Apple’s App Store Stubbornness May Be iOS’s Greatest Security Vulnerability

Only if you were extremely cavalier and careless. (Or used Microsoft Outlook and Internet Explorer, but that’s the same thing. 🙂 I never had a problem with command-line tools and later the Netscape/Mozilla suite.)

I’ve been downloading shareware/freeware apps from the Internet since before there was a “WWW” and I’ve never even once downloaded a virus. And this was mostly DOS and Windows applications.

It all comes down to where you choose to get your software. If you download from a server with responsible operators, that scan for and block malware, then you’re mostly going to be safe. And if you perform your own scans on what you download before trying to install/run it, that is about as good as you’re going to get.

No need to limit yourself to an app store that’s officially approved by the OS provider.

As a matter of fact, that’s hardly a guarantee. The one time I got a virus on my PC (running Windows 95, if I remember correctly), it got installed via Windows Update. That’s right - Microsoft’s own update server somehow got a virus-infected update, which they distributed. When I reported it to them, they denied that it was even possible, but I know for a fact that it was them because I wiped the computer (reinstalling from CD), and the same virus appeared immediately after installing the first update.

2 Likes

Part of the fantastic-ness is that it doesn’t allow side-loading. Taking away its best feature is not a good way to win that competition.

1 Like

No. That’s not a feature of the App Store. That’s a feature of the operating system.

Even if side-loading was allowed, anybody who chose to only use the App Store would receive exactly the same features and benefits as the App Store currently has.

Side-loading changes nothing about the App Store.

2 Likes

and even tech-savvy users will be forced to install Facebook, Instagram, and WhatsApp.

Nope. Never had any of those. Likely never will. My life is just fine without them, thankyouverymuch.

I’ve been “sideloading” on my Macs since 1984. Never had a problem. Sure, you need to research where you get your stuff from. And yes, that is work. And sure, some people will get in trouble because they are not willing/able to do that work. That’s just the way the world is. I prefer to do that little bit of extra work even on my iPhone than live in a world where two private companies alone get to dictate without any common-sense regulation the devices that are slowly but surely becoming a bare necessity just to get through everyday life. As mentioned by others before.

My personal views on this issue and Apple specifically would be different if iOS were a 5% platform for a select few and you could claim whoever doesn’t want to abide by Apple’s closed App Store rules can go check out those other 95%. But at least in the US, and especially around this part of the US, iPhone is a major platform, of just two. That’s not choice, that’s duopoly. So if Apple doesn’t budge on its own, I expect regulation to kick in. In a world where there’d be 10 such platforms each with distributed market shares we could let the market duke it out. But that’s 5th grader libertarian fantasy land, not the actual world we live in. Ours is that of mostly unregulated duopoly. Now perhaps US regulators can get away with not doing their jobs (repeatedly), so then I’m more than happy to watch the EU clobber Apple into submission. Will that have undesired side effects? I’m certain it will. Will I regret that? I sure will. But does that in itself present a reason to just let Apple continue as it has in the past? Not a chance.

It’s part of the entirety of the security system that Apple has set up, and it’s inextricably linked with the App Store, so I consider them part and parcel of the same thing.

I want to roll up my responses to a few different points here.

First, I completely agree that Apple has some capricious and developer-unfriendly policies in place. They also have some arbitrary enforcement (a lot from what I hear). Those are all issues I believe Apple needs to address and I’ve been knocking them for it for years. It’s the reason we used the title for the article that we did - Apple created this situation directly due to those policies, which aren’t all just about the payments/percentages.

Second, malware was an unmitigated disaster on Windows until relatively recently. It was so bad the US government notified Microsoft that they, the largest IT buyer in the world, would stop buying MS products if the situation wasn’t changed. This resulted in the Trustworthy Computing Initiative in 2001 (I think, being lazy). Malware is still a problem on Windows today - for multiple reasons and Microsoft is also moving to an App Store model (not mandatory) to provide a “safer” experience. Again, very early days here.

Macs simply weren’t a big enough target back then. They barely are today, but we do see greater targeting compared to the years mentioned here. Apple has WAY better security now than 10 years ago. Far from perfect, but much better. Personally I advise friends and family to mostly just buy from the Mac App Store or well-known developers. Some still get annoying malware (mostly minor stuff so far that’s been easy to clean).

