Apple has published a brochure Building a Trusted Ecosystem for Millions of Apps where they argue that the App Store is an important middleman that delivers safety to billions of people and that if people are allowed to load apps from random sources, bad things™ would happen.

I respect many people at Apple who work real hard to push for better design and better technology. I also respect Apple as a commercial enterprise that knows how to make money that funds all that design and technology with scale and consistency.

However, we should call propaganda for what it is. The App Store is not the important middleman that provides safety for the users. It is the design of the gadget itself that protects the owner and their data from malicious or malfunctioning code. Of course, there are spots of imperfection, but the App Store provides only a superficial and incomplete substitute for a solid technical solution within the design of the hardware and the software.

The principle

I’ll get to the boring commentary of the points made by the brochure below, but before I’d like to remind you all of a principle formulated in 2010 by Ivan Krstić who still works on core security at Apple: “security driven by user intent”. At WWDC 2010, Apple announced sandbox technology being brought from iPhone to the Mac. Ivan made an insightful presentation that explained the philosophy behind this:

• computers contain data of our entire lives,
• apps can be written by anyone and deployed over the internet,
• apps should not have access to all of user data by default,
• access to data should be driven by user intent so that the user always knows who has access to that data.

The most impressive example of applying this principle was “Open File” dialog in OS X Lion. Before sandboxing, the app would have access to the entire disk. When you want to open a file, the app would use a system framework within its address space to draw an “Open File” dialog to let user select a specific file. Within a sandbox, the app has only its own containerized folder (just like on every iPhone), plus a list of permissions granted to it by the kernel. The “Open File” dialog is no longer rendered by the app, but instead the system draws its own Finder window over the rectangle placeholder left by the app. What user sees is the same familiar experience, but what happens behind the scenes is exactly what matches user’s intent: system-like dialog sees all files because the system has access to all these files, but only the selected one is granted to the app. Same works for drag-and-drop: when a file is dropped to the app, system grants access to that exact file.

The same principle works on the iPhone: when an app wants to select a file or a picture, it is the system dialog that appears and only the selected items are granted to the app. Same goes for the contacts in the address book. And since WWDC 2021, there is even a location button that helps avoiding clunky Allow/Deny dialogs that annoy people and are not directly tied to intent and specific action. I’m eager to see this implemented for the camera and mic, so we can just press on/off buttons instead of being prompted whether we allow an app to spy on us indefinitely.

Ephemeral MAC addresses, private relay, one-time email addresses are all the technologies, not policies, that improve your security by minimizing leakage of private information.

As you have already noticed, this works for all apps, no matter who developed and signed them: Apple, App Store or independent developers. It is the job of the operating system and hardware to keep your data safe and make sure apps do not interfere which each other. App Store is a nice service where you can find and easily buy/install applications, compared to the wild web, but it is not and never be an effective guardian: only the operating system can do that job, 24/7 without any human supervision.

Boring commentary

We built the App Store to give developers from around the globe a place to build innovative apps that can reach a growing and thriving global community of over a billion users.

That is true: ease of use of App Store is what helps users spend money on apps, which is a great incentive for developers to build more and better.

Given the sheer scale of the App Store platform, ensuring iPhone security and safety was of critical importance to us from the start. Security researchers agree that iPhone is the safest, most secure mobile device, which allows our users to trust their devices with their most sensitive data.

That is also true: if everyone is keeping everything in their computers and installing millions of applications on them, it is quite important to make computers secure at the core.

We built industry-leading security protections into the device, and we created the App Store, a trusted place where users can safely discover and download apps. On the App Store, apps come from known developers who have agreed to follow our guidelines, and are securely distributed to users free from interference from third parties. We review every single app and each app update to evaluate whether they meet our high standards. This process, which we are constantly working to improve, is designed to protect our users by keeping malware, cybercriminals, and scammers out of the App Store.

Notice how device security is placed on par with App Store policies. At their scale App Store is at best a “last resort” measure on top of the actual security provided by the device itself. There are and always will be people circumventing human-operated policies. Heck, Facebook app is still shipping, as far as I know.

Apps designed for children must follow strict guidelines around data collection and security designed to keep children safe, and must be tightly integrated with iOS parental control features.

This paragraph fails to convince me why all adults must have crippled devices because that way kids are safer. Parents can turn on “kids mode” for their kids and not turn it on for themselves.

Apple reviews all apps and updates on the App Store to intercept those that could harm users. This includes apps that contain inappropriate content. [...]

