With an exponential increase in third-party app store downloads on the horizon, it’s more important than ever to heed Apple’s sideloading warnings.
The recent report “Competition in the Mobile Application Ecosystem” released by the National Telecommunications and Information Administration calls on Apple and Google to allow users to download apps outside of their official app stores. The goal is “open[ing] the app ecosystem to more competition, innovation, and potential benefits for users and developers,” claiming that the market “is not a level playing field, which is detrimental to developers and consumers.”
The EU’s recent Digital Markets Act, which will come into force in May 2023, will also oblige gatekeepers such as mobile platforms to allow end-users to download apps from alternative app stores, rather than only from, for example, Google Play or the Apple App Store.
These recent developments can be a win for both developers and consumers. However, brands also need to be aware that this will likely increase the proliferation of unauthorized, if not malicious, mobile apps masquerading as those of trusted brands.
Apple is reportedly planning to allow “sideloading” on iOS 17
Sideloading is downloading and installing apps from app marketplaces other than a platform’s official app store. Apple’s iOS 17 is likely to launch in September 2023, and it has been reported that iOS 17 will support sideloading, at least in Europe. While the tech companies themselves appear to be conforming, the concerns they have been raising for years about market safety are more relevant than ever.
Many developers like the idea that they might soon be able to distribute their iOS apps without having to pay 15-30% of their annual sales to Apple. Scammers are also likely to be pleased, knowing that the increased consumer convenience of downloading apps from third-party marketplaces gives them an expanded hunting ground for tricking people into downloading fake mobile apps.
It remains to be seen to what extent third-party app marketplaces will scrutinize mobile apps submitted for publication on their platforms. At Allure Security, we regularly find unauthorized or potentially malicious mobile apps released on alternative app stores.
Impact of third-party app stores on online brand protection
The fact is, things will get worse before they get better.
As more alternative app stores come online and more consumers download apps from third-party marketplaces, scammers see emerging marketplaces as prime real estate to release fake mobile apps posing as trusted brands.
This is particularly difficult for brands, as finding imitations is already a major challenge. Every day, billions of Facebook posts are made, hundreds of millions of tweets are sent, millions of LinkedIn updates are posted, hundreds of thousands of new websites go live. Any of the billions of daily activities that take place online could be a malicious brand impersonation.
And then think of the thousands of mobile apps released on official app stores every day. That count does not include third-party marketplaces. So we can expect the number of mobile app releases – authorized or not – to grow exponentially. Too much content is published every day to manually monitor for online brand identity attacks targeting your brand and your customers across websites, social media, and mobile app marketplaces. As Apple allows sideloading, the amount of content that needs to be reviewed will only increase. Any brand hoping to mitigate the potential harm of a fake mobile app abusing their brand needs to automate monitoring for these threats.
While the Apple App Store and Google Play app review processes are not completely foolproof, at Allure Security we find when reviewing various third-party marketplaces that the level of scrutiny applied to the apps they publish varies widely. Some marketplaces examine apps for appropriate security controls and intellectual property infringement. Others don’t check published apps at all.
Third-party mobile app marketplace risks for your brand include:
Free Versions of Paid Apps – If your business has a mobile app that generates revenue, the impact of an unauthorized, unpaid version is obvious.
Repackaging Attacks – Scammers download legitimate apps from official app stores, inject malicious code, and redistribute them to steal user credentials, identity, or payment information. The ability to sideload apps increases risk.
Low-quality clones – A user who downloads a clone of your app that doesn’t work or is slow could quickly decide that your brand is publishing low-quality work and move on to downloading a competitor’s app.
Outdated apps that lack the latest features or security features – The purpose of app updates is to provide the best possible mobile experience and increase security. An outdated version risks a subpar experience or, worse, a vulnerability that exposes users to impersonation, payment, or account takeover fraud.
Lack of visibility into apps claiming to be from your brand – Marketing and cybersecurity teams want to know where consumers are interacting with their brand online. Unauthorized apps that are posted in places they don’t know about work against this.
Tips for mitigating brand risk in alternative app stores:
Over-communicate to employees and customers where they can download your app – Education alone will not mitigate risks. Still, communicate clearly and frequently which marketplaces are eligible to publish your app. Ask customer support staff to clarify where a mobile user downloaded your app from. Make sure those same employees know where to report unknown or unauthorized marketplaces where your app is published.
Document Fakes – If you identify mobile app impersonation, collect screenshots of the offending app and other relevant information for your takedown request.
Assess the risks and benefits associated with third-party app stores – Businesses must decide whether they want customers to download apps from third-party stores. Analyze both the business risks and benefits of allowing your apps on marketplaces other than the Apple App Store or Google Play, and weigh them against the potential security/fraud risks.
Automate the continuous monitoring of app marketplaces – Between the Apple App Store and the Google Play Store, there are 36,000 iOS app releases and 97,000 Android app releases every day. With more third-party app stores likely to come online in the mainstream app market, the volume is likely to increase significantly. Manually searching for fake mobile apps will not protect your brand in the future.
Evaluate the benefits of hiring an online brand protection expert like Allure Security – Online brand protection providers have years of experience using playbooks to troubleshoot these types of issues and understand the specifics of the abuse/takedown policies of various third-party marketplaces.
*** This is a syndicated blog from Allure Security’s Security Bloggers Network, written by Mitch W. Read the original post at: https://www.alluresecurity.com/2023/02/22/apple-allowing-alternative-app-stores-on-iphones-online-brand-protection-will-be-complicated/