Apple warns of increased iPhone security risks

Apple is telling European customers that new EU competition laws will make iPhones less safe once the company is forced to open up its platforms to third-party App Stores. The company, not exactly happy about this, has published a 32-page white paper where it spells out the risks arising from the EU’s big experiment.

The EU’s formal adoption of the Digital Markets Act (DMA) means Apple must make several changes to its App Store and business models. Changes include the introduction of support for third-party app stores, opening up to payment systems other than Apple Pay, and more.

The changes are only being made in the EU in response to the DMA; they’re not at present available outside the bloc.

Until now, only apps purchased from the Apple App Store could be installed on iPhones. This changes under the DMA, though Apple warns the change means it will be unable to give users the same degree of protection it could within its walled garden. That said, protecting customers remains Apple’s goal.

In the white paper, Apple continues to argue that EU customers will be negatively impacted because its platforms will become less secure. Threats could include social engineering, fake apps, scam apps, spyware, and ransomware. The white paper also offers an in-depth explanation of the work Apple has done to support the terms of the DMA, including development of more than 600 APIs.

In moving to comply, Apple stresses that its goals are to maintain the security and privacy of its users while becoming compliant with the EU law. Much of this has been reported before.

“While the changes the DMA requires will inevitably cause a gap between the protections that Apple users outside of the EU can rely on and the protections available to users in the EU moving forward, we are working tirelessly to make sure iPhone remains the safest of any phones available in the EU by reducing the risks introduced by these necessary changes, even though we cannot entirely eliminate such risks,” said Apple.

In practice, part of the model means that if a customer chooses to use an external app store or payment system, they will be shown a series of screen alerts warning them they’re about to leave the Apple-verse.

Apple also insists that app developers selling software outside its stores share basic information, such as the app name, developer name, app description, images, and age rating. The idea is that customers can better understand what they’re getting and then decide whether to trust the source.

Companies offering apps via their own stores must also commit to monitor for, detect, and remove malicious apps. They must also be able to provide ongoing support to users. If they fail to do these things, Apple will revoke their right to offer their own store.

I’ve heard that problems with downloaded apps are among the reasons people visit Apple Stores for help, and it seems inevitable many users will continue to do so if a third-party store is problematic. My understanding is that Apple will continue to help people where it can but will no longer chase developers for refunds.

The document explains that customers still have some choice.

People will not be forced to use third-party app stores and/or payment systems. But as key apps move to different store fronts, it will become increasingly challenging to maintain an Apple-secured existence for customers who want to.

Despite the hype around freeing customers from the so-called “Apple tax,” people who value the security of the platform do exist. The Apple white paper carries numerous emails that illustrate this, one of which says:

“I am writing to you because I am afraid of the next update that is planned for the European Union. I actually believe that the security of the iPhone and iPad and all other devices will be massively jeopardized if this update is installed. I really don’t want to install this update. I’m scared. I’m really scared of it, and I think it makes the iPhone a little bit less secure as it is.”

Apple’s decision not to support third-party apps at all when the iPhone was first introduced generated a lot of controversy. (Apple soon changed track and introduced support for them.)

At the time, Apple co-founder and CEO Steve Jobs said: “We’re trying to do two diametrically opposed things at once: provide an advanced and open platform to developers, while at the same time protect iPhone users from viruses, malware, privacy attacks, etc. This is no easy task.”

He also warned — prophetically — of the unique risks of mobile, always connected devices.

“Some claim that viruses and malware are not a problem on mobile phones — this is simply not true. There have been serious viruses on other mobile phones already, including some that silently spread from phone to phone over the cell network. As our phones become more powerful, these malicious programs will become more dangerous.”

The latter argument holds true, particularly in light of the zero-day vulnerabilities currently being exploited and weaponized by private surveillance firms.

The always-connected nature of smartphones, along with the sheer wealth of personal data they contain, makes them fundamentally different from Macs and other PCs. And they get hacked, too.

Apple confirms that some big companies are extremely concerned about the EU changes. It explains that government agencies both in and outside the EU see the risks of the move.

“Several have told us they plan to block app sideloading on every device they manage,” Apple’s white paper states. “These agencies have all recognized that sideloading — downloading apps from outside the App Store — could compromise security and put government data and devices at risk.”

Apple has also crafted APIs for device management that permit administrators to disable sideloading on managed devices to protect business users.

The EU experiment in opening up the Apple ecosystem for third-party downloads will be closely watched by regulators everywhere.

Apple is under pressure to open up its App Stores across the world. But if doing so significantly reduces the user experience or generates the scale of danger Apple warns about in its report, others may think twice before mandating similar moves.

To some extent, the EU decision might also be driven by an emerging nativism among decision makers there, who are becoming increasingly aware that all the big tech platforms are run by US, rather than European, firms.

Apple will introduce these new measures with iOS 17.4. They will only be available in 27 EU nations. Apple has published detailed information about these changes at its Developer Support site.
