On Thursday, the Senate Judiciary Committee held a session to amend and then vote on the Open App Markets Act, a bipartisan bill designed to rein in the monopoly power of smartphone app stores—mainly those run by Apple and Google. Notably, the bill would require those companies to allow users of Android and iOS devices to download apps from places other than the Google Play store and Apple App Store, a practice called sideloading.

As you might imagine, Apple and Google and the lobby groups that represent them are trying hard (and spending big) to derail the antitrust bill. The bill may be particularly galling to Apple, which likes to keep tight control of the software on its devices, citing concerns over app security and user privacy. Google, by contrast, already allows users to install apps outside of its Play store.

The Judiciary Committee voted to send the bill on to the full Senate, where leadership will now decide whether to initiate debate. The bill has solid bipartisan support and has a real chance of passage. So it’s worth asking what Apple would do if it were required to allow apps on the iPhone from other app stores or marketplaces. What new security features could Apple introduce in iOS to prevent malicious apps from making it onto iPhones?

I asked some Apple pundits and security experts after the hearing Thursday.

“I guess they’d rely on sandboxing to isolate [malicious] apps,” says Charlie Miller, a veteran mobile security engineer who currently works for the autonomous car company Cruise. Sandboxing is a way of isolating a piece of software to prevent it from interacting with other apps or interfering with the operating system—a technique that can minimize the chances of an app doing intentional or unintentional harm.

But sandboxing is possible only after an app is already on the device. “You can install what you want, but iOS can ‘try to’ limit what it can do, i.e., it can’t read your Netflix password,” Miller said in a message. (Miller is coauthor with Dino Dai Zovi of The Mac Hacker’s Handbook.)

If the law passes, the experience of installing apps on an iPhone might become more like that of downloading apps on a Mac, which has an App Store but also permits you to install apps outside of it—sometimes with dialog boxes warning of potential security risks.

“They could put in their own app-screening solution, so iOS scans the app package before even allowing it to install,” says Creative Strategies CEO and principal analyst Ben Bajarin. “Some browsers do this—they won’t even allow you to visit a website if they detect a malicious code.”

Riley Testut, a developer whose AltStore offers a way to sideload apps onto the iPhone, agrees. “Apple could—and should—bring their MacOS Gatekeeper security layer to iOS,” says Testut, whose AltStore and most of its apps are not authorized by Apple. “[Gatekeeper] would require all sideloaded apps be ‘notarized’ (aka automatically scanned for malware by Apple) and allow Apple to remotely kill any malicious app that was discovered, preventing users from installing it or even launching it,” he said in a message.

Testut says, however, that while he would like sideloading of apps to work safely on iPhones, he doubts that the Open App Markets Act—at least in its current form—would leave Apple with enough options to protect mainstream consumers who are less familiar with the risks of uncurated apps than the techies who use his AltStore service.

“There’s no denying that Apple’s app review process—although not perfect—does a great job at filtering out scam/malicious apps, because every app is reviewed by at least one real person,” Testut says. “Allowing users to install apps directly from the web or third-party app stores makes it far too easy for regular consumers to shoot themselves in the foot.”

The hardball option

If forced into allowing unvetted apps onto the iPhone, Apple could also decide to play hardball, suggests longtime Apple pundit and Relay Ventures partner Horace Dediu. “Apple could just void warranties if anyone” installs apps outside of the App Store, he notes, adding that there may be legal questions over whether the company could do that.

“The same thing happened in the early days when jailbreaking was common,” Dediu says. “You could do it but you took a risk as a user of bricking your phone.”

Dediu is no fan of the bill as it’s currently written. He believes it amounts to “forced insecurity” for iPhones: “The unworkability of this idea will force some absurdities we cannot yet contemplate.”
