-
Notifications
You must be signed in to change notification settings - Fork 0
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
Showing
2 changed files
with
121 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,121 @@ | ||
--- | ||
title: Apple is not caring about Security - that is just an obsessive attempt to maintain control | ||
description: Whilst Apple is boldly claiming in their marketing material to care about users privacy and security, they leverage the fear related to those topics in order to keep the walls around their garden. | ||
date: 2024-03-08 | ||
tags: | ||
- apple | ||
- security | ||
- 'walled garden' | ||
- 'european union' | ||
- 'EU' | ||
- compliance | ||
- 'malicious apps' | ||
- appstore | ||
- 'digital markets act' | ||
--- | ||
|
||
I would like to talk about a point that has come up again and again in the recent past. | ||
Increasingly, companies are using claims in their advertising material that they are concerned about the security and | ||
privacy of their users and want to protect them. | ||
Unfortunately, a closer look often reveals not only that these statements are nothing more than marketing material, but | ||
also that the companies only use them as a protective claim for their - or sometimes even contrary - purposes. | ||
As an example, I would like to mention the latest developments around Apple's App Store. | ||
At the same time, this observation can be applied to a large number of profit-oriented companies. | ||
I have the feeling that I am stepping on people's toes relatively directly for the first time with this short article. | ||
However, the aim of this article is not to bash a specific company, but to raise awareness of defensive claims. | ||
So without further a do, let us step right in. | ||
|
||
## The EU created facts in the form of laws | ||
|
||
In this article, I will not go into further detail about the newly installed EU regulations. | ||
What is relevant at this point is that the European Union, with the so-called 'Digital Markets Act', aims to prevent so | ||
called | ||
'gatekeepers' from imposing unfair conditions on businesses and end users and at ensuring the openness of important | ||
digital services. [2] | ||
|
||
Gatekeepers are defined as those providers who: | ||
> "[...] [have] a strong economic position, significant impact on the internal market and [are] active in multiple EU | ||
> countries" [2] | ||
The EU has defined six corporations namely Apple, Alphabet, Meta, Amazon, Microsoft and ByteDance as gatekeepers in | ||
september 2023. [2] | ||
|
||
In addition to many other regulations, providers are forced to allow other providers to install apps alongside their own | ||
app stores.[1] | ||
Today we will look at this aspect in the context of Apple as an example. | ||
|
||
## Apple's outraged reaction | ||
|
||
Apple is known to widely restrict the Users ability to interface with their devices. | ||
Amongst the restriction of access to the file system, NFC API Acess (concerning third party payment providers other than | ||
Apple Pay), the ability to turn of WiFI/Bluetooth via Control Center. | ||
Those have been mostly controversial but argumentatively comprehensible decisions. | ||
Apple hase used a similar strategy to justify the restriction on sideloading apps or installing third-party App Stores. | ||
In its press statement, Apple uses the narrative that the EU's legal requirement represents an attack on the security | ||
and privacy of its users. | ||
This article intentionally uses framing to frame the public perception of Apple's Walled Garden in the direction of a | ||
safe and secure environment, which is of course only positive for the user. | ||
At the same time, the newly installed EU legal regulations pose a threat...[3] | ||
|
||
> "If not properly managed, alternative app marketplaces pose increased privacy, safety, and security risks for users | ||
> and developers" | ||
In particular, I would like to highlight a quote from the article - which mentions the keyword 'security' 10 times, ' | ||
privacy' 10 times and 'safety' 4 times. | ||
|
||
> "Privacy and security questions about apps listed on alternative app marketplaces — including violations of user data | ||
> privacy; and scams, fraud, and abuse" [3] | ||
