Apple says an antitrust bill aimed at cracking open the app-store market will make iPhones less secure — even though Congress and some large firms already have Apple-approved tools that let them bypass the App Store.
Although Apple says it’s the only company that can offer a secure App Store, the iPhone maker has long allowed members of Congress and large firms to bypass its strict controls and use alternatives to install third-party apps. The practice isn’t widely known, and is at odds with Apple’s opposition to the bill designed to break its mobile app-store duopoly with Alphabet Inc.’s Google.
Apple’s acceptance of some instances of so-called sideloading looms large as Congress nears a vote next month on the antitrust measures. While Apple maintains that outside apps would leave iPhone users vulnerable to malware and scams, antitrust advocates and cybersecurity specialists say the company’s protests appear to be more about defending its business model.
“Security is a giant red herring,” said Bruce Schneier, a fellow at the Berkman Klein Center for Internet and Society at Harvard University. “It will scare a lot of people. The goal is to protect the monopoly.”
Apple tightly controls the iPhone, requiring that all mobile app downloads take place within its App Store, where it takes up to a 30% cut on digital sales. To get into the App Store, developers must submit apps for review by Apple’s team, which scrutinizes them to ensure compliance with the company’s rules on privacy and security. The company forbids developers from offering certain things like sexually explicit content, all-in-one cloud gaming services and cryptocurrency mining.
A 2020 House investigation found Apple has “monopoly power over software distribution on iOS devices,” allowing it “supranormal profits.”
“Developers have no other option than to play by Apple’s rules to reach customers who own iOS devices,” the report found, just as iPhone owners “have no alternative means to install apps on their phones.”
In the wake of the House investigation, a bipartisan group of lawmakers introduced legislation aimed at opening up mobile app stores. The Open App Markets Act would require Apple and Google — whose Google Play is the most popular App Store on Android mobile phones — to make it easier for users to download other app stores and switch the apps set as the defaults on phones.
“We remain concerned that this legislation threatens to break this model and undermine the privacy and security protections our users depend on,” said Fred Sainz, an Apple spokesperson. “The legislation, as originally drafted, created unintended privacy and security vulnerabilities for users. We believe the proposed remedies fall far short of the protections consumers need.”
Computers, including Apple’s Mac, have always allowed direct downloads of software. Google’s Android also lets users install apps without going through its built-in App Store. Only Apple requires iPhone users to use its App Store for all mobile app downloads, said John Bergmayer, legal director for advocacy nonprofit group Public Knowledge.
“Proponents of these regulations argue that no harm would be done by simply giving people a choice,” Apple’s CEO Tim Cook said at a privacy conference in April. “But taking away a more secure option will leave users with less choice, not more.”
But Apple sometimes makes exceptions to allow sideloading and apps that haven’t gone through its review process.
Lawmakers and staff go to a special, secured online portal to install apps, said Dan Weiser, who works for the House’s Chief Administrative Officer. That secured portal helps ensure members use licensed apps and have the most up-to-date versions, he said.
The House and Senate app catalogs, created using VMware’s cloud-based software, include popular apps like Webex and Zoom customized so members can securely participate remotely in hearings.
The catalog also contains custom apps specially designed for members of Congress, said Weiser. Those include apps to access the secured internal network for the House or Senate, email, live floor updates and calendars.
The House and Senate app catalogs were created as part of an effort to modernize the technology Congress uses, centralize its purchasing and ensure it’s secure from potential cyberattacks.
The Senate’s IT services are managed by the Sergeant at Arms, which didn’t respond to questions about its app catalog. But Senate aides and a contract solicitation published by the Sergeant at Arms’ office confirmed the chamber uses the same system.
Apple acknowledged during a federal antitrust trial last year that it has long allowed some companies to bypass the App Store. Craig Federighi, a top Apple executive and engineer, testified that large organizations can get permission to distribute apps directly to their employees in lieu of going through Apple’s App Store and review process. This allows them to create apps specific to the company, he said, citing a 3D-modeling app that animation studio Pixar created for its designers as an example.
“These aren’t apps they want to sell to the general public,” Federighi said. “They want to provide it just to their employees. The Enterprise program is meant to give them the ability to do that.”
Those custom apps aren’t reviewed by Apple, he said. The arrangement, called the Apple Enterprise Program, has been around since 2008.
The onus is on the company to make sure the apps are safe and secure enough to be downloaded and used by employees, he said. Apple trusts that companies wouldn’t want to harm their own employees by installing malware or other malicious apps onto corporate-owned devices, Federighi said.
Apple declined to respond to questions about how many companies in the U.S. use the program today, but said that “most” corporate clients now use Apple Business Manager — a more tightly controlled program introduced in 2019 where custom apps go through a limited review by Apple. The company also offers a service called TestFlight, where developers can distribute apps still in the works to a limited number of users for testing.
Apple said it has taken steps to limit “abuse” of its Enterprise program. For example, it cited a January 2019 incident where the company suspended Facebook for distributing an app to consumers through the Enterprise program that collected users’ data. Facebook later had its access restored.
Downloading software directly is less secure than downloading an app from Apple’s App Store but not the “security apocalypse” the company makes it out to be, Schneier said.
That lesser security “is what exists on everyone’s PC right now,” he said. “It is demonstrably true that Disney World is safer than a public park. That does not mean we give Disney a monopoly on all public parks in the country.”