Of the two major mobile operating system vendors, Apple enjoys a reputation for being the more private and safe option. The company attributes iPhone security to its “walled garden” approach, restricting app sideloading and making the App Store the only simple and straightforward way to get software onto its devices.
In the face of court decisions that may ultimately force it to loosen this policy, Apple is engaging in a PR campaign, backed by commissioned research, that connects the more open architecture of Android to increased risk of malware. Among other claims, Apple says that an Android device is up to 47 times more likely to contract malware and that allowing app sideloading would attract a wave of cyber crime to the iOS platform.
Apple touts iPhone security ahead of regulatory decisions
Apple’s latest research-driven pamphlet touts the “critical importance” of iPhone security, making the case that a smartphone tends to be the type of device that contains the greatest amount of sensitive personal information. The central theme is that app sideloading would cripple its carefully structured security protections and expose users to attacks.
The statistics it presents certainly cast Android in a poor light. Apple claims that its rival mobile OS experiences 15 to 47 times more malware infections, totalling six million attacks per month and about 230,000 new malware infections per day.
Apple also claims that allowing app sideloading would be detrimental to its users in a number of ways. Cupertino predicts a wave of cyber crime coming to its ecosystem, even if app sideloading were restricted to approved third-party app stores, along with reduced control over apps for users and the removal of “core components of iPhone security” from iOS due to requirements created by certain sideloading initiatives. Apple also predicts that users would be tricked by fake third-party app stores and forced into sideloading apps by employers and schools.
While it is in Apple’s financial interest to paint as dire a picture as possible, the company is not factually wrong on some of its core assertions. However, it also may be exaggerating the case. As the Pegasus spyware recently demonstrated, iOS is just as likely to be exposed to high-level zero-day attacks that can give a threat actor complete control of the device. Also, while Apple’s iPhone security approach may provide users with superior protection from lower-level malware attempts, a recent study shows that it is not necessarily providing better privacy protection in terms of tracking by advertisers. All of this also looks at the issue through the lens of app use; Apple users can still be phished via text message or email in the same way that Android users can.
Apple’s own pamphlet also admits that there are still ways for bad actors to circumvent iPhone security and penetrate the App Store without app sideloading; primarily, purchasing approved enterprise certificates on the black market and sneaking in by way of the Developer Enterprise Program.
Apple on PR offensive ahead of potential app sideloading requirements
The app sideloading issue has emerged as Apple has faced regulatory and legal scrutiny from multiple sources, both from government agencies and in the form of private lawsuits. A recent concrete development was the decision in Apple’s long-running legal battle against Epic Games. While that ruling was mostly in Apple’s favor in terms of demonstrating monopoly power, it did also open a path to ending Apple’s ban on third-party payment systems in App Store products. That, in turn, could create legal footing for challenges to Apple’s control over app delivery and tight hold on iPhone security. The case is still up in the air, as Epic is working through the appeals process.
Apple has also been facing antitrust scrutiny from the Federal Trade Commission and the Department of Justice for years now, and Congress is reviewing several bills that could impact App Store operations. This could bring the world of alternative iOS app stores out of the shadows. In the early days of the iPhone, iOS allowed alternative systems of purchase. Apple did not introduce its own in-app purchase system until 2009 (about two years after the first iPhone launched) and did not begin banning third-party apps for using their own systems until 2011. Since then an underground ecosystem has emerged for the relatively small percentage of Apple users that choose to jailbreak their devices. Unofficial third-party app stores, such as AppCake and AltStore, allow these users to install unapproved apps (at their own risk).
Apple’s white paper argument for iPhone security practices does not really address the fact that the App Store (and its vetting process) would continue to be available in any of these scenarios. Some contend that Apple restricts “power users” and those more technologically sophisticated in the name of protecting its most naive demographic of device owners, giving neither group a free hand in using hardware that they own (and likely paid a premium for).
Ilia Kolochenko, Founder/CEO and Chief Architect of ImmuniWeb, observes that this approach does cut down on malware exploitation of more vulnerable users but can never entirely eliminate it: “Security by obscurity is one of the main pillars of Apple’s mobile security model that actually works pretty well compared to Android. By keeping its source code private and by preserving its mobile ecosystem closed for any third parties, Apple indeed prevents countless mobile attacks. Actually, full control over hardware, OS and application layers of iOS devices greatly simplifies security compared to a convoluted patchwork of Android security, especially for devices running older versions of Android … Nonetheless, virtually every month a new critical vulnerability is discovered in iOS that allows remote code execution, sometimes even without interaction with the victim. Some malicious iOS apps also manage to bypass Apple Store’s multilayered controls and get installed by unwitting users. The chances to get a malicious app on your iOS device are, however, significantly less compared to an Android device. That being said, even if security by obscuring is clearly not a panacea, opening Apple’s ecosystem to third parties will, undoubtedly, bring a tenfold increase in malware targeting iOS devices and undermine Apple’s security model.”