Inappropriate content is another mind trick from a category “think of the children”. Inappropriate content has nothing to do with the security of your data and the number one application that contains all the inappropriate content in the world is a web browser that ships front and center with every computer.

A study found that devices that run on Android had 15 times more infections from malicious software than iPhone, with a key reason being that Android apps “can be downloaded from just about anywhere,” while everyday iPhone users can only download apps from one source: the App Store.

No, sorry. Android is not a single architecture, it’s a piece of software that gets installed on random array of hardware. Most of shipping Android phones are generally cheap and less secure than iPhones.

That principle guides the high privacy standards we build into our products: we collect only the personal data strictly necessary to deliver a product or service, we put the user in control by asking them for permission before apps can access sensitive data, and we provide clear indications when apps access certain sensitive features like the microphone, camera, and the user’s location.

The access to data is managed by the system through (mostly) clever use of the principle “security driven by user intent” that I described above. It is actually a security hole to rely on some people with policies to manage data that’s flowing right in front of you on a computer that you have to trust anyway.

Today, it is extremely rare for any user to encounter malware on iPhone.

Yes, but not because of the App Store. See above.

Because of the large size of the iPhone user base and the sensitive data stored on their phones – photos, location data, health and financial information – allowing sideloading would spur a flood of new investment into attacks on the platform.

We have to compare this risk with the risks present on the web: if a bad app could ask you to give it access to some photos, the same could be done by a website.

On a Mac there is an optional notarization service that lets users have confidence that the app is from a developer known to Apple. So if, say, they permit the photo editing application access to the entire photo library and then later it is discovered that the app goes rogue, Apple would be able to hold the developer by the balls in the legal realm. But that does not mean the developer cannot distribute the app directly to their users without anyone at App Store vetting it upfront.

A sideloaded game bypasses parental controls.

The entire page 5 is telling a story how hardware is not capable (actually, it is) of enforcing parental controls. The hardest part is filtering the web traffic, and that’s certainly not the App Store’s job. Also, if App Store was optional, there is no problem in having a switch on a phone “only allow apps from 6+ category on the App Store” and a passcode.

Apple defending App Store on the grounds of kids’ safety sounds very patronizing: there is only one adult in the whole Apple universe, and all of you are children incapable of thinking for yourselves.

At the park, the copy-cat filter app John had sideloaded threatens to delete all of his photos unless he pays up.

I think Apple should work on a native Bitcoin wallet built into the Keychain, so John has a more convenient way to pay up a ransom. Currently, if your phone lets an app to encrypt/delete all its data, it is very annoying to register on Bitcoin exchange, file paperwork, set up a wallet, read the whitepaper and learn how to back up your private keys. A decent built-in solution for ransomware would be most welcome in this dangerous world. After all, we are all used to pay ransom for PCR tests to move around, and that’s marginally more convenient than ransomware.

John unknowingly downloads a pirated app from a third-party app store.

There is this thing called TLS and Certificate Transparency on the web designed for specifically this scenario. It is a federated (not centralized) system, and pretty much free of charge with little censorship risks (except in Kazakhstan).

A sideloaded app violates John’s privacy.

What the app actually does that cannot be controlled by the hardware is always going to be learned the hard way: after enough damage is done. One way to prevent and limit the damage is to have developers known. And this is achieved by having notarization and TLS-like trust chains, not via a centralized distribution channel, that cannot learn about the app’s malicious behaviour during a 2-day review.

In addition to the protections provided by App Review, we design our devices’ hardware and software to provide a last line of defense in case a harmful app is downloaded on the device.

The best defense relies on a combination of all layers – robust App Review to help prevent the installation of malicious apps, and robust platform protections to limit the damage malicious apps can inflict.

That is quite a statement. In the end of the brochure Apple claims that it is the App Store that’s doing all the heavylifting, and the security architecture is simply the last line of defense. I don’t remember when any of the infosec people I know would be praising Apple’s distribution system: it was always the top-notch technical solutions that provide robust, easy to understand security model: from the CPU architecture, to Secure Enclave, to filesystem encryption, containerization and sandbox, fine-grained permissions system up to intent-driven UI security.

The end result is that security experts agree iPhone is the safest, most secure mobile device. Apple’s many layers of security provide users with an unparalleled level of protection from malicious software, giving users peace of mind.

This closing paragraph is entirely true, but Apple is dishonestly making you think it’s their policing that keeps you safe, not the clever engineering and design.