Letting users bypass App Store would be security risk, says Apple

By Alex Hern

Allowing users to bypass the App Store would lead to a wave of damaging malware on iPhones and iPads, Apple has warned, as the company faces the prospect of sweeping regulatory action on both sides of the Atlantic.

Opening up iOS to “sideloading”, the name for installing software from unapproved sources, could allow malicious software to hold user data to ransom, let children bypass parental controls, or lead to rampant piracy, the company claims in a new paper.

It’s a rare direct intervention in policy from the iPhone maker, which normally declines to discuss “hypotheticals”. But it comes as legislators in the US, and regulators in the UK and EU, are considering proposals to force the company to allow sideloaded apps, limit its own ability to bundle services with the iPhone, or require it to offer equal access to its competitors, as methods of weakening Apple’s dominance over the mobile economy.

The policy paper, posted to Apple’s site on Wednesday morning, argues that the company’s strict control of the iOS App Store is crucial for the “highly effective” security and privacy of the iPhone to function. “Allowing sideloading would degrade the security of the iOS platform and expose users to serious security risks not only on third-party app stores, but also on the App Store,” the paper claims.

“Because of the large size of the iPhone user base and the sensitive data stored on their phones – photos, location data, health and financial information – allowing sideloading would spur a flood of new investment into attacks on the platform.”

Apple argues that mobile platforms are distinct from computers, which have always allowed users to install software downloaded from the internet. “iPhone is used every day by over a billion people – for banking, to manage health data, and to take pictures of their families. This large user base would make an appealing and lucrative target for cybercriminals and scammers, and allowing sideloading would spur a flood of new investment into attacks on iPhone, well beyond the scale of attacks on other platforms like Mac,” the paper says.

As well as simple malware, Apple argues that more nuanced harms would come to users, in a narrative “following the day of John and his seven-year-old daughter, Emma, as they navigate this more uncertain world”. Without parental controls on apps and games, for instance, the company says unscrupulous developers might encourage children to purchase in-game items with their parents’ credit cards, while adults may accidentally end up subscribing to pirated apps, “unknowingly supporting a fraudulent scheme that deprives developers of their earnings”.

The company’s claims are partially backed up by analysis from Google suggesting that Android, which does allow sideloaded apps, has malware installed on 0.1% of devices at any given time – about 3m phones.

But critics argue that focusing on sideloading allows Apple to dismiss the many smaller changes that could open up competition on iOS without harming user security. “I DON’T want alternative app stores or sideloading on iOS. That’ll make the platform much worse,” wrote Apple developer Marco Arment, creator of Instapaper and Overcast, last month. “I want in-app purchasing for digital goods to have the same rules as physical purchases. And if Apple continues not to bend on the latter, governments may soon force the former.”