Checklist 60: Safety in the App Store

Our lives are on our computers and our phones: there’s no getting around that fact. One day, we might look back on that and view it as a mistake, but for now, our finances, health records, communications, family photos, videos, and more all live on these devices. Keeping that information safe is important, and there are several layers of complexity to that challenge. From password practices to two-factor authentication and even to merely protecting your screen from prying eyes, we’ve covered a lot of these tactics on this show. We’ve also talked about white hat hackers and the role of security experts.

However, there is a sort of middle layer, and that’s what we want to cover today — the app stores. Today we’ll be discussing Apple’s App Store for macOS and iOS, and we’ll look to answer a few fundamental questions:

• Why do we have these stores?
• What’s Apple watching for?
• What happens when something bad gets through the defenses?

The purpose of the app stores

Let’s start with the App Store model for both iOS and the Mac. How does it all work? It’s simple: Apple operates the App Store infrastructure, developers apply to have their products listed, and Apple takes a 30% cut of all the sales made on the store. Is this all about money, or is there something about this process that’s meant to keep us safe? Though the App Store was originally touted as a nearly guaranteed way to safely access apps for your phone or Mac, it’s mostly about creating revenue.

There is an iota of preventive safety involved: for someone to get a Developer ID, they must pay $99 per year. For most malware authors, forking over a hundred dollars for the chance to infect thousands of users is often a no-brainer. Even if their actions result in a ban for their ID, it’s not difficult for them to create another identity, pay $99 again, and start over. As for the 30% cut from Apple, most of the malware that’s made it through onto the App Store has been free, so that isn’t an issue for the malware creators.

Apple’s cut isn’t all profit — Apple offers several services that help to streamline the process for developers. From protection against piracy to the fact that Apple handles all the payment and processing needs, it can save time and therefore money for developers. The only real way for a developer to put software on iOS devices is to go through the App Store process as well.  The only other method would require users to jailbreak their phones. We’ve covered that topic a few times before, going into detail about why it’s not a great idea. Once the App Store arrived and began filling up while iOS matured as a platform, there was less and less of a reason to jailbreak.

On macOS, though, those restrictions don’t apply in the same way — we all know you can run third-party software on the Mac as much as you like. There are some layers to the possible permissions, though, in a sort of three-tiered setup. At the strictest setting, you can only install apps that come directly from the Mac App Store. On the next step down, you can use apps from the store alongside third-party apps signed with a valid Developer ID — this is the default setting and the ideal middle of the road for the average user. At the lowest level of security, any apps can run from any source. That’s not such a good idea in most situations, and High Sierra eliminates this default setting. Instead, users must click through a series of warning prompts to run unsigned software.

Why would Apple allow developers to offer apps outside the Store while still paying for this form of verification? Another good question: couldn’t Apple offer the same opportunity on iOS? In other words, why are the systems different between Mac and mobile products? Now is when things come back around to security: it boils down to the relative strength of the platform’s protections.

iOS is a very secure system, due to Apple’s security efforts; that’s why there have been very few public security incidents involving iOS. The system is thoroughly locked down, and users don’t have many ways to interact with the operating system on a direct level. On macOS, you naturally have much greater access to the computer—a legacy left over from the days before the App Store when developers would create software using Apple’s API and sell it however or wherever they wanted. For Apple to close the door on this integral part of computer ownership would have invited a user revolt. With iOS, Apple had a chance to start fresh. Whether they will move more towards locking down macOS to be more like iOS in the future remains to be seen.

Choosing apps and staying safe

With so many different levels of security for users on macOS, it’s not always easy to tell what’s a safe practice and what’s not. When should you choose applications from outside the App Store? Should you only trust apps that you can find on the official store, or can you range a little further from that? These aren’t uncommon questions.

From a security standpoint, you can trust applications that come from outside the Mac App Store if you can trust the developer. If it’s a company you know and you’ve been using their products for years, or it’s a well-known brand, it’s a pretty safe bet you can grab their app and not have to worry. On the other hand, if the software in question is some tiny app by an unknown developer, start by doing some research. Has it been around for a while? Do you know any other users, and not just those who wrote online testimonials? It’s not always a risk, but it can be — when in doubt, don’t install something you can’t trust for sure.

The benefit of downloading software from the Mac App Store is that you can know it has at least passed Apple’s major security checks. You also don’t have to worry about keeping your apps up to date manually; the store will do that for you. Given how vital staying updated is to good security, that’s a big perk. With third-party apps that aren’t configured for automatic updates, you might miss updates that correct major security flaws.

