Your app store will not save you

Apple got the app store concept going with iOS, and extended it to the Mac; Google has its Play Store for Android and a store for Chrome apps and extensions, and Windows has its Windows Store.

The idea of all this was safety: apps were vetted by the app store owner, so rather than take your chances on downloading things from some web site, you could stick to the app store and be safe. Apple takes this to the extreme on iOS: you have to root your phone to install anything they haven’t approved. Android is simpler: you can sideload apps by changing a few security settings (change them back after!) so you can get hold of things Google hasn’t approved (or break a Fire tablet free of Amazon by installing Google Play). Windows has what I think is probably the most useful idea here: if you are running Windows 10S, you can’t install anything else (but you can easily shift to “regular” Windows if you want). Windows 10S is not a stripped-down version of Windows; it’s just gated. I really wish it had been around when Dad was around; he was constantly clicking the wrong place and getting funky stuff on his PC, and Windows 10S would have been perfect.

But, I’ve long maintained that feeling secure because of your app store is a bad, bad idea. There have been some examples of malware making it into the Google Play store, although in most cases getting pwned required you to give things some crazy permissions. Apple folks pointed at this as an example of how terrible Android is.

But now, in the macOS store, this comes along: an anti-adware app that actually scoops up your browser history and sends it to China. It was one of the most popular apps in the app store. Oops!

Contrary to some reports, Adware Doctor didn’t find some sort of hole in the sandbox that prevents apps downloaded from the Mac App Store from being able to access the entire file system. The app asked permission from the user, which is the only way utilities like this can work. Any user who believed in the stated purpose of Adware Doctor would grant this permission though.

Usually the weakest link to attack is the user. Which is exactly why thinking “oh, the app store screens this stuff out” is just a really terrible way to think about security. You have to pay attention to the permissions that apps are asking for. Yes, even on a Mac or iPhone.

It’s also worth noting that Apple’s response to this has been fairly poor; Apple was warned by Malwarebytes about this app developer in 2015, there were reports that the app’s reviews were mostly fake a year and a half ago, and it took four weeks from the report on the app’s behavior for Apple to remove it.

So that’s the level of care you get depending on the app store that is, in theory, the gold standard. (If you believe that – I never did.)

Be smart.
