In case you thought the recent interview of Tim Cook, where the Apple CEO said allowing users to load apps from outside its app store would “destroy the security of the iPhone”, was a one-off, Apple returned to the topic on Wednesday in a paper released on its site.
To paint a picture of Apple’s missive, one only needs to keep in mind the warning from Dr Peter Venkman about “human sacrifice! Dogs and cats living together. Mass hysteria!” because make no mistake, Apple wants you to think it would be a disaster of Biblical proportions.
“Allowing sideloading would degrade the security of the iOS platform and expose users to serious security risks not only on third-party app stores, but also on the App Store,” the paper states.
“Malicious actors would take advantage of the opportunity by devoting more resources to develop sophisticated attacks targeting iOS users, thereby expanding the set of weaponized exploits and attacks …. that all users need to be safeguarded against.
“This increased risk of malware attacks puts all users at greater risk, even those who only download apps from the App Store.”
In attacking a hypothetical future where Apple is forced to offer sideloading, by the nature of the argument, it would be impossible to quantify exactly how much worse that future would be. The iPhone maker is correct that sideloading would open a new avenue for malware, and Apple wants regulators around the world to picture it as a vomitorium where malware would flow onto its platform to do very bad things.
Apple also made clear the downsides would impact its entire population of users, because when you fight a political battle, it’s important to make sure your side is able to “think of the children” in a better way than the alternative.
“[Sideloading] would also make it more difficult for users to rely on Ask to Buy, a parental control feature that allows parents to control their children’s app downloads and in-app purchases, and Screen Time, a feature to manage their and their children’s time with their devices,” the paper said.
“Scammers would have the opportunity to trick and mislead kids and parents by obfuscating the nature of their apps, making both features less effective.”
Using the life of a father, dubbed John, and his daughter Emma, aged 7, Apple showed how a sideloaded apps could ruin their day through unauthorised purchases, ransoming John’s photos on his camera roll, and purchasing pirated apps.
“This means that users like John, who had grown to take the safety and protection of iPhone and the App Store for granted, would have to constantly be on the lookout for the ever-changing tricks of cybercriminals and scammers, never knowing who or what to trust,” Apple said.
Imagine having to live in a world where a trickster was around the corner looking to benefit from you, and you needed to be on alert to not be ripped off. Let’s hope Cupertino doesn’t find out about cryptocurrency hustlers, or even the dodgy furniture salesman at the local strip mall.
Another thing to keep in mind when reading this paper is that Apple has succinctly described the world of MacOS where users, at the time of publication, are still able to install random apps from strange places on the internet. In its fight with Epic, Apple has taken to saying the level of malware on the Mac was unacceptable.
And what is the level of malware that has turned the Mac into this vertible malware free-for-all? A couple of pieces a week. How Microsoft must weep over reaching such plague-like levels.
But the real thing to be worried about, for Apple and its users alike, would be anything that pushes iOS into being more like Android — for religious reasons, if nothing else.
To get a handle on the raging malware party on Google’s ecosystem, the advertising company regularly publishes the levels of potentially harmful apps (PHA), which can absolutely be read as pieces of malware.
For all devices running Android with Google Mobile Services enabled — so not pure open source or some Chinese manufacturers — the level of PHAs is just coming off a two-year high, reaching 0.122% of devices. For an ecosystem of around 3 billion devices, that’s around 3.66 million devices — small percentages, but big absolute numbers.
Google says that as the Android version on devices increases, the level of PHAs goes down to 0.076% for Android 10, and 0.031% for Android 11.
For phones that only install apps from the Play Store, the PHA levels drop to 0.065%, with India leading the world with the highest rate at 0.121%, followed by Japan at 0.084%, Indonesia at 0.075%, and the US at 0.071%.
Having higher rates of malware in places like Japan is something that Proofpoint has observed, with malware being advertised with web redirects after a user’s location is pinned.
“As the official app stores become more restrictive with respect to the types of programs allowed within the marketplace, we anticipate a continued uptick in the downloading and usage of unofficial apps. Software like Fortnite, advanced ad blocking apps, torrenting apps, and rooting apps are popular enough that people will utilise third-party sources in order to run the program on their phone,” Jacinta Tobin, Proofpoint VP of Cloudmark Operations told ZDNet earlier this week.
“As long as highly coveted applications are barred from mainstream outlets, users will continue to seek out those sources elsewhere.
“App capabilities are a concern regardless of the download source. Users should be extremely diligent and be cautious of apps requesting permissions to contact lists, accessing SMS, or permissions relating to the phone.”
Sage advice regardless of platform or where apps are coming from.
However, given Apple’s more rigorous app inspection standards, the Android numbers would certainly be a top line for the more than one billion iPhone users, although potentially having 1.22 million devices infected with malware is nothing to sneeze at.
But that is also something that Google and Microsoft, as well as Apple with MacOS, have to deal with each and every day. It might not be solvable and will take the gloss of the iOS walled garden, but users will still be able to choose not to use any potential sideloading feature that Apple might be forced to introduce.
After all, that’s what user choice is all about.
Updated at 7:16am AEST, 24 June 2021: Put decimal point for absolute malware numbers in its correct place.