Consumers download millions of mobile apps each year because they trust that the apps available on app stores have been vetted for malware, comply with the law, respect users’ privacy, and actually work as advertised. Apple, Google, and other companies that operate official app stores dedicate significant resources to making this a reality—catching hundreds of thousands of malicious mobile apps before they reach consumers each year. Unvetted apps available from unofficial stores, however, are much more likely to contain malware and other malicious hidden features.
Despite the known dangers of unvetted apps, pending legislation in Congress would force Apple and Android to remove any limits on sideloading. This would ignore cybersecurity experts at the National Security Agency, Department of Homeland Security, and other agencies in the U.S. and around the world, all of whom agree that users should avoid sideloading and only download apps from official app stores.
FOR GOVERNMENT EMPLOYEES AND CONTRACTORS, BUSINESSES, AND ORDINARY CITIZENS, THE U.S. GOVERNMENT HAS ONE MESSAGE: DON’T SIDELOAD
- The Federal Trade Commission: “Use official app stores. To reduce the risk of installing potentially harmful apps, download apps only from official app stores, such as your device’s manufacturer or operating system app store. Also, research the developer before installing an app.”
- The Small Business Administration (guest post on official SBA blog): “If an app isn’t from a trusted source, you could potentially be downloading malware or some other security threat to your device. The major app marketplaces such as Google Play and Apple Store have gotten good at screening apps for security issues. Before you download an app, though, do some research to be sure other users aren’t reporting security issues.”
- The General Services Administration: “Applications available through approved methods (provided with the operating system – Apple iTunes and Google Play, respectively). Installation of applications from unknown sources is not authorized. These unknown sources include third party application sources, such as the Amazon App store… Allowing mobile apps to be loaded from an unknown source presents one of the greatest risks to GSA’s environment when using mobile devices.”
- DHS’s Science and Technology Directorate: “Third-party stores also exist…but the reliability and security of apps from these sources may vary widely and the vetting process may be opaque or less robust than is the case for the public stores of OS vendors… [U]sers should avoid (and enterprises should prohibit on their devices) sideloading of apps and the use of unauthorized app stores. Android’s built-in Verify Apps feature or third-party, mobile threat protection solutions for both Android and iOS can help identify potentially harmful apps installed on devices.”
- DHS’s Cybersecurity & Infrastructure Security Agency: “Avoid potentially harmful apps (PHAs). Reduce the risk of downloading PHAs by limiting your download sources to official app stores, such as your device’s manufacturer or operating system app store. Do not download from unknown sources or install untrusted enterprise certificates.”
- FBI’s Criminal Justice Information Services Division: “One of the few effective attack vectors to compromise mobile operating systems is to manipulate the device user to install a malicious application… Unsigned or untrusted apps are cryptographically prevented from executing on non-jailbroken iOS devices… On either platform, it is highly desirable to limit allowable applications to a pre-approved pool of apps via MDM or organizational App store structures and device policy.”
- Commerce Department’s National Institute of Standards and Technology: “Application stores pose an additional threat vector for attackers to distribute malware or other harmful software to end users. This is especially true of third-party application stores not directly supervised by mobile OS vendors… Third-party application stores may be completely legitimate, but may also host applications that commit substantial copyright violations or ‘cracked’ versions of applications that allow users to install and use paid applications for free.”