The EU’s Apple App Store crackdown ‘will fuel cyber attacks’


A move by European Union (EU) legislators to break open Apple’s App Store monopoly will lead to an explosion in iOS and iPadOS malware, a cyber security researcher has warned.

Although monopolies aren’t ideal, Apple has made it almost impossible to infect iPads and iPhones by gatekeeping the applications that users have access to, according to security expert and WithSecure chief research officer, Mikko Hyppönen.




EU proposals to open up Apple’s stranglehold on the marketplace, however, might inadvertently lead to a surge in hackers pushing malware to people’s devices.

“I’m not a big fan of regulation - I think regulation almost always fails, sadly,” said Hyppönen. “I don’t like what the EU is doing regarding the App Store model.

“I can totally see why they’re doing it; it is a monopoly – clearly – and Apple is raking money in with both hands from the App Store,” he added. “Of course, monopolies are bad. I can totally see why the EU wants to break that apart. But the end result is bad for security.

“As soon as you can start downloading arbitrary executables for your iOS devices, there will be more attacks.”

EU lawmakers provisionally agreed on the terms of the Digital Markets Act (DMA) in March, with the proposals targeting the services offered by tech giants like Apple and Meta.

The legislation would force these companies to open up their monopolies and, if passed, Apple could be forced to allow users of its devices to access third-party app stores, for example. This could lead to individuals sideloading unsecured apps to their iPhones and iPads.

At the moment, Apple’s hardware is highly restricted and operates under what Hyppönen refers to as the ‘security by Playstation’ model. This approach is based on the idea that games consoles are the most secure hardware systems available.

Hyppönen said the restricted computational environments adopted by Playstation and Xbox units are notoriously difficult to infect. Although users own and operate these devices, they have no right to program them unless they gain explicit permission from the manufacturer.

“This is especially obvious with Xbox because it’s made by Microsoft,” he said. “It runs Windows. Funnily enough, the most secure version of Windows is in Xbox. The biggest software company on the planet has their most secure version of their operating system inside a games console.”

“You never have malware on your Xbox or your Playstation,” he added. “You never hear of ransomware attacks on games consoles. They never get hacked. They’re very locked down, very restricted devices; devices which are not modifiable or programmable by the end user. It’s a computer that you own, but don’t have the right to program.”

Malware rarely targets gaming hardware, but restricted devices are not immune to all cyber attacks. Phishing attacks can still target users through any device that accesses internet services like email, and iPhones have been jailbroken to sideload apps for years.

Apple’s hardware has also been proven to be vulnerable to cyber attacks. In April, the company issued patches for the fourth and fifth zero-day vulnerabilities affecting devices in its ecosystem this year.

An increasing number of companies are pivoting to a ‘security by Playstation’ model after observing the virtually non-existent reports of malware on gaming hardware, said the CRO.

The trend is especially true among startups that are known to distribute highly restricted hardware like Chromebooks or iPad Pros to employees, rather than the traditional Windows-powered machine.

Distributing inherently restricted devices is a major shift we’ll likely see accelerate across enterprises in the next ten years, Hyppönen added.

Keumars Afifi-Sabet

Keumars Afifi-Sabet is a writer and editor who specialises in public sector, cyber security, and cloud computing. He first joined ITPro as a staff writer in April 2018 and eventually became its Features Editor. Although a regular contributor to other tech sites in the past, these days you will find Keumars on LiveScience, where he runs its Technology section.