Apple is continuing its campaign to explain why sideloading on Apple devices is a bad idea.
Apple Software Vice President Craig Federighi appeared at the 2021 Web Summit to passionately defend his company’s approach to platform security on the iPhone. He was speaking out against a clause in the EU digital markets law that would force the company to support sideloading of apps on the iPhone.
There are four main reasons people want Apple to do this:
- For commercial reasons, like selling products created using Apple’s APIs to people on Apple’s platforms without paying for the ability to do so.
- For consumer choice, so it becomes possible to install and use apps that are not made available on the App Store.
- For sneaky reasons, such as avoiding the App Store app review process to continue tracking users without consent or for other forms of surveillance.
- For criminal purposes, such as creating fake app stores to spread malware, ransomware, and more.
It is perfectly acceptable to try to gain a commercial advantage, and we have already seen how the mantra “open beats closed” is often used to undermine the interest of consumers. Google used it when it clashed with Apple over Android, although years later Android became much more closed.
Show your face
However, I think much of the energy behind the current campaign comes from a loosely united set of interests working to undermine Apple’s privacy and security for their own benefit. The group also has allies, equally committed to making a fortune in the so-called “metaverse,” which many see as a virtual world that we can still enjoy once climate change makes the real world too toxic.
The way I see it, when a company that can afford to lobby a former British Deputy Prime Minister rejected by voters complains about something, it will probably reflect its interest. In this case, it wants to undermine Apple’s privacy protections to protect its business, and it wants to create a bulwark against the upcoming war on augmented and virtual reality.
The protection of Meta’s business model is the basis of the company’s motivation. That’s why it accuses Apple of the same thing. And a recent move to create its own home market that contravenes Apple’s App Store guidelines shows how far it will go.
An even bigger business model
But there are others with a commercial interest in undermining the security of Apple’s platform: criminals who want to enter your digital lives.
The problem is that they are good at what they do. They are smart, sophisticated, and capable enough to set the stage to persuade innocent users to make mistakes. Who hasn’t clicked on an incorrect link in an email at least once?
They also don’t work in isolation. Online crime is a heavily funded industry; it’s not just about lonely losers in basements. It is banks of computers in seemingly legitimate offices, paid for by state and non-state sponsored groups. Cybercrime is projected to cost the world $10.5 trillion annually by 2025. A single successful ransomware attack costs a US company an estimated $9 million, according to IBM.
With this kind of money at stake, it is trivial for criminals to create bogus apps and app stores in an attempt to inject malware into devices. A little social engineering and some targeted phishing scams and they might be able to set up shops that target places, individuals, businesses or government agencies.
“Even if you have no intention of sideloading, people are usually forced or induced to do so,” Federighi points out. The impact of such attacks is vast in terms of revenue, business continuity, and reputation.
Humans are vulnerable
In all of these cases, the challenge is that humans are vulnerable. In all my years of writing security tips for users, I have come across this. Many argue that they don’t have to worry about security when using a Mac (they do); others will argue that they can download what they want and no one else will be interested. That’s not true either – you can be used as a conduit to infect others.
Think of those annoying messages we all get from friends when their online address book is hacked. I think we’ve all seen some of them. Or consider those vast collections of data regularly stolen from businesses, including a shock data loss affecting half a million people in the UK this week.
All this information can be used as a weapon.
Now, imagine if that weapon was based on mining these data collections to identify particular groups of people and then creating attractive-sounding software products that can be distributed to those people via a malware-infested app store.
A person who downloads malware can end up losing all the information they have about you. On a corporate level, this is much worse. As an attack on Target showed, a security vulnerability in a relatively low-level system can be used as a path into the company’s overall technology stack.
Federighi puts it this way: “The fact is that a compromised device, including a mobile phone, can pose a threat to an entire network. Sideloaded app malware can put government systems at risk, infect corporate networks, public services …”
But what about …?
There are two arguments that are routinely presented to undermine Apple’s position: that few people sideload on Android, which allows it, and that Macs do allow users to install apps from other sources.
I have not found any evidence for the first claim. I have found some reports indicating that app sideloading is more popular in the APAC region than in the US. I’ve also seen a report (from Google) that suggests sideloading apps actually creates risk. But I haven’t found any evidence that shows few people sideload on Android. Hence, it is probably not appropriate to argue that this is the case.
And when it comes to the second claim, even Apple admits that Mac security isn’t as robust as it would like, despite being the safest PC platform out there.
Ultimately, a move to force sideloading on Apple devices won’t offer any significant benefit to most users, but it could have costs and consequences for most businesses and individuals that far outweigh the dubious benefits.
Consumers already have a choice they can make if sideloading is important to them. The argument that it is about choice ironically denies choice by removing the option of a protected system.
Copyright © 2021 IDG Communications, Inc.