Apple argues against App Store antitrust claims with report on sideloading cybercrime risks

The FluBot malware doing the rounds in Aotearoa can't infect iPhones for one good reason. Photo credit: Getty Images

When New Zealand's cybersecurity agency CERT NZ warned Kiwis about scam text messages infecting phones with malware earlier this month, there was a focus on Android users.

Indeed, one line in its advice made absolutely clear iPhone users didn't have to worry about the malicious FluBot app.

"Apple phones can receive the message but cannot be infected," CERT NZ stated.

The reason for this is that Apple retains a controversially tight control over which apps users can install on its phones, unlike Android.

In Apple's case, users have to download all apps through its App Store; the company doesn't allow 'sideloading' - installation through direct downloads or third-party app stores.

That's not the case with Android, which allows users to install apps they've downloaded themselves. There are numerous third-party app stores for Android phones, including some from phone manufacturers themselves.

But there has been increasing scrutiny of Apple's stance, as it forces developers to pay the company a large percentage of any app sale made to iPhone users. Some of the scrutiny is coming from the European Union (EU), which has drafted rules stating users would have to be given the option to sideload.

The Cupertino-based company is fighting back, however, releasing a new report today that includes a threat analysis of sideloading. In it, Apple cites a European regulatory agency reporting 230,000 new mobile malware infections per day, with Android devices suffering 15 to 47 times more malware infections than iPhone.

Apple claims if EU antitrust chief Margrethe Vestager's proposed rules become law there are a number of potential negative impacts, including:

  • More harmful apps would reach users because it would be easier for cybercriminals to target them
  • Users would have less information about apps up front, and less control over apps after they download them onto their devices
  • Some sideloading initiatives would also mandate removing protections against third-party access to hardware elements and operating system functions.

Apple says it could also mean, like the FluBot attack seen in Aotearoa, that cybercriminals could trick users into sideloading apps by offering bogus security updates mimicking the appearance of the App Store, or by touting free or expanded access to services and exclusive features.

The tech giant even points to Europol, the European Agency for Cybersecurity and the Department of Homeland Security, all of which conclude unauthorised app stores shouldn't be used.

Apple concludes that "sideloading, through either direct downloads or third-party app stores, is not in the best interest of users' security and privacy".

However, some argue against Apple's claims, insisting the company should not be able to charge either 15 or 30 percent commission on every in-app purchase made on an iPhone, iPad, iPod or Apple Watch.

It's one of the reasons Epic Games tried to bypass the in-app system, causing Apple to ban its game Fortnite and leading to an ongoing legal battle which shows no signs of ending.

A group called the Coalition for App Fairness, which includes Spotify and Epic Games, says Apple's malware arguments are a distraction and that built-in security measures, not the App Store, are what really help consumers.

"What matters to us is the obligation imposed on developers whose apps sell digital goods and services to use Apple in-app payment system," Damien Geradin, a lawyer for the group, told Reuters.

An Apple representative told Newshub consumers have a choice between Android's more open store system and Apple's locked-down version, and if they choose the latter, then not being able to sideload shouldn't be a surprise.

But consumers would still have a choice, even if Apple is mandated to offer sideloading - they could simply choose not to use third-party app stores and stick to the official App Store.

But when it comes to malware? Depending on the tricks cybercriminals use, it could potentially become very hard to identify what's real and what's not.