Fair Ball or Foul Play?  EU’s Digital Markets Act Puts App Security on Shaky Ground
2024-9-18 13:25:3 Author: securityboulevard.com(查看原文) 阅读量:24 收藏

Recently,  Apple Inc. announced it will fight back by blocking the release of Apple Intelligence, iPhone Mirroring and SharePlay Screen Sharing from users in the EU this year because the Digital Markets Act allegedly forces it to compromise the security of its products and services.

The EU’s DMA forces dominant technology platforms to abide by a long list of do’s and don’ts. Tech services are:

  • Prohibited from favoring their offerings over those of rivals.
  • Barred from combining personal data across their different services;
  • Blocked from using information they collect from third-party merchants to compete against them;
  • Required to allow users to download apps from rival platforms

Whether Apple’s latest features violate the DMA is TBD, but while the EU’s attempt to rejuvenate competition in the region may be admirable, the downstream effect of playing hardball with Apple is the increased vulnerabilities to application security.

Before the EU’s Digital Markets Act (DMA) advent on March 7, 2024, Apple’s App Store was not exactly a “Cathedral” of security purity. However, it did offer demonstrably more secure apps than the Google Play store. The DMA is weakening Apple’s ability to offer a relatively “pure” experience and essentially creates more of a “bazaar” for European iPhone consumers.

The DMA is the latest manifestation of a decades-long tension between digital “security” and consumer freedom. For Apple, a company synonymous with stringent app store controls, the DMA presents a blow to offering a certain kind of security. For consumers, the DMA provides a mixed bag: More freedom of choice, but more risk.

Claroty

According to Digital.ai’s 2023 Application Security Threat Report, Android apps in 2023 were approximately 20% more likely than iPhone apps to be exposed to unsafe environments, such as roots/jailbreaks or emulators. Specifically, 76% of Android apps were run in unsafe environments compared to 51% of iPhone apps. Furthermore, Android apps were over four times more likely to be executed with modified code than iPhone apps.

This disparity stems from various factors, including Android’s availability to third-party licensees, the proliferation of third-party manufacturers, the availability of free, fully-featured emulators and the ease of side-loading apps — these contrast with Apple’s tightly controlled hardware ecosystem, and most significantly, closed digital app marketplace.

The Catalysts for Change

The European Union’s motivation behind the DMA was not directly tied to security concerns but aimed to break down barriers erected by big tech companies to minimize competition within the app market. Contentious disputes between Apple and entities like Epic Games and Spotify, which revolved around app store policies and fees, underscored the need for regulatory intervention. While some would argue that Apple provided a more secure ecosystem, the company was also essentially forcing app owners to pay a “tax” on revenues collected by third parties – and those fees could rise to as much as 30% of overall app revenue. The DMA, therefore, has set the stage for increased consumer choice and fair market competition – but also denies Apple a lucrative source of revenue.

With More Power Comes Greater Security Responsibility

However, the opening of digital marketplaces, as mandated by the DMA, is not without its security pitfalls. The relaxation of app store monopolies could inadvertently pave the way for Trojans as well as a marketplace for cloned apps that masquerade as the “real thing.” The banking Trojan “Anatsa,” for example, has repeatedly surfaced in various Android app marketplaces and has been linked to attacks on more than  600 mobile banking applications worldwide. This phenomenon was limited to attacks on Android devices – but in the future, it could find fertile ground in less-regulated app ecosystems built for iPhones.

Apple’s Response and New Security Mechanisms

Apple’s rebuttal to the DMA underscores apprehensions regarding user security, by advocating for a more cautious approach to marketplace democratization. Apple has introduced a suite of new security features, including notarization for iOS apps, mandatory authorizations for marketplace developers, and transparent disclosures on alternative payments. At best, these measures only offer partial mitigation of the risks third-party app stores represent, while helping to ensure that Apple can recoup some of the monetary losses they will suffer as their Hulk-like grip on the app ecosystem loosens.

What it Means for Enterprises, Their Apps, and Their Customers

The DMA introduces new risks for enterprises developing apps, particularly the increased risk of Trojans and app cloning. To counteract this, enterprises can adopt more robust application-based security strategies that involve integrating security — specifically app hardening — into the software development lifecycle.

App Hardening provides a means to detect if and when applications are run in unsafe environments and prevent threat actors from modifying and re-publishing altered applications. It also includes protections such as signature verification and code integrity checks to stop modified applications from preying on end users who’ve unwittingly stumbled across them in a third-party app store.

Enterprises can also integrate monitoring capabilities into their apps to oversee threats to apps post-deployment. Finally, runtime application self-protection (RASP) mechanisms can empower apps to autonomously neutralize threats when operated in unsafe environments or with altered code, thus preserving app integrity in an increasingly complex market landscape.

Conclusion

The DMA attempts to turn the Apple cathedral into more of an open market bazaar. These well-intentioned efforts come with risks, and those risks embody the nuanced balance required between consumer freedom and app security in the digital age.

As the act reshapes the future of app stores and the broader digital market, enterprises creating apps for the iPhone will need to take greater responsibility for the security of their apps. While Apple’s latest security measures provide a framework for maintaining user safety, enterprises must also embrace comprehensive protective strategies to navigate this new era successfully. This shift will fundamentally require organizations to adopt more shift-left strategies toward security.

Shipping iOS applications in this new environment without comprehensive application hardening, including protections against reverse engineering, is more dangerous now than before the DMA went into effect.


文章来源: https://securityboulevard.com/2024/09/fair-ball-or-foul-play-eus-digital-markets-act-puts-app-security-on-shaky-ground/
如有侵权请联系:admin#unsafe.sh