Transcript: Apple VP Craig Federighi speaks at Web Summit 2021
Apple’s Senior Vice President of Software Engineering, Craig Federighi, appeared at Web Summit 2021 in beautiful Lisbon to evangelize the company’s message against app sideloading, which would undermine user and platform security.
The company has made this point before, and I think he’s completely right about this. The repercussions of forcing Apple to approach privacy in this way would threaten individuals, enterprises and governments. That’s a fact.
But here’s what he had to say in his own words, though I missed a little at the end.
Hey, well it is absolutely fantastic to be here at Web Summit. My topic today is privacy and security. And it’s great to be talking about it here in Europe where so many embrace these values not just as high ideals, but as fundamental human rights.
Now, I have to say, at times, fighting for privacy in the US has felt a bit lonely but knowing that there are those in Europe who so share our ideals and policymakers in Europe that are willing to take action. Well, that’s felt like a bit of a lifeline.
Now, of course, one of the proposals that policymakers have on the table right now is the Digital Markets Act. And there’s a lot in the DMA that we can all get behind, doing right by users, promoting competition, and making sure that consumers have choice.
Today, there is one provision of the DMA that I think deserves a little more consideration.
Specifically, I want to talk today about sideloading. And why requiring it on iPhone would be a step backwards in our privacy and security journey.
Safe as houses?
So let me start with an analogy and bear with me, it’s an imperfect one. Let’s pretend you’re in the market for a new house. You have a lot of options to choose from. But you’re not just choosing for yourself, because you have a new family. And you want to get the most secure house that you can find, one that has all the locks and deadbolts — a state of the art security system.
But then you get some bad news:
The city where you live has passed a law that introduces a fatal flaw into that security system, putting you and your family at risk.
Well, now this might all sound kind of ridiculous, but like I said, it’s an imperfect analogy.
But choosing a house is kind of like choosing a phone. Because in both arenas, you want something that keeps you and the things you care about private and secure.
So, I’m getting a little ahead of myself.
Federighi’s journey
To understand where I’m coming from, let me tell you just a little bit more about me. I was born in California, actually just less than an hour’s drive from where Apple would be founded just seven years later.
And at the age of 10 I had a chance run in with an Apple II. It ignited my personal passion for programming. And believe it or not, it was since that very moment that I knew I wanted to spend my life making this kind of technology useful.
At first it was to my mom and dad, later, my friends, and eventually for everyone else.
And amazingly, for years now I’ve had the privilege of doing exactly that, leading software engineering at Apple. Now my team builds and secures the operating systems that power the iPhone, the iPad, the Mac, and Apple’s other products, all to create a platform that people love.
It’s fun and easy to use, that users can trust, and that developers can build on to create truly incredible apps.
It’s a really great job, but it’s not an easy one.
And to give you a sense of what my teams do, I want to take you back in time to a time before iPhone even existed.
Back then Apple had a mission to create an entirely new generation of device, a more personal one, one that people could trust with their most sensitive information and have the confidence that it would keep their data private and secure.
Now when we talk about privacy, there are really two major types of threats.
- One is targeted attacks from state sponsored actors who invest hundreds of millions of dollars to focus on a tiny fraction of individuals. And this threat is important but it’s something that most of us will never encounter.
- On the other hand, there’s consumer malware and it poses a threat to hundreds of millions of people. And even before iPhone existed, people were all too familiar with this problem because we’d all experienced the security failings of PCs. Malware made them slow and difficult to use and people were constantly falling prey to scams.
With iPhone we wanted to change all of that.
What Steve Jobs said
Here’s how Steve summarised the challenge back then. He said we’re trying to do “two diametrically opposed things at once, to provide an advanced and open platform to developers, while at the same time protect iPhone users from viruses, malware, privacy attacks.”
This is no easy task. And of course, Steve was right.
But our team got our arms around the malware problem and began to see the environment for what it was: an industry motivated by profit and driven by return on investment, and the primary tactic was social engineering, fooling people into downloading and installing something that was different than what it claimed to be.
