October 14, 2021

Apple sideloads security defence into App Store debate

By Robert Scammell

Apple has argued that giving iPhone owners complete control over the software they install on their devices would “cripple” security protections as the tech giant attempts to fend off moves by regulators to open up its iOS App Store.

In a report published Wednesday, the Cupertino-headquartered firm said users would be at increased risk of mobile malware if they could “sideload” applications from outside of the App Store.

The EU is investigating whether Apple has abused its position by preventing consumers from finding cheaper app alternatives elsewhere, such as downloading directly from a developer’s own website or an alternative app store. Apple charges a commission of up to 30% to developers listing apps in its marketplace.

Apple has long held up security as a justification for its lucrative walled garden, and its new 31-page document suggests it is doubling down on that argument.

“Over the past four years, Android devices were found to have 15 to 47 times more malware infections than iPhone,” Apple’s report said.

It points to a selection of curated statistics from cybersecurity firms such as Kaspersky Labs.

A core part of Apple’s argument is that scammers and cybercriminals would find it easier to trick consumers into downloading a malicious app outside of its App Store. Apple must approve an app before it is listed on the Store and part of that includes a security check.

But Apple goes on to argue that users would also be at risk from other third-party app stores. That’s despite Apple ranking sixth out of 44 companies for application software in GlobalData’s cybersecurity thematic scorecard and below Google and Microsoft – both of which manage their own app stores.

“If Apple were forced to support sideloading, more harmful apps would reach users because it would be easier for cybercriminals to target them – even if sideloading were limited to third-party app stores only,” the report said.

It is the second time in recent months that Apple has made this argument to its critics. In June, Apple CEO Tim Cook claimed that sideloading would “destroy the security of the iPhone”.

Cybersecurity professionals tend to agree that iPhones are more secure than Android devices, but many argue that Apple’s block on sideloading isn’t the main factor.

“Sideloading does limit the potential for end-users to end up with malicious apps on their device,” Dylan Slogrove, information security consultant at F-Secure, told Verdict. “However, that needs to be weighed against the benefits of being able to run non-store applications on a device.

“I agree that a warning or small hurdle should be required if a user wants to run an app from a different, trusted third-party; I don’t think Apple should be the sole arbiter of what is and isn’t secure and allowed.”

Cherif Sleiman, CRO at Safe Security, told Verdict that Apple and Google’s security checks on their app stores help create a more secure experience but that improving security awareness among users is also needed.

“While both Apple and Android have invested a lot to secure their app ecosystem, we can better protect against sideloading and other threats through proper and effective user awareness,” he said.

Nor does the App Store make iPhones immune to malicious software. Advanced spyware, such as that made by NSO Group, is able to pierce its defences. However, these types of attacks are rare and often carried out by well-resourced organisations or nation-states.

In recent months Apple has faced a flurry of blows to its iron grip on the App Store.

South Korea passed a bill permitting developers to use their own payment systems, effectively blocking major app store operators such as Google and Apple from collecting app purchase commissions.

US lawmakers have proposed similar legislation in a bipartisan push against Big Tech.

Separately, Apple also said it will let developers of “reader apps” link to their own external sign-up website, allowing companies such as Netflix and Spotify to avoid paying commission that would be collected if using the App Store’s in-app payment system.

And in August, Apple agreed to a settlement with small developers in the US that will allow them to share information on how to pay for purchases outside of the App Store.