National Cyber Security Centre 10
Overview of app stores
This section provides a brief introduction to different types of app store. As mentioned previously, users download apps from stores for the platform they’re using, which comprise:
• mobile app stores (including third party stores) for downloading apps to mobile devices
• IoT voice assistant stores for downloading apps to Amazon’s Alexa and Google’s Home devices
• IoT smart device stores for downloading apps to devices that form part of the IoT, such as smartwatches and smart TVs
• gaming stores for downloading games and additional content to consoles (Xbox, PlayStation, Nintendo) and PCs
Mobile app stores

Mobile app stores provide a centralised and trusted repository for mobile users to purchase apps and download them onto their devices. Most mobile users download apps via the Google Play Store and Apple’s App Store, the official stores for Android and iOS devices respectively, which come preinstalled on devices. Microsoft’s mobile devices have their own app store, though only 4% of respondents to the Ipsos MORI consumer survey [11] said that they used the Microsoft Store (which includes users of the Xbox Store). Non-Google manufactured Android devices often come with an app store operated by the original equipment manufacturer (OEM) pre-installed, such as the Samsung Galaxy Store for Samsung Galaxy devices or the Huawei AppGallery.
Apple’s App Store and the Google Play Store offer 4.3 million and 2.9 million apps respectively as of November 2020 [12]. The vast majority of the apps available on mobile app stores are produced by third party developers. Uploading an app to an official app store requires submitting it for vetting so the operators can check for any malicious behaviours. Although these stores provide certain details about their processes of vetting and reviewing apps [13], most of the information is not in the public domain.
Despite these vetting processes, malware continues to make it onto stores, as the case studies section illustrates. Due to the sheer number of smartphone users, mobile app stores are a particularly attractive attack vector for cyber criminals seeking to infect as many victims as possible to maximise their returns, and even nation-state actors with a narrower, more defined targeting rationale.
In terms of the type of threat, mobile app stores do not fundamentally differ from other types of app stores. For example, an attacker could upload malware to either a mobile app store or a wearable smart device app store to track a user’s location, given that both types of device are portable. The sheer number of smartphone users makes mobile app stores a more attractive target for attackers.
Third party app stores

Unlike iOS, the Android platform allows for third party app stores. These are app stores that users must download or access separately, typically characterised by their focus on user and developer freedom (as opposed to the safety and privacy of users).
The only way to install third party apps on iOS is to ‘jailbreak’ a device, a process that provides the user and apps with access to features in the phone which would otherwise be inaccessible. The process uses unpatched vulnerabilities to bypass the security controls that Apple put in place, which leaves the device more vulnerable to attacks. Apple strongly cautions users against jailbreaking [14].
While there are fewer people using the most common third party app stores (compared with official app stores), a lack of robust vetting processes means that their users are especially vulnerable to threat actors uploading malware, as the case studies show. The threats from official or third party stores include spyware, banking malware, and malware used for toll fraud.
IoT voice assistant stores

Voice assistant devices such as the Echo range from Amazon (powered by Alexa) and the Nest devices (from Google) allow their users to download third party apps to further enhance their functionality. In Alexa these are referred to as ‘skills’, though they are functionally similar to apps. Skills can be downloaded through the main Amazon website. After downloading a skill, Alexa users can be informed of any updates to the skill via the notifications API.
Alexa and Google Home provide apps mainly through one store. While Amazon has opened up to other app providers through its Voice Interoperability Initiative [15] (which would allow other voice assistants to run on Alexa devices), this does not include its main rivals in this area (namely Google, Apple and Samsung).
As with mobile app stores, the majority of apps available are provided by third party developers. There are currently over 100 million skills available to Alexa users and these cover a wide range of functionality, such as gaming and ordering takeaways [16].
With over 100 million Alexa-enabled devices sold [17] as of January 2019, voice assistants represent an attractive target for attackers, who could use them to steal personal data and listen in on victims’ conversations. This mirrors how malware is distributed within mobile app stores, with applications that conceal similar malicious capabilities (such as recording audio via a device’s microphone). This highlights how both types of app stores are alike in terms of their threat profiles.
Voice assistant stores also face issues in terms of lacking robust vetting processes. A research paper [18] published in February 2021 revealed that it was possible to upload skills to the Alexa skills store under the names of well-established companies, similar to how malicious apps on mobile app stores often attempt to spoof their true origins. Furthermore, developers are able to update the code of their skills, once they are approved and published by Amazon, highlighting the systemic vulnerability of application updating that is shared across app stores. Amazon is responsible for setting the requirements for its app store and has published documentation [19] for the security requirements developers must adhere to, but the evidence highlights that some issues remain.
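As an added illustration of the brand-spoofing concern described above (this is not NCSC, Amazon or any store operator’s tooling), the following Python sketch shows one defender-side check a store reviewer or brand-protection team could run over listings: it folds look-alike characters and accents out of each listing name and flags names that match or closely resemble a trusted brand when the publisher is not that brand’s owner. The brand table, confusable map and listings are constructed sample data.

```python
"""Flag app-store or skill listings whose name imitates an established brand but whose
publisher is not that brand. Added illustration, not NCSC or Amazon tooling."""
import unicodedata

# Constructed brand table: normalised brand name -> publisher allowed to use it
TRUSTED_BRANDS = {"examplebank": "Example Bank plc", "acmeenergy": "ACME Energy Ltd"}

# A few visually confusable characters folded to their ASCII look-alikes
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t",
                             "@": "a", "$": "s", "|": "l"})

def normalise(name: str) -> str:
    """Strip accents, fold confusables, lower-case and drop separators,
    so that 'Examp1e-Bank' and 'Example Bank' both become 'examplebank'."""
    folded = unicodedata.normalize("NFKD", name).encode("ascii", "ignore").decode()
    folded = folded.lower().translate(CONFUSABLES)
    return "".join(ch for ch in folded if ch.isalnum())

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; a small value means a near-duplicate name."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def suspicious_listings(listings, max_distance=2):
    """listings are (name, publisher) pairs. Return (name, imitated brand) for each
    whose normalised name contains or sits within max_distance of a trusted brand
    while the publisher is not the brand owner."""
    flagged = []
    for name, publisher in listings:
        norm = normalise(name)
        for brand, owner in TRUSTED_BRANDS.items():
            close = brand in norm or edit_distance(norm, brand) <= max_distance
            if close and publisher != owner:
                flagged.append((name, brand))
                break
    return flagged

# Constructed sample listings: one genuine, two imitations, one unrelated
SAMPLE = [("Example Bank", "Example Bank plc"),
          ("Examp1e Bank Skill", "random-dev-42"),
          ("ACME Énergy", "skills4u"),
          ("Weather Today", "weatherco")]

if __name__ == "__main__":
    print(suspicious_listings(SAMPLE))
```

A flagged listing is a review signal, not proof of fraud: a real store check would also compare the declared developer account against the brand’s verified publisher identity before rejecting the submission.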
Threat report on application stores
[11] https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/978685/Consumer_Attitudes_Towards_IoT_Security_-_Research_Report.pdf
[12] https://www.businessofapps.com/data/app-stores/
[13] https://developer.apple.com/app-store/review/guidelines/
[14] https://support.apple.com/en-gb/HT201954
[15] https://developer.amazon.com/en-US/alexa/voice-interoperability
[16] https://www.tomsguide.com/uk/round-up/best-alexa-skills
[17] https://www.cnet.com/home/smart-home/amazon-has-sold-more-than-100-million-alexa-devices/
[18] https://www.theregister.com/2021/02/25/alexa_amazon_skills/
[19] https://developer.amazon.com/en-US/docs/alexa/ask-overviews/what-is-the-alexa-skills-kit.html