We’ve also seen situations where apps from outside the Mac App Store had their update servers hijacked by hackers. That’s something that is very difficult to occur through the App Store — the distribution servers are Apple’s, after all, and we can hopefully trust that those are locked down tight. Overall, though, if the company is trustworthy, third-party apps are okay, but we would recommend you stick with those who’ve paid the $99 for their Developer ID certificate. That way, if something goes wrong with that app, Apple can revoke the ID and stop the software from running on your Mac.

The business side of the App Stores

Let’s turn our attention back to the App Stores themselves.  What are they actually doing when they review applications submitted by developers? What kind of safety checks do they put in place? Unfortunately, we don’t know all the details. Apple is somewhat secretive about the exact steps it takes in the review process.

Checking for crashes is a concern, first and foremost — they want to be sure the app isn’t going to bring down the device. Making sure the app has some kind of functional purpose is also a newer addition to the terms of service, to avoid “fake” apps or prank software. They also look to make sure that none of Apple’s private system calls are in the software. Some apps get a much closer look and can even end up stuck in review limbo for months, while others can end up cleared within hours. It can sometimes seem totally arbitrary, and you’ll often spot developers complaining about it on Twitter.

It’s safe to say a large part of the process is automated, especially given the large number of apps submitted to the store every day. There’s nothing wrong with that, of course — there’s no need for a human to review every line of code for potential crashes when an algorithm can do the same. Apple will re-review software with a more personal touch if an app receives lots of negative reports, but that’s more of an after-the-fact review. Given the nature of the process and the requirements involved, it’s clearly a significant change from the way things Apple did things in the past. What kind of effect did that have on software developers?

Hard as it is to remember, there was once a time before the App Store when software for Macs was distributed in many more ways. One of those methods was through an official download page on Apple’s site — a sort of precursor to the App Store that was more like a community hub. When the App Store debuted, Apple shut this page down; for many Mac developers who hadn’t switched over to the App Store model yet, this shutdown cut off much of their traffic.

It was the start of a major shift in the industry, but it was also tough initially to adapt to the change. Even here at SecureMac, we did not have MacScan in the new App Store due to some technical limitations. The disappearance of this old feature was a part of the maturation of the platform, but it was also a permanent change in the way developers had to approach their business.

What happens when bad things get make it to the App Store?

So, Apple puts apps through a review process, and security is supposed to be part of the benefit of using apps from the Store, especially with Apple’s ability to cut off developer IDs. Bad things do get through, though, despite Apple’s efforts. What is it that lets us know when something’s gone wrong? Up until now, it was security researchers hearing about problems in ratings or reviews, or encountering strange apps on their own that put up red flags. Today, there is more of a trend towards widespread analysis of apps to determine what they’re doing, what calls they use, and whether they could be a threat.

In many other cases, when bad apps do make it through the review process, you will see a lot of one-star reviews and users complaining about problems, like the sudden appearance of ads, or having their accounts taken over. When you look at the reviews, it’s easy to see something’s wrong — but it also seems like Apple isn’t really looking at this section of the Store. It was only recently that they began to allow developers to respond to reviews and offer solutions to users.

In other words, until the right people become aware of a bogus app, it’s hard to get the ball rolling to take action. Apple does have email addresses for their security teams available, but these general emails receive a high volume of messages. That means it’s easy for messages to get lost in the mix. To Apple’s credit, when they do become aware of a bad app, they often act very quickly to remove it from the store.

Even so, it can sometimes take weeks or months before someone notices a bad app. There isn’t much incentive to go looking, either — Apple’s invite-only bug bounty programs only extends to Apple-written code, so their focus remains on bugs in iOS itself. There aren’t any officially backed bounty programs for finding bugs in third-party apps. There isn’t even a program in place for macOS yet. Apple’s concern lies more in protecting user privacy and security on the product they directly control. Apple is also still undertaking a gradual hardening of macOS, though at the cost of some of its capabilities for power users.

Next week, we’ll take a closer look at how we deal with malware that actually makes its way onto the App Store. From uncovering the problem to reporting the issue and ultimately looking for a patch, we’ll trace the entire process from start to finish in detail. For now, that’s it for this episode of The Checklist. As always, we welcome your comments and question — just send us an email at checklist@securemac.com. Check back again next week for more of The Checklist brought to you by SecureMac.