Why Macs and iPhones should avoid installing ‘orphan’ apps

There are many reasons any business with a connected fleet of tech products needs robust security policies in place. But the need to protect the enterprise against vulnerabilities inherited with third-party software must be among the biggest motivators. While I shouldn’t need to convince Computerworld readers to keep things locked down, I want to reprise two recent reports to reinforce the warning.

Half of all macOS malware comes from one app

Elastic Security Labs (via 9to5Mac) recently estimated that half of all macOS malware is installed as a result of poor management of the MacKeeper utility app. The report said almost 50% of Mac malware arrives through its installation.

What the utility does is optimize Mac performance and monitor the internal resources of the computer; the problem is that to do so requires the user give it permission to access critical processes and files. It isn’t the app that’s at fault per se, but those permissions make it an attractive target for adversaries who seek weak points in it to undermine system security.

The impact?

Rather than being protected by all the system-level security settings inherent in Apple’s desktop platform, MacKeeper users find their systems protected only by the inherent security of the app, which seems to be less secure, given how often Elastic Security Labs claims it is used to make an attack. This is the danger of any software granted inherent system privileges, but it is also the risk you take when using any form of third-party software on a Mac, iPhone, PC or iPad that hasn’t been updated for a while.

Millions of apps are orphans

Fresh research from fraud protection firm Pixalate (full report here) claims more than 1.76 million apps currently available on either the Google Play Store or Apple App Store have not been updated in two years or more. The researchers also identified 324,000 apps that have seen no maintenance updates of any kind for more than five years.

The problem with abandoned apps is that they may contain unpatched bugs, or privacy and security vulnerabilities, which once again places your company systems at potential risk. You see, rather than target the system, criminals may target the app.

Worse, they may choose to exploit an orphaned account to mount a convincing phishing attack — that’s the kind of vulnerability exploited to attack Avast and NordVPN. A 2020 Verizon security report warned 80% of breaches used brute-force attacks or stolen credentials, and it is way easier to brute force an insecure app.

Here are some details that provide some sense of inherent risk:

• There were 1.76 million abandoned apps in Q3 22, up 8% quarter-over-quarter.
• To be fair, the number of abandoned apps Apple offers declined 1%, while Google’s grew 18%.
• 21% of abandoned apps have no detected privacy policy. That figure falls to 2% for recently updated apps.
• 14k+ abandoned apps with programmatic ads accumulated $8M+ in ad spend.
• 44% (22k+) of abandoned apps registered in Russia are abandoned, 39% (34k+) in China, and 36% (126k+) in the U.S.
• 49% of likely child-directed apps available for download in the Apple App Store are abandoned as of Q3 2022.

Consumer simple, enterprise secure

Managed device fleets in which app installation permissions are implemented, or remote app installation managed, should be more secure. But given most devices used today comprise both personal and enterprise tasks, user education is the best way for enterprises to protect themselves.

This has always been the way.

Any tech user must become a little paranoid. Just as most of us know not to click on weird links in texts and messages from strangers, so should we learn to aggressively review our installed apps to make sure they are still being updated. Businesses should also engage in regular app reviews to ensure the software mandated for use across a company is still supported and maintained. As we learned earlier this week, this extends to the software components used inside your apps.

Who watches the App Stores?

But perhaps the biggest responsibility remains with the app stores themselves. Apple is in the process of evicting non-updated apps. It’s said that any apps over three years old that have not been updated will be deleted after a warning period in which developers can update the software.

This curation is potentially why the number of such apps at the App Store has begun to decline (and remains a good reason for walled gardens to be given some protection). But, as the security challenge becomes increasingly complex, this may not be enough.

Ultimately, it should be hard to install insecure or non-updated apps, and customers attempting to do so — from any store — should be warned that the app they want to put inside their device hasn’t been updated for a while.

It’s only one piece of the endpoint protection puzzle, of course. But as we live in interesting times, the need to stay safe is intensifying and every business, and every user, should be very wary of orphaned apps. 

Please follow me on Mastodon, Twitter, or join me in the AppleHolic’s bar & grill and Apple Discussions groups on MeWe.