Allowing iPhone users to sideload iOS apps from sources other than the App Store is a disaster for iPhone security, Apple asserts in a "threat analysis" released today (October 13).
"Supporting sideloading through direct downloads and third-party App Stores would destroy the privacy and security protections that have made the iPhone so secure and expose users to serious security risks," states the 31-page paper, "Building a Trusted Ecosystem for Millions of Apps."
If Apple's claim sounds familiar, that's because in June Apple published a shorter paper with the same headline. At the same time, Apple CEO Tim Cook said sideloading would "disrupt iPhone security."
Government regulators on both sides of the Atlantic have threatened to force Apple to let iPhone users sideload apps. Since Apple collects 30% from App Store sales, this would water down one of Apple's main sources of revenue. (Google does the same thing for app sales on the Play Store.)
However, Apple is correct that sideloading is horribly bad for iOS security. Apple's main argument is that sideloading has always been allowed in Android, even though Google does not encourage it, and that Android's security has been greatly compromised as a result.
"Over the past four years, Android devices have been found to have 15 to 47 times more malware infections than iPhones," Apple said, citing numerous sources. A "major security firm" - in this case Kaspersky - detected "nearly 6 million attacks per month" on "clients' Android mobile devices."
Malware also infiltrates the official Google Play store, which does not vet apps as closely as Apple's App Store. However, the biggest malware problems in Android have been caused by users sideloading dubious apps from direct links in phishing campaigns or from "offloaded" markets that Google does not control.
"If Apple is forced to support sideloading, more harmful apps will reach users because it will be easier for cybercriminals to target them," the new paper argues.
It also points out that most third-party stores are not as heavily vetted as the App Store, and apps not approved by Apple also pose a privacy risk due to the possibility of spyware.
Then as now, these papers and comments were primarily aimed at European Union regulators: a proposed set of rules called the Digital Markets Act would force Apple to open the iPhone to apps from sources other than the App Store, but EU countries would first have to approve the rules.
A similar bill, called the Open App Markets Act, was introduced in both the U.S. House and U.S. Senate in August, but does not appear to be moving forward.
Margrethe Vestager, Europe's top digital regulator, told Reuters in July that promoting competition in the app market would take precedence over Apple's security concerns.
"I think privacy and security are paramount for everyone," Vestager said. "Because I don't think customers will give up their security or their privacy if they use or side-load other app stores."
The paper even acknowledges a flaw in Apple's own iOS controls: the primary route of malware infection in iOS is through Apple's Developer Enterprise Program, which allows companies to create in-house iOS apps and distribute them privately to employees.
"Despite the program's tight controls and limited scale, malicious actors have found ways to gain unauthorized access to the program," the Apple paper states.
"Fraudulently obtained corporate certificates are being exploited to distribute apps that violate App Store policies, including apps containing malware and pirated versions of popular iOS apps."
Apple claims that if sideloading were enabled for all iPhone users, iPhones would be flooded with the same kinds of spyware, stalkerware, Trojan horses, and other harmful things that are commonplace on Android phones, which currently allow sideloading. (Google's Android version requires changing some default settings before sideloading an app.)
"Forcing sideloading into the iOS ecosystem makes the iPhone less secure and reliable for users," Apple claims. "iPhone users will be constantly on the lookout for scams, they won't know who or what to trust, and as a result, users will download fewer apps from fewer developers."