Apple warns against sideloading iOS apps • The Register

Analysis Apple, besieged by regulators and rivals challenging its exclusive control of the iOS App Store, has published a 31-page defense of its seemingly benevolent monopoly, which warns of dire consequences if Cupertino is forced to allow competition.

"[S]ome urge Apple to support the distribution of applications outside the App Store, through direct downloads or third-party application stores, a process also called 'sideloading,'" says Apple in its treatise "Building a Trusted Ecosystem for Millions of Apps: A Threat Analysis of Sideloading" [PDF].

"Supporting sideloading through direct downloads and third-party app stores would undermine the privacy and security protections that have made the iPhone so secure, and expose users to serious security risks."

This is the second time in the last few months that Apple has published a lengthy defense of its highly profitable business model [PDF]. In June, Apple CEO Tim Cook delivered a similar message remotely at the Viva Technology conference in Paris, France, over concerns that the EU's proposed Digital Markets Act would force Apple to support third-party app stores and allow user-installed apps.

Last week, Timothy Powderly, Apple's senior director of government affairs for North and South America, sent a letter to US lawmakers [PDF] raising similar concerns about legislation that would require competition in the app store market and mandate support for sideloading.

Awkward truth

However, there is a big problem with Apple's argument: Apple uses the term "sideloading" to refer to both third-party app stores and direct app installation, suggesting an equivalence between two scenarios that are not the same.

"Sideloading" is usually defined as the installation of apps by a device's user without the involvement of a trusted intermediary that performs some supervisory function. As Microsoft puts it, "Sideloading apps is when you install apps that aren't from an official source, such as the Microsoft Store."

So downloading an iOS app from someone's website and installing it is not the same as downloading an iOS app from, say, an app store run by Google, Epic Games, or Microsoft. By conflating the two scenarios, Apple implicitly denies that a third-party app store could offer better security and privacy than the App Store.

And that is plausible, given that Apple on average spends only about 12 minutes reviewing each iOS app. Imagine, for example, an iOS app store run by Mozilla that reviewed apps in more detail, offered developer-paid security audits, and banned all third-party analytics and ad SDKs. Such apps might cost more. But if iOS users were willing to pay for a stronger review process and some assurance that their apps didn't include data collection libraries from advertising companies, they could.

Ignore for a moment the fact that macOS allows sideloading, and that Apple software EVP Craig Federighi sacrificed macOS's security reputation to defend Apple's iOS walled garden against a recent legal attack by Epic Games. Consider sideloading on Android instead.

Apple suggests that Android has poor protection because it supports sideloading. "In the last four years, Android devices have had 15 to 47 times more malware infections than the iPhone," the Apple report says.

Yet Apple is known for not communicating openly about security and for not publishing a transparency report, as Google does for Android. Apple appears to rely on third-party research from Nokia to back up its claims, without providing its own internal App Store data on the frequency of iOS malware. Security issues may be more visible on Android than on iOS, but that is to be expected when iOS is less accessible to researchers.

According to Google's transparency report, only about 0.075% of devices running the current Android release (Android 11) contained a potentially harmful application (PHA) in the April-June quarter, a figure that includes devices that sideload apps.

Many of Android's security issues are the result of Google's inability to force OS updates onto devices sold by third-party vendors, so older versions of Android with known vulnerabilities stay in circulation longer. That is a consequence of the fragmented, multi-vendor Android ecosystem, not of the dangers of sideloading.

The horror, the horror

Consider some of the terrible consequences that Apple says would follow if it were forced to allow sideloading:

  • More harmful apps would reach consumers because it would be easier for cybercriminals to target them — even if sideloading were limited to third-party app stores.

But if customers are happy with the App Store, they won't need to change where they shop. If they decide to look elsewhere for their iOS apps, they should have that freedom.

  • Users would have less information about apps up front and less control over apps after downloading them to their devices.

Not necessarily. There's no reason a third-party app store can't offer more information if it chooses to. And users who decide to download iOS apps themselves have the opportunity to do as much research as they wish and to make installation decisions based on their own risk tolerance.

  • Some sideloading initiatives would also require the removal of protections against third-party access to proprietary hardware and non-public operating system functions.

Apple does not say what these initiatives might be, but there is no reason a mandate to open up the iOS ecosystem cannot balance legitimate security concerns with competition.

  • Users may be forced to download an app they need for work or school.

Like Apple was forced to allow government-mandated apps in Russia? If users are forced to install unwanted apps, the problem is not the operating system or the distribution mechanism, but the legal regime or power dynamics of those doing the forcing.

When The Register earlier this year asked security researcher Patrick Wardle, founder of the free security project Objective-See and director of research at security services firm Synack, whether Apple's concerns were valid, he admitted that some of Apple's concerns are legitimate, but also self-serving.

Sideloading, he said, expands the iOS attack surface to a debatable degree, even as he noted that the App Store still contains fraudulent and insecure apps. Ultimately, he argued that even if there is some additional risk, most people would prefer that Apple not be the final authority on what we can install on our devices.

Similarly, Feross Aboukhadijeh, an open source developer, told The Register in June that the protection provided by iOS has little to do with Apple's inconsistent App Store review process. Rather, he said, iOS security is largely due to security features built into the operating system, such as app sandboxing, memory safety, permission prompts, and the like.

Apple says, "Sideloading isn't in the best interest of consumers." That's a complicated way of saying you're not responsible enough to decide what goes on your iPhone. But sideloading is definitely not in Apple's best interest. ®