And the malware that hid behind these scams?
Well, it was as diverse as the scams themselves, from adware that serves you annoying pop-ups to ransomware that locks you out of your device until you pay up, to Trojans that suck up your personal data and help cybercriminals drain your bank accounts.
Now we knew we couldn’t rid the world of these scammers, but we could build a layered set of protections that would render their scams ineffective against iPhone users.
Well, we started with new on device protections, seamlessly integrating hardware and software to keep our users safe.
Now, this would help contain installed apps to only access what users authorised, with features like sandboxing, end-to-end encryption and the Secure Enclave that embeds our commitment to security all the way down to the silicon.
Humans are the weakest link
But on-device protections alone can’t protect users against well-crafted social engineering attacks. Because they trick the user into allowing that very access.
Which brings us to our second layer of defence. And that’s the App Store. The store was critical because it achieved two key things:
- The first was human app review to limit people’s exposure to scams in the first place, with real people evaluating every app to make sure that it worked as described, looking for privacy and security risks and enforcing clear and consistent standards.
- The second was a single point of distribution for software to ensure that everything users downloaded came from a trusted source. And had actually gone through those privacy and security reviews.
And you know, we achieved both of those things, while giving developers APIs, SDKs and a set of systems and tools to help them build amazing and reliable apps for users around the world.
The iPhone has evolved, but these fundamentals have stayed consistent: sophisticated on-device protections, and a central app store with human review. And the result has been a platform with privacy and security at its very foundations.
Now, there is of course no such thing as a perfect security system. But for the most part, the constantly improving set of protections we’ve built have managed to stay one step ahead of the bad guys.
Long story short, (the) iPhone security approach has worked.
But you don’t have to take my word for it. Because the security community regularly says things like this, quote, “Apple’s iOS devices are the most secure consumer hardware ever made.”
But let’s look at some numbers because when we compare iOS to other platforms, a clear story emerges.
The data tells the story
Here’s a graph (he showed a graph which isn’t here) showing third party data on malware infections by platform and you can see iPhone barely registers but the level of attacks on other platforms is a different story.
One security firm found more than 5 million attacks per month on its clients using another mobile platform. But there’s never been this kind of widespread consumer malware attack on iOS. Never. So what’s the difference?
Well, the single biggest reason is that other platforms allow side loading.
An iPhone sideload would mean downloading software directly from the open internet or from third party stores, bypassing the protections of the App Store. And we talked about the pillars that protect customers on iPhone; with sideloading, those layered protections are undone.
There’s no human App Review and no single point of distribution for sideloaded apps.
The floodgates are open for malware.
And we’re not the only ones who think this is risky.
Here’s what the leading cybersecurity government agencies have to say.
According to Europol, users should, quote, only instal apps from official app stores. Other government agencies in Europe and the US draw exactly the same conclusion.
There’s a clear consensus here, and it says sideloading undermines security and puts people’s data at risk.
No one is an island
Now this brings us back to the DMA. But before I proceed, I do want to try a little bit of audience participation.
A quick show of hands. How many of you carry an iPhone?
Okay, a pretty good number. Thank you.
But if this group mirrored Apple smartphone market share in Europe, the answer would be about one in five of you. And that’s okay with us.
Because at Apple our goal has never been to sell the most. Instead, our mission is to provide people with the choice of what we view as the best.
Now back to the DMA. Because the DMA has an admirable mission to promote competition and to make sure that consumers have choice.
And I’m a big fan of both of these goals.
But as an engineer who wants iPhone to stay as secure as possible for our users, there is one part I worry about. And that’s the provision that would require iPhone to allow sideloading, because in the name of giving users more choice, that one provision would take away consumers’ choice of a more secure platform.
And all this comes at a time when people are keeping more personal and sensitive information than ever on their iPhones.
And I can tell you there have never been more cyber criminals so determined to get their hands on it.
