Sunday, March 21, 2021

Harvard and Georgia Tech professors debunk Apple's security pretext for App Store monopolism: Epic Games v. Apple

This is the second part of a trilogy of posts on a slew of documents Epic Games filed on Friday. In the previous post, I published and briefly discussed Apple's and Epic's tentative witness lists for their May antitrust trial in Oakland. In the next one, planned for later today (Sunday), I'll discuss the economic analysis underpinning Epic's market definition.

Apple would have us--and especially competition authorities and courts--believe that there cannot be security without tyranny: in the world according to Apple, there's either a monopolistic App Store with all its unfair rules and their arbitrary application, or malware will take over our phones.

To software developers like me, this is transparent fearmongering. But Apple has to say something to defend the indefensible. It can afford more easily than any other company in the world to get some people to say things that independent experts couldn't possibly say with a straight face. And it may just hope that judges or the decision-makers in competition authorities could be gaslighted when a topic is technical and uneasiness may just be enough to let Apple sustain a harmful monopoly in app distribution.

Come May, Judge Yvonne Gonzalez Rogers of the United States District Court for the Northern District of California will hear what Apple has been telling antitrust authorities around the globe for a while. Fortunately, the other side--Epic--will also be heard. Based on the summaries of the opinions of Epic's experts on security that were filed on Friday, renowned experts will help the court see through what is just a smokescreen.

Professor James W. Mickens of the Harvard John A. Paulson School of Engineering and Applied Sciences will testify that "Apple considerably overstates the security benefits of its own centralized App Store model" and that "if Apple allowed iPhone users to opt into app distribution via third-party channels, those users would not suffer from a meaningfully less-secure experience" (this post continues below the document):

376-13 James Mickens Openin... by Florian Mueller

Professor Mickens's analysis identifies "five security properties for iPhone apps: sandbox compliance, exploit resistance, malware exclusion, user consent for private data access, and legal compliance." While Apple argues that its operation of an exclusive app store and its review process are key to the enforcement of those security properties, Professor Mickens notes that the first three of those properties are enforceable by an operating system (here, iOS) alone, and with respect to the other two, which an operating system can enforce only to some degree, "a variety of empirical evidence suggests that, in practice, the App Store does a weak (at best) job of enforcing these additional security properties."

Everyone knows that Apple has always enabled users to directly download and install third-party apps for MacOS. But even on iOS--and in connection with mission-critical applications--Apple itself actually relies on its iOS security architecture rather than an app review process: "In particular, the Apple-sanctioned Developer Enterprise program allows a third-party business to distribute the company’s proprietary apps to company employees. These apps are not reviewed by Apple."

To the extent that iPhones obtain information such as location (by GPS) or motion (accelerometers) that Macs don't have, there is no restriction to data synchronization between iPhones and Macs--and on Macs, third-party apps that users installed without Apple ever having reviewed them could access that treasure trove of data anyway.

While Android app distribution is also restricted, that is not going to be a topic of discussion in May. However, Apple's claims of iPhones being more secure than Android devices will probably come up. In my observation, Android security is only a problem if it takes too long between the emergence of a security loophole and the availability of fixes for particular devices, and with the Android devices I have and use, all of which are from first-rate vendors, I'm not concerned about that. Professor Mickens's summary says the following about the Android-iOS security comparison:

"[A] variety of evidence suggests that iPhones are not significantly more secure than Android devices. For example, a recent security evaluation of hundreds of iPhone apps found that those apps suffered from many of the security problems observed in Android apps. As another example, the open market for smartphone security vulnerabilities currently assigns a higher monetary value to Android security exploits. These market dynamics imply that Android is actually more secure than iOS."

Epic's expert is fair and does recognize that "Apple’s reputation for caring about security is not undeserved," but cautions against blowing this out of proportion, as some of this is attributable to "historical beliefs that are no longer true" even if they were in 2007 after the launch of the first iPhone.

As far as filtering out "religiously-offensive images" and similar content is concerned, it is obviously not a feature of today's operating systems to identify and block such material. But third-party app stores could also hire reviewers. I love the following sentence:

"For example, any reasonable person can determine whether an app provides 'lasting entertainment value'; being an employee of Apple is not a bona fide occupational qualification for issuing such a judgment."

Part of the problem really is hubris: Apple somehow believes that it has a patent on knowing and determining what's good for iPhone users. In reality, Apple just has an app store monopoly, and the world would be a better place with alternative app stores putting competitive pressure on Apple. Competition drives quality.

Last summer, shortly after Epic filed its complaint, a developer I don't remember explained on Twitter that any security benefits iOS has are attributable to technical features such as sandboxing, while it's just as easy to sneak malware through Apple's app review process as it is in Google's case.

This leads us to another Epic security expert: Professor Wenke Lee, the director of the Institute for Information Security & Privacy at Georgia Tech, was a member of a group of researchers who already presented a paper at a 2013 conference on how they managed to sneak malware through Apple's app review process. They submitted an app that was supposedly just about news from Georgia Tech, but inside the Trojan Horse--the researchers preferred the term "Jekyll app"--there were "dormant" code segments that could take control over your phone and generate tweets, text messages, or emails, or could take pictures without you even knowing. The related code segments were actually generated later, so an analysis of the code at the time of the app review wouldn't have found it. I've never written malware, but the first article ever that I successfully submitted to a computer magazine, back in 1985, discussed a variety of unorthodox coding techniques including self-modifying code, so I'm familiar with the concept.

Professor Lee will deliver an opening opinion and a rebuttal to Apple's claims that only Apple, through a monopolistic App Store, can achieve certain security goals, while Epic's expert explains others can do the same, the MacOS model could also be applied to iOS, and companies like Square and Stripe have already shown how to build secure payment systems:

376-17 Wenke Lee Opening Op... by Florian Mueller

376-18 Wenke Lee Rebuttal O... by Florian Mueller
