Apple is still fighting against impending antitrust regulations in the US that might significantly alter the App Store. Apple specifically refutes allegations that its anti-sideloading stance is “unfounded, deceitful, and dishonest” in a letter to the Senate Judiciary Committee that was obtained by 9to5Mac.
This letter from Apple to the Senate Judiciary Committee is dated March 3 and signed by Timothy Powderly, the company’s senior director of government affairs. The letter was sent in response to allegations from cryptographer Bruce Schneier, who told lawmakers that Apple’s security concerns related to sideloading were “unfounded.” In his own letter to the Senate Judiciary Committee, sent in January, Schneier wrote:
I would like to address some of the unfounded security concerns raised about these bills. It’s simply not true that this legislation puts user privacy and security at risk. In fact, it’s fairer to say that this legislation puts those companies’ extractive business-models at risk. Their claims about risks to privacy and security are both false and disingenuous, and motivated by their own self-interest and not the public interest.
Reuters was first to report on Apple’s response to Schneier, and 9to5Mac has now obtained a full copy of the document. Apple explains that the accusations made by Schneier are “particularly disappointing” and prove that “even talented technical practitioners” can confound the issues surrounding sideloading:
Given our general regard for Mr. Schneier, these accusations are particularly disappointing. In our experience, the work of providing leading security and privacy to a modern computing platform at billion-device scale is among the most enormously complex and challenging engineering and technical policy endeavors, and much about this work remains easy to misunderstand. Mr. Schneier’s letter underscores that even talented technical practitioners, if they have not worked on key problems in this space, can confound the issues.
Throughout the letter, Apple points to a number of different examples of third-party app stores containing apps infected with malware and apps that scrape user data. One of the examples cited by Apple centers around the Android ecosystem:
In the Android ecosystem, which has 50 times more malware than iOS, Nokia found that “the fact that Android applications can be downloaded from just about anywhere still represents a huge problem, as users are free to download apps from third-party app stores, where many of the applications, while functional, are Trojanized.”
In Nokia’s 2021 threat intelligence report, Android devices made up 50.31% of all infected devices, followed by Windows devices at 23.1%, and macOS devices at 9.2%. iOS devices made up a percentage so small as to not even be singled out, being instead bucketed into “other”. We consider this a triumph in protecting our users, and it could never have been done without the industry-leading last line of defense of our device security controls, working in tandem with the front-line security and privacy protections we provide our users through the App Store and App Review.
As expected, Apple also points to a number of the protections offered by the App Store, including the review process, App Tracking Transparency, and Privacy Nutrition Labels. None of these would be possible with third-party app stores, Apple says.