State Antitrust Lawsuit Trivializes Security Threats in Mobile App Market

Last July, 36 state attorneys general filed an antitrust suit against Google focusing on app distribution for Android devices through the Google Play Store. The 144-page complaint is filled with blunders, but the allegations on security warnings that accompany third-party downloads demonstrate a particularly limited understanding of cybersecurity, open-source software, and technology in general. The lawsuit shares sentiment with the Open App Markets Act (S. 2710), which seeks to force companies like Apple to permit third-party applications. Both ignore the increased security risks to consumers.

Malware is inevitable, and large tech platforms should not be discouraged from warning their users of potential security threats. But the lawsuit takes issue with these warnings, claiming that Google adds “superfluous, misleading, and discouraging security warnings” when users download third-party apps and use other app stores, a process called “sideloading.”

The complaint acknowledges that downloading third-party software onto Android devices is a “technical possibility.” On page 28, the complaint offers examples of the security warnings:

In one, Google warns that the installation file “can harm your device.” Next, Google simply blocks the attempted download, stating “your phone is not allowed to install unknown apps from this source” and presenting to the user only “Cancel” and “Settings” options (with no indication that installation is possible through the “Settings” option). In the third, Google warns that the user’s “phone and personal data are more vulnerable to attack by” the “unknown app,” and requires the user to actively opt in to select a feature by which he agrees that he is “responsible for any damage” to the phone “or loss of data that may result” from the installation.

In other words, sideloading third-party software requires an Android user to both read and think. The plaintiffs don’t appear confident in consumers’ ability to do either.

On the next page, the complaint states: “Google makes no effort to differentiate harmful apps and app stores from the rest and instead labels all non-Play Store apps and app stores as harmful.” It points to well-known applications like Fortnite and Amazon’s App Store as examples. This sets up a damned-if-you-do, damned-if-you-don’t scenario. Google applies these warnings to all third-party sources, despite its perceived prowess. Would the plaintiffs prefer that these security warnings apply only to smaller, less well-known developers and startups? The contention is revealing, because the lawsuit isn’t concerned with competition or consumers.

The lawsuit ignores the security risks associated with sideloading software from third-party sources. The complaint asserts: “Google’s statements regarding the dangers of sideloading were knowingly false when made.” But the process of sideloading apps has long been known to possess a certain degree of risk. Apple, Android’s biggest competitor, has built much of its business model around not allowing it. The reality is that Google takes that risk on behalf of consumers, not to the detriment of developers and competitors. 

The complaint proclaims: “Android is now ‘open-source’ in name only.” This statement is simply disconnected from reality. Amazon’s Fire OS uses a fork of the Android Open Source Project. Amazon has sold over 150 million Fire TV devices, without paying a single cent in royalties to Google. In one of many relevant market fallacies, the complaint narrows “Android” to mean only the “Google-certified version of the Android OS.” Android is open source. The Google Play Store, however, is not.

Google’s own app store is not impervious to malware. Just last month, reports of a malicious authenticator app on Android devices circulated, leading to the app being removed from the Google Play Store. Some say the 2FA Authenticator app infected over 10,000 devices over 15 days, raising concern that users’ financial information was targeted. The developers took advantage of the open-source code of another legitimate authenticator app to create a deceptive and malicious clone of the original. This is the nature of open-source programming.

This doesn’t mean Android devices lack a healthy security system. Google’s certified version of Android comes with Google Play Protect, which runs scans on new apps. It also, quite conveniently, provides security warnings to users when downloading files from unknown or third-party sources.

If antitrust proponents get their way, these incidents are sure to continue with increased frequency and severity. It would send the message that it’s not enough for Google to provide access to the Android Open Source Project to competitors free of charge and allow third-party sideloading. Unfortunately, creating an ecosystem that benefits consumers, developers, and competitors will still bring a company under the watchful eyes of antitrust enforcers.