Well, 2017 is opening with a bang. Last week we had the deeply troubling report of a cross-platform mobile threat, which appears to be a harbinger of mobile-based attacks on enterprise infrastructure. Today we hear that a ruling from the 9th US Circuit Court of Appeals allows for a suit against Apple, claiming that the App Store monopolizes the iPhone apps market. This suit could force Apple to open up the App Store, allowing users to purchase iPhone apps from third-party stores.
While it’s not our place to argue the legal merits of an antitrust case, we can state, unequivocally, that this is a Bad Idea from an enterprise security point of view.
Today, iPhone users can purchase apps from the App Store confident that the app complies with Apple’s policies regarding privacy and security. This sets a baseline from a security point of view, and this level of security is by and large adequate for the consumer market. And while enterprises require an extra level of protection, they also rely on the protections provided by Apple’s app vetting process. A third-party app store is under no obligation to perform any privacy or security vetting, and in order to compete on cost will have market incentives to overlook such a costly step.
We need look no further than the Android third-party stores for proof. Note how quickly malicious versions of the Android Pokémon Go and Super Mario apps showed up on third-party stores. The Android community suffers from a higher rate of malware and other malicious-app incidents, most of which originate in third-party stores. Android’s open ecosystem, while laudable in principle, is its Achilles’ heel when it comes to security.
One of the larger problems that arises with third-party stores is the difficulty of identifying and protecting against trojan apps. Imagine I have an account at Ginormous Bank and decide to download their app. Imagine further that I download it from a third-party store, unaware that Ginormous Bank’s official app is only available from the App Store. That means I’ve downloaded a trojan. As soon as I log on, I’ve sent my credentials and possibly other PII to a malicious operator. And if I reuse the same password across services, which is a common practice, I may have handed an attacker the ability to access and exfiltrate sensitive corporate data.
From an antitrust point of view, the objective is open markets so that app prices might be lower. We would suggest that such savings would come at too high a cost from a security point of view.
Image credit: http://thetechportal.com/2017/01/13/apple-legal-setback-monopoly/