Apple warns of grave dangers posed by sideloading on iOS in new paper

News
By Stephen Warwick
published

App Store on iPhone
App Store on iPhone (Image credit: iMore)

What you need to know

  • Apple has warned of the massive impact sideloading could have on the iOS ecosystem and iPhone in a new paper published today.
  • The new document says Apple's approach to security on iPhone is highly effective, and that emerging antitrust legislation and chatter could jeopardize this.
  • Apple says third-party app stores could lead to apps that bypass parental controls and target user data for ransom, as well as piracy and user privacy breaches.

A new privacy paper published today by Apple has warned of the grave impact opening up the iOS ecosystem to third-party app stores and sideloading could have on iPhone security, privacy, and the user experience.

The paper, titled 'Building a Trusted Ecosystem for Millions of Apps' states that Apple's iPhone is designed in recognition that phones carry our most sensitive information about both our personal and professional lives, and that third-party app stores and sideloading (installing apps from somewhere other than the iOS App Store) could leave iPhone users vulnerable to attacks, ransoms, piracy, and more.

The paper comes following Tim Cook's interview at Viva Technology last week, in which Cook pushed back against sideloading apps on the iPhone and stated that Android has 47x more malware than iOS. Today's paper provides a deeper look at Apple's understanding of the issue.

Apple says that its approach to security and privacy on iPhone has been "highly effective", and that malware on iPhone is extremely rare. It also says that sideloading on iOS "would degrade the security of the iOS platform and expose users to serious security risks not only on third-party app stores but also on the App Store."

In the paper, Apple contrasts its own App Store with Android, stating that third-party app stores without review processes "are much riskier and more likely to contain malware as opposed to official app stores", according to official research from Symantec published in 2018.

Apple claims that sideloading on iOS would mean users "would have to constantly be on the lookout for scams", never knowing who to trust and that developers would suffer from fewer app downloads as a result.

In the paper, the company says there are a few main areas of vulnerability for sideloading, notably parental controls:

"It would also make it more difficult for users to rely on Ask to Buy, a parental control feature that allows parents to control their children's app downloads and in-app purchases, and Screen Time, a feature to manage their and their children's time with their devices. Scammers would have the opportunity to trick and mislead kids and parents by obfuscating the nature of their apps, making both features less effective."

This is because Apple says that its parental controls would not necessarily work with third-party apps on the App Store, providing the real-world example of a child who downloads an app only available on a third-party app store:

Emma asks John if she can play a game that she heard about from her friends at school. John looks for the game on the App Store, but the developer has only made it available on third-party app stores. This makes John uneasy, but he downloads it because Emma really wants to try the game, and the third-party app store claims the app is appropriate for children. Later, on their way to the park, when Emma is playing the game in the backseat of the car, the app bombards her with links to outside websites and targeted advertisements. John had added his credit card information to buy Emma a starter pack when he downloaded the game, but he didn't realize that the Ask to Buy parental controls would not work with this sideloaded app. While she is playing, Emma purchases many extra turns and special items, not realizing that her dad had not actually approved those purchases.

Apple claims that sideloading would leave users vulnerable to ransomware apps that could take user data hostage, for example threatening to delete all of the photos on a user's camera if they don't pay a sum of money. Apple also states sideloading would lead to an increase in app piracy through third-party app stores, and would undermine the privacy protections Apple has worked to build into the iOS user experience. The paper warns that users would not simply be able to choose not to sideload apps because some users "may have no choice but to take a risk by sideloading an app that is not available on the App Store", or that users might be tricked into doing so.

Objections

There are some notable objections to Apple's stance on sideloading thrown around by developers and commenters, for example, the fact that macOS users can sideload apps from a number of different locations whereas iPhone users can't. Yet Apple says in the paper that the scale of iPhone use (well over a billion people use iPhones every day), as well as the information contained on those devices (banking data, health, family photos, location, etc), make the iPhone a much more lucrative target for bad actors and scams:

"This large user base would make an appealing and lucrative target for cybercriminals and scammers, and allowing sideloading would spur a flood of new investment into attacks on iPhone, well beyond the scale of attacks on other platforms like Mac."

Apple is also not satisfied with the state of Mac security. At the Epic Games trial Craig Federighi told the court that Apple had a level of malware on Mac that the company didn't find acceptable and that malware hidden in apps on the internet on Mac was a regularly exploited vulnerability. Apple sees macOS security moving more towards iOS in the long-term, not the other way round.

Some critics say that the presence of a small number of scam apps on the iOS App Store undermine Apple's arguments about security, however, whilst some apps do sneak through Apple's review process, it believes that its control of the App Store means it is well placed to deal with these issues as quickly as possible where a third-party run app store might not.

With emerging antitrust laws that could try to force platforms like iOS to allow third-party app stores and sideloading, Apple is pulling out all of the stops to convince people that this would be a huge blow to iOS. It emerged earlier today that CEO Tim Cook has even called Speaker Nancy Pelosi and other members of Congress personally to warn of the dangers of such legislation. Such legislation is still a fair way off and won't impact iOS 15 or the upcoming iPhone 13, but remains a very real threat to Apple's future iOS ecosystem. You can read the full paper here.

Stephen Warwick
Stephen Warwick
News Editor

Stephen Warwick has written about Apple for five years at iMore and previously elsewhere. He covers all of iMore's latest breaking news regarding all of Apple's products and services, both hardware and software. Stephen has interviewed industry experts in a range of fields including finance, litigation, security, and more. He also specializes in curating and reviewing audio hardware and has experience beyond journalism in sound engineering, production, and design.

Before becoming a writer Stephen studied Ancient History at University and also worked at Apple for more than two years. Stephen is also a host on the iMore show, a weekly podcast recorded live that discusses the latest in breaking Apple news, as well as featuring fun trivia about all things Apple. Follow him on Twitter @stephenwarwick9