Apple's iPhone sideloading argument has some big holes

In recent years, Apple has painted itself as a staunch defender of people's security and privacy. It has taken that hardline stance, even in the face of public opinion often tied to the investigation of heinous crimes that involved the use of an iPhone. The company also likes to highlight its track record in keeping its App Store a safe place for users, even when that is built on what some have alleged to be anticompetitive and monopolistic business practices. On a technical level, a key element in its armor is the inability of iPhone and iPad owners to install apps outside the Apple App Store, ironically a feature that could actually reveal how weak iOS' security framework might be.

Technical Merits

Sideloading is the general term now used to describe the act of manually installing an app outside of a sanctioned first-party app store, often using an independent package. In the age before app stores, or even before smartphones, this would be the normal way to install software: Windows and Mac users have long been loading .exe or .dmg files, respectively. On iOS – and even on Android – today, though, it's seen more as a security liability.

In the context of app stores like Apple's and Google's, there is some level of truth to the dangers of sideloading. You don't often know where an app package comes from or if it's still the same, unaltered version that the developer or publisher distributes. Apple pointing, cautionary, to Windows and Android infections and exploits isn't entirely unfair: that flexibility in software does often lead to devices being compromised by malware.

Sideloading has an extra complication on iOS, but one that was made by Apple itself. In order to sideload iOS apps today, you have to jailbreak an iPhone or iPad, using complicated exploits to gain access to the device's internals and circumvent Apple's protections. In other words, such iPhones would become inherently insecure, which is the argument that one of Apple's top-ranking execs is now making.

Scare Tactics

Apple SVP Craig Federighi recently delivered an impassioned speech that took issue with the proposed Digital Markets Act legislation in the European Union. Among other things, this law would force Apple to officially allow sideloading apps, an activity that Federighi says is a cybercriminal's best friend. Apple is sending the message that EU legislators are, in effect, empowering criminals to harm their citizens.

This kind of rhetoric is nothing new for Apple, and it adeptly uses very colorful imagery for shock value. In this case, Federighi is saying that the new law will force users to weaken the security of the pricey homes that they bought for high-end security. In the past, it also defended its chokehold on the App Store as a way to protect kids from society's harmful elements.

Interestingly, Apple's argument about sideloading doesn't seem to apply to macOS, which has always allowed sideloading apps and still does. Yes, that has left the door open for a few examples of malware to wreak havoc on some Macs but, so far, nothing truly catastrophic has happened. Apple even has a notarization system for third-party apps distributed outside of the Mac App Store, a strategy that the company has conveniently ignored for iOS.

Walled Garden

As much as Federighi would like people to see it that way, the sideloading issue isn't just a technical nor just a security matter. There's also the thorny subject of Apple's alleged monopoly at play in the background. It has, after all, a vested interest to keep everything inside its App Store, which also means channeling all app and in-app payments through that system. It's an ecosystem that Apple has fought tooth and nail to keep, and it isn't about to back down any time soon.

At the same time, if merely opening the doors to sideloading apps will immediately compromise iOS, then perhaps the platform isn't as strong and as secure as Apple has played it out to be. Analogies only work to a certain extent, and operating systems aren't exactly like physical houses where security is completely thrown out the window if you leave a door open. Again, the realities of macOS come up, and while it isn't as spotless as iOS, it isn't as terrible as Windows and Android either.

In the end, it's also a matter of choice, something that Apple supports but in a fairly convoluted way. The Cupertino firm says that it is giving users the ability to choose a secure platform, by not giving them a choice to make it unsecure. Of course, those who really want to sideload an app can switch to Android, but that argument doesn't really work for iOS users and some app developers. Unfortunately, only the strength of legislation will be able to make Apple change course, but expect it to fight that until the bitter end.