With a sharp increase in downloads from third-party app stores on the horizon, heeding Apple’s sideloading warnings is more important than ever.
The National Telecommunications and Information Administration’s recently published report “Competition in the Mobile Application Ecosystem” calls for Apple and Google to allow people to download apps from outside their official app stores. The stated goal is “open[ing] the app ecosystem to greater competition, innovation and potential benefits for users and developers,” and the report argues that the current market is “not a level playing field, which is harmful to developers and consumers.”
The EU’s Digital Markets Act, which becomes applicable in May 2023, will also require gatekeepers such as mobile platform operators to allow end users to install apps from alternative app stores rather than only from Google Play or the Apple App Store.
These developments may be a win for developers and consumer choice alike. Brands, however, also need to be aware that they will likely increase the prevalence of unauthorized, if not outright malicious, mobile apps impersonating trusted brands.
Apple Allegedly Planning to Allow “Sideloading” on iOS 17
Sideloading is the download and installation of apps from sources other than a platform’s official app store, such as alternative app marketplaces. Apple’s iOS 17 will likely launch in September 2023, and it has been reported that iOS 17 will support sideloading, at least in Europe. While the platform companies themselves appear to be complying, the concerns they have voiced for years about marketplace security are more relevant than ever.
Many developers like the idea that they may soon be able to distribute their iOS apps without paying Apple a 15-30% commission on App Store sales. Fraudsters are also likely salivating: as consumers grow comfortable downloading apps from third-party marketplaces, the hunting grounds for tricking people into installing fake mobile apps expand accordingly.
It remains to be seen what level of scrutiny third-party app marketplaces will apply to mobile apps submitted for publishing on their platforms. At Allure Security we regularly find unauthorized or potentially malicious mobile apps published on alternative app stores.
Third Party App Stores’ Impact on Online Brand Protection
The fact of the matter is, things are going to get worse before they start to get better.
With more alternative app stores coming online and more consumers downloading apps from third-party marketplaces, fraudsters see emerging marketplaces as prime real estate to publish fake mobile apps impersonating trusted brands.
This is particularly tough for brands, given how much of a challenge searching for impersonations already is. Each day, billions of Facebook posts are published, hundreds of millions of tweets are sent, millions of LinkedIn updates are posted, and hundreds of thousands of new websites go live. Any one of those billions of daily activities could be a malicious brand impersonation.
Then consider the tens of thousands of mobile apps released on the official app stores each day, a figure that does not include third-party marketplaces. The number of mobile app releases, authorized or not, will only grow. There is already far too much content published each day to manually monitor for online brand impersonation attacks targeting your brand and your customers across websites, social media networks, and mobile app marketplaces. With Apple allowing sideloading, the volume of content that needs review will only increase. Any brand hoping to mitigate the potential damage of a fake mobile app abusing its brand will need to automate monitoring for these threats.
While the Apple App Store and Google Play review processes aren’t foolproof, at Allure Security we find a wide range in the scrutiny that third-party marketplaces apply to the apps they publish. Some marketplaces do inspect apps for appropriate security controls and intellectual property infringement. Others don’t review published apps at all.
The risks that third-party mobile app marketplaces pose to your brand include:
- Free versions of paid apps – If your organization has a mobile app generating revenue, the impact of an unauthorized, unpaid version is obvious.
- Repackaging attacks – Scammers download legitimate apps from official app stores, insert malicious code, re-sign the modified package with their own key (the original signature no longer verifies once the code is altered), and redistribute it in order to steal users’ credentials, identity, or payment information. The ability to sideload apps increases the risk.
- Low quality clones – A user who downloads a clone of your app that doesn’t function or is slow could quickly conclude that your brand publishes low quality work and move on to download a competitor’s app.
- Out-of-date apps lacking the latest functionality or security features – The purpose of app updates is to provide the best mobile experience possible and to strengthen security. An out-of-date version risks a sub-par experience or, worse, a known vulnerability that exposes users to identity, payment, or account takeover fraud.
- Lack of visibility into apps purporting to be from your brand – Marketing and cybersecurity teams want insight into where consumers interact with their brand online. Unauthorized apps published in places they’re not aware of run counter to that.
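One concrete triage check for the repackaging case above, added here as an example and not code from the original post or from Allure Security: a repackaged app has to be re-signed with the attacker’s key, so the SHA-256 fingerprint of the signing certificate carried inside the APK will not match the brand’s own release certificate. The script below uses only the Python standard library: it reads the JAR (v1) signature block under META-INF with a minimal DER reader, hashes each embedded certificate, and compares the result with a list of trusted fingerprints. The sample APK, the placeholder certificates and the function names are all constructed for this example.

```python
"""Fingerprint the signing certificate(s) of a suspected repackaged APK.

Stdlib only. Parses the PKCS#7 SignedData in META-INF/*.RSA (or .DSA/.EC),
extracts the embedded X.509 certificate TLVs and hashes them with SHA-256,
which is the fingerprint apksigner/keytool report. It extracts, it does not
verify the signature; that is enough to tell "signed by us" from "re-signed".
"""
import hashlib
import io
import zipfile


def _read_tlv(buf, pos):
    """Parse one DER TLV at buf[pos]; return (tag, value, next_pos).
    Single-byte tags are assumed, which holds for PKCS#7 and X.509 framing."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _children(value):
    """Split a constructed DER value into (tag, raw_tlv_bytes) children."""
    out, pos = [], 0
    while pos < len(value):
        tag, _, nxt = _read_tlv(value, pos)
        out.append((tag, value[pos:nxt]))   # keep the raw TLV for hashing
        pos = nxt
    return out


def certificates_from_pkcs7(blob):
    """Return the raw DER certificates from a PKCS#7 SignedData blob."""
    tag, content_info, _ = _read_tlv(blob, 0)   # ContentInfo SEQUENCE
    if tag != 0x30:
        return []
    children = _children(content_info)          # [contentType, [0] EXPLICIT SignedData]
    if len(children) < 2 or children[1][0] != 0xA0:
        return []
    _, signed_data_tlv, _ = _read_tlv(children[1][1], 0)   # unwrap [0]
    _, signed_data, _ = _read_tlv(signed_data_tlv, 0)      # SignedData SEQUENCE
    fields = _children(signed_data)
    # version, digestAlgorithms, encapContentInfo, then certificates [0] IMPLICIT
    if len(fields) > 3 and fields[3][0] == 0xA0:
        _, cert_tlvs, _ = _read_tlv(fields[3][1], 0)
        return [raw for t, raw in _children(cert_tlvs) if t == 0x30]
    return []


def signer_fingerprints(apk_bytes):
    """Hex SHA-256 fingerprints of every certificate in the APK's v1 signature blocks."""
    fps = set()
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for name in zf.namelist():
            upper = name.upper()
            if upper.startswith("META-INF/") and upper.endswith((".RSA", ".DSA", ".EC")):
                for cert in certificates_from_pkcs7(zf.read(name)):
                    fps.add(hashlib.sha256(cert).hexdigest())
    return fps


def is_repackaged(apk_bytes, trusted_fingerprints):
    """True when no signer matches the brand's certificate (unsigned counts as suspicious)."""
    found = signer_fingerprints(apk_bytes)
    return not found or not (found & set(trusted_fingerprints))


# --- constructed sample data for the example (no real brand certificate) -----
def _der(tag, payload):
    n = len(payload)
    length = bytes([n]) if n < 0x80 else b"\x82" + n.to_bytes(2, "big")
    return bytes([tag]) + length + payload


def build_sample_apk(cert_der):
    """A minimal APK-shaped zip whose META-INF/CERT.RSA holds cert_der inside a
    skeletal PKCS#7 SignedData (enough framing to fingerprint, not a valid signature)."""
    signed_data = _der(0x30,
        _der(0x02, b"\x01")                                   # version 1
        + _der(0x31, b"")                                      # digestAlgorithms
        + _der(0x30, _der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x07\x01"))  # pkcs7-data
        + _der(0xA0, cert_der)                                 # certificates [0]
        + _der(0x31, b""))                                     # signerInfos
    content_info = _der(0x30,
        _der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x07\x02")   # signedData OID
        + _der(0xA0, signed_data))
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("classes.dex", b"dex\n035\x00")
        zf.writestr("META-INF/CERT.RSA", content_info)
    return buf.getvalue()


# Placeholder "certificates": a DER SEQUENCE standing in for a real X.509 TLV.
BRAND_CERT = _der(0x30, b"brand-release-signing-key")
ATTACKER_CERT = _der(0x30, b"attacker-resign-key")
BRAND_FINGERPRINT = hashlib.sha256(BRAND_CERT).hexdigest()

if __name__ == "__main__":
    for label, cert in (("official", BRAND_CERT), ("repackaged", ATTACKER_CERT)):
        apk = build_sample_apk(cert)
        print(label, signer_fingerprints(apk), "repackaged:", is_repackaged(apk, [BRAND_FINGERPRINT]))
```

Two caveats for real use. Apps signed only with APK Signature Scheme v2/v3 (the default since Android 7) carry no META-INF/*.RSA file, so for those run `apksigner verify --print-certs` on the file and compare the printed SHA-256 against your own; and the reference fingerprint should come from your own release keystore (for example `keytool -list -v`), never from a copy of the app found on a marketplace.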
Tips for mitigating brand risks on alternative app stores:
- Over-communicate to staff and customers where to download your app – Education alone will not eliminate the risk. Still, clearly and frequently communicate which marketplace(s) are authorized to publish your app. Ask customer support staff to try to establish where a mobile user downloaded your app from, and ensure those same staff know where to report unknown or unauthorized marketplaces publishing your app.
- Document impersonations – When you identify a mobile app impersonation, gather screenshots of the offending app, its listing URL and publisher name, and any other relevant information for your takedown request submission.
- Assess the risks and benefits associated with third-party app stores – Organizations will need to decide whether or not they want customers downloading their apps from third-party stores. Analyze the business risks and benefits of allowing your apps on marketplaces other than the Apple App Store or Google Play and weigh them against the potential security and fraud risks.
- Automate continual monitoring of app marketplaces – Between the Apple App Store and Google Play, there are 36,000 iOS app releases and 97,000 Android app releases each day. With more third-party app stores likely to enter the mainstream market, that volume is likely to increase considerably. Manually looking for fake mobile apps will not keep your brand safe going forward.
- Evaluate the benefits of hiring an online brand protection expert like Allure Security – Online brand protection vendors have years of experience with playbooks for handling these sorts of issues and understanding the ins-and-outs of various third-party marketplaces’ abuse/takedown policies.
What You Should Do Next
- Discover another online brand impersonation trend observed by Allure Security – scammers abusing free subdomains offered by dynamic DNS service providers – on our blog.
- Compare your online brand protection efforts to modern online brand protection best practices using our free Busy Person’s Guide to Online Brand Protection.
- Learn how to find and eliminate more fake websites, deceptive social media profiles, and unauthorized mobile apps more quickly with Allure Security by contacting us.