Apple says US law would make App Store less secure


Apple Inc. says a proposed antitrust bill to open up the app store market will make iPhones less secure, even though Congress and some big companies already have Apple-approved tools that allow them to circumvent the App Store.

Although Apple claims to be the only company that can offer a secure App Store, the iPhone maker has long allowed members of Congress and big corporations to circumvent its strict controls and use alternatives to install third-party apps. The practice is not widely known and is at odds with Apple’s opposition to the bill to break its mobile app store duopoly with Alphabet Inc’s Google.

Apple’s acceptance of some cases of so-called sideloading looms large as Congress nears a vote next month on antitrust measures. While Apple argues that outside apps would make iPhone users vulnerable to malware and scams, competition advocates and cybersecurity experts say the company’s protests seem more aimed at defending its business model.

“Security is a giant red herring,” said Bruce Schneier, a fellow at Harvard University’s Berkman Klein Center for Internet & Society. “It will scare a lot of people. The goal is to protect the monopoly.”

Apple tightly controls the iPhone, requiring all mobile app downloads to take place in its App Store, where it takes a cut of up to 30% of digital sales. To gain access to the App Store, developers must submit apps to Apple’s team, which reviews them to ensure compliance with the company’s privacy and security policies. The company prohibits developers from offering certain things like sexually explicit content, all-in-one cloud gaming services, and cryptocurrency mining.

A 2020 House investigation found that Apple had “monopoly power over the distribution of software on iOS devices”, allowing it “supernormal profits”.

“Developers have no choice but to follow Apple’s policies to reach customers who own iOS devices,” the report says, just as iPhone owners “have no other way to install apps on their phones.”

Following the House investigation, a bipartisan group of lawmakers introduced legislation to open mobile app stores. The Open App Markets Act would require Apple and Google, whose Google Play is the most popular app store on Android mobile phones, to facilitate downloading from other app stores and changing the default apps on Android mobile phones.

“We remain concerned that this legislation threatens to break that pattern and undermine the privacy and security protections that our users depend on,” said Apple spokesman Fred Sainz. “The legislation as originally drafted created unintended privacy and security vulnerabilities for users. We believe the proposed remedies fall far short of the protections consumers need.”

Computers, including Apple’s Mac, have always allowed direct downloading of software. Google’s Android also allows users to install apps without going through its built-in app store. Only Apple requires iPhone users to use its App Store for all mobile app downloads, said John Bergmayer, chief legal officer of the nonprofit advocacy group Public Knowledge.

“Proponents of these regulations argue that no harm would be done by simply giving people a choice,” Apple CEO Tim Cook said at a privacy conference in April. “But removing a more secure option will leave users with less choice, not more.”

But Apple sometimes makes exceptions to allow sideloading and apps that haven’t gone through its review process.

Lawmakers and staff go to a special, secure online portal to install apps, said Dan Weiser, who works for the House’s administrative director. This secure portal helps ensure members are using licensed apps and have the latest versions, he said.

House and Senate app catalogs, created using cloud-based software from VMware Inc., include popular apps like Webex and Zoom customized so members can securely participate in hearings remotely.

The catalog also contains custom apps designed specifically for members of Congress, Weiser said. These include apps for accessing the House or Senate’s secure internal network, email, live updates and calendars.

The House and Senate app catalogs were created as part of an effort to modernize the technology used by Congress, centralize its purchasing, and ensure it is protected against potential cyberattacks.

The Senate’s IT services are managed by the Sergeant-at-Arms, who did not respond to questions about his app catalog. But Senate aides and a contract solicitation issued by the Sergeant-at-Arms’ office confirmed that the chamber uses the same system.

Apple admitted in a federal antitrust lawsuit last year that it has long allowed certain companies to bypass the App Store. Craig Federighi, a senior Apple executive and engineer, said large organizations can get permission to distribute apps directly to their employees instead of going through Apple’s App Store and review process. This allows them to create company-specific apps, he said, citing as an example a 3D modeling app that animation studio Pixar created for its designers.

“These are not apps they want to sell to the general public,” Federighi said. “They want to provide it only to their employees. The Enterprise program is supposed to give them the ability to do that.”

These custom apps are not reviewed by Apple, he said. The arrangement, called the Apple Enterprise Program, has been around since 2008.

It’s the company’s responsibility to ensure apps are safe and secure enough for employees to download and use, he said. Apple is confident that companies would not want to harm their own employees by installing malware or other malicious applications on company-owned devices, Federighi said.

Apple declined to answer questions about how many businesses in the U.S. use the program today, but said “most” enterprise customers now use Apple Business Manager, a more tightly controlled program introduced in 2019, where custom apps are subject to limited review by Apple. The company also offers a service called TestFlight, where developers can distribute still-in-progress apps to a limited number of users for testing.

Apple said it has taken steps to limit “abuse” of its Enterprise program. For example, it cited a January 2019 incident where the company suspended Facebook for distributing an app to consumers through the Enterprise program that collected user data. Facebook then regained its access.

Downloading software directly is less secure than downloading an app from Apple’s App Store, but not the “security apocalypse” the company claims it to be, Schneier said.

This lesser security “is what exists on everyone’s PC right now,” he said. “It’s obviously true that Disney World is safer than a public park. That doesn’t mean we give Disney a monopoly on every public park in the country.”

Reporting by Leah Nylen for Bloomberg News.

Copyright 2022 Bloomberg. All rights reserved. This material may not be published, broadcast, rewritten or redistributed.