So now let’s return back to our favourite house. As you remember, you made a choice you wanted to protect your family so you bought a really safe home with a really great security system. And you’re really glad you did. Because since you first moved in, the burglars have never been more creative or more plentiful.
And in the real world of cybersecurity, this couldn’t be more true.
Attackers are virtually dressing up as mailmen, building tunnels underground and trying to scale your backyard walls with grappling hooks.
In this world, some of your neighbours are suffering repeated break-ins, but the home you have has kept you safe.
But then, that new law gets passed and, in the noble pursuit of a more optimised package delivery, your town requires everyone to build an always unlocked side door on the ground floor of their homes.
Now, some of your neighbours they love this idea. But you’re not so sure because you know that once a side door is built, anyone can walk through it. The safe house that you chose now has a fatal flaw in its security system.
And burglars are really good at exploiting it.
In a nutshell, sideloading is that unlocked side door and requiring it on iPhone would give cyber criminals an easy point of entry into your device.
Now, we don’t think anyone wants that — least of all the policy makers intending to give users more choice and more protections.
And European policymakers have often been ahead of the curve but requiring sideloading on iPhone would be a step backward.
Instead of creating choice, it would open a Pandora’s box of unreviewed, malware-ridden software and deny everyone the option of iPhone’s secure approach.
So clearly, I’m no fan of sideloading.
The fallacy of choice
But I want to address an argument that I hear a lot and it goes something like this. “Let people choose whether or not to sideload, let them judge the risks and they can decide for themselves.”
And it’s easy to see the attraction of this argument.
But history shows us it doesn’t play out the way that we’d hope because even if you have no intention of sideloading, people are routinely coerced or tricked into doing it.
And that’s true across the board, even on platforms like Android that make sideloading somewhat difficult to do.
So let me just show you a few examples.
Take this official-looking website, which looks like a government page where you can download an app to track the spread of COVID-19. They even provide official-looking instructions on how to download it, but after you download you realise you’ve been had, because instead of an app, you have a healthy dose of ransomware.
And this isn’t hypothetical.
This actually happened on Android. People who tried to do the right thing to protect their health and the health of others sideloaded an app that was a vehicle for malware.
Another example.
Let’s say that you decide to only download apps from the official app store because you’ve decided that’s the safest thing to do.
Well, which store was that?
Because one of cyber criminals’ all-time favourite strategies is to mimic official app stores, leaving everyone totally confused. And this happens all the time.
At one point, a security firm found 27 malicious apps that prompted users to download a fake Google Play Store infecting their phones with adware.
Criminals are clever, and they’re really good at hiding in plain sight.
What about surveillance data capitalists?
But I wish this were the end of the story. But cyber criminals aren’t the only ones we have to worry about.
So, let’s say you go to the official app store, and you’re looking for a social networking app that your friends are all on. But it isn’t there.
Because some social networking apps will probably try to avoid the pesky privacy protections of the App Store and only make their apps available via sideloading.
Privacy features that go beyond the bare minimum legal standards, the ones that users truly rely on to keep their information safe? Well, these would no longer exist for these apps. And you’d be stuck with the alternative of losing touch with your friends online, or taking on the risks of sideloading.
Now, maybe you’re thinking all this might be true, but I’ll never download a side loading only app and I won’t be tricked into side loading.
Well, that might be true for you. But your child might be fooled, or your parents might be fooled. And even if you see through every deception, the fact that anyone can be harmed by malware isn’t something that we should stand for.
The fact is one compromised device including a mobile phone can pose a threat to an entire network.
Malware from sideloaded apps can jeopardise government systems, infect enterprise networks, public utilities, the list goes on.
So even if you never sideload, your iPhone and data are less safe in a world where Apple is forced to allow it.
Cyber criminals’ targets and strategies vary. But here’s what couldn’t be more clear. Sideloading is a cyber criminal’s best friend and requiring it on iPhone would be a gold rush for the malware industry. That one provision…
(And it was at this point someone rang so I missed the end of it. If you have the conclusion, please send it to me. Thank you).