Apple is not caring about Security - that is just an obsessive attempt to maintain control
I would like to talk about a point that has come up again and again in the recent past.
Increasingly, companies are using claims in their advertising material that they are concerned about the security and
privacy of their users and want to protect them.
Unfortunately, a closer look often reveals not only that these statements are nothing more than marketing material, but
also that the companies only use them as a protective claim for their - or sometimes even contrary - purposes.
As an example, I would like to mention the latest developments around Apple's App Store.
At the same time, this observation can be applied to a large number of profit-oriented companies.
I have the feeling that I am stepping on people's toes relatively directly for the first time with this short article.
However, the aim of this article is not to bash a specific company, but to raise awareness of defensive claims.
So without further a do, let us step right in.
The EU created facts in the form of laws #
In this article, I will not go into further detail about the newly installed EU regulations. What is relevant at this point is that the European Union, with the so-called 'Digital Markets Act', aims to prevent so called 'gatekeepers' from imposing unfair conditions on businesses and end users and at ensuring the openness of important digital services. [2]
Gatekeepers are defined as those providers who:
"[...] [have] a strong economic position, significant impact on the internal market and [are] active in multiple EU countries" [2]
The EU has defined six corporations namely Apple, Alphabet, Meta, Amazon, Microsoft and ByteDance as gatekeepers in september 2023. [2]
In addition to many other regulations, providers are forced to allow other providers to install apps alongside their own app stores.[1] Today we will look at this aspect in the context of Apple as an example.
Apple's outraged reaction #
Apple is known to widely restrict the Users ability to interface with their devices. Amongst the restriction of access to the file system, NFC API Acess (concerning third party payment providers other than Apple Pay), the ability to turn off WiFI/Bluetooth via Control Center. Those have been mostly controversial but argumentatively comprehensible decisions. Apple hase used a similar strategy to justify the restriction on sideloading apps or installing third-party App Stores. In its press statement, Apple uses the narrative that the EU's legal requirement represents an attack on the security and privacy of its users. This article intentionally uses framing to direct the public perception of Apple's Walled Garden in the direction of a safe and secure environment, which is of course only positive for the user. At the same time, the newly installed EU legal regulations pose a threat...[3]
"If not properly managed, alternative app marketplaces pose increased privacy, safety, and security risks for users and developers"
In particular, I would like to highlight a quote from the article - which mentions the keyword 'security' 10 times, ' privacy' 10 times and 'safety' 4 times.
"Privacy and security questions about apps listed on alternative app marketplaces — including violations of user data privacy; and scams, fraud, and abuse" [3]
I would like to clarify this statement with another quote:
The guiding principle of the App Store is simple — we want to provide a safe experience for users to get apps and a great opportunity for all developers to be successful. We do this by offering a highly curated App Store where every app is reviewed by experts and an editorial team helps users discover new apps every day. We also scan each app for malware and other software that may impact user safety, security, and privacy. These efforts have made Apple’s platforms the safest for consumers around the world.[4]
And what about Fake Apps? #
Apple's explanations and arguments so far are very confidence-inspiring, I can understand why I should not leave their safe nest ... right? Apple's own App Store is the only way to ensure that no dangerous apps end up on your iPhone. Fortunately, every single app is checked by experts for malware and dangerous content.
So how is it that a fake Lastpass password manager application ends up in Apple's highly secure and expert-reviewed App Store? And this despite the fact that the provider Lastpass, a commercial company protected by trademark law, has already published the same application?
Takeaway #
Let's be honest, this is not the first time that malicious apps have made it into the Appstore.[6][7][8][9]
Apple's walled garden has far more and bigger holes than the company is willing to admit.
But let's be honest, it's not even about security with this protective wall, it's more about monetary aspects and
control.[10]
As always, there is no such thing as total security. The best protection mechanism - and qualified mechanisms are definitely in use at Apple - are never enough if the threat is big enough.
Security is and remains a process in a continuous control loop, that necessitates ongoing adaptions and corrections.
Sources #
[1] - [German]
Faire digitale Märkte, Europäische Komission
[2] -
Who are the gatekeepers?, European Comission
[3] - About alternative app marketplaces in the
European Union, Apple
[4] - App Review Guidelines, Apple
[5] -
Warning: Fraudulent App Impersonating LastPass Currently Available in Apple App Store, Lastpass, Mike Kosak
[6] - 18 iOS apps with stealthy ad
clicking code removed from App Store, Help NET Security, Zeljka Zorz
[7] -
Malware XcodeGhost Infects 39 iOS Apps, Including WeChat, Affecting Hundreds of Millions of Users, Unit42, Claud
Xiao
[8] -
Jekyll on iOS: When Benign Apps Become Evil, Usenix
[9] - Trojan malware infecting 17 apps on the
App Store, Jamf Blog
[10] -
Every Apple App Store fee, explained: How much, for what, and when, appleinsider, Alex Baggott