The EU must take on smartphone safety

For many years, Apple has been voraciously pushing back against sideloading and alternative app stores on its iOS system. Apple’s senior vice-president Craig Federigh even called sideloading the “cybercriminal’s best friend“. This, however, misses the point.

It is indeed the case that malware is more common on Android than on iOS. According to Nokia, the risk of infection on iOS was about 6 times as high on Android than on iOS in 2020. Do these observations thus prove that Android is much less secure than iOS?

The key problem on Android is that the vast majority of users still use outdated versions of the operating system: only 15% of users run the latest version of Android. By contrast, over 70% of iPhones run the latest version of iOS (version 15).

This implies that any security vulnerability on Android can potentially be used for much longer than on iOS. The widespread use of outdated versions makes Android a fruitful and easy target for hackers. To hide away the problem from the public, Google decided to just not publish statistics on the adoption of Android versions anymore since 2018.

Besides outdated app versions, a further moving target for security vulnerabilities are customisations of the Android system by device manufactures. Some of these customisations make changes to the low-level Android code and can consequently introduce further vulnerabilities that could be exploited by hackers. Conversely, the homogeneity of the iOS ecosystem makes any security vulnerability a potentially much larger threat. iOS users also tend to be wealthier and more valuable targets for cybercrime. This makes them, too, an attractive target for hackers.

Both Google and Apple manage to employ some of the best security engineers worldwide. It is thus difficult to believe why either platform should be significantly more secure than the other. However, with Android being open source, any vulnerability in the Android code might surface earlier than it would on iOS. The openness of Android’s code does, however, not make Android per se less secure than iOS.

Sideloading has actually long been possible on desktop operating systems, including Apple’s macOS. It is absurd how Apple can seemingly enable sideloading in a secure way on macOS, but not on iOS. This has also been highlighted in the ongoing Epic v Apple trials.

In terms of security features, both iOS and Android implement similar measures. If devices run the latest version of the operating system, they are both relatively safe. This is why the cost for a zero-day exploit for both platforms is high, more than 2 million US dollars.

Sideloading can help to decrease the attack surface for vulnerabilities on mobile devices. A lack of sideloading, however, also puts much more into the hands of the platform gatekeepers, and reduces competition and accountability. These conflicts need to be finely balanced in the DMA.

As a result of the locked down iOS ecosystem, there has been much less academic research into this ecosystem in the past, as compared to Android. For example, the last large-scale study in app privacy on iOS was conducted in 2013, until the recent release of a study into the topic by our research group at the University of Oxford. This lack of transparency in app platforms significantly limits our understanding of how EU legislation, like the GDPR, affects the everyday lives of citizens.

Overall, there seems to be no need for EU legislators to be overly afraid of sideloading. Security vulnerabilities usually have different roots rather than just sideloading and alternative app stores, specifically the widespread use of outdated and heavily modified versions of Android. Conversely, alternative app stores on iOS promise to spur competition and innovation, as well as foster research and platform accountability.

To increase mobile device safety, policymakers should consider that:

  • Android users have the option to use an unmodified version of the operating system. This should be easy to use and communicate that unmodified versions of Android tend to be more secure.
  • Google Treble and Generic System Image already provide a foundation upon which app developers can receive the latest Android version for their phones without the intervention of phone manufacturers; this should be extended to end-users, not just app developers.
  • The supply with security updates should last longer than 2 years and be communicated at the point of sale. Moreover, it should be explored to what extent manufacturers might bear liability for vulnerabilities within the expected time of use of their devices.
  • The locking of bootloaders by manufacturers should be limited. It makes security research much more difficult, and prevents end-users from installing more secure or more out-to-date versions of Android. The use of Google’s SafetyNet should be restricted because it hinders such community efforts and app security research.