App malware

A newly discovered malware strain GriftHorse was found on over 10 million Android devices earlier this month. It avoided detection in the Google Play app store for nearly a year. 

While the number of affected devices is notable, the malware isn’t. There are an estimated 4 million malicious apps targeting Android devices and users with 11,000 new ones released every day. 

Apple’s App Store for iOS is considered more secure, but it has also had a string of high-profile security issues: It was recently reported that a malicious app designed to transfer money out of cryptocurrency wallets was used to snag $1.6 million before being taken offline. It avoided detection by calling itself an “encryption” rather than a “cryptocurrency” app. Another series of apps billed as fitness trackers used the company’s proprietary Touch ID verification to fleece users through the App Store’s own consumer payment system.

Are app stores themselves to blame for damages to users? 

Malware itself is nothing new; it’s been a fact of life for decades. Applications will always be installed with some associated risk. For instance, an application downloaded from a shady website, or pirated, will occasionally come bundled with malware. The developers of this or that operating system can’t be held liable for the tricky ways it is exploited.

Mobile app users are more restricted in how they use their devices. Both the Android and iOS platforms require apps to be installed through their own proprietary gateways, and every new app needs to be vetted and approved before it reaches end users. Apps can be pulled at will from either store with little to no recourse for their developers, and either company can change their criteria for apps whenever they want. 

While it’s possible to “sideload” apps to Android devices (install apps outside of Google Play), Google actively discourages it, and the default setting for Android phones forbids it. Apple’s iOS products are even more restrictive; the only way to get around its app store restriction is to “jailbreak,” or hack the phone’s operating system. Doing this voids Apple’s warranty and in some cases renders the device inoperable. 

Both Google and Apple claim the tight controls and heavy-handed approach to apps is primarily, if not solely, for the security of their users.

“[U]sers can access these apps on their Apple devices without undue fear of viruses, malware or unauthorised attacks,” states Apple’s support website vaunting the security of the App Store. “On iPhone, iPad and iPod touch, all apps are obtained from the App Store — and all apps are sandboxed — to provide the tightest controls.”

Google makes similar claims about its app security vetting processes.

“Google Play Protect helps you download apps without worrying if they’ll hurt your phone or steal data. We carefully scan apps every day, and if we detect a bad one, we’ll let you know and tell you what to do next,” says the safety section of the website

Both companies neglect to mention that they receive a cut of all payments made on apps on par with Mafia-style extortion. Google and Apple both initially received 30% of every transaction from the apps they make available on their app stores. After widespread criticism, both cut their percentages to 15% for apps earning less than $1 million in annual revenue.

The profits from this walled garden approach are enormous. Google netted $40 billion and Apple $72 billion in 2020 alone from apps sold within their app stores. Outside of proprietary apps linked to their existing services, neither company had a hand in the development of the overwhelming majority of the applications; they simply vetted them and facilitated their availability to owners of their devices (another sizable source of revenue for both companies).

The combination of lack of choice for consumers and the lucrative nature of app stores points to a greater level of responsibility on the parts of both Apple and Google than it would if they were more passive in determining how their devices were used and which apps were allowed. 

If both companies insist that the primary reason for their near-monopoly on apps available on their platforms is for cybersecurity, while profiting from the situation, shouldn’t they be liable for malicious apps that manage to avoid their detection and scrutiny?