A new report from Apple, entitled “Building a Trusted Ecosystem for Millions of Apps,” serves as an invective against the practice of sideloading apps to get around the App Store. Sideloading is used to access certain popular apps that have been banned from the App Store for reasons unrelated to security or privacy violations, most notably Fortnite. Apple’s new report characterizes any sideloaded app as a “serious security risk” and claims that allowing sideloading would do everything from putting ransomware on people’s phones to stealing their personal information.
Apple says sideloading apps would poke holes in its walled garden
The 16-page Apple report begins by touting the company’s “trusted ecosystem” as a place relatively free of malware, personal information theft and other security risks. It then moves on to say that sideloading apps would introduce a “flood” of hacking and threat activity onto the platform. The report presents several fictionalized examples of sideloaded apps bypassing parental controls, installing ransomware, leading users into inadvertent piracy, and leaking personal information in violation of Apple’s new anti-tracking measures. It concludes by listing off some of Apple’s safety features: automated scanning of App Store uploads, the App Review process that all developers are subject to, limitations on personal data collection, and the company’s support and refund processes.
The report does not really divulge anything new, and is likely intended as a PR move as Apple faces multiple antitrust probes in various parts of the world along with lawsuits alleging anticompetitive behavior. Apple’s court battle with Epic recently concluded and a decision is pending, with some legal experts believing that Epic did enough to at least force some changes to Apple’s store policies. The case, which is mirrored by similar lawsuits in the EU including one brought by Spotify, alleges that Apple’s platform is large enough to constitute a monopoly and that the terms it subjects developers to are unfair. Epic took specific issue with Apple’s mandatory 30% cut of sales made through the platform, something that many of the other antitrust actions have brought up. Epic was banned after making Fortnite purchases through other venues available in the iOS version of the game, and has responded by providing users with the means to sideload its Epic Games app.
Critics say Apple overstates security risks
Response from the assortment of forces gathered in opposition to Apple was predictably poor. Tim Sweeney, head of Epic Games, called the report a “sea of lies.” Various users of social media were quick to point out that the burglarizing fox illustration in the report could just as readily represent Apple taking a 30% cut of every transaction. Some developers took a more nuanced view of the situation, generally agreeing with Apple that sideloading apps will make the platform less secure but arguing that the company should get out ahead of it with some sort of controlled changes before governments force a broader change on them that creates a greater security risk.
While Apple has long enjoyed a better reputation for security among the two major mobile platforms, that reputation is largely from the perspective of a non-technical end user downloading apps with little idea of the potential dangers. When different scenarios are looked at, Apple does not always have a clear advantage. For example, while Android allows for sideloading apps it has also long had more robust privacy settings for managing the specific things that these apps can access on the device. And while it is true that security vulnerabilities seem to be more infrequent in iOS and its core apps, they do develop sometimes and are extremely valuable. This means that malicious actors go to greater lengths to preserve them and keep them quiet, and may exploit them for longer periods before anyone becomes aware of them. This year has been particularly bad for iPhone security risk, with at least seven updates required to address new vulnerabilities since the start of the year (as of late May).
The argument that the various antitrust cases bring is not necessarily that Apple has to specifically allow for sideloading apps, but that the App Store needs to adopt a more open model (more similar to Google’s Play Store) that takes less of a cut from its developers. While Android does allow sideloading apps, attempts will be blocked until the user manually enables the “Install Unknown Apps” setting and permissions for each of these apps can be controlled on an individual basis. Another possibility is that Apple may be legally compelled to allow third-party app stores on its devices, something proposed in a bill authored by antitrust subcommittee chairman David Cicilline (D-RI). Hank Schless, Senior Manager of Security Solutions at Lookout, provided some insight on what that outcome might look like as regards overall security risk and app purchases: “If these third party app stores become an option, many enterprises will opt to use them in order to more easily implement bespoke internal apps. This could open them up to additional risk. Third party app stores tend to be less monitored, so a threat actor could upload a compromised version of a legitimate internal app that they find on there.”
A recent transparency report from Google indicates that about three million Android devices currently have malware on them. There are two ways to look at that statistic, in terms of sideloading apps and overall security risk. The first is to compare it to Apple’s iPhone and iPad totals, for which there are no comprehensive numbers but the company’s last “bad” outbreak of malware (on the more open Mac) hit about 30,000 devices. The other way to look at it is that three million is still only about 0.1% of Android’s global active user base, and significantly less than the 30% of global PCs that are estimated to have some form of malware on them.