Application security

Apple defends App Store model with report on security

People shop at the Fifth Avenue Apple Store during the launch of Apple’s iPhone 13 on Sept. 24, 2021, in New York City. (Photo by Spencer Platt/Getty Images)

Amid repeated hints that lawmakers would require Apple and other platforms to allow third-party app stores and sideloading of applications, Apple released a white paper defending the current App Store model as a necessity for security.

This is the second time Apple has released a report as an appeal to legislators' cybersecurity sensibilities. In June, Apple released a colorful, consumer-oriented guide to understanding the risks of sideloading, featuring illustrated characters navigating life in a post-walled garden world. The new report is more academic and less of a storybook.

Lawmakers and consumer advocates have argued that Apple controlling the only means to get apps onto an iPhone creates a monopolistic system unfair to developers forced to pay a percentage of app earnings. Apple and many (but not all) security experts frequently worry that sideloading removes Apple's ability to pre-scan apps for malware and remove it from circulation.

The Apple white paper poses the argument that Android, which does not restrict users to the Google Play store, has a larger problem with malware. Nokia Threat Intelligence reports, cited by Apple, clock 15 to 47 times more malware infections in an average Android phone than in an iOS one.

That number combines Android malware downloaded directly from the Google Play store and sideloaded from other stores. A representative from Apple told reporters that sideloading increases the likelihood of malware even when the malware is not sideloaded — malware makers enjoy the flexibility of distributing malware on the Play Store until they are caught, then moving malware to third-party hosting for a second life. With iOS, once the malware is off the store, it is gone.

Apple's report notes that the average cost to an organization of a single employee's phone being infected with malware is around $10,000. The report also notes that federal agencies offering guidance on best practices for phone safety, including CISA and NIST, recommend always using the official store.

Epic Games recently lost nine of 10 claims in a lawsuit against Apple to allow it to distribute Fortnite outside the App Store, though a judge ruled Apple could no longer ban developers from directing users to external payment systems outside its own platform. Apple this week appealed that ruling.

In its report, Apple argued that third-party stores, with less stringent protections against copyright infringement and hacked apps, can damage developers' brands.

Talking to reporters, Apple said that a debate over sideloading is more focused on developers' interests than those of users — that people who own phones might prefer security to a wider choice of marketplaces. It hoped that this report would help defend that vision of users.

Joe Uchill

Joe is a senior reporter at SC Weekly, focused on policy issues. He previously covered cybersecurity for Axios, The Hill and the Christian Science Monitor’s short-lived Passcode website.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.