Apple engineer likened App Store security to ‘butter knife in gunfight’

A senior Apple engineer compared the defences of its App Store against malicious actors to “bringing a plastic butter knife to a gunfight”, according to legal documents released on Thursday.

The anecdote, which was cited by Fortnite maker Epic Games ahead of a high-stakes antitrust trial in California next month, was based on internal Apple documents quoting Eric Friedman, head of the company’s Fraud Engineering Algorithms and Risk (Fear) unit.

In the papers, Friedman also likened Apple’s process of reviewing new apps for the App Store to “more like the pretty lady who greets you . . . at the Hawaiian airport than the drug-sniffing dog”. He added that Apple was ill-equipped to “deflect sophisticated attackers”.

The revelation could be a significant blow to Apple’s defence, which rests on its insistence that the contentious 30 per cent “tax” it levies on digital purchases within apps downloaded from the App Store is necessary to fund curation of the store and protect consumers from malware.

The two companies have for months been locked in a feud over the fee, with Epic suing Apple last August after Fortnite was thrown out of the App Store for launching its own in-app payment mechanism, a workaround that deprived Apple of its commission.

Apple rejects any third-party payment tools for in-app purchases, arguing they could undermine the security of the iPhone.

In hundreds of pages of newly released arguments, for which each company has been allowed access to the other’s internal documents, Epic launched a stinging attack on Apple’s promise of App Store security. It argued that the Silicon Valley giant has “no evidence” that its app review process “screens for security issues better than other methods of app distribution”.

The games maker cited numerous examples of fraudulent apps previously listed on the App Store, including fake blood pressure detection tools, scams in which users have been misled into buying sham goods, and “obvious rip-offs” including one counterfeit Minecraft sequel that cost $6.99 and became one of the five most downloaded paid apps.

In its own extensive legal documents, Apple defended its App Store, arguing that Epic was pushing unfairly to avoid fees, despite Fortnite earning $700m from its platform in the two years before it was ejected.

Apple acknowledged various forms of malware on the App Store, but cited data from 2018 showing that the iPhone platform “accounted for just 0.85% of malware infections,” whereas Android accounted for 47.2 per cent of infections and Windows and PC accounted for 35.8 per cent.

Apple maintains that its marketplace is “significantly safer” than the Android platform and it can also help developers avoid the sort of fraud that Epic “has experienced using third-party payment processors in Fortnite.”

Apple said it rejects about 40 per cent of all app submissions. It called its manual, human-centred review effort “robust” with nearly 500 Apple employees dedicated to protecting users.

However, the Epic documents detail numerous examples of other developers who have expressed dissatisfaction with the level of quality control on the App Store.

According to Epic, the chief of meditation app Headspace referred to “egregious theft” on the App Store, with copycat apps repeatedly springing up after allegedly stealing its intellectual property.

“Shockingly, Apple [is] approving these apps, and when the users buy the apps they are left with nothing but some scammy chat rooms in the background,” he wrote to Apple, according to Epic.