The Open App Markets Act and App Store Security: What’s the Rub?
November 15, 2022
by Mike Wacker, Contributing Fellow at The Digital Progress Institute
While many critics of the Open App Markets Act (OAMA) have discovered a passion for cybersecurity, that passion has not been matched by their knowledge of cybersecurity.
For background, almost all of us download mobile apps through either Google Play Store or Apple’s App Store. OAMA would promote more competition in the app-store market, placing targeted guardrails on large app-store platforms to rein in their anticompetitive behaviors. Critics, however, don’t see it that way. Strangely, they argue that maintaining Google and Apple’s duopoly over this market is actually good for security, and that apps downloaded from elsewhere are insecure.
But is that true? Not according to Bruce Schneier, a leading voice in the field of cybersecurity. As he wrote in a letter to Congress, “It’s simply not true that [OAMA] puts user privacy and security at risk.” To see why, let’s address the most common misunderstandings and criticisms surrounding OAMA and a device’s security.
Walled Gardens Aren’t that Secure
Critics’ primary cybersecurity argument against OAMA is that apps downloaded from outside Apple and Google’s walled gardens are unsafe and insecure. But neither company’s app-store walls are impenetrable, far from it. Malicious apps can and frequently do sneak inside those walls.
In October 2022, Facebook identified 400 malicious apps that steal Facebook login information—all were listed in Google and Apple’s app stores. In June 2021, the Washington Post reported that nearly 2% of Apple’s top-grossing apps were scams, costing users $48 million.
In fact, there is a long history of stories about malware infiltrating Google and Apple’s walled garden.
Apple’s internal emails also offer an honest assessment of its app store. In 2016, the head of Apple’s fraud and risk unit said that Apple’s screening process is “more like the pretty lady who greets you with a lei at the Hawaiian airport than the drug sniffing dog,” adding, “App Review is bringing a plastic butter knife to a gun fight.” These concerns go back as far as 2013, when the head of Apple’s App Store wrote to his team, “How does an obvious rip off of the super popular Temple Run, with no screenshots, garbage marketing text, and almost all 1-star ratings become the #1 free app on the store? Is no one reviewing these apps? Is no one minding the store?”
Even worse, both Google and Apple have turned a blind eye to TikTok’s behavior. In leaked audio, a TikTok employee conceded, “Everything is seen in China.” TikTok has been caught monitoring keystrokes and taps, and they have been caught planning to use location data to spy on American citizens.
Even when TikTok refused to commit before Congress that it would stop US data flows to China, Google and Apple did not cut off TikTok’s access to their app stores. Apple has even promoted it, listing TikTok as an “iPhone essential” app. If TikTok complies with the app store guidelines for both companies, that raises the question of what other harmful apps comply with those guidelines. If Google and Apple want their cybersecurity concerns to be taken seriously, Congress should tell them to come back after they have banned TikTok.
Security Is About More Than App Stores
Frankly, no engineer or cybersecurity expert would assume that apps in Google and Apple’s app stores are secure, while others are not. In his letter to Congress, Bruce Schneier writes that app store “moderation is not the only level of protection between users and malware.”
Securing a mobile device requires a multi-layered approach. The app store offers one layer, and the operating system offers additional layers. Some security measures keep malicious apps off the device (malware scanning before installation, for instance), while others (app sandboxing and the permission model, for instance) ensure that a rogue app cannot compromise the device’s security even if it does run.
OAMA takes a holistic view of security, including security outside the app store. It explicitly allows actions that are “necessary to achieve user privacy, security, or digital safety.” Indeed, it makes clear that Google and Apple can protect the privacy and security of users, including by “removing malicious or fraudulent apps or app stores,” helping users “verify the authenticity and origin of third-party apps or app stores,” and letting users limit how third-party apps collect and share their data.
OAMA also ensures that security measures apply to all apps evenly. It requires that these security measures are “applied on a demonstrably consistent basis.” If Google or Apple scan apps for malware, they can’t exclude their own apps from malware scanning. And it prohibits Google or Apple from using security as a pretext for anti-competitive actions.
So while some argue that under OAMA “Security is illegal,” nothing could be further from the truth.
The Sideloading Fallacy
Google and Apple should invest more in the layers of security outside of the app store, including the security of the operating system. Google owns not just the Google Play app store, but also the Android operating system. Apple owns not just the Apple App Store, but also iOS.
For example, before any app is installed, Android can scan it for malware—regardless of whether the app was downloaded from Google’s app store, downloaded from a competitor’s app store, or sideloaded onto the device. If that check fails, the operating system can block the installation. Android’s package manager already includes a hook for exactly this kind of pre-install verification: a registered verifier is handed the package before installation and can allow or reject it.
Is that what Google does? Not in the operating system. Google Play Protect, which performs this scanning, ships with Google Play services and the Play Store app rather than with the open-source Android platform, so a device without Google’s proprietary services does not get it. But there is no plausible technical reason why this scanning cannot be included in the Android OS instead. Users would then get the same pre-install check whether they use Google Play or not.
So the common argument against OAMA—that sideloaded apps are “not scanned for malware, privacy settings, or other security standards”—is specious. Google and Apple control the operating system. Nothing prevents them from scanning sideloaded apps.
And while critics primarily focus on sideloading, OAMA does not require sideloading. It only requires that Google and Apple “provide readily accessible means for users” to “install third-party apps or app stores through means other than its app store.” Critics have yet to explain why users would be at risk if Amazon or Google could build an app store for the iPhone.
Security, or Security Theater?
Other criticisms of OAMA follow a certain formula: mention the latest cybersecurity news, and then claim that OAMA threatens cybersecurity. It’s straightforward, it’s newsy, and it takes two seconds to make.
To wit, after a ransomware attack at hospitals, one critic tweeted “Senate literally could not pick a worse time to weaken cybersecurity via ‘competitiveness’ and ‘open app’ bills.” But if a hospital employee is reading email on a desktop at the hospital and opens an attachment with ransomware, what does that have to do with OAMA? Not much at all.
But that’s the power of this formula: It lets critics weaponize every cybersecurity incident as ammunition against OAMA—even though most incidents have no connection to it.
In a twist on this formula, a pair of critics cite the Cybersecurity and Infrastructure Security Agency’s Shields Up recommendations—which were issued in response to an increased risk of cyberattacks from Russia—claiming that OAMA would render “the security and privacy shields demanded by CISA completely useless.”
For engineers like me, that was a head scratcher. Some of those recommendations are to use strong passwords and employ multi-factor authentication. Nothing to do with OAMA. Other Shields Up recommendations primarily deal with enterprise cybersecurity, not the security of consumer mobile devices. So how would OAMA impact them at all?
A similar formula has been applied for national security concerns. There, critics argue that bills like OAMA will expose us to cybersecurity threats and misinformation campaigns from malign foreign actors. But as explained by experts at the Heritage Foundation, including a former senior director at the National Security Council, “[t]here is little connection between the substance of the proposed antitrust reforms and their opponents’ purported national security concerns.”
When legitimate security issues exist, Congress does need to take them seriously. But to be quite blunt, serious critics should not cry wolf, raising spurious cybersecurity concerns to sink bills they don’t like. As even a brief review of the merits shows, OAMA is no security risk. When the wolf is real and a bill has serious cybersecurity issues, you don’t want Congress to ignore the pleas of cybersecurity experts because critics have cried wolf on bills like OAMA.
Mike Wacker is a contributing fellow for the Digital Progress Institute. He was previously a software engineer at Microsoft and Google and a tech fellow for Congressman Gus Bilirakis. He holds a master’s degree in computer science from Arizona State University and a BS from Cornell University.