Apple’s stance on sideloading apps is both good and a little crazy

Federighi is furious.

Never has Apple provided an official way to sideload an app on an iPhone or iPad. These lockdowns are in direct contrast to the more open nature of Android which, since its inception, has allowed users to sideload APKs and install them so long as they flicked on a certain security setting. Over the years, this has led to Apple’s platforms adopting the perception of being much less willing to accommodate for every users’ wants and needs in the name of privacy, and it seems the company will be keeping that mantra going forward.

Craig Federighi, Apple’s Senior VP of Software Engineering, took the stage at this year’s Web Summit in Lisbon, Portugal to talk about this topic amidst Apple’s fight against the European Commission and its Digital Markets Act. In the commission’s proposal, Apple would be required by law to allow users to install apps from other sources beyond the App Store, which translates to sideloading.

And Federighi is not happy.

Here’s the big line everyone’s been quoting: “Sideloading is a cyber criminal’s best friend and requiring that on iPhone would be a gold rush for the malware industry.” He backed this up with some slides that detailed Android’s struggle with app sideloading, citing “five million Android attacks per month.”

“There’s a clear consensus here, and it’s that sideloading undermines security and puts people’s data at risk,” Federighi continued. “European policymakers have often been ahead of the curve, but requiring sideloading on iPhone would be a step backward.”

Federighi used an analogy where your iPhone is a “really safe home” and the ability to sideload apps is “an always-unlocked side door on the ground floor.” (Transcript sourced from AppleMust.com.)

Now some of your neighbors, they love this idea. But you’re not so sure, because you know that once a side door is built, anyone can walk through it. The safe house that you chose now has a fatal flaw in its security system, and burglars are really good at exploiting it. In a nutshell, sideloading is that unlocked side door and requiring it on iPhone would give cybercriminals an easy point of entry into your device. Now, we don’t think anyone wants that, least of all the policy makers intending to give users more choice and more protections.

Instead of creating choice, it would open up a Pandora’s box of unreviewed malware ridden software and deny everyone the option of iPhone secure approach.

I emphasized the word “choice” in that quote because it’s an important word to keep in mind. An argument that seems obvious when it comes to letting people sideload apps on their iPhones is giving users a choice over what they can install, not what’s already been chosen for them by a tech overlord. Federighi takes this argument and completely spins it in the name of security.

He starts off by recognizing the “attraction” of “[letting] people choose whether or not to sideload, let them judge the risks and they can decide for themselves.” He then takes a sharp left turn and highlights the people who don’t ever intend to sideload an app. This includes people who are duped by official-looking websites claiming to be legit, only to have you install a malicious copy of the app you were looking for.

Federighi also highlights social media apps that might not opt to distribute their apps through the App Store due to “pesky” security protocols they’d need to follow. “Privacy features that go belong beyond the bare minimum legal standards, the ones that users truly rely on to keep their information safe? Well, these would no longer exist for these apps. And you’d be stuck with the alternative of losing touch with your friends online, or taking on the risks of side loading.”

Immediately afterward, Federighi speaks to those who are able to spot every potentially malicious app and are smart enough to avoid being infected.

Well, that might be true for you. But your child might be fooled, or your parents might be fooled. And even if you see through every deception, the fact that anyone can be harmed by malware isn’t something that we should stand for.

The fact is one compromised device including a mobile phone can pose a threat to an entire network.

Malware from sideloaded apps can jeopardise government systems, infect enterprise networks, public utilities, the list goes on.

So even if you never sideload, your iPhone and data are less safe in a world where Apple is forced to allow it.

This quote, said earlier in the presentation, pretty much sums it up.

As an engineer who wants iPhone to stay as secure as possible for our users, there is one part I worry about and that’s the provision that would require iPhone to allow sideloading. In the name of giving users more choice, that one provision would take away consumers’ choice of a more secure platform. All of this comes at a time where people are keeping more personal and sensitive information than ever on their iPhones. And I can tell you there have never been cybercriminals more determined to get your hands on it.

Is Craig right?

Yes and no.

On the one hand, he’ has a terrific point about the iPhone’s security. For years, Apple has capitalized on its advancements in privacy to differentiate itself from its competition. Billboards, TV commercials, and a common consensus are all in alignment with one another: Apple offers some of the best security you can get out of mobile devices.

