
On 23 June 2021, Apple released a white paper that shows the company pushing back against the left/right alliance in US politics that threatens to redefine antitrust for today’s digital era. Apple’s white paper, “Building a Trusted Ecosystem for Millions of Apps: The important role of App Store protections,” tries to justify the company’s white-knuckled grip on the iOS App Store as stemming from a desire to protect users from malware and the exfiltration of personal and private data.

After a brief run through the document’s main points, I look at whether Apple’s stance is reasonable.

Apple Warns of Unfettered Harm

Owners of Apple gear and those who follow its technology or the politics of antitrust already know Apple’s core arguments. In this paper, the company puts it all on the table in a structured way. It’s a debate brief for congressional hearings to come and the firm’s attempt to defend itself ahead of six allied bills advancing in the US House that would require platforms to open up to competitors and allow greater user access, among many other changes.

Regulatory action that requires no new laws is also afoot. Lina Khan, the Federal Trade Commission’s recently confirmed chair, brings a philosophy she developed for antitrust analysis that asserts consumers can be harmed even if a monopoly delivers low prices in the short term. Her position explains why the Department of Justice pursuing Apple rather than Amazon over ebook prices made no sense in the larger scheme of things because it allowed Amazon to increase its dominance and further control the market. Her view ran contrary to popular antitrust frameworks at the time, and her appointment indicates the Biden Administration’s intent to move away from the Robert Bork era’s antitrust focus on consumer harm in favor of a new path towards promoting competition. On 1 July 2021, Khan achieved a 3-2 win in an FTC commissioner vote to rescind a 2015 FTC memo that reaffirmed the Bork view, seen as a first step towards revising policies.

The changes in law and rules would likely require Apple to open up iOS and iPadOS to allow sideloading, the installation of software by a user without going through an official store. Google’s Android platform already allows this. The current draft of the relevant bill in the House doesn’t suggest a specific mechanism, so Apple wouldn’t have to release an update that allowed the unfettered installation of any app—just some capability to do so. The language in question is:

It shall be unlawful for a person operating a covered platform, in or affecting commerce, to—

(1) restrict or impede the capacity of a business user to access or interoperate with the same platform, operating system, hardware and software features that are available to the covered platform operator’s own products, services, or lines of business;

Apple’s document is quite readable and makes cogent arguments, but it is 26 pages long. Here’s the summary:

  • Sideloading would allow malicious apps to trick users into downloading them, resulting in the installation of ransomware, sniffing software, and other unwanted apps.
  • Apple’s privacy rules couldn’t be enforced on sideloaded apps, rendering users susceptible to apps extracting personal information and private data. Some of those apps might even come from legitimate companies working within the letter of the law.
  • Third-party app stores would be key targets of malicious actors. Those stores could have the best intentions but be unable to match Apple’s resources.
  • Children would be able to circumvent parental controls by installing apps that work around them.
  • Parents might inadvertently download apps for kids that would allow children to make endless, uncontrolled purchases.
  • Even if you never intend to sideload an app, an employer or a school you or your child attends might require that you install apps from a third-party app store, exposing you to subverted apps or intentionally malicious ones. Even apps chosen by the business or school might engage in surveillance Apple would never approve, with or without properly disclosing it to you.
  • Users could accidentally purchase and install pirated apps from third-party app stores.
  • Developers could see their apps become available in pirated form in app stores without any reasonable way to stop it.

The document then explains the App Review process, in which humans and automated systems examine submitted apps to make sure they do what they say, are not malicious, and are not misleading. In this section, Apple notes that some of its privacy and purchase features—including privacy limitations, purchase controls for children, and subscription management—could be ignored or overridden by sideloaded apps, leading to unwanted exposure, recurring charges, or kid-initiated purchases: “These controls could not be fully enforced on sideloaded apps.” (Note the passive voice!)

This is all quite reasonable in form, but it provokes two separate questions: Why don’t these same problems apply to macOS? And how is this different from the state of things today? Let’s start with the Mac.

Why Is the Mac Different?

Is the Mac not subject to concerns about sideloading already? macOS currently has three tiers of app installation. The first tier allows only apps from the Mac App Store. The second allows Mac App Store apps plus apps that have passed a vulnerability and malware-testing stage (known as notarization) and then been cryptographically signed by Apple. If the second tier option still prevents you from launching apps you trust, you can then use a sequence in the Finder to open unsigned or unnotarized apps. This third tier (without any special sequence) was of course the status quo before the Mac App Store came to macOS.

The second- and third-tier options have retroactively become sideloading, and they remain the primary way that many users get their Mac software. That may be because the developer doesn’t wish to sell through the Mac App Store or because the app in question—like Keyboard Maestro, dearly beloved by some TidBITS editors—can’t meet the App Store’s sandboxing and other technical requirements and still perform its functions.

