SecurityWeek

Apple Points to Android Malware Infections in Argument Against Sideloading on iOS

Apple Threat Analysis Report Highlights Risks Posed by Sideloading on iOS.

Apple on Wednesday published a 30-page threat analysis report in an effort to show why allowing sideloading on iOS would pose serious privacy and security risks to iPhone users.

Sideloading is the process of downloading and installing mobile apps on Apple devices from sources other than the official App Store, such as through direct downloads or third-party app stores.

There has been pressure on Apple to support sideloading, but the tech giant believes that sideloading would “cripple the privacy and security protections that have made iPhone so secure, and expose users to serious security risks.”

Apple is apparently trying to show how bad the situation is in the Android ecosystem, and suggests that iOS could end up just as bad if it starts allowing users to install applications from third-party stores and websites.

The company has collected data from nearly 150 reports and news articles published by major cybersecurity firms and news outlets since 2014 in an effort to show that Android devices are far less secure than iPhones. For instance, the report highlights two threat intelligence reports from Nokia showing that Android phones had between 15 and 47 times more malware infections than iPhones.

Apple’s report also highlights a recent EU report claiming that its cybersecurity agency, ENISA, detected 230,000 new malware infections every day between January 2019 and April 2020. It’s worth noting that Apple’s report says “230,000 new mobile malware infections,” but the EU and ENISA reports seem to refer to infections across all platforms, not just mobile platforms.

The tech giant also points to a Kaspersky report showing that the cybersecurity firm’s products detected more than 5.6 million malicious installation packages targeting Android devices last year.

The company said that if it were forced to support sideloading, it would be easier for cybercriminals to target its customers, even if sideloading were limited to third-party app stores. It also pointed out that other app stores don’t check applications and don’t require developers to provide accurate privacy-related information, as the App Store does.

“Some sideloading initiatives would also mandate removing protections against third-party access to proprietary hardware elements and non-public operating system functions. This would undermine core components of platform security that protect the operating system and iPhone data and services from malware, intrusion, and even operational flaws that could affect the reliability of the device and stop it from working,” Apple wrote in its report.

The company is concerned that universal support for sideloading would also cause problems for users who don’t want to install applications from third-party sources — they could be forced to install work- or school-related apps, or cybercriminals could more easily deliver their malware by creating fake App Store websites that lure users with tempting offers.

Apple published another, shorter report on the risks posed by sideloading in June.

While iOS may not be as targeted by malware as Android, iOS has still had some malware problems, including ones that impacted a large number of users. For example, the XcodeGhost malware discovered in 2015 impacted thousands of iOS applications and 128 million iOS users.

More recently, threat actors were observed delivering spyware to iPhones as part of a highly targeted espionage campaign that involved iOS zero-day vulnerabilities.

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
