mardi 2 avril 2024

Will the Apple antitrust case affect your phone’s security?

Will the Apple antitrust case affect your phone’s security?
Illustration of the iMessage behind a gavel.
Image: Cath Virginia / The Verge

Of all the allegations that the Department of Justice has laid at Apple’s door, the most contentious is perhaps its salvo over security and privacy. Apple has warned that if the DOJ gets its way, Apple products — especially the iPhone — will be less secure for users. Meanwhile, the DOJ claims that Apple’s much-touted privacy features are pretextual.

The complaint in the DOJ’s antitrust lawsuit against Apple says that the company “wraps itself in a cloak of privacy, security, and consumer preferences to justify its anti-competitive behavior.” In the press conference announcing the lawsuit, Assistant Attorney General Jonathan Kanter said Apple’s choices have actually made its system “less private and less secure.”

“Apple selectively compromises privacy and security interests when doing so is in Apple’s own financial interest,” the complaint reads, “such as degrading the security of text messages, offering governments and certain companies the chance to access more private and secure versions of app stores, or accepting billions of dollars a year for choosing Google as its default search engine when more private options are available.”

It’s a particularly aggressive shot at a company whose branding strategy heavily emphasizes privacy by design. In Epic v. Apple, the judge found that user privacy and device security were acceptable reasons behind some of the company’s extremely restrictive (and financially lucrative) App Store policies.

In press briefings, spokespeople for Apple have taken umbrage with the DOJ’s assertion that the company’s privacy and security features are pretextual and have asserted that the antitrust suit will ultimately harm users.

The DOJ’s attack on one of the core tenets of Apple’s brand identity relies on how broad the general concept of user privacy is, going far outside of the issue of App Store review to make its point.

The complaint emphasizes that, unlike iMessages, iPhone users’ SMS communications with Android users — i.e., green bubble texts — lack encryption.

“Apple forces other platforms to use SMS messaging. It doesn’t allow them to integrate with iMessage or another encrypted message platform built-in,” Cliff Steinhauer, director of information security and engagement at the National Cybersecurity Alliance, told The Verge in a phone interview. Since SMS messages aren’t encrypted, they’re less secure by default.

Apple has previously said its devices would begin supporting RCS, a more secure messaging protocol that will make communications with Android devices encrypted, later this year.

But the DOJ is on shakier ground once the attention shifts away from green bubble texts and back to the App Store. At the DOJ press conference, a reporter noted that a member of Congress said that stripping Apple of the ability to vet the products uploaded onto the App Store could “open the door to apps made in China and Russia, and other adversaries, if you will.”

Attorney General Merrick Garland said the lawsuit’s goal is to limit “exclusionary conduct” in the App Store, not to reduce Apple’s ability to vet apps. The lawsuit specifically asks the court to prevent Apple “from using its control of app distribution to undermine cross-platform technologies such as super apps and cloud streaming apps.”

But super apps like WeChat effectively function as app stores of their own. For the DOJ, this has less to do with privacy than it does competition. It’s not like that’s coming out of nowhere — the lawsuit notes a board of directors presentation in which Apple described super apps like WeChat as a “major headwind” to boosting iPhone sales abroad.

However, some security experts note that Apple’s App Store is indeed safer than those on Android phones.

“Our data from millions of device scans on iOS and Android devices around the world suggests that open app stores lead to more malicious activity than closed ecosystems,” said Danny Rogers, the CEO of the cybersecurity company iVerify, whose app detects malware on phones and computers. “So while opening up app stores to third parties might be good for competition, it will likely increase malicious activity as well.”

That malicious activity ranges from operating system-level compromise to the presence of spyware like Pegasus, Rogers told The Verge. “We see almost 100x more frequency of security issues pop up on Android compared to iOS,” Rogers said, even though the app has conducted more iOS scans than Android scans.

Daniel Kahn Gillmor, the senior staff technologist at the American Civil Liberties Union’s speech, privacy, and technology project, said the higher rate of malware on Android devices may be related to the phones having a “much longer shelf life” than iPhones. “You’re going to find more vulnerabilities on these old, outdated Android devices simply because those old, outdated Android devices are out there and they’re on sale,” Gillmor said. “Apple has done a good job of keeping their update process regular — and also at decommissioning old iPhones. They’ll tell you, ‘This thing is not good anymore, you have to get a new one. We cannot support it.’”

Gillmor agrees that an app store “with much looser controls” could lead to “more invasive, infectious garbage being pushed onto people’s phones,” he said. “But that risk is worth it, because it means that we also allow software that Apple might disapprove of, for whatever their political reasons are.”

Gillmor noted that Apple banned the game Phone Story, which satirized the company’s manufacturing process, from the App Store in 2011. An app that tracks US drone strikes was rejected from the app store a dozen times before Apple allowed it to go through.

“It’s unquestionable that Apple exercises tight control over its ecosystem than is necessary to have a healthy software ecosystem” on its phones, Gillmor said. “Even Apple’s computers let you install software from anybody that you want.”

For now, it’s simply too soon to say how iPhone users’ privacy will be affected — we don’t even yet know what the Justice Department wants as a remedy if it wins, let alone what it will actually get. (And all of that, of course, is contingent on it winning in the first place.) “There are so many different pieces of this,” Steinhauer said. “I don’t see how they could possibly win all or lose all.”

Aucun commentaire:

Enregistrer un commentaire

Pegasus spyware maker NSO Group is liable for attacks on 1,400 WhatsApp users

Pegasus spyware maker NSO Group is liable for attacks on 1,400 WhatsApp users Photo by Amelia Holowaty Krales / The Verge NSO Group, the ...