Apple Says US Legislation Would Make App Store Less Secure
Apple tightly controls the iPhone, requiring all mobile app downloads take place within its App Store, where it takes up to a 30% cut on digital sales.
June 23, 2022 at 01:11 PM
Apple Inc. says an antitrust bill aimed at cracking open the app-store market will make iPhones less secure, even though Congress and some large firms already have Apple-approved tools that let them bypass the App Store.
Although Apple says it's the only company that can offer a secure App Store, the iPhone maker has long allowed members of Congress and large firms to bypass its strict controls and use alternatives to install third-party apps. The practice isn't widely known, and is at odds with Apple's opposition to the bill designed to break its mobile app-store duopoly with Alphabet Inc.'s Google.
Apple's acceptance of some instances of so-called sideloading looms large as Congress nears a vote next month on the antitrust measures. While Apple maintains that outside apps would leave iPhone users vulnerable to malware and scams, antitrust advocates and cybersecurity specialists say the company's protests appear to be more about defending its business model.
"Security is a giant red herring," said Bruce Schneier, a fellow at the Berkman Klein Center for Internet & Society at Harvard University. "It will scare a lot of people. The goal is to protect the monopoly."
Apple tightly controls the iPhone, requiring all mobile app downloads take place within its App Store, where it takes up to a 30% cut on digital sales. To get into the App Store, developers must submit apps for review by Apple's team, which scrutinizes them to ensure compliance with the company's rules on privacy and security. The company forbids developers from offering certain things like sexually explicit content, all-in-one cloud gaming services and cryptocurrency mining.
A 2020 House investigation found Apple has "monopoly power over software distribution on iOS devices" allowing it "supranormal profits."
"Developers have no other option than to play by Apple's rules to reach customers who own iOS devices," the report found, just as iPhone owners "have no alternative means to install apps on their phones."
In the wake of the House investigation, a bipartisan group of lawmakers introduced legislation aimed at opening up mobile app stores. The Open App Markets Act would require Apple and Google, whose Google Play is the most popular app store on Android mobile phones, to make it easier for users to download other app stores and switch the apps set as the defaults on phones.
"We remain concerned that this legislation threatens to break this model and undermine the privacy and security protections our users depend on," said Fred Sainz, an Apple spokesperson. "The legislation, as originally drafted, created unintended privacy and security vulnerabilities for users. We believe the proposed remedies fall far short of the protections consumers need."
Computers, including Apple's Mac, have always allowed direct downloads of software. Google's Android also lets users install apps without going through its built-in app store. Only Apple requires iPhone users to use its App Store for all mobile app downloads, said John Bergmayer, legal director for advocacy non-profit group Public Knowledge.
"Proponents of these regulations argue that no harm would be done by simply giving people a choice," Apple's Chief Executive Officer Tim Cook said at a privacy conference in April. "But taking away a more secure option will leave users with less choice, not more."
But Apple sometimes makes exceptions to allow sideloading and apps that haven't gone through its review process.
Lawmakers and staff go to a special, secured online portal to install apps, said Dan Weiser, who works for the House's Chief Administrative Officer. That secured portal helps ensure members use licensed apps and have the most up-to-date versions, he said.
The House and Senate app catalogs, created using VMware Inc.'s cloud-based software, include popular apps like Webex and Zoom customized so members can securely participate remotely in hearings.
The catalog also contains custom apps specially designed for members of Congress, said Weiser. Those include apps to access the secured internal network for the House or Senate, email, live floor updates and calendars.
The House and Senate app catalogs were created as part of an effort to modernize the technology Congress uses, centralize its purchasing and ensure it's secure from potential cyberattacks.
The Senate's IT services are managed by the Sergeant at Arms, which didn't respond to questions about its app catalog. But Senate aides and a contract solicitation published by the Sergeant at Arms' office confirmed the chamber uses the same system.
Apple acknowledged during a federal antitrust trial last year that it has long allowed some companies to bypass the App Store. Craig Federighi, a top Apple executive and engineer, testified that large organizations can get permission to distribute apps directly to their employees in lieu of going through Apple's App Store and review process. This allows them to create apps specific to the company, he said, citing a 3D-modeling app that animation studio Pixar created for its designers as an example.
"These aren't apps they want to sell to the general public," Federighi said. "They want to provide it just to their employees. The Enterprise program is meant to give them the ability to do that."
Those custom apps aren't reviewed by Apple, he said. The arrangement, called the Apple Enterprise Program, has been around since 2008.
The onus is on the company to make sure the apps are safe and secure enough to be downloaded and used by employees, he said. Apple trusts that companies wouldn't want to harm their own employees by installing malware or other malicious apps onto corporate-owned devices, Federighi said.
Apple declined to respond to questions about how many companies in the U.S. use the program today, but said that "most" corporate clients now use Apple Business Manager, a more tightly controlled program introduced in 2019 where custom apps go through a limited review by Apple. The company also offers a service called TestFlight, where developers can distribute apps still in the works to a limited number of users for testing.
Apple said it has taken steps to limit "abuse" of its Enterprise program. For example, it cited a January 2019 incident where the company suspended Facebook for distributing an app to consumers through the Enterprise program that collected users' data. Facebook later had its access restored.
Downloading software directly is less secure than downloading an app from Apple's App Store but not the "security apocalypse" the company makes it out to be, Schneier said.
That lesser security "is what exists on everyone's PC right now," he said. "It is demonstrably true that Disney World is safer than a public park. That does not mean we give Disney a monopoly on all public parks in the country."
Leah Nylen reports for Bloomberg News.