I would like to clarify this statement with another quote: | ||
|
||
> The guiding principle of the App Store is simple—we want to provide **a safe experience for users to get apps** and a | ||
> great opportunity for all developers to be successful. | ||
> We do this by offering a **highly curated App Store where every app is reviewed by experts** and an editorial team | ||
> helps users discover new apps every day. | ||
> We also **scan each app for malware and other software that may impact user safety, security, and privacy**. | ||
> These efforts have made **Apple’s platforms the safest** for consumers around the world. | ||
## And what about Fake Apps? | ||
|
||
Apple's explanations and arguments so far are very confidence-inspiring, I can understand why I should not leave their | ||
safe nest ... right? | ||
Apple's own App Store is the only way to ensure that no dangerous apps end up on your iPhone. | ||
Fortunately, every single app is checked by experts for malware and dangerous content. | ||
|
||
So how is it that a fake Lastpass password manager application ends up in Apple's highly secure and expert-reviewed App | ||
Store? | ||
And this despite the fact that the provider Lastpass, a commercial company protected by trademark law, has already | ||
published the same application? | ||
|
||
{% image "./fraudulent-app.png", "Fraudulent App" %} | ||
[4] | ||
|
||
## Takeaway | ||
Let's be honest, this is not the first time that malicious apps have made it into the Appstore.[6][7][8][9] | ||
Apple's walled garden has far more and bigger holes than the company is willing to admit. | ||
But let's be honest, it's not even about security with this protective wall, it's more about monetary aspects and control.[10] | ||
|
||
As always, there is no such thing as total security. | ||
The best protection mechanism - and qualified mechanisms are definitely in use at Apple - are never enough if the threat is big enough. | ||
|
||
Security is and remains a process in a continuous control loop, that necessitates ongoing adaptions and corrections. | ||
|
||
|
||
--- | ||
|
||
## Sources | ||
|
||
<a href="https://germany.representation.ec.europa.eu/news/faire-digitale-markte-torwachter-mussen-ab-heute-alle-dma-regeln-einhalten-2024-03-07_en" target="_blank">[1] - [German] | ||
Faire digitale Märkte, Europäische Komission</a> | ||
<a href="https://commission.europa.eu/strategy-and-policy/priorities-2019-2024/europe-fit-digital-age/digital-markets-act-ensuring-fair-and-open-digital-markets_en" target="_blank">[2] - | ||
Who are the gatekeepers?, European Comission</a> | ||
<a href="https://support.apple.com/en-us/118110" target="_blank">[3] - About alternative app marketplaces in the | ||
European Union, Apple</a> | ||
<a href="https://developer.apple.com/app-store/review/guidelines/" target="_blank">[4] - About alternative app | ||
marketplaces in the European Union, Apple</a> | ||
<a href="https://blog.lastpass.com/2024/02/warning-fraudulent-app-impersonating-lastpass-currently-available-in-apple-app-store/" target="_blank">[5] - Warning: Fraudulent App Impersonating LastPass Currently Available in Apple App Store, Lastpass, Mike Kosak</a> | ||
<a href="https://www.helpnetsecurity.com/2019/10/24/ad-fraud-ios/" target="_blank">[6] - 18 iOS apps with stealthy ad clicking code removed from App Store, Help NET Security, Zeljka Zorz</a> | ||
<a href="https://unit42.paloaltonetworks.com/malware-xcodeghost-infects-39-ios-apps-including-wechat-affecting-hundreds-of-millions-of-users/" target="_blank">[7] - Malware XcodeGhost Infects 39 iOS Apps, Including WeChat, Affecting Hundreds of Millions of Users, Unit42, Claud Xiao</a> | ||
<a href="https://www.usenix.org/conference/usenixsecurity13/technical-sessions/presentation/wang_tielei" target="_blank">[8] - Jekyll on iOS: When Benign Apps Become Evil, Usenix</a> | ||
<a href="https://www.jamf.com/blog/ios-trojan-malware/" target="_blank">[9] - Trojan malware infecting 17 apps on the App Store, Jamf Blog</a> | ||
<a href="https://appleinsider.com/articles/23/01/08/the-cost-of-doing-business-apples-app-store-fees-explained" target="_blank">[10] - Every Apple App Store fee, explained: How much, for what, and when, appleinsider, Alex Baggott</a> |
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.