Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Application Security

Apple Points to Android Malware Infections in Argument Against Sideloading on iOS

Apple Threat Analysis Report Highlights Risks Posed by Sideloading on iOS

Apple on Wednesday published a 30-page threat analysis report in an effort to show why allowing sideloading on iOS would pose serious privacy and security risks to iPhone users.

Apple Threat Analysis Report Highlights Risks Posed by Sideloading on iOS

Apple on Wednesday published a 30-page threat analysis report in an effort to show why allowing sideloading on iOS would pose serious privacy and security risks to iPhone users.

Sideloading is the process of downloading and installing mobile apps on Apple devices from sources other than the official App Store, such as through direct downloads or third-party app stores.

There has been pressure on Apple to support sideloading, but the tech giant believes that sideloading would “cripple the privacy and security protections that have made iPhone so secure, and expose users to serious security risks.”

Apple is apparently trying to show how bad the situation is in the Android ecosystem, and suggests that iOS could end up just as bad if it starts allowing users to install applications from third-party stores and websites.

The company has collected data from nearly 150 reports and news articles published by major cybersecurity firms and news outlets since 2014 in an effort to show that Android devices are far less secure than iPhones. For instance, the report highlights two threat intelligence reports from Nokia showing that Android phones had between 15 and 47 times more malware infections than iPhones.

Apple’s report also highlights a recent EU report claiming that its cybersecurity agency, ENISA, detected 230,000 new malware infections every day between January 2019 and April 2020. It’s worth noting that Apple’s report says “230,000 new mobile malware infections,” but the EU and ENISA reports seem to refer to infections across all platforms, not just mobile platforms.

The tech giant also points to a Kaspersky report showing that the cybersecurity firm’s products detected more than 5.6 million malicious installation packages targeting Android devices last year.

Advertisement. Scroll to continue reading.

Apple argument against sideloading on iOS

The company said that if it were forced to support sideloading, it would be easier for cybercriminals to target its customers, even if sideloading were limited to third-party app stores. It also pointed out that other app stores don’t check applications and don’t require developers to provide accurate privacy-related information, as the App Store does.

“Some sideloading initiatives would also mandate removing protections against third-party access to proprietary hardware elements and non-public operating system functions. This would undermine core components of platform security that protect the operating system and iPhone data and services from malware, intrusion, and even operational flaws that could affect the reliability of the device and stop it from working,” Apple wrote in its report.

The company is concerned that universal support for sideloading would also cause problems for users who don’t want to install applications from third-party sources — they could be forced to install work- or school-related apps, or cybercriminals could more easily deliver their malware by creating fake App Store websites that lure users with tempting offers.

Apple published another, shorter report on the risks posed by sideloading in June.

While iOS may not be as targeted by malware as Android, iOS has still had some malware problems, including ones that impacted a large number of users. For example, the XcodeGhost malware discovered in 2015 impacted thousands of iOS applications and 128 million iOS users.

More recently, threat actors were observed delivering spyware to iPhones as part of a highly targeted espionage campaign that involved iOS zero-day vulnerabilities.

Related: Apple Security Flaw: How do ‘Zero-Click’ Attacks Work?

Related: Apple Patches macOS Security Bypass Vulnerability Exploited by ‘Shlayer’ Malware

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.

Register

SecurityWeek’s Ransomware Resilience and Recovery Summit helps businesses to plan, prepare, and recover from a ransomware incident.

Register

Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

Cybercrime

The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.

Cybercrime

A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

CISO Strategy

SecurityWeek spoke with more than 300 cybersecurity experts to see what is bubbling beneath the surface, and examine how those evolving threats will present...

CISO Conversations

Joanna Burkey, CISO at HP, and Kevin Cross, CISO at Dell, discuss how the role of a CISO is different for a multinational corporation...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...

CISO Conversations

In this issue of CISO Conversations we talk to two CISOs about solving the CISO/CIO conflict by combining the roles under one person.