EU forces Apple to rip huge hole in iPhone security

The EU is making it easy for hackers to get malware onto iPhones.
Graphic: Ed Hardy/Cult of Mac

Criminals around the world are surely celebrating news that Apple is being forced by the European Union to enable iPhone to install applications from outside the App Store. The move will allow hackers to release a fresh tidal wave of malware, hoping to slip it onto iOS handsets. iPhone users will be forced to fend off attempts to trick them into installing this malware virtually every day.

And well-known, unscrupulous companies will take advantage of the new security hole, too.

EU law makes iPhone much less secure

Most iPhone users have never had to think much about malware. Because iOS devices get all their applications from the App Store, it’s nearly impossible for hackers to slip spyware or other nasty apps into iPhones.

That’s about to change. The European Union’s Digital Markets Act forces Apple to allow sideloading of applications. And we heard this week that Apple is preparing to implement the change, which has to go into effect by early 2024.

On the surface, that seems like a positive development for users. If there’s an app that Apple won’t approve, iPhone users can still install it if they want to (alongside any malware they might get tricked into installing). And no one is being forced to get their software from anywhere but the App Store. (Except we probably will.)

Here come the deceptive pop-up ads

The EU’s upbeat spin on its legislation ignores the barrage of deceptive online ads that undoubtedly will descend on iPhone users in droves. Expect to see fraudulent pop-up windows crafted to look as much like notices from Apple as possible in order to trick users into installing malware.

These will say something like, “Safari WebKit needs to be updated. Click here to install a new version.” Falling for the trick will sideload a dangerous app onto the iPhone. If that sounds familiar, it’s just what Mac users have to put up with every day. How many times have you been warned that Adobe Flash needs to be updated? Even though Flash is dead.

iOS has systems that prevent malicious apps from easily sucking up private info and sending it to criminals, but hackers are constantly looking for ways around these. And malware installed on an iPhone can still use plain old-fashioned fraud to attempt credit card theft, password phishing, etc.

Sideloading is why even Apple admits there’s too much Mac malware. And scammers are drooling at the opportunity to flood iPhones with their crap.

New privacy risks from big-name companies

Out-and-out criminals won’t be the only ones who’ll use sideloading to take advantage of users, either. Unscrupulous companies will, too.

Apple CEO Tim Cook said he expects the Digital Markets Act to “destroy the security of the iPhone and a lot of the privacy initiatives that we built into the App Store.” What he means is that companies like Facebook surely will pull their software out of the App Store and require users to sideload it. That will allow the app to once again track users without their permission, something the App Store forbids.

This isn’t a theory: Facebook got busted a few years ago for sideloading iPhone spyware, and that required the user to jump through hoops to install it. The EU is forcing Apple to make that process easy.

Apple might still save us some hassle

Admittedly, this is a worst-case scenario. We have only the sketchiest of facts about Apple’s plans for sideloading.

It’s possible the change to allow iPhone users to circumvent the App Store will be enabled only in the EU, not anywhere else. And wherever it is possible, the final implementation in iOS 17 hopefully will include a simple toggle switch to completely forbid sideloading. That will mean those happy to get their software from the App Store – which is almost all iPhone users – will face one less unnecessary hassle.

That said, many people will need to worry about their children or their parents sideloading malware onto their own handsets. This is something else Mac users should be familiar with.

Fortunately, Apple already worked hard to limit the capabilities of malicious applications. Most notably, iOS apps run in a “sandbox” that prevents them from accessing iPhone functions they aren’t supposed to. Hackers have found ways to escape the sandbox, but Apple closes their exploits whenever it can. It’s an ongoing battle between Apple and hackers, and one of the iPhone-maker’s most effective weapons is getting weakened for no good reason.

Think of it this way: the App Store serves as a line of defense against malware. It’s not the only protection iPhone users have, but it’s an absolutely critical one. And the Digital Markets Act lets bad actors get around it in order to enable a feature that almost no iPhone users want.

Plus, even if we have the option to block sideloading, we’ll still have to endure the inevitable deceptive pop-up ads. Get used to ignoring “Update your iPhone NOW!” messages many times every day.

One of the luxuries of iPhone is that we don’t have to even think about malware. The App Store shields us from it. But the EU’s Digital Markets Act means we’re probably going to have to start worrying about it.

Thanks, EU Parliament. Thanks a lot.
