Apple warns: Sideloading apps threatens an iCrime wave

news analysis
Oct 13, 2021 | 4 mins
Apple, Mobile, Mobile Apps

An extensive Apple white paper describes the risks of app sideloading to consumers and enterprises.

Apple is fighting back against growing pressure to support sideloading on its App Stores with an extensive 28-page white paper in which it offers stark security and privacy warnings.

The risks of sideloading

The white paper, “Building a Trusted Ecosystem for Millions of Apps – a Threat analysis of Sideloading” argues that because iPhones and other devices capture so much personal information about people, maintaining privacy and security is critical. “Supporting sideloading through direct downloads and third-party app stores would cripple the privacy and security protections that have made iPhone so secure, and expose users to serious security risks,” the company said.

The European Commission, along with lawmakers in some European states, the US, and elsewhere, seems at present inclined to make Apple support app sideloading. The EC’s proposed Digital Markets Act could force the company to do so. Apple rejects this on the grounds of the potential harm to its customers and its platform.

Apple published a similar document explaining the benefits of its curated App Store in June, warning of significant dangers from a lack of curation. Critics of sideloading argue that while curation isn’t perfect, it is far, far better than nothing.

The paper cites a Nokia study that showed Android suffers up to 47 times more malware than iPhone. It also cites a European regulatory agency that reported 230,000 new mobile malware infections per day.

Threat of a new iCrime wave

“Android smartphones are the most common mobile malware targets and have recently had between 15 and 47 times more infections from malicious software than iPhone. A study found that 98 percent of mobile malware targets Android devices.

“This is closely linked to sideloading: In 2018, for example, Android devices that installed apps outside Google Play, the official Android app store, were eight times more likely to be affected by potentially harmful applications than those that did not,” the paper says.

The paper discusses malware that posed as a security update for a spoof Android version of the Clubhouse app which asked users to turn off security settings that would prevent the malicious code being installed.

The company also warns that criminals may attempt to create fake app stores to trick consumers into sharing payment details. “Sideloading would make it easier and cheaper to execute many attacks that are currently difficult and costly to execute on iOS,” it says.

The risk to consumers is amplified, as in some cases app developers may force consumers to sideload their apps by refusing to offer them via the App Store. “Users may not get accurate information about apps they sideload through third-party app stores or via direct downloads because these app stores would not be required to provide the information displayed on the App Store product pages and privacy labels. And features like App Tracking Transparency and parental controls,” Apple rightly notes.

Security experts seem to agree

The report supports Apple’s arguments with statements from Europol, the European Agency for Cybersecurity, the US Department of Homeland Security, Norton, Interpol and NIST. The latter warns that “Sideloading, if done incorrectly, could make a mobile device extremely vulnerable to attack.”

It also quotes security vendor Norton:

“One way to minimize danger from third-party stores is to avoid them.”

“If Apple were forced to support sideloading via direct downloads and through third-party app stores, iPhone users would have to constantly be on the lookout for scams, never sure whom or what to trust, and, as a result, users would download fewer apps from fewer developers,” Apple said in its report. 

To sum up what it is trying to do, the Apple report repeats a 2007 statement by founder Steve Jobs: “We’re trying to do two diametrically opposed things at once: provide an advanced and open platform to developers while at the same time protect iPhone users from viruses, malware, privacy attacks, etc. This is no easy task.”

Real risks for real people (and businesses)

“Many iOS users use mobile banking and payment apps, and purchase goods and services on their devices. Employees also commonly connect to corporate networks on their mobile devices for work-related tasks. App Store users come from all walks of life and all age groups, speak different languages, and live all over the world. But one thing they have in common is that they are all protected by the App Store safeguards,” the company says.

While Apple’s arguments will almost certainly be rejected by rivals who want to force it to support sideloading, it’s possible they will be taken seriously enough by regulators that they will seek a more secure compromise for the platform.

Hello, and thanks for dropping in. I'm pleased to meet you. I'm Jonny Evans, and I've been writing (mainly about Apple) since 1999. These days I write my daily AppleHolic blog at Computerworld.com, where I explore Apple's growing identity in the enterprise. You can also keep up with my work at AppleMust, and follow me on Mastodon, LinkedIn and (maybe) Twitter.