

Do App Stores Help Your Privacy & Security?

Published 2020-Aug-24 | Tags: Privacy, Social Media, Security

Watch the episode on YouTube

Epic Games is currently waging war on Apple and Google over the right to distribute apps to mobile users. There has been a ton of excellent coverage of the issues, but it is usually missing one key perspective: what do we, as users, get from the App Stores?

This episode of Impact Assessment looks at the cybersecurity and privacy impacts of the App Store model. Does App Store delivery do anything to improve the security of our devices? Can Apple or Google help protect our privacy? Will they?


Transcript

[00:00:00]: Epic Games is currently using Fortnite to wage a war on Apple and Google for the right to distribute apps to mobile users. This is an issue that's been bubbling in the background for a long time. Business dominance aside, what type of security and privacy benefits, if any, do the app stores provide users?

[00:00:25]: Last week Epic Games launched the Mega Drop, a permanent 20% discount on some V-Bucks purchases. Now, V-Bucks are the in-game currency for Fortnite, and the sales of it bring in about $300 million a month across all the available platforms, with most of that money going to Epic. The catch for the 20% discount: for mobile users on Android or iOS, you have to buy the V-Bucks directly from Epic.

[00:00:53]: The purchase screen shows the default in-app purchase method and, directly next to it, the option to "purchase directly from us," but for a 20% discount. As you might imagine, this is in direct violation of the Apple and Google Play Store policies that Epic has agreed to. Now, these policies state that in-app purchases have to go through the purchasing mechanisms made available by Apple and Google.

[00:01:16]: Both providers take a 30% cut of each transaction, though that does drop a bit after the first year. For a long time this has been a business issue brought up by larger developers, though it does save smaller developers from the massive investment required to set up proper payment processing.

[00:01:34]: This video isn't about the business side of this dispute or the complexities of app store policies. For that, I recommend this excellent video by Rene Ritchie, which you can view by clicking here. From a gamer's point of view, this video, starring noted streamer Muselk, is a great way to come up to speed.

[00:01:52]: This video is going to look at the security and privacy benefits of Apple forcing software distribution through the App Store. We're also going to look at and contrast Google's slightly more lenient approach. Apple's policies have been billed as anti-competitive, restrictive, yeah, even draconian, but what do they actually do?

[00:02:13]: Well, the App Store policy that everyone is talking about is actually called the App Store Review Guidelines. These guidelines fall into five main categories: safety, performance, business, design, and legal. The business category has caused most of the outrage, but it's actually the safety and design categories that are of the most interest for this exploration.

[00:02:37]: Now, while the safety category focuses mainly on the type of content your app presents to users, the Kids Category section actually provides some restrictions on third-party analytics and third-party advertisers. This is primarily to comply with the US Children's Online Privacy Protection Rule, or COPPA.

[00:02:57]: This is the same rule that caused quite a stir here on YouTube at the start of 2020. Now, buried in the safety section is also a vague note about data security. Here's a quote from the guidelines: "Apps should implement appropriate security measures to ensure proper handling of user information collected pursuant to the Apple Developer Program License Agreement and these Guidelines (see Guideline 5.1 for more information) and prevent its unauthorized use, disclosure, or access by third parties."

[00:03:28]: Huh? What does that mean? Like, specifically, "do your best" isn't exactly a great guideline. Thankfully, if we dive into Guideline 5.1, it provides a lot more insight into what Apple expects from developers. And this is the key part: it enforces that, for all apps in the App Store, Apple requires developers to have a clear privacy policy that lays out what information they collect, the third parties that they use, how you can request the correction or removal of that information,

[00:03:58]: and every way that the developer's going to use that data. As a user, this is fantastic, especially in a jurisdiction like the United States, where there are no legal requirements to do this at a national level. In Canada, Japan, the EU, and more, this is already standard practice, as it's typically legally required at the national level.

[00:04:19]: The guidelines take things further by requiring explicit consent from users for any type of data collection. And the developer cannot tie that consent to the functionality of the application. So you can't say, "please provide this information or you can't use this app." Now, that last one isn't enforced at the level it should be.

[00:04:37]: Most of the time consent is really buried in a complex terms of service agreement or privacy policy, but at least it's a start. Now, there's a lot more in this section of the guidelines around data privacy, but most of it is to handle specific types of data or possible use cases. The end result is that this is where Apple makes its everyday "apps designed for your privacy" marketing tagline a reality.

[00:05:01]: Is it perfect? No, but it's a step forward for user privacy. Now, in addition to enforcing the privacy guidelines, Apple also ensures that every app only uses documented application programming interfaces, or APIs. This means there are no shortcuts or clever hacks to get around the strong security protections built into iOS.

[00:05:22]: The App Store review process also looks to make sure that apps aren't using the interfaces and features provided by Apple to break iOS security or the user's expectations of privacy in unexpected ways. So there's a lot of things that are going on behind the scenes to protect the privacy and security of iOS users.

[00:05:40]: Yeah, that's Apple's approach. What about Google? Well, I think that Google actually has a more developer-friendly approach when it comes to their guidelines. Their Developer Policy Center is easy to browse and has videos to explain each requirement. Looking past that though, Google's Play Store policies are very similar to Apple's when it comes to security: the policies aim to prevent malware, stop the use of undocumented APIs, and stop other poor practices that lead to security issues.