On to iOS - clearly a much bigger target. Apple recognized this early and started taking security more seriously. I know this because… I know some people involved and will leave it at that.

Back to notarization… yep, no scanning on Mac, no sandboxing. I would want both of those for iOS. I want NOTHING that compromises the sandbox. That’s my personal opinion based on 20+ years of working in security. It’s okay if you disagree, just my perspective. Notarization that respects the sandbox and entitlements could be a compromise. Still not my choice, but better than open-field side loading.

In the end, much of this is about to be out of Apple’s hands anyway. They have been too slow to realize the risk and I don’t see this turning out well. Regulators are the last people I trust to make these decisions.

3 Likes

Thanks for your response. I certainly agree with this part:

I’d prefer that compromise. The sandbox is important, and as some of the security features from iOS move to MacOS, I’m happy. I’ve even been somewhat pleased that as Apple has added security to their latest computer hardware, that they haven’t prevented me from running Linux or other OSes if I want to. I think that’s important.

mogull has saved me a lot of time by expressing my position fairly well.

In over 30 years of supporting company security teams and many diverse users, I have found VAX/VMS and macOS to have been and to be my favorite environments because of continually increasing security capabilities with each OS release. I currently support users of Microsoft Windows and OS X, macOS, and all the device variants of iOS. I applaud the continuing vendor efforts toward a consistent and safe user environment.

My biggest fear is that the existing Apple environment will be dismantled and become as disjointed as the Windows environment. As a regular user of Microsoft and Apple operating systems as well as supporter of diverse users of both, I find the current Apple model superior regarding ease of support and integration between OS and devices. Currently, I don’t worry much about what iOS users install – I can still support them. But, if the gazillions of iOS devices have anarchic software, the Users may not want to pay for my time required to support them.

The proper target for our wrath is not closed software distribution as much as the apparent inconsistency of software review in Apple’s app stores.

1 Like

Unless you work for Apple…that statement has no basis in fact because Apple employees and only Apple employees (plus their accountants) know the cost of the store…and is most certainly more than just the cost of the hardware and bandwidth used. Office space, taxes, overhead, executive salaries, charitable donations, software engineering and many other corporate expenses are charged proportionately to departments or groups in the company…that’s the way business works and how expenses are allocated.

That said…Apple is a business and absent being a regulated monopoly…it isn’t any of the government’s business how they run their business or how much profit they make…making a profit is really the sole goal of a business regardless of how many liberal or conservative or environmental or firearms or abortion or whatever causes they tout.

And that said…it seems obvious that various governments around the world are going to stick their noses in anyway…and wrongfully IMO…and force side loading and 3rd party payment systems. When they do…Apple should force users to make a choice…you can have the Apple store or the 3rd party stores…and flipping the switch to 3rd party results in user agreement which is transmitted to Apple that Apple is not responsible. If a user switches back to the Apple store via settings…non Apple store apps get deleted…again with user approval via dialog and transmission to Apple. Same with 3rd party payment systems…if a dev chooses to use one then the dev either uses his own store or a 3rd party store or can use Apple’s but the dev gets charged for using Apple’s store…they don’t get to use Apple’s infrastructure for free.

The walled garden is an Apple specific feature which millions of users want…those users and devs that don’t like it are free to go to Android or elsewhere. Same issue with forcing Messages to interact with all messaging platforms…there are other apps and OSes that do that…and again users have a choice…and millions of users have made the choice that the advantages of the walled garden offset the disadvantages which are clearly existent…but those users simply made a choice.

1 Like

That walled garden has been a blessing to my ability to support users.

1 Like

You’re simply begging the question. The fact that they are a monopoly is what allows them to have 100% of the market. It’s not an argument to say, but if we broke up the monopoly then they wouldn’t be a monopoly.

Those who say they are doing a great job do need to face the fact if they are doing a great job they should be able to compete in a free market.

It’s not secret knowledge that Apple is making more and more of their money on services. Let’s not pretend like 30% isn’t very profitable for them. I don’t want the government to dictate the percentage, but I’m less worried about demanding that Apple let users choose what to run on their own hardware.