That’s the reason so many people buy them, including myself. I store a lot of personal information on my iPhone and MacBook, and I don’t want anything to happen to it. If I’m going to trust anyone with it all, my first pick is going to be Apple.

On the other hand, Federighi could very well be blowing this out of proportion. Speaking of MacBooks, macOS has been able to sideload apps since its inception. The only requirement Apple instates is a verification developers need to receive in order for their apps to not be automatically blocked by the system. So long as that ID is checked and validated, you can install pretty much any software you want, regardless of whether it fits in with the App Store’s guidelines.

Why not do that on the iPhone? Forget about installing random IPA files like people install random APKs. Just make the experience of sideloading better than on Android with better security by using a stricter verification system. It worked on the Mac, and it remains unclear why it wouldn’t on the iPhone or iPad.

Apple shooting this idea down so harshly could also signal a level of distress within the company. Apps not being offered through the App Store means Apple loses control over them and they’ll never see a dime from them. The developer won’t have to pay for an Apple Developer account, and if they decide to offer in-app purchases, Apple won’t be getting its 30 percent cut.

The App Store is a serious money-maker for Apple, and to watch that all dwindle away in the good name of “security” isn’t worth it, at least in Apple’s world.

Federighi going onstage to preach this topic to people is an interesting choice to fight against the EU. Something so open and vulnerable isn’t something we usually see from Apple, so it’s reasonable to believe the circumstances this time around are different. Apple’s definitely shaking in its boots a little here.

Whether the DMA ever passes is still a question that hasn’t been answered, and it seems Apple’s willing to go to great lengths to ensure it never sees the light of day. I’m not sure if yesterday’s stunt will do any damage, but it at least gives us a glimpse into Apple’s reasoning for locking down the iPhone so much, if only in the context of a law they don’t like.


Facebook pulls a sneaky one on Apple

Facebook has found a way to get around Apple’s 30 percent cut to ensure creators get all the money they’ve earned (besides taxes). Mark Zuckerberg announced a new button you can add to posts that will take users directly to Facebook’s own payments system outside of the app. Any creator who uses it will keep all of the money they earn, and Facebook will even give creators bonuses as part of a $1 billion program to grow its creator economy.

If you’re wondering whether any of this is legal, it definitely seems to be. Apple was recently forced to allow developers to include external links/buttons to other payment systems if said developer didn’t want to use Apple’s system. That’s precisely what Facebook is doing here. “As we build for the metaverse, we’re focused on unlocking opportunities for creators to make money from their work,” Zuckerberg said.

Apple likely won’t appreciate this move, but there’s not much it can do to shut it down. Facebook’s legal stance seems to be sound, so it’ll be interesting to see how many companies follow in the social network’s footsteps now that the rules and regulations for the Apple App Store grow grayer and grayer.


More news

Facebook is pulling the plug on its facial recognition system after some controversy. It still says recognizing faces will be a big deal moving forward, so I assume it’ll make a return at some point. Adi Robertson at The Verge has a solid piece on it.

Zillow has confirmed it’s gonna stop trying to sell/flip homesJon Swartz at MarketWatch has a breakdown of the news.

Boeing is officially allowed to begin work on bringing its satellite internet project to life. The FCC just gave them the go-ahead to launch satellites into lower earth orbit to provide internet access to vastly more customers around the world. David Shepardson has more details at Reuters.

Amazon says it’s brining Matter support over Thread to Echo and Eero devices in the future. This has been a longed-for announcement from the company after many others pledged their support early on. Amazon has a blog post about it here, and you can read through the lines with Florence Ion at Gizmodo here.

Amazon has released its October 2021 update for Alexa devices that lets you ask the assistant to “move your music” to whatever room you’re in. The company has a blog post up that goes over all the new features in the update.

You can now see previews of Instagram posts when you share a link to them on Twitter. Why this is a feature that’s just now rolling out is beyond me.

Asus has unveiled a detachable laptop with an OLED display. Called the VivoBook 13 Slate OLED, it’s priced at $599.99 and ships with a detachable form factor and one of the best display technologies out there. Gordon Ung at PCWorld has more details.

If your Pixel 6 display has been flickering, Google says a fix is coming in December. It’s entirely a software-driven problem, apparently, so you shouldn’t have to worry about getting your phone physically repaired. Babu Mohan has more details at Android Central where these “residual light” flickering problems first surfaced.

From the Matridox newsletter. Subscribe to get articles like these directly in your inbox!