Recently there have been growing calls for Apple to allow third-party app stores for the iOS and iPadOS platforms, which would enable a process known as “sideloading”—installing an app on a device that originates outside of the official App Store.
Proponents argue that Android allows sideloading, so Apple should too. Allowing users to install apps on their iPhones and iPads without Apple serving as an intermediary would alleviate concerns about its App Store rejections and fees, which have been part of an ongoing drama since the first authorized third-party iPhone apps debuted 13 years ago. Sideloading would also weaken arguments that Apple’s control of the App Store amounts to an illegal monopoly.
But many security experts—and fans of Apple’s privacy features—find such a proposal alarming. It’s true that Android allows sideloading, but sideloading is one of the main reasons that Google’s mobile operating system is so riddled with malware. Bad actors know that if they want to attack an Android device, the easiest way to do so is to hide it in a sideloaded app disguised as, for example, a popular anti-virus app or even an Android system update. Once the app is installed on the Android device, it can then inject the malware payload, such as ransomware.
To help the public better understand Apple’s stance on sideloading, the company has released its newest privacy white paper, which focuses on the topic. In advance of the paper’s release, I spoke to Apple’s head of user privacy, Erik Neuenschwander, about the practice and why Apple—judging from our conversation—remains vehemently opposed to it.
Want sideloading? You have a choice: Android
As someone who frequently writes about privacy and security, I agree with Apple’s position on the topic. Some who argue that Apple should allow sideloaded apps say that it would provide users with more choice. Yet choice is exactly what Neuenschwander says the company is offering users by providing a platform that does not allow sideloading.
“Sideloading in this case is actually eliminating choice,” he says. “Users who want that direct access to applications without any kind of review have sideloading today on other platforms. The iOS platform is the one where users understand that they can’t be tricked or duped into some dark alley or side road where they’re going to end up with a sideloaded app, even if they didn’t intend to.”
If you’ve ever had friends contact you in a panic, telling you their phone has been hit by malware, you’ll understand just how sound Neuenschwander’s argument is. Without iOS, users wouldn’t have a mobile operating system platform they could choose from that is impossible to be targeted by malicious sideloading. In Apple’s view, in other words: Do you want the best privacy and security possible? Your choice is iOS. Do you want sideloading? Your choice is Android.
Neuenschwander wouldn’t speculate on just how much malware is floating around on the Android platform due to sideloading, but independent security experts have found a staggering amount of malware on Android devices—up to 15 times more than iOS. One of the main vectors of attack? Sideloaded apps.
Even with the App Store’s security measures in place, malware does sneak onto iPhones. But Neuenschwander contends that its quantity “would be obviously much higher” if Apple opened the iPhone to sideloading. Why? Because right now there are two security checks that protect users from malicious apps.
The first is Apple’s developer policies and processes, which regulate what an app can and cannot do. Apple can check whether a developer is following these policies, because a human reviews every app submitted to the App Store. And by the very act of uploading an app to the App Store, that app is also scanned for all known malware, protecting users from nefarious apps even more.
The second security check is the users themselves. Because Apple requires developers to ask the user for permission in a universal way before it can access such features as an iPhone’s microphone or camera, a user can identify if something shady is going on inside the app.
Users will be attacked regardless of whether or not they intend to navigate app stores other than Apple’s.”
“Today, we have our technical defenses, we have our policy defenses, and then we still have the user’s own smarts,” Neuenschwander says, referring to Apple’s App Store processes. Sideloading would negate those defenses, he contends.
Some may argue that the drawbacks of sideloading would hit only those who sideload apps. Wouldn’t those who still choose to download apps only through Apple’s App Store be safe?
But Neuenschwander points out (as does the company’s white paper) that the mere existence of sideloaded apps would encourage bad actors to target unsuspecting users more by trying to lure them to download their malicious ones from unofficial stores or sites. You might be savvy and cautious enough to know a fake app store when you see it, but is your 15-year-old nephew or 75-year-old father?
“Even users who intend—they’ve consciously thought themselves that they are only going to download apps from the App Store—well, the attackers know this, so they’re going to try to convince that user that they’re downloading an app from the App Store even when that’s not happening,” Neuenschwander says. “Really, you have to think very creatively, very expansively as an attacker would trying to go after so many users with such rich data on their device. And so users will be attacked regardless of whether or not they intend to navigate app stores other than Apple’s.”
If you think that sounds far-fetched, let me introduce you to the fake Google Play Store.
Hey, what about the Mac?
Despite Apple’s insistence that sideloaded apps and app stores would be bad for both users who choose to access them and users who don’t, it must be pointed out that Apple isn’t against sideloading altogether. As a matter of fact, Apple’s oldest platform allows it: MacOS.
MacOS offers an App Store of its own, but you don’t need to use it to download apps. You can also do so via third-party stores or websites. So why the discrepancy in policy between the Mac and iPhone when it comes to sideloading?
Part of the answer comes down to math. Neuenschwander notes that there are at least 10 times as many iPhones in the world as there are Macs, which makes the iPhone a much more enticing target to bad actors. An iPhone also likely carries much more sensitive user data than the average Mac does, and the iPhone is generally with a user everywhere they go.
“It’s the device you carry around with you,” Neuenschwander notes. “So it knows your location. And therefore somebody who could attack that would get pattern-of-life details about you. It has a microphone, and therefore that’s a microphone that could be around you much more than your Mac’s microphone is likely to be. So the kind of sensitive data [on the iPhone] is more enticing to an attacker.”
If Apple ever does allow sideloading of iOS and iPadOS apps, it might be because it has no choice.
It should also be noted that at the recent Epic Games v. Apple trial, Apple’s software chief Craig Federighi said there was an unacceptable level of malware on the Mac, an amount “that is much worse than iOS.” It’s understandable then that Apple doesn’t want the problem to propagate over to the iPhone.
If Apple ever does allow sideloading of iOS and iPadOS apps, it might be because it has no choice. Proposed laws in Arizona and North Dakota that aimed to break its App Store monopoly in those states have apparently failed. But the company remains in legislators’ crosshairs at the federal level, and antitrust remedies that would loosen its control over its platforms remain on the table.
Still, I suspect the number of iPhone users who would like to see sideloading supported on iOS is relatively small. Device security and privacy are some of the most important aspects of any gadget, and a huge selling point for Apple products. It’s hard to imagine that many iPhone users would be willing to sacrifice that for potentially dodgy sideloaded apps. And if they want to sacrifice security for sideloading, they already have that choice: They can get an Android phone.
As for Neuenschwander, his argument against sideloading boils down to the case that everyone at Apple—including Tim Cook—has been making all along. “I believe that what we’ve built and what we’re offering users now is uniformly better, because we can focus in on that smaller attack surface and our stronger protections to help keep users safe,” Neuenschwander says.
Apple’s white paper is out now and can be accessed here. It’s an interesting, nontechnical read for anyone pondering the pros and cons of sideloading and security.