Apple’s response is to talk down the Mac. It notes that over a billion people use an iPhone daily—no love here to iPad and iPod touch owners—and as a result:

This large user base would make an appealing and lucrative target for cybercriminals and scammers, and allowing sideloading would spur a flood of new investment into attacks on iPhone, well beyond the scale of attacks on other platforms like Mac.

There’s some logic here—macOS and iOS really do inhabit different worlds in both how they’re used and how at risk they are to attack. At present, iOS is vulnerable almost exclusively to state actors because it’s so locked down that any exploits found are therefore incredibly valuable to governments who want to observe or disrupt criminals, activists, or opposition politicians. (Some governments classify activists and opposition politicians as criminals.) There have been plenty of patched iOS exploits in recent years, but while none have been widely exploited, some have been narrowly deployed against individuals or small classes of targets, like journalists in a given country.

Any hacker or researcher who discovers an effective iOS flaw may choose one of three paths: report it to Apple and potentially claim a cash bounty, report it publicly for personal or professional reasons before or after Apple has patched it, or sell it either to a company that packages exploits for governments or directly to a nation.

Exploits for Windows and Android offer additional revenue opportunities to their discoverers. It’s profitable and sometimes less risky for a hacker to deploy an exploit in malware to reap a reward from ransomware, extract financial information, hijack cryptocurrency balances, or rent out their software to malicious partners.

iOS exploits are rarer and fetch a high price (or provide increased credibility to reputable researchers) but are also restrictive and hard to deploy to unwitting recipients. (Jailbreaks remain feasible but rely on a device’s owner following numerous tricky steps.) It makes little sense to try to make money on the back of one or a combination of them. Windows and Android have such a huge array of versions, with a significant portion of devices both unpatched and unpatchable—like pirated copies of Windows or forks of Android—that it can be easy to target a large number of vulnerable users.

Relatively few Macs are in use compared to Windows PCs, Android phones, and iPhones. Arguably, Windows 10 offers security as good as or better than macOS 11 Big Sur. But the proof is in the hacking: there has been no effective, widespread ransomware or other malware for macOS in ages. Ne’er-do-wells avoid the Mac either because of its small installed base or because it’s just hard enough to exploit that there’s no profit there.

Could Apple produce a hybrid solution that would satisfy demands for sideloading without compromising privacy? Arguably, the Mac App Store’s notarization and signing tier offers that, but it still requires a paid subscription to Apple’s Developer Program and adherence to Apple’s terms, including a round-trip through its automated verification processes.

Could Apple Negotiate Its Way Out of Sideloading?

Unfettered sideloading with no participation from Apple would be a terrible idea. It’s exactly why Apple makes users jump through hoops to open an unsigned and unnotarized app in macOS. If Apple opened iOS to sideloading with no protections, it would turn into the scene from Ghostbusters (1984) in which a government official succeeds in getting the ectoplasmic containment unit shut down. Tens of millions of new malware variations appear each year, developed and deployed by legions of individual, organized crime, and government-backed hackers who already spend their days and nights poking into iOS.

While unfettered sideloading might not be what’s best for users, Apple is using a classic motte-and-bailey tactic to push back: rather than advocating for a position that it likes but that is unpopular with its critics (the bailey), the company pushes a connected but much more defensible position (the motte). Apple’s goal is total control of its platform and a generous cut of all revenues that pass through. That’s the bailey in this case—what Apple wants but would struggle to defend if stated openly. The motte, Apple’s easily argued position, is that smartphone users want to be safe and secure. The logical fallacy is Apple’s suggestion that if it were to loosen any control, iOS would fall like Rome to the barbarians when, in fact, there are existing counterexamples inside the Apple ecosystem itself.

Apple already offers both the macOS model and its enterprise support for non-App Store installation. Michael Tsai noted this in a blog entry summarizing reactions to the white paper, “Businesses can already force employees to install certain apps, and these apps can already bypass App Review via Apple’s enterprise program.” (Schools can’t use this to push apps to students, only employees.)

If Mac owners can be trusted with “signed and notarized apps” with a non-obvious override for unsigned and unnotarized ones, and enterprises can be trusted to make apps and release them to millions of employees, why can’t individual users be given some control, too? Apple also has its hidden XProtect and MRT (Malware Removal Tool), which can police all apps, even those installed via the notarization and signing third tier noted above.

Is Apple so paternalistic that this white paper’s summary could be, “We know what’s best for you. Trust us. We’re protecting you.”? This sounds like the opening of every dystopian superhero film and TV show, recently including The Tick (season 2), Invincible, and The Boys. (Weirdly, those three shows were all made by Amazon. Is Jeff Bezos trying to tell us something?) Could overprotection exist to keep us within bounds that benefit others rather than for our own good? It’s also entirely possible that Apple justifies its paternalistic tone because it legitimately believes a firm hand is necessary given the virulence of the threats from sleazy marketers and organized crime alike.

