Third-Party App Stores Could Be a Red Flag for iOS Security
Even Apple can’t escape change forever.
The famously restrictive company will allow third-party app stores for iOS devices, along with allowing users to “sideload” software directly. Spurring the move is the European Union’s (EU) Digital Markets Act (DMA), which looks to ensure open markets by reducing the ability of digital “gatekeepers” to restrict content on devices.
While this is good news for app creators and end-users, there is a potential red flag: security. Here’s what the compliance-driven change means for Apple, applications and appropriate device protection.
While the DMA doesn’t come into full force until March 6, 2024, many organizations are acting now to minimize disruption, and Apple is among them. The company is apparently on track to allow users to download and install third-party app stores on their iOS devices. Apple is on the hook to comply with changes to cable connections. By 2024, the company will add USB-C ports to all iPhones.
Breaking the locks on digital gatekeeping offers benefits for both application developers and end-users. From the developer’s perspective, using a third-party app store to sell their software lets them avoid commissions taken by Apple, which can be up to 30% of user payments per app. From the user side, being able to go outside the iOS app ecosystem offers both more choice and more control. Instead of waiting for Apple to vet and approve new software, users could find versions of their favorite apps already for sale on third-party marketplaces or available directly for download.
Not surprisingly, Apple executives aren’t exactly thrilled about the shift, calling software sideloads “a cyber criminal’s best friend”.
Some of their concern is motivated by a desire to retain control over application distribution and the revenue it brings. However, they do have a point. The closed-loop nature of iOS has long been a selling point for Apple, which claims that it reduces security risk. The claim does have some merit: recent data found that 10 months after the release of Android OS version 12, 30% of federal employees were still running older, less secure versions. In the case of iOS 15, this number was just 5%. For the most part, the difference comes from control. Apple’s oversight of devices means updates are harder to avoid, while Android provides greater choice, but potentially greater risk.
However, the shift to third-party app stores and sideloaded software impacts Apple’s ability to deliver consistent security. For example, apps downloaded from non-iOS stores may include critical security vulnerabilities or even malware. If attackers can fool on-device security scans, they may be able to compromise user devices.
Since Apple won’t have any monetary stake in these apps, the company may not make protection a priority. This could offer a potential side benefit for Apple; they won’t have to spend money on third-party security, and if users get burned by rotten apps, they may come back to the iOS tree.
Whether you see the shift to open digital borders as good or bad, change is coming. As a result, security teams are well served taking time to prepare. Here are three approaches to help bolster iOS security post-change:
One approach is banning both third-party app stores and sideloading on business-owned iOS devices and enforcing this policy with mobile device management (MDM) tools.
While this will provide a measure of security, it also comes with potential drawbacks. First is the pushback from staff, especially if they use personal devices to work from home or while traveling. By blocking third-party app stores on personal devices, businesses may discover that staff simply stop using these devices for work, in turn reducing total productivity.
There’s also the case of useful apps that are available sooner on third-party app stores than through official channels. A total ban means companies are waiting longer to access features or functions that could improve operations.
Another approach is leveraging additional security tools such as next-generation web application firewalls (NGFWs) and AI-driven behavior analysis to evaluate the potential risk of third-party apps or sideloaded software. If these tools detect a problem, they can prohibit downloads. If the software is all clear, they can permit installation.
The key here is follow-up. Even if apps appear legitimate and pass initial scans, this doesn’t guarantee safety. As a result, continuous monitoring is critical to ensure both user devices and business networks remain protected.
IT teams may also want to consider creating new guidelines around where users can download apps when they can sideload software and what steps they need to take to reduce total risk.
For example, teams might analyze popular app store options and only allow access to a select few based on what they offer and what (if any) security policies they have in place. Companies can also make it mandatory for staff to inform IT staff about any new downloads on their device. They might give teams a chance to analyze the apps for risk. Companies also need to lay out clear consequences if rules around app downloads aren’t followed.
Worth noting? There’s no hard-and-fast rule here. With regulations in flux, organizations need to find approaches to third-party apps and sideloading that balance device security with user autonomy and control.
The days of closed-loop iOS stores are ending in the EU. But with increased choice comes a higher risk of getting a malicious app that wreaks havoc on user devices — and potentially puts businesses at risk.
To reduce the chance of compromise, IT teams should consider a three-pronged approach. This should include banning shady app stores and sideloading, using additional security tools to detect potential problems and creating new security guidelines to provide clear roles and responsibilities for users.
6 min read – The Evolution of Kronos Malware The Kronos malware is believed to have originated from the leaked source code of the Zeus malware, which was sold on the Russian underground in 2011. Kronos continued to evolve and a new variant of…
4 min read – Social engineering attacks have challenged cybersecurity for years. No matter how strong your digital security, authorized human users can always be manipulated into opening the door for a clever cyber attacker. Social engineering typically involves tricking an authorized user into…
4 min read – In late 2021, the Apache Software Foundation disclosed a vulnerability that set off a panic across the global tech industry. The bug, known as Log4Shell, was found in the ubiquitous open-source logging library Log4j, and it exposed a huge swath…
James Kilner contributed to the technical editing of this blog. Nethanella Messer, Segev Fogel, Or Ben Nun and Liran Tiebloom contributed to the blog. Although in the PC realm it is common to see financial malware used in web attacks to commit fraud, in Android-based financial malware this is a new trend. Traditionally, financial malware in Android uses overlay techniques to steal victims’ credentials. In 2022, IBM Security Trusteer researchers discovered a new trend in financial mobile malware that targets…
Not so long ago, the Mac was thought to be impervious to viruses. In fact, Apple once stated on its website that “it doesn’t get PC viruses”. But that was before the Mac OS X Trojan Flashback malware appeared in 2012. Since then, Mac and iPhone security issues have changed dramatically — and so has the security of the entire world. In this post, we’ll revisit how the Flashback incident unfolded and how it changed the security landscape forever. What…
5G is a big leap in mobile technology. It presents enterprises and service providers with capabilities for advanced applications, content delivery and digital engagement anywhere. It enables businesses with new use cases and integrated security needs to have a trusted network and application/data delivery function. How does one build a secure 5G network that provides the level of trust required by users today and in the future? The Benefits of 5G 5G’s new use cases come from: Customized network slices…
Necessity may be the mother of invention, and it also drives change. To remain competitive in 2021, companies had to transform rapidly. Today, many of us work from home. Remote and hybrid work models have become the new normal. But what about security? In one recent survey, 70% of office workers admitted to using their work devices for personal tasks, while 69% used personal laptops or printers for work. Also, 30% of remote workers let someone else use their work…
Analysis and insights from hundreds of the brightest minds in the cybersecurity industry to help you prove compliance, grow business and stop threats.