No, there are a lot of walled gardens. It’s not just Apple-specific.

I think you meant to say “which millions of users have grudgingly accepted in order to get an iPhone.” I remember all the other examples of things that competitors did or the jailbreaking scene added, that Apple eventually did. So many people said those things would be terrible… all the way up until Apple did them. Then all of a sudden it was great because Apple was doing it. This feels remarkably similar.

Today: “Sideloading will be terrible!”

My bet about tomorrow: “Sideloading is so amazing. Apple is the only company that could allow sideloading in this amazing way so that we still have security!”

2 Likes

They’re not a monopoly in the smartphone market place – there are clear and successful alternatives to iOS. If I wanted an open architecture, I would switch to Android. I’d rather have a closed system, which is one of the reasons that I stay with iOS.

Measuring success only by its ability to survive in a free market is what destroyed all the little mom&pop stores in the 1970s, hollowed out city centers in the United States, and put everything in giant warehouse stores at the city margins. We got things like Walmart and Amazon because of an irrational devotion to the free market.

2 Likes

They are the only place to buy Apple products and services…but since Android exists they are no more a monopoly than PlayStation is…there are many other hardware and OS and software sources…they’re just not sources for Apple products and services. As I said…millions of users choose Apple…and for probably the vast majority the security (albeit not perfect but way beyond Android and Windows) of the walled garden was a key consideration in the decision to buy an admittedly more expensive product up front but largely cheaper in the long run. Saying they’re a monopoly because they are the only sellers of Apple products and services is like saying Ford or BMW or RAM or Canon or Nikon or Waterford Crystal are monopolies because they’re the only sources for their products and services. It’s a specious strawman argument.

Apple does not do everything right with either their hardware, software, or store…and they should listen more to users and devs and fix what they can within their vision for what Apple OSes are supposed to look like and work like…but again those are their business decisions to make…not the court’s or government’s because of so called anti competitiveness or user friendliness or cross platform capability…dumbing things down to the lowest common denominator is…well…dumb.

Whether Apple could or could not compete in a free market is irrelevant to the simple fact that Apple…being NOT a monopoly…should conduct their business strategies as Mr. Cook, his staff, and the board think they should conduct their business. Whether you or I or the EU government thinks that their decisions are the best ones for Apple doesn’t matter in the absence of monopoly considerations.

1 Like

Thanks, Peter. You said what I wanted to say better than I could have. And this is the most important point in this entire conversation.

Even these Apple-granted entitlements sound like a joke to me because we already have the user-granted Privacy prompts. I guess it’s reasonable that Apple could protect users, based on a human evaluation, from even being prompted to grant something ridiculous like Tetris access to your address book. But I’m not sure that’s a strong argument against side loading.

Apple’s dishonesty by muddying the conversation and conflating disjoint concerns and technologies diminishes my respect for Cook.

3 Likes
1 Like

Most probably Apple does not want to have to deal with having its help services swamped with calls about scams, viruses, malware, etc. Side loading would be equally bad for customers and businesses as well as Apple. For years, Android has had ongoing concerns due to sideloading:

https://www.androidpolice.com/2021/02/08/heres-why-some-google-app-updates-cant-be-sideloaded-on-android-11/

Security and protecting consumers are among Apple’s biggest, and most effective, selling points. The overwhelming numbers of people who seem to be whining about it are developers. Like Tim Cook has said many times…if you want to side load apps, get an Android:

And Craig Federighi:

Apple has a thorough description about the threats of side loading:

Well, with the App Store, only Apple has my payment details. I don’t have to worry about the developer having adequate security for my payment details; I don’t have to worry about having my credit card details leaked by a security breach except at Apple. And if there is a subscription involved, it’s a simple process to cancel the subscription. I won’t have to call anybody, write a notarized letter, etc., to cancel a subscription.

I hope that if sideloading and third party app stores are required that I can have an option in settings that will prevent sideloading (as is the case by default for Android) and that there is some sort of warning before I approve a purchase/subscription to a third party. I hope especially that family sharing plans have this so family organizers can lock down their kids’ devices.

1 Like

I’ll just leave this here:

1 Like

Thanks for the anecdote. Do you have data that suggests this is widespread?

1 Like