A better approach might be for Apple to negotiate some sort of middle ground with developers, its customers, Congress, and the Biden administration (and the EU and other countries, too) in which it gives up some of its financial leverage in exchange for a more broadly moderated alternative to App Store only installation.

Here are a few areas of contention where Apple could give ground:

  • Drop fees from 15% and 30% to 10% and 15%: Developers and users alike are already frustrated that Apple both places itself in the middle and tries to claim that it is not purely out to make money—that it adds value to the system worth 15% or 30% of the price of apps, subscriptions, and digital transactions. The commission has long been seen as too high. Last year, Apple admitted 30% was excessive by offering a program for small and mid-sized developers to drop that to 15%, with some provisos (see “Apple Drops App Store Commission to 15% for Small Developers,” 18 November 2020). In 2016, Apple also shifted subscription renewals to 15% and has reportedly cut private deals for under 30% with some companies. If Apple went further and dropped the fees to 10% for small developers and 15% for larger ones, much developer ill-will would disappear.
  • Allow non-Apple payment methods for digital goods: Rather than forcing developers to use Apple’s in-app purchase system, the company should allow digital purchases using methods from which it wouldn’t receive a cut. That would put it in a position of having to compete for developers’ business by being easy to use and price-competitive.
  • Allow links from apps to the developer’s site: Apple should allow apps to contain links to a developer’s website, including for off-app subscriptions. Apple has negotiated arrangements with billion-dollar companies for some of this—why not $10,000-per-year developers, too? (Apple should also stop complaining to publishers about hyperlinks in ebooks on its bookstore that point to Amazon and other competitors.)
  • Stop “Sherlocking” apps: Apple certainly should have the right to make apps and add features that its customers want. But the company isn’t innovating when it nearly duplicates apps and then uses its App Store control to promote them more heavily in search results. There’s a balance that doesn’t involve undermining app creators.
  • Improve protection of customers: The company’s words about how it maintains a safe App Store through strong oversight ring hollow given how easy it is to find apps that use deceptive titles to mimic popular apps from other developers. (In 2018, David Barnard examined the combination of app deception and subscription scams in depth.) Similarly, stories abound of apps charging usurious fees or tricking users into expensive subscriptions.
  • Improve protection of developers: Developers lose revenue from apps that hijack consumer attention through misleading titles, ads that impersonate another app, and countless fake reviews. The paper noted, “Apple deactivated 244 million customer accounts due to fraudulent and abusive activity, including fake reviews. It also rejected 424 million attempted account creations due to fraudulent and abusive patterns.” That may be so, and it’s certainly troubling, but Apple is still falling short in this regard.

Will Apple’s white paper be sufficient to deter the US Congress’s and FTC’s desire to offer more choice to consumers and leave them subject to less control? On its own, it seems unlikely. (Never underestimate the power of other forces, such as deep-pocketed lobbying.) I believe Apple has to trade away some control to justify why it should still play an essential role in protecting users without being the sole gatekeeper and toll collector.

Apple and regulators might reach compromises that don’t go as far as my suggestions above, but the paper is convincing only about certain aspects of Apple’s arguments. And there’s something about technology giants that brings politicians in the United States together across the aisle. While liberals, conservatives, and those of other political stripes seldom find commonalities these days, complaining about Big Tech’s moderation, lack of consumer control and protection, and bad behavior towards vendors is one point of agreement. Dissenters appear across the political spectrum, too, but seem to be in the overall minority.

Coda

There are two side notes to end with. First, Apple oddly notes that “A study found that devices that run on Android had 15 times more infections from malicious software than iPhone.” The footnote cites Nokia’s Threat Intelligence Report 2020. That’s an accurate citation, but a bizarre statistic. The report says an average of 0.23% of mobile devices were estimated to be infected each month. Given that a couple billion Android and iOS/iPadOS smartphones and tablets are in use globally, that means roughly 5 million are infected at any given time…and that over 300,000 of those are iPhones. That number seems quite high relative to what we know about iOS security.

Second, the report opens with a 2007 quotation from a sort of blog post/open letter from Steve Jobs originally posted on apple.com:

We’re trying to do two diametrically opposed things at once: provide an advanced and open platform to developers while at the same time protect iPhone users from viruses, malware, privacy attacks, etc. This is no easy task.

Follow the footnote and you find that Apple didn’t use a permanent link for that public statement. Because of that oversight 14 years ago, Apple was forced to point to a reliable third-party resource. One that has been trusted by Apple users for over 31 years and has worked hard over decades to ensure that old URLs to articles don’t break even across three distinct Web publishing systems.

Yes, it’s little old us. Adam Engst’s mother was for many years the Cornell University Archivist, and I hope she’s proud of her son and daughter-in-law.