let us talk about apple
JeuJeus committed Mar 8, 2024
1 parent 5e16ce2 commit 5dd6fcd
Showing 2 changed files with 121 additions and 0 deletions.
121 changes: 121 additions & 0 deletions content/blog/security/apple/does-not-care-about-you.md
@@ -0,0 +1,121 @@
---
title: Apple is not caring about Security - that is just an obsessive attempt to maintain control
description: Whilst Apple is boldly claiming in their marketing material to care about users privacy and security, they leverage the fear related to those topics in order to keep the walls around their garden.
date: 2024-03-08
tags:
- apple
- security
- 'walled garden'
- 'european union'
- 'EU'
- compliance
- 'malicious apps'
- appstore
- 'digital markets act'
---

I would like to talk about a point that has come up again and again in the recent past.
Increasingly, companies are using claims in their advertising material that they are concerned about the security and
privacy of their users and want to protect them.
Unfortunately, a closer look often reveals not only that these statements are nothing more than marketing material, but
also that the companies only use them as a protective claim for their - or sometimes even contrary - purposes.
As an example, I would like to mention the latest developments around Apple's App Store.
At the same time, this observation can be applied to a large number of profit-oriented companies.
I have the feeling that I am stepping on people's toes relatively directly for the first time with this short article.
However, the aim of this article is not to bash a specific company, but to raise awareness of defensive claims.
So without further a do, let us step right in.

## The EU created facts in the form of laws

In this article, I will not go into further detail about the newly installed EU regulations.
What is relevant at this point is that the European Union, with the so-called 'Digital Markets Act', aims to prevent so
called
'gatekeepers' from imposing unfair conditions on businesses and end users and at ensuring the openness of important
digital services. [2]

Gatekeepers are defined as those providers who:
> "[...] [have] a strong economic position, significant impact on the internal market and [are] active in multiple EU
> countries" [2]
The EU has defined six corporations namely Apple, Alphabet, Meta, Amazon, Microsoft and ByteDance as gatekeepers in
september 2023. [2]

In addition to many other regulations, providers are forced to allow other providers to install apps alongside their own
app stores.[1]
Today we will look at this aspect in the context of Apple as an example.

## Apple's outraged reaction

Apple is known to widely restrict the Users ability to interface with their devices.
Amongst the restriction of access to the file system, NFC API Acess (concerning third party payment providers other than
Apple Pay), the ability to turn of WiFI/Bluetooth via Control Center.
Those have been mostly controversial but argumentatively comprehensible decisions.
Apple hase used a similar strategy to justify the restriction on sideloading apps or installing third-party App Stores.
In its press statement, Apple uses the narrative that the EU's legal requirement represents an attack on the security
and privacy of its users.
This article intentionally uses framing to frame the public perception of Apple's Walled Garden in the direction of a
safe and secure environment, which is of course only positive for the user.
At the same time, the newly installed EU legal regulations pose a threat...[3]

> "If not properly managed, alternative app marketplaces pose increased privacy, safety, and security risks for users
> and developers"
In particular, I would like to highlight a quote from the article - which mentions the keyword 'security' 10 times, '
privacy' 10 times and 'safety' 4 times.

> "Privacy and security questions about apps listed on alternative app marketplaces — including violations of user data
> privacy; and scams, fraud, and abuse" [3]
I would like to clarify this statement with another quote:

> The guiding principle of the App Store is simple—we want to provide **a safe experience for users to get apps** and a
> great opportunity for all developers to be successful.
> We do this by offering a **highly curated App Store where every app is reviewed by experts** and an editorial team
> helps users discover new apps every day.
> We also **scan each app for malware and other software that may impact user safety, security, and privacy**.
> These efforts have made **Apple’s platforms the safest** for consumers around the world.
## And what about Fake Apps?

Apple's explanations and arguments so far are very confidence-inspiring, I can understand why I should not leave their
safe nest ... right?
Apple's own App Store is the only way to ensure that no dangerous apps end up on your iPhone.
Fortunately, every single app is checked by experts for malware and dangerous content.

So how is it that a fake Lastpass password manager application ends up in Apple's highly secure and expert-reviewed App
Store?
And this despite the fact that the provider Lastpass, a commercial company protected by trademark law, has already
published the same application?

{% image "./fraudulent-app.png", "Fraudulent App" %}
[4]

## Takeaway
Let's be honest, this is not the first time that malicious apps have made it into the Appstore.[6][7][8][9]
Apple's walled garden has far more and bigger holes than the company is willing to admit.
But let's be honest, it's not even about security with this protective wall, it's more about monetary aspects and control.[10]

As always, there is no such thing as total security.
The best protection mechanism - and qualified mechanisms are definitely in use at Apple - are never enough if the threat is big enough.

Security is and remains a process in a continuous control loop, that necessitates ongoing adaptions and corrections.


---

## Sources

<a href="https://germany.representation.ec.europa.eu/news/faire-digitale-markte-torwachter-mussen-ab-heute-alle-dma-regeln-einhalten-2024-03-07_en" target="_blank">[1] - [German]
Faire digitale Märkte, Europäische Komission</a>
<a href="https://commission.europa.eu/strategy-and-policy/priorities-2019-2024/europe-fit-digital-age/digital-markets-act-ensuring-fair-and-open-digital-markets_en" target="_blank">[2] -
Who are the gatekeepers?, European Comission</a>
<a href="https://support.apple.com/en-us/118110" target="_blank">[3] - About alternative app marketplaces in the
European Union, Apple</a>
<a href="https://developer.apple.com/app-store/review/guidelines/" target="_blank">[4] - About alternative app
marketplaces in the European Union, Apple</a>
<a href="https://blog.lastpass.com/2024/02/warning-fraudulent-app-impersonating-lastpass-currently-available-in-apple-app-store/" target="_blank">[5] - Warning: Fraudulent App Impersonating LastPass Currently Available in Apple App Store, Lastpass, Mike Kosak</a>
<a href="https://www.helpnetsecurity.com/2019/10/24/ad-fraud-ios/" target="_blank">[6] - 18 iOS apps with stealthy ad clicking code removed from App Store, Help NET Security, Zeljka Zorz</a>
<a href="https://unit42.paloaltonetworks.com/malware-xcodeghost-infects-39-ios-apps-including-wechat-affecting-hundreds-of-millions-of-users/" target="_blank">[7] - Malware XcodeGhost Infects 39 iOS Apps, Including WeChat, Affecting Hundreds of Millions of Users, Unit42, Claud Xiao</a>
<a href="https://www.usenix.org/conference/usenixsecurity13/technical-sessions/presentation/wang_tielei" target="_blank">[8] - Jekyll on iOS: When Benign Apps Become Evil, Usenix</a>
<a href="https://www.jamf.com/blog/ios-trojan-malware/" target="_blank">[9] - Trojan malware infecting 17 apps on the App Store, Jamf Blog</a>
<a href="https://appleinsider.com/articles/23/01/08/the-cost-of-doing-business-apples-app-store-fees-explained" target="_blank">[10] - Every Apple App Store fee, explained: How much, for what, and when, appleinsider, Alex Baggott</a>
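Review bot: the citations in this hunk do not line up with the source list. Entry [4] links to the App Store Review Guidelines (developer.apple.com/app-store/review/guidelines/) but carries the same title as [3] ("About alternative app marketplaces in the European Union"); the caption under the fraudulent-app image cites [4], while the LastPass warning that the screenshot illustrates is [5]; and the blockquote starting "The guiding principle of the App Store is simple" has no citation at all, although it is the Review Guidelines text that [4] links to. Suggest retitling [4] as "App Store Review Guidelines, Apple", changing the image caption to [5], and appending [4] to that blockquote. Separately, the markdown will render incorrectly: the lines "The EU has defined six corporations ...", "In particular, I would like to highlight a quote ..." and "I would like to clarify this statement with another quote:" directly follow a `>` line with no blank line in between, so they become lazy continuation lines inside the quote; insert a blank line after each blockquote (and before the "## And what about Fake Apps?" heading). Minor wording: "without further a do" should be "without further ado", "NFC API Acess" should be "Access", "turn of WiFI/Bluetooth" should be "turn off WiFi/Bluetooth", "Apple hase used" should be "has used", "september 2023" should be "September 2023", and "Appstore" in the takeaway should match the "App Store" spelling used elsewhere. Also, [3] is a support article rather than a press statement, so "In its press statement" overstates the source.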
Binary file added content/blog/security/apple/fraudulent-app.png
