.”
In addition, Apple said that cybercriminals and hackers rely on sideloading in Android devices to spread pirated apps, piracy, and intellectual property theft. “On the other hand, iOS users are unlikely to be exposed to malware, and many of the rare malware attacks on the platform are narrowly targeted attacks, often carried out by nation-states. Experts generally agree that iOS is safer compared to Android, in part because Apple does not support sideloading,” Apple claimed.
Bad actors have found their way in, despite Apple’s tight controls
Apple said that it created the Developer Enterprise Program to provide a way for large organisations to develop and privately distribute apps (for instance, confidential apps that do not go through App Review) for use only by their organisation’s employees.
Despite the program’s tight controls and limited scale, bad actors have found unauthorized ways of accessing it, for instance by purchasing enterprise certificates on the black market. Bad actors have used illegitimately obtained enterprise certificates to distribute apps that violate App Store policies, including apps containing malware such as Goontact and pirated versions of popular iOS apps — Apple
Since then, Apple said it has attempted to tighten controls further but this abuse has persisted. “If the option to distribute apps via sideloading were available on a massive scale, without any restrictions, and with Apple powerless to revoke certificates from bad actors in cases of abuse, malware and other forms of illegitimate apps would run rampant,” Apple claimed.
What can users be exposed to if sideloading is enabled?
- Malware: Apple said sideloading would expose iOS users to apps that contain known strains of malware. “App Review screens all apps and app updates submitted to the App Store to check for various types of known malware, including infected SDKs used in supply chain attacks,” it said.
- Spoofing: “If sideloading were supported on iOS, malicious actors would be able to distribute copycat versions of popular apps that trick users. On the App Store, apps come from known and vetted developers only, and their content is reviewed by a member of the App Review team,” the company said.
- Unsafe apps targeted at children: Apple said parents may inadvertently sideload apps appearing to be kid-friendly but actually put their children at risk. “App Store policies enforce strict guidelines around data collection and security on apps in the Kids category,” the company said.
- Big Tech will have to open up their ‘black box’ algorithms for regulatory scrutiny: EU Competition head
- Google wants safe harbour to be preserved, remains non-committal over competition in submission to EU
- Mozilla to EU: Make companies accountable for practices that amplify illegal content
- European Commission proposes Data Act 2021 to increase data-sharing between businesses and govts
Have something to add? Post your comment and gift someone a MediaNama subscription.