Apple's Biggest Decision Yet: Security Risks of Third-party App Stores

The Digital Market Act levels the playing field for app developers

The Digital Market Act, a new European policy, is shaking up the app economy by promoting fairer competition in the Eurozone. Big tech companies, including Apple, now have new obligations that will impact mobile app development and security. One of the biggest impacts on mobile app security is that Apple may have to officially allow third-party app stores. In addition, developers may get access to smartphone features like NFC (Near Field Communication) for mobile payments. The goal is to avoid unfair conditions for business users, and not require developers to use specific services in order to be listed in app stores. In light of the latest news about Apple preparing to let rival app stores on iPhones reported by Bloomberg, this article explores the implications on iOS mobile app development and security as well as the best practices to mitigate potential issues by applying a comprehensive mobile app security solution.

Installing apps from third-party stores: A game-changer for iOS mobile app publishers

A key difference between iOS and Android app publishers is that the latter can develop and market apps on a wider range of devices, without being tied to the services of the Google Play store. Installing an app from a 3rd-party store is a common and accepted practice on Android due to the open nature of the ecosystem. In addition to Google Play, there are official third-party app stores from companies like Samsung, Huawei, and Amazon.

That has not been an option in the iOS ecosystem. The new European Digital Market Act could change this by opening up the competition to allow third-party app stores on Apple devices.

This change may benefit iOS app publishers by potentially reducing costs associated with the vetting process required to publish apps on the official Apple App Store and the 30% revenue share Apple charges. This revenue share has been a source of controversy and has led to high-profile legal disputes between Apple and app developers such as Epic Games, Spotify, and Elon Musk. Having an opportunity to no longer pay 30% of their mobile app fee revenue to Apple may encourage many developers to use alternative platforms to publish their apps.

What you need to know about third-party app stores and mobile app security

Well-established app stores, such as the Apple App Store or the Google Play Store, offer a number of security protections to help keep users safe from malicious apps. These protections include:

• Thorough vetting of apps: Apps that are available in official app stores are typically subject to a thorough vetting process to ensure that they do not contain any malicious code or security vulnerabilities.
• Automatic background updates: Many apps from official app stores are designed to receive automatic updates, which can help ensure that they are always running the latest and most secure version.

In addition to these protections, such app stores may offer additional security features, such as remotely locking or wiping a lost or stolen device.

Third-party app stores, on the contrary, can be a security threat because they may not offer the same level of functionality. For instance, they may not check whether an app contains malicious code before publishing it or before letting a user download it. This may make it easier for attackers to compromise the device, steal personal information or commit other crimes like fraud. Third-party app stores potentially enhance or enable some market problems that impact mobile app security. Let’s have a look at them in more detail.

Repackaged apps with malicious payloads

Mobile apps are potential threat vectors to distribute malware payloads that are capable of keylogging, overlay attacks, or other functions to harvest user data and credentials to commit fraud or access other systems without authorization.

Threat actors modify the original apps by injecting malicious code into them while keeping the original functionality. Through this method, victims are deceived into thinking they are using a legitimate app while the threat actors engage in illegal activities.

There are numerous real-life examples of such modified apps featured in the news. Recently, Security researchers discovered a trojanized version of legitimate VPN software for Android devices created to steal contact and call data, device location information, and messages from various apps. Another example is the new platform "Zombinder" which makes it easier for threat actors to bind malware to legitimate mobile apps. That causes victims to infect themselves while still having the full functionality of the original app. Legitimate third-party app stores could serve to provide additional distribution opportunities for these cases by letting threat actors target a broader audience.

Unauthorized enhanced apps

The OG App, an Instagram clone that offered a version of the platform without ads, recommendations, and Reels, was removed from the App Store a day after its official launch. The OG App allowed users to login with their Instagram account and browse content without being required to view elements that are unpopular with some users. This case shows the pros and cons of opening up the ecosystem to app developers.

Mods for mobile games to cheat

Mods, or modifications, are alterations to a game that are made by players or third-party developers. While some mods can add new features or enhance the gameplay experience, others can introduce security vulnerabilities or compromise the integrity of the game. One potential threat of mods for mobile games is that they can be used to cheat or gain an unfair advantage in multiplayer games. This can ruin the gameplay experience for other players and undermine the fairness of the game. Well-established app stores promptly take down such mods. On the contrary, third-party app stores could help make these cheats available to a broader audience by providing additional distribution opportunities for the mod developers.

Consequences for app publishers

Repackaged apps with malware can significantly damage the brand and market share of app publishers. According to Statista, a survey of global mobile consumers conducted in 2021 showed that approximately 45 percent of iOS and Android users would stop using a mobile app, as well as tell their friends to do the same if the app in question did not protect them, their data, and their use. Overall, iOS users appeared slightly more concerned than Android users and keener to stop using an app when faced with cyber threats. Moreover, removing unauthorized enhanced apps or mobile game mods from the market and catching the threat actors would be more difficult with a proliferation of 3rd-party stores that enables installation from a lot of additional new sources.

How Guardsquare keeps your iOS apps safe

Installing apps from third-party stores can be a dangerous game - it's easier for malicious actors to distribute deceitful apps or realistic clones that can be used to steal confidential data or distribute malware. Cloned apps can also access APIs without authorization to create enhanced versions of the original app or to access premium content for free.

How do threat actors do it? By carefully studying the target app to find vulnerabilities. reverse engineering it to understand how it works and, lastly, automating and distributing the attack by means of tampered apps.

But don't worry, there's a solution!

Guardsquare already knows a lot about the risks that third-party stores can amplify from the Android ecosystem. By offering a comprehensive mobile application security solution, from mobile app security testing with AppSweep to mobile app protection and monitoring apps in the wild via ThreatCast, developers are protected from potential threat actors aiming to reverse-engineer and tamper with their apps.

Applying Guardsquare's iOS protection solution, iXGuard, brings mobile app protection benefits to iOS developers. These include data encryption, code obfuscation, debugging protection, and hooking protection which dramatically reduce the risk of attacks, including the ones that could be originated by third-party stores. And when your app is out in the wild, Guardsquare's threat monitoring solution, ThreatCast, allows security teams to keep track of real-time threats and improve their apps' security posture with the insights the monitoring tool provides.

The new Digital Market Act and the potential opening of third-party app stores on iOS mean it's more important than ever for iOS developers to focus on the security of their mobile apps.

Learn how you can secure your app today.