Apple’s App Store Stubbornness May Be iOS’s Greatest Security Vulnerability

Originally published at: Apple’s App Store Stubbornness May Be iOS’s Greatest Security Vulnerability - TidBITS

Apple’s App Store helped make iPads and iPhones the most secure consumer-focused computers ever created. But Apple’s opaque policy enforcement and payment restrictions are now motivating regulators and courts to get involved, which will likely force changes that will damage consumer safety.

2 Likes

Why do you still say that sideloading “compromises” the security? Even on the Mac the apps are signed and notarised. The only check that Apple does takes 10 minutes to verify that an app does what it says. What do you think that a reviewer can do in 10 minutes?

Many developers get rejected for the most ridiculous reasons. That’s what the app review is for me. And not something that ensures security.

It’s also trivial to make a fraudulent app pass the review. Just check what Kosta Eleftheriou found out with super simple data.

I develop a macOS app and don’t do iOS.

1 Like

Signing and notarization on the Mac only tell you who to blame, and give Apple an emergency rip cord, but they don’t preemptively prevent you from rogue applications.

https://www.makeuseof.com/sideloading-installing-apps-risk/amp/

1 Like

Here are Google’s answers to why side loading apps is extremely dangerous:

https://support.google.com/android/thread/147764727/how-do-i-download-apps-that-arent-from-play-store?hl=en

As well as this:

And the results of an excursion into side loading by one of the powers that be at Malwarebytes:

But there’s one huge difference here - Google allows third-party app stores. For nearly everybody, side-loading is unnecessary. I’ve only used it for work, in order to install apps that were written by a co-worker as part of a proof-of-concept development effort for a customer.

You can explicitly grant an android app the ability to install an application package. As a matter of fact, that’s how side-loading works - you copy a package to the file system and (at least the way I’ve done it on my Samsung phone), you grant your file manager installation permissions. Then when the file manager opens the package file, you are asked if you want to install it and after you say yes, it installs.

The Google Play Store automatically has permission to install apps - since it wouldn’t work otherwise. You can grant this permission to other apps. This is how (for example) the Amazon app store works. It’s just another app on your phone, but it has app-install permission, which it uses when you download and install a purchase.

I think Apple could do the same thing, if they wanted to. They could grant app-install permissions to third-party app store applications (e.g. Amazon), which would be distributed as free apps on Apple’s app store. They can be as careful as they want to make sure only legitimate software resellers that supervise what they sell (to block malware and pirated software and such) are allowed to release app store apps.

I think doing this would satisfy most government regulators without allowing full-blown side-loading. The only potential catch here is that there will always be some app stores that get denied permission and some will complain and threaten lawsuits. So Apple needs a very clear-cut and well-documented set of standards and they must stick to them no matter how inconvenient they might be for some stores.

And the nice thing is that Apple already has the software infrastructure in place. A third-party app store is conceptually not much different from a corporate profile (which allows installation of corporate apps from a corporate server on phones managed by that corporation). It will really just come down to business policy, not any technological change.

1 Like

I’m very sorry the App Store hasn’t worked out for you. I do hope that you’ll be able to do some adjusting and resubmit, and get a positive result soon. But like just about every retail operation across the globe, the powers that be in stores get to decide what they will, or will not sell, for whatever reason they want.

1 Like

Josh Centers’ Aug 2020 TidBITS posting doesn’t discuss sideloading per se, but it does delve heavily into the App Store and its various issues. Just thought I would reference it here.

1 Like

Of the entire chain of security listed in the article, the only one that is omitted in sideloading is the app store review.

Everything automatic in the App Store review can be done before notarising the app as well.

So the only thing extra is some Apple Employee launching your app and verifying that for the first few minutes the application vaguely does what it says it does. But nothing stops the application from waiting until next month (or any other signal) and changing its behaviour entirely. So the app review serves no security purpose - its purpose is purely to disallow honest developers from breaking Apple’s (often unwritten) rules in how they behave. App Review is entirely to control applications for Apple’s benefit.

There is no additional security in App Review, and therefore no loss of security in sideloading.

Meanwhile there are whole categories of applications that will never be written while Apple has absolute control over what applications can be distributed. This is a huge, unknown, loss to all iPhones users, one that is impossible to quantify.

4 Likes

Thanks for remembering! Rich and I are very much at philosophical odds here, but I respect his well-informed opinions.

This came up from someone on Twitter as well. I think the issue is if notarization would still be considered acceptable to the regulators and competitors (and Apple). I suspect I internally self negotiated out of that being a viable option.

The automated/anti-malware reviews could be included still… but would that fly? Apple would still be the gatekeeper so… I’m willing to admit it could work. I think it would still be less secure/private but to a much smaller degree than fully-ungoverned side loading. I believe you are saying that a notarization review would still have some level of nominal security checks, please correct me if I’m wrong. I’m also assuming that you mean notarized apps would still have entitlement enforcement and sandboxing (I don’t mean apple reviewing the entitlements, but the entitlements triggering user consent).

I’d prefer to see Apple being held more accountable for App Review improving security (including updates) than saying they suck at it so let’s just get rid of it. Clearly it works to a large degree due to the very limited amount of malware we’ve seen.

2 Likes

Oh, I agree Apple has screwed up a lot in the App Store. I just want to keep the ecosystem as safe as it is right now.

1 Like

What the whining programmers don’t consider is that before Apple created its App Store Model, programmers were at the mercy of the publishers they had to sell through and received way less than the 70% which Apple would be paying them. So if the EU requires Apple to let other publishers sell apps, the whining programmers of those apps will be paid less & less. Sounds like they are being penny wise and pound foolish to me.

1 Like

Of course, sideloading is nothing new—it’s how things work on the Mac today, where you can install any app from any source.

I never thought I’d see the day where TidBITS would derogatively refer to installing an app on my Mac as “sideloading.” Sad to see you try to make people think they’re in danger if they buy products from your sponsors.

even tech-savvy users will be forced to install Facebook, Instagram, and WhatsApp.

Nope. Nopity nope nope. Who’s forcing you to? They haven’t forced me. Hard pass.

What if your bank only supports an alternative store?

Are you kidding me? Can you point me to any example of this happening in Android world or is this just fear mongering?

The only difference back then was that we only loaded games from physical media, like cartridges or CD-ROMs.

In other words, what you call “sideloading” elsewhere. At the time this is also how we got apps onto our computers.

I’m extremely hopeful that the government will stop the abuse that Apple has foisted on its customers. By demanding to have universal control over what we can use the computers in our pockets for, Apple harms its users and the market. Security may indeed decrease some, but look on the bright side:

  1. As you’ve already admitted, the choice is with the user. If you want to stay as secure as possible, just stick with Apple’s store.

  2. You’re a security guy. If other people don’t listen and security suffers, there’ll be more money flowing to your part of the economy. :slight_smile:

4 Likes

Mac notarised applications do not have to be sandboxed.

All applications are subject to the local consent and security restraints (and it would be nice if these were not so horrendously buggy on the Mac, which leaves me with little confidence that the actual security works properly).

I’m not really sure that notarisation really adds any security anyway. Realistically, even if Apple static checks the application, applications are, by definition, Turing complete, and can get around those restrictions if they can generate their own code.

What signing does provide is a way for Apple to remotely kill (and preventatively stop from executing in the future) specific applications and/or developers.

I am not opposed to either of these (the notarisation requirement and the remote kill-ability) remaining as long as the restrictions are strictly based on security threats.

The problem with the App Review is a) it is pure security theatre and adds nothing at all, and b) it exists purely for Apple’s control, to limit what can be done to only what Apple allows, which I find needlessly (even offensively) restrictive. I just learnt today that I cannot even write a Car Play application for my own phone and my own car without getting Apple’s permission. That is simply an unacceptable restriction on my use of my own devices.

The only effective security is the security that happens on the device. This is true regardless of the App Store or App Review. Signing/Notarisation allows the user to know that the app a) has been written by a known developer; b) has not been modified by a fourth-party; c) has not been actively killed as malicious by Apple, so it does have value.

2 Likes
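As an added illustration of the three properties the post above attributes to signing and notarisation (a known developer, an unmodified binary, and a remote kill switch), the following Go program is not part of the original thread and is not Apple’s code. It models a developer signing an app and a device-side gatekeeper checking it, using Ed25519 over SHA-256 and a simple revocation list as a deliberate stand-in for Apple’s X.509/CMS code signing and notarisation tickets. The names Gatekeeper, SignBundle and Scenarios, and the sample “code” strings, are invented for the example. It also shows the point made elsewhere in the thread: the same trusted key validly signs a build whose behaviour has changed, so a good signature says who to blame, not what the app does.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Verdict is the device-side result of checking one app bundle before launch.
type Verdict struct {
	KnownDeveloper bool // (a) signed by a developer key the device trusts
	Intact         bool // (b) the bytes match what that developer signed
	Revoked        bool // (c) the developer or this exact build has been killed
}

// Allowed is true only when all three properties hold.
func (v Verdict) Allowed() bool { return v.KnownDeveloper && v.Intact && !v.Revoked }

// SignedBundle is a toy signed app: the code, the signer's public key, and an
// Ed25519 signature over SHA-256(code). (Assumption: real bundles carry
// certificates and CMS blobs; a bare key is enough to show the checks.)
type SignedBundle struct {
	Code      []byte
	Developer ed25519.PublicKey
	Signature []byte
}

// NewDeveloper creates a fresh developer signing key pair.
func NewDeveloper() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// SignBundle hashes the code and signs the digest with the developer's key.
func SignBundle(priv ed25519.PrivateKey, code []byte) SignedBundle {
	digest := sha256.Sum256(code)
	return SignedBundle{Code: code, Developer: priv.Public().(ed25519.PublicKey), Signature: ed25519.Sign(priv, digest[:])}
}

// Gatekeeper holds the trust state a device would sync from the platform owner:
// accepted developer keys plus revoked keys and revoked build hashes.
type Gatekeeper struct {
	Trusted       map[string]bool // hex(public key)
	RevokedKeys   map[string]bool // hex(public key)
	RevokedBuilds map[string]bool // hex(sha256(code))
}

func keyID(pub ed25519.PublicKey) string { return hex.EncodeToString(pub) }

// NewGatekeeper trusts the given developer keys and starts with nothing revoked.
func NewGatekeeper(trusted ...ed25519.PublicKey) *Gatekeeper {
	g := &Gatekeeper{Trusted: map[string]bool{}, RevokedKeys: map[string]bool{}, RevokedBuilds: map[string]bool{}}
	for _, pub := range trusted {
		g.Trusted[keyID(pub)] = true
	}
	return g
}

// RevokeDeveloper kills every build from one key; RevokeBuild kills one exact build.
func (g *Gatekeeper) RevokeDeveloper(pub ed25519.PublicKey) { g.RevokedKeys[keyID(pub)] = true }
func (g *Gatekeeper) RevokeBuild(code []byte) {
	d := sha256.Sum256(code)
	g.RevokedBuilds[hex.EncodeToString(d[:])] = true
}

// Check verifies identity, integrity and revocation status. Nothing here inspects
// what the code does; only who signed it and whether it is still the same bytes.
func (g *Gatekeeper) Check(b SignedBundle) Verdict {
	digest := sha256.Sum256(b.Code)
	id := keyID(b.Developer)
	return Verdict{
		KnownDeveloper: g.Trusted[id],
		Intact:         ed25519.Verify(b.Developer, digest[:], b.Signature),
		Revoked:        g.RevokedKeys[id] || g.RevokedBuilds[hex.EncodeToString(digest[:])],
	}
}

// Scenarios runs the cases discussed in the thread on constructed sample "code"
// and reports whether each bundle would be allowed to launch.
func Scenarios() map[string]bool {
	devPub, devPriv := NewDeveloper()
	_, strangerPriv := NewDeveloper()
	gk := NewGatekeeper(devPub)
	out := map[string]bool{}

	good := SignBundle(devPriv, []byte("v1.0: does what it says"))
	out["signed by trusted developer"] = gk.Check(good).Allowed()

	tampered := good // "fourth-party" modification after signing
	tampered.Code = append([]byte(nil), good.Code...)
	tampered.Code[0] ^= 0xff
	out["modified after signing"] = gk.Check(tampered).Allowed()

	out["signed by unknown developer"] = gk.Check(SignBundle(strangerPriv, good.Code)).Allowed()

	// Same trusted key, different behaviour: the signature check cannot tell.
	later := SignBundle(devPriv, []byte("v1.1: phones home with contacts"))
	out["trusted developer, changed behaviour"] = gk.Check(later).Allowed()

	gk.RevokeBuild(later.Code) // the platform owner pulls the rip cord
	out["after revocation of that build"] = gk.Check(later).Allowed()
	return out
}

func main() {
	for name, allowed := range Scenarios() {
		fmt.Printf("%-40s allowed=%v\n", name, allowed)
	}
}
```

Run it with `go run main.go`; the tampered and unknown-developer bundles fail on integrity and identity respectively, the changed-behaviour build passes until its hash is revoked, which is the gap the post says only on-device enforcement can close.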

Without wanting to be rude, this is utter rubbish. Sorry, but it really is.

I am a “whining programmer” in this regard, and I have been making a living selling my apps on the Internet since 1994. A typical cost would be less than 10%.

And I am far from unique. Lots of software, probably most software, was available for sale on the Internet before the iPhone was even released, and with costs under 10%.

The fact that Apple has tried (and apparently succeeded!) to convince people that there was no Internet sales of software before the introduction of the App Store is downright deceptive.

Here is just the list of Top Sellers on Kagi in early 2007:

Those are just the indies - all the major software houses had online stores as well.

And pretty much none of them have online store expenses of more than 10%.

5 Likes

Of course this is true. However, it was like the Wild, Wild West out there. Remember the days when shareware was the big thing? It’s still alive and easily available:

Way back then, digital viruses were spreading faster and wider than Covid variants are today. Security, esp. payment security, was iffy. Global payments were even iffier, as were managing local and international taxation issues. So was privacy. And fraud was a huge issue as well.

To participate in Apple’s App Store, developers do have to jump through hoops. Like in most other retail venues in the free world, the owner gets to choose what they will sell, and what they will charge for stocking products. And Apple focuses on benefits to consumers as well as to developers. And I think that the costs of running the App Store must be very significant.

On the consumer side, I remember very well the old days of software sales – it was chaotic, confusing, and hard to monitor. Entire web sites were dedicated to keeping track of various software packages and whether they’d been updated. It was a pain and I much prefer the centralized nature of the App Store: automatic updates* & one place to look for software.

*Automatic updating techniques obviously arrived pre-Apple store but I found them unreliable.

2 Likes

No they weren’t. Very hard to take you seriously when you make such outlandish claims. Viruses have never been a substantial problem on the Mac.

3 Likes

I disagree.

Kagi was well established (10+ years) with thousands of developers, processing many millions of dollars of sales. Other players were also in the market. And most of the big name software like Adobe and Microsoft had their own stores.

On Windows, sure. On the Mac, not at all. Mac viruses were essentially eliminated by a cabal of anti-viral developers in the 90s, which restricted the number of viruses on the Mac to virtually none, and thus allowed easy management of them - essentially a reverse of Broken Window Syndrome. The last serious virus on the Mac back then was dealt with so effectively that within days of its release the virus author was in jail.

If Apple’s App Store is so fantastic for customers and developers, then it should have no trouble competing with sideloading. Apple won’t allow sideloading specifically because the App Store is not good enough to compete on its own merits.

The App Store is full of fraudulent scams (that Apple receives 30% of the revenue for, making them complicit in the fraud).

There is no way the costs of running the App Store exceed 10% of its revenue.

6 Likes