[00:06:07]: Where the policies of the two stores really differ is around privacy. While Apple's language is strong and user-focused, Google's is more permissive. It's often written as suggestions or recommendations. And this comes as no surprise, as Google's business is built around ad delivery, where Apple's is around hardware and service delivery.

[00:06:27]: For personal and sensitive user information, the Play Store recommends that developers, quote, "limit access, collection, use, and sharing of personal or sensitive data through the app to purposes directly related to providing and improving the features of their app." Developers are further told to, quote, "not sell personal or sensitive user data," end quote.

[00:06:48]: That's okay, but there's an awful lot of wiggle room there. Google also provides a lot of wiggle room around consent, stating that it's only required in cases where "the users may not reasonably expect that their personal or sensitive user data will be required," end quote. "Not reasonably expect" is a gap big enough to drive a tractor trailer through.

[00:07:07]: And in fairness to Google, when it is deemed necessary, they have crystal clear requirements around how user consent must be granted. And those requirements heavily favor the users. So overall, both app stores provide strong requirements for security and privacy.

[00:07:23]: I would like to see Google enforce more strict requirements for data collection, but, given their business model, I'm not really hopeful. So, is there a downside for security and privacy with these app stores? Well, like everything, yes and no. The downside has more to do with how the app stores and the operating systems are implemented.

[00:07:42]: iOS and Android have taken a different design approach to security, and that's okay. While the differences between the two are fascinating from a technical perspective, they don't really impact this line of thinking. For this video, let's just remember that they both take things seriously and have worked to make it hard to just compromise your device and abuse your data.

[00:08:02]: What is relevant to this video is how each operating system has chosen to ask the user for consent to access their device or data. Let's take a minute and talk about permissions in iOS. There's a limited number of permissions that can be granted by the user: location, camera, microphone, access to contacts, photos, calendar, speech recognition, reminders, HomeKit, and Health.

[00:08:25]: Android has these, or their equivalent, and a couple more. The main difference is that iOS requires developers to request these permissions one by one, where Android allows a group request. The upside here is that it's easier for the user to provide consent once. The downside, when it applies to Android, is that this also leads to users granting applications way too many permissions. Time and time again, studies have shown that users essentially ignore the content of security prompts.

[00:08:54]: Be honest. When was the last time you read one? The iOS approach at least triggers a "this app is really asking for a lot" kind of response when the developer is constantly prompting the user for access to their phone. Still, honestly, this isn't a huge problem. It's just another piece of the puzzle. The real issue comes from the Android ecosystem: by design, it permits more than one app store. Samsung, LG, Amazon, and others all have their own Android app store.

[00:09:23]: Ignoring the different business model here, this raises new, unique security and privacy questions. Do all of these app stores have security and privacy measures that are favorable to users? Do they allow for greater data collection by third parties? Do they make sure that the apps on their store only use approved operating system features?

[00:09:43]: There's a lot of questions that are really hard to answer. Add in the fact that Android users can also load apps directly, called sideloading, and the water gets very murky very quickly. Yes, there are a lot of business and antitrust issues around the app store model. That's not going anywhere, but users do gain a lot of benefit from this model as well.

[00:10:05]: That's important to remember as all this shakes out in the next few weeks and months. You can't get Fortnite on mobile anymore. That's frustrating. I know that firsthand. I'm frustrated, as I constantly struggle with PS4 lobbies full of players much, much better than I am, that Epic has decided to essentially sacrifice mobile players in order to make a point about the mobile software business.

[00:10:27]: That's frustrating. It's interesting. It's a fascinating business case study, but there are real security and privacy concerns here. The court filings show Epic's intent here. They want to be able to offer an app store for both iOS and Android users, or at least dramatically change the policies of both the Apple App Store and the Google Play Store.

[00:10:48]: This is a security problem that also has privacy implications. We know that the Google Play Store is far more lenient about how developers handle our data. That's not the direction we need to be moving. And we could be moving there if Epic gets its way. As users, we need more protections from predatory practices like tracking and data harvesting.

[00:11:07]: We need more control over our data. On the security side, Android has had three times the amount of publicly disclosed vulnerabilities when compared to iOS over the last decade. You know, that's not actually a lot, considering that Android is relatively open and that it's incredibly difficult to research these types of issues on iOS.

[00:11:26]: So, for argument's sake, let's say that iOS has a similar amount of vulnerabilities over the same time. With that in mind, why is almost all mobile malware on Android? Like, it's ridiculous. It's just, iOS doesn't even show up on malware charts. Over its entire history, iOS has really only had a few reported incidents of malware, and it's not a question of opportunity: Android and iOS both have massive user bases that are very attractive to cybercriminals.

[00:11:55]: So the underlying operating systems have different security approaches, but neither is really that far ahead of the other in this respect. So where is the difference? Well, the big difference comes down to the app stores. Android users can get software from a variety of sources, which leads to differing levels of quality and protection.

[00:12:15]: That's exactly what cybercriminals take advantage of. For all intents and purposes, iOS users can only get software from the App Store, and software only gets on the App Store after going through Apple's tumultuous review process. Are there issues with that for developers and for businesses? Yes, absolutely.

[00:12:34]: I'm not trying to argue against that, but don't get caught up in the public relations battle. That process, that App Store review process, protects users and their data. Just remember that the next time you're grumbling about not being able to play Fortnite on the go.