Apple’s latest China App Store problem is a warning for us all

Ask anyone who knows, and they’ll tell you that when it comes to security, the weakest point is always people. Yet, as pressure grows for Apple to allow app purchases from outside the App Store, the fact that the company fired App Store staff for “business misconduct” is cause for alarm.

As first reported by The Information, the Apple story is pretty simple.

As a result of those “interactions,” it sounds likely some apps were given prominence on the App Store home pages, which helped boost sales.

The report doesn’t delve deeply into what actions these employees actually did, but I don’t think that matters much.

What matters is that App Store employees were compromised to provide business benefit to certain apps.

Now consider this. Apple runs a well-policed App Store. The fact these problems were identified and action taken proves this, and while we don’t know how long these events were taking place, the fact that the company was able to slam the brakes on things is a good thing.

The matter exposes one of the biggest threats to App Store security: people.

People can be corrupted or misled, so at what point will staff within these teams become targets for criminals, hackers, or worse? After all, if you can get your app promoted at the App Store with a few meals and a little entertainment, what will it cost to bribe members of the team to get an app carrying a malware payload into the store?

What will the effect be on those maverick nations that are effectively legislating to make digital platforms less secure?

Apple has lots of protections against that, of course. And as of now, I can’t recall a single App Store incident of this kind. As far as I know, malicious developers haven’t been able to bribe bad apps into the Apple stores. Some have managed to trick their way in, and some have managed to break into the OS via different routes.

But…

While Apple’s protection isn’t perfect, what about the other stores? We know App Stores are going to proliferate soon. The EU will force Apple to support third-party stores, and once it does, the company will be forced to do so on a global basis over time.

But not all those competing stores will be as well resourced, managed, or policed as Apple’s own digital retail outlet — and there will be a lot of them, at first. Obviously, the cost of running these stores and the challenges of attracting customers to them mean that in a relatively short time, just a handful will remain in business; the so-called benefits of “free market competition” will only mean a slightly larger number of people share the cash.

That’s how these things work.

Most of the time when people arguing over money talk about “freedom,” the only liberty they really crave is freedom to grab as much of it as possible. Your insecurity is far less important than their profit.

With a lot of stores in open competition for apps and customers, money will be tight and most smaller operators won’t be able to deliver the same degree of protection larger retailers provide.

Staff turnover will likely be frequent, salaries low, and business stakes high. This is a perfect environment in which nation states or organized criminal gangs will approach staff to find out what they can get for a few meals and a little “entertainment.” It’s really a no-brainer that at least one store will be compromised and at least one app containing malware and/or surveillance code given a high profile on one of these independent stores.

While the relative reach of smaller stores may be much less than Apple’s, you can bet your last dollar that the first company customers tricked into installing such malware will go to for help will be the one headquartered in Cupertino.

It’s a nightmare waiting to happen, and this latest Apple App Store story shows how likely this dark dream will be realized.

(This already happens on some Android stores, of course).

Given the sheer quantity of data on digital devices, and the vast difference in tech knowledge across the globe’s billions of users, the impact of such theft will be far worse than that of a hacked PC.

As the App Store economy gets “liberalized,” IT would do well to mandate which stores may be used by managed devices. And it seems plausible that enterprise tech will need to closely examine each store’s privacy and security policy before permitting employees to get software there.

That’s particularly true as more and more Apple devices are used across the enterprise.
