The mobile app Google Play Store and the Apple App Store are the gifts that keep on giving to Google and Apple, respectively. [I will use the lower-case “app stores” to refer to the generic portals, while capital case will refer to the specific one from Apple.] They generate revenue for the duopoly of Google and Apple through the fees assessed from all app developers for all in-app purchases, subscriptions, or paid downloads. What the app developers get are two broad benefits: security, for the end user primarily but also for the app developer, and hosting for the apps. And what is the fee that both Apple and Google charge for this functionality? The simple takeaway number is 30%, though there are several nuances which cause this number to be different for different people. And as an app developer, going through the app stores is not an option; it is a legally enforceable mandate.
So what are the arguments for keeping this current system going and what are the arguments for upending it? The legal battles are being fought as we speak, specifically for Google’s Play Store. I am far from being a lawyer and the long-winded legal arguments leave me simultaneously disinterested and stupefied, so I will restrict myself here to the technical perspective, coming from a cybersecurity researcher and practitioner.
How Lucrative is the Golden Goose?
Let us look at the revenue numbers to start. In 2023, global spending on the Google Play Store was $47B and on the Apple App Store was $89.3B. If we use the (approximate but generally accurate) 30% rate for revenue earned by Google and Apple, that nets them $14.1B and $26.8B respectively. How large of a fraction of the companies’ revenues is that? For Alphabet, that is a meager-looking 4.6% (search accounts for about 85% of its revenue) while for Apple, that is a slightly healthier 8.8%. So it is a growing revenue source, but nowhere near their largest cash generators — search for Alphabet and hardware sales for Apple. An enlightening contrast can be drawn with credit card processors who charge 3-to-5% of the transaction amount, a good 6-10X lower than these app store fees. On the other side of the spectrum, the profit margins in cloud computing (a.k.a. Amazon’s AWS, Google’s Google Cloud, and Microsoft’s Azure) are quite a bit higher, roughly 2X that of these app store fees.
Why Do We Need the Gatekeeper?
The two companies essentially act as gatekeepers for what we can get on our mobile devices. An argument has been made, with some merit I believe, that we are adults and do not need gatekeepers. I own a device, a company X has an app to offer to me that I find valuable, and I should be able to go get that app and put it on my device, a device that I own. This is the normal way of doing business on our PCs and laptops and on our servers and has been this way forever. One can argue that our assets on these devices are often more valuable than on our mobiles and therefore need stricter protection.
This standard way of doing business on PCs, laptops, and servers has created the vast product segment of malware detectors. Anyone running one of these devices puts malware detectors on every single one of them. The landscape of malware detectors is fractured and messy. Even technologists like me find this daunting. We first have to go through the bewildering array of product options, making sure that the product is not malware itself, a technological equivalent of the fox being put in charge of guarding the henhouse. Then we have to go through the process of configuring the detectors, to walk the balance between keeping our device safe and allowing us to do real work. And we have to spend many idle hours twiddling the knobs when things change.
The Security Argument for the Gatekeeper
With mobile devices, there is none of that. The malware detector market here is minuscule. The two companies take care of hosting the apps, vetting the apps for security and privacy, and pushing the updates onto our devices. Of course, the vetting process is not a monolithic binary one and there is healthy debate as to how effective it is in protecting our security and privacy. Apple reported that for 2022, it had rooted out 428,000 developer accounts for fraud and abuse (compared to 37M registered developers, this is a little above 1%). Apple also rejected nearly 1.7 million app submissions for failing to meet the App Store’s standards for privacy, security, and content, which makes for a remarkably high 27.5% of all app submissions. [Note: By far the largest reason for Apple rejecting an app submission was performance, not security.]
Google’s Gatekeeper Role
There has been far more attention paid by academic researchers to the security of the Google Play Store compared to the Apple App Store, likely due to the stridently closed-source culture of Apple. So, let us delve into the takeaways from a few such academic publications, though unsatisfyingly, the most well-done papers here are a little dated. One work from Oxford University from 2017 looked at 10K+ apps on the Google Play Store using static analysis to hunt for vulnerabilities. They found, using off-the-shelf static vulnerability analysis tools, that 3.6% of the popular category of apps had dangerous permission usages; for financial apps, this percentage was higher, at 6.4%.
One work from CSIRO and the University of Sydney in Australia from 2022 analyzed popular apps for counterfeiting — counterfeiting is the behavior in which the app masquerades as another, more popular app, likely with the objective of violating security or privacy on the device. The authors used more than five commercial antivirus tools and flagged 2% of the apps (2,040 out of 100,000) as counterfeit with high likelihood. This showed the path for a more stringent gatekeeper, one that runs a set of best-of-breed detection tools before allowing an app on its store.
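To make the two kinds of checks above concrete, here is a small static analyzer added to this post (it is not code from either paper, nor from Google or Apple). It parses an AndroidManifest.xml, flags requested permissions that fall in Android's runtime "dangerous" protection level, and flags a package name that closely resembles a more popular app's package name, the kind of look-alike signal a counterfeit detector would weigh. The manifest, the list of "popular" packages and the subset of dangerous permissions are constructed for illustration; a real vetting pipeline would use the full permission list and a catalogue of actual popular apps.

```python
"""Toy manifest-level static check: dangerous permissions and look-alike package names.
Constructed sample data only; not the tooling used by the cited studies."""
import difflib
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Partial, assumed subset of Android runtime ("dangerous") permissions.
DANGEROUS_PERMISSIONS = {
    "android.permission.READ_CONTACTS",
    "android.permission.WRITE_CONTACTS",
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.ACCESS_COARSE_LOCATION",
    "android.permission.READ_SMS",
    "android.permission.SEND_SMS",
    "android.permission.RECEIVE_SMS",
    "android.permission.CAMERA",
    "android.permission.RECORD_AUDIO",
    "android.permission.READ_PHONE_STATE",
    "android.permission.READ_CALL_LOG",
    "android.permission.READ_EXTERNAL_STORAGE",
}

# Constructed catalogue of "popular" package names (hypothetical, not real apps).
POPULAR_PACKAGES = ["com.example.bank", "com.example.chat", "com.example.maps"]

# Constructed manifest: a look-alike of com.example.bank asking for sensitive data.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.examp1e.bank">
    <uses-permission android:name="android.permission.INTERNET" />
    <uses-permission android:name="android.permission.READ_SMS" />
    <uses-permission android:name="android.permission.READ_CONTACTS" />
    <uses-permission android:name="android.permission.RECORD_AUDIO" />
    <application android:label="Bank App"></application>
</manifest>
"""


def parse_manifest(xml_text):
    """Return (package name, list of requested permission names)."""
    root = ET.fromstring(xml_text)
    package = root.get("package", "")
    name_attr = "{%s}name" % ANDROID_NS
    perms = [el.get(name_attr, "") for el in root.iter("uses-permission")]
    return package, perms


def dangerous_permissions(perms):
    """Subset of the requested permissions that are runtime-dangerous."""
    return sorted(p for p in perms if p in DANGEROUS_PERMISSIONS)


def lookalike_packages(package, popular, threshold=0.9):
    """Popular package names that are near-identical to this package name.

    Uses difflib's similarity ratio (2*matches/total length); an exact
    match is the genuine app, so it is skipped rather than flagged."""
    hits = []
    for candidate in popular:
        if candidate == package:
            continue
        ratio = difflib.SequenceMatcher(None, package, candidate).ratio()
        if ratio >= threshold:
            hits.append((candidate, ratio))
    return hits


def analyze(xml_text, popular=POPULAR_PACKAGES):
    """Combine both checks into one report for a manifest."""
    package, perms = parse_manifest(xml_text)
    return {
        "package": package,
        "dangerous": dangerous_permissions(perms),
        "lookalikes": lookalike_packages(package, popular),
    }


if __name__ == "__main__":
    report = analyze(SAMPLE_MANIFEST)
    print("package:   ", report["package"])
    print("dangerous: ", ", ".join(report["dangerous"]) or "none")
    for name, ratio in report["lookalikes"]:
        print("look-alike of %s (similarity %.3f)" % (name, ratio))
```

On the constructed manifest the report lists READ_CONTACTS, READ_SMS and RECORD_AUDIO as dangerous permissions and flags com.example.bank as a look-alike (the only difference is the digit 1 standing in for the letter l). Either signal alone is weak; a bank app legitimately needs some sensitive permissions, and similar package names exist by coincidence. The studies quoted above combine several such signals and several tools, which is why a single-heuristic checker like this one should be read as one input to vetting rather than a verdict.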
Things Would Have Gotten a Lot Hotter Under the Collar
Here is the subjective argument that I would make: without the gatekeeper role played by Google, these numbers would have been much higher, and thus more alarming. It is hard for me to see that a robust malware detector business segment could sprout quickly enough to take over the role of checks that Google provides on its platform. The apps often have to use the hardware on the device in tightly coupled ways, so it becomes more reasonable for the company that builds the operating system software (iOS or the Android OS) to vet them. Carried forward, I am arguing that third-party software would have a tougher task in vetting the app interactions with the hardware, and with our personal data.
Our own research has delved into the security of the Google Play Store from the perspective of wearable devices. We found that there were some architectural blind spots in Android Wear (now Wear OS) that opened up vulnerabilities. When we worked with Google, to their credit, they were responsive, worked with us to understand the problem, and rolled out a patch quickly enough, considering the rapid iterations through versions of Android OS.
The Times They Are A-Changin’
If you live in the EU, that is. The EU Digital Markets Act (DMA) is forcing Apple to reduce its App Store fees to 17% and also to allow alternate app stores to be installable on your mobile devices, a process that is lyrically called “sideloading.” The fee structure gets complex real quick, with charges racking up for developers depending on how popular their apps are. For example, apps must pay €0.50 for each first annual install per year over a threshold of one million app installs. Nevertheless, the imposition of third-party app stores is a major move. A major legal battle is playing out in the U.S. currently whereby Google is being asked to allow alternatives to getting apps on its platform. The ink is far from dry on these legal maneuverings, which are likely to drag out for years.
To Sum
If you build the highway, and maintain it, then you are allowed to charge toll fees. That is what Apple and Google are doing through their app stores. As a consumer, my selfish instinct tells me to hate toll fees, but then my rational side takes over, as long as the fees are “reasonable.” Of course, the $15 toll fee on New York City bridges and tunnels during peak hours does not qualify as reasonable in my book, not even remotely so. Whether the 30% being charged by Apple and Google falls in the reasonable category or the usurious one is a subjective personalized decision for each of us to make. I have laid out here some of the benefits provided by the two vendors for the “toll” and how far those benefits keep us safe, secure, and private in the mobile world.
This post was originally published on Distant Whispers.
Saurabh Bagchi is a professor of Electrical and Computer Engineering and Computer Science at Purdue University, where he leads a university-wide center on resilience called CRISP. His research interests are in distributed systems and dependable computing, while he and his group have the most fun making and breaking large-scale usable software systems for the greater good.