3 ways international regulation could change Apple
International regulation is poised to impact Apple’s ecosystem. We’ll take a look at three ways EU and UK regulatory action may mean big changes at Apple—and what those changes could mean for user security and privacy as well.
The EU has passed legislation requiring mobile device manufacturers to adopt USB-C as a universal standard for chargers and cables.
The rationale behind the law is pretty clear—it’s more practical, affordable, and ecologically friendly if consumers only need to buy one set of cables and chargers that they can mix and match with their different digital devices.
For Apple users in the EU, this means an end to the Apple Lightning Cable—and the ability to use a far wider range of third-party peripherals with their iPhones and iPads.
It remains to be seen if Apple will make USB versions of their devices for the European market while retaining Lightning everywhere else. But most observers doubt that Apple will want to invest in developing two separate sets of chargers and cables, and believe that the company is more likely to simply “take the L” and go with USB for everyone.
What it means for security and privacy: In the past, malicious third-party peripherals designed specifically for Apple products were rare—other than the occasional security researcher building homemade Lightning Cables for ethical hacking! But hardware interoperability will make it easier, in theory, for bad actors to develop cross-platform malicious cables or to port existing hacking tools to the Apple ecosystem.
However, as SecureMac’s Principal Malware Research Engineer Israel Torres points out, such threats are really nothing new:
Red team devices, both legal and illegal, have always existed. We’ve seen these since the 1980s. Back in the day, they even had keyboard-based keyloggers: full keyboard replacements with the logging chips inside! And these days, there are nation-state actors that are well known for backdooring their own hardware at the silicon level.
The best advice for end users here is what it always has been: Don’t use any hardware device or peripheral if you’re unsure of the source! Only buy hardware from trusted manufacturers with good reputations for respecting user privacy.
Right to Repair
EU regulators are looking at extending “right to repair” laws to smartphones. Right to repair is pretty much what it sounds like: a legal mechanism to ensure that consumers can repair their own devices.
Right to repair laws vary in their particulars. The proposed EU law, for example, only specifies that smartphone makers have to make spare parts available for a certain amount of time after releasing a new mobile device model, along with some requirements around battery life and energy efficiency. But right to repair can also mean requiring that the tools of repair—including diagnostic devices and information about software—be made available to third parties.
What it means for security and privacy: Many legal and cybersecurity experts support right to repair—and dismiss concerns about digital security and privacy as scaremongering designed to protect the bottom lines of device manufacturers.
However, a legitimate (albeit indirect) security concern is that right-to-repair laws may greatly increase the number of small third-party repair services—in a way that Apple can’t monitor and to an extent that makes it hard for consumers to know who to trust. If you’re handing your device over to a repair shop, you’re giving them a lot of access, so that makes this a potentially serious security and privacy risk.
But as Torres notes, this is already an issue today:
In fairness, all organizations—no matter the size—need to be scrutinized if they have access to user data. There are, for example, some big-box stores that have become infamous for hiring techs who look through (and copy) personal data from customers’ computers during repair.
So what should users do if there are suddenly many more repair options to choose from? Basically, the same thing they should be doing right now.
If you need to take in a device for repair, make sure that you genuinely trust the organization doing the repairs—and keep in mind that size is no guarantee of trustworthiness. If you’re not sure, the best thing to do may be to back up your device and perform a factory reset before handing it over for service, assuming that’s possible given the type of repairs needed.
And as a general rule, try not to leave sensitive data on your device in a way that would be accessible to someone with physical access (i.e., the kind of access you give to someone repairing your computer or phone). Keep personal photos in password-protected folders or cloud accounts, and store highly sensitive information using the Secure Notes feature of your password manager.
Alternative App Stores and Sideloading
The EU’s Digital Markets Act (DMA) is a sweeping new piece of legislation aimed at so-called digital gatekeepers (i.e., Google, Apple, etc.). It comes into effect mid-2023. A recent piece in MacRumors lays out the potential impact of the law on Apple:
The DMA could force Apple to make major changes to the way the App Store, Messages, FaceTime, and Siri work in Europe. For example, it could be forced to allow users to install third-party app stores and sideload apps, give developers the ability to closely interoperate with Apple’s own services and promote their offers outside the App Store and use third-party payment systems, and access data gathered by Apple.
What it means for security and privacy: Alternative App Stores and sideloading have long been opposed by Apple on grounds of security. The argument is that they make iOS less safe, because it will be far easier for bad actors to get malicious apps onto people’s devices—and because Apple won’t be able to vet apps before they’re allowed to run on an iPhone.
In some ways it’s a reasonable concern. But it’s also a problem with a pretty clear solution—because it’s the exact same situation Mac users have had to contend with for years!
If you find yourself faced with alternatives to the App Store on iOS, you should do what you do on macOS today. If you want to be extremely cautious, only download apps from the official App Store. You’ll still have that option…even if other people are using alternative iOS App Stores or sideloading. If you want to try out a third-party app, again, just do what you do on a Mac: Only download from the official website of a developer you know and trust.
The future of Apple security
We’ve seen a lot of changes in Apple security over the years. But the most powerful defense against the bad guys has always been the same: an alert, well-informed user.
So remember, no matter what happens in the Apple ecosystem in the future, educating yourself about the latest cybersecurity threats and best practices is the most reliable way to stay safe. And we’ll be here to help you do that!