A threat analysis of sideloading [pdf]

64 points, posted by julkali over 3 years ago

15 comments

jmull, over 3 years ago

Apple's argument is basically, "It'll be chaos!!!"

But...

We don't have to wonder what it would be like. There's been mass use of platforms that allow "side loading" (AKA, just regular installing) and "third-party app stores" (AKA, just regular buying software) for decades.

No, it hasn't always been pretty.

Yet it just hasn't been that bad either, and the benefits have proven to be very substantial. There are incredible amounts of great software available that doesn't fit into Apple's idea of what ought to be allowed.

And it's not like you can download with confidence from the Apple App Store either. They play a cat-and-mouse game with malware constantly and there's been plenty of collateral damage.

I think there's no question third-party app stores, or just direct side-loading, would lead to a lot of new great software, without a ton more risk. I think the weakness of this argument document shows that.
Someone1234, over 3 years ago

If this was actually about security instead of control, Apple could compromise: allow third-party app stores to exist, but Apple gets to sign the third-party store app itself (and can set minimum requirements like app review).

It may sound counter-intuitive, but the whole issue here is that Apple is using their store for anti-competitive things (e.g. blocking/slowing competitors, requiring the use of Apple's payment infrastructure, Apple's ads, etc).

If third-party stores could exist, you wouldn't need side loading, and security isn't completely compromised as hopefully the third-party store provides *some* level of assurance (vs. essentially none with side loading).

This of course won't happen because it is absolutely about *control*. Apple may one day allow side loading but will make the process incredibly unpleasant, citing For Security Reasons™ as their justification.
Crontab, over 3 years ago

I appreciate that requiring the use of the App Store makes security easier, but I think the current situation gives Apple and governments too much power over developers and users.

Side-loading should be permitted. I am okay with it not being allowed by default, but it should be something a user can override.
throwaway946513, over 3 years ago

> Over the past four years, Android devices were found to have 15 to 47 times more malware infections than iPhone.

This reminds me of the NSO and Apple's history of failing to cooperate with security researchers. If sideloading "were possible" and "forced upon users by schools and jobs", then I'd find it interesting that Android users by far haven't complained about this. I used to use an Android device and never had anyone force or tell me to sideload an app that I didn't want to use myself.

I've actually had to install more apps through the Play and App Store for my education and work.

All this said, my current iPhone 6s will be derelict soon and replaced by a de-googled Android device in the future.
willvarfar, over 3 years ago

I don't understand why the "private" APIs aren't protected by capabilities. iOS has the facilities to lock these APIs down properly: https://developer.apple.com/documentation/xcode/adding-capabilities-to-your-app . Grepping App Store submissions seems obviously flawed.
raxxorrax, over 3 years ago

> Adult video chat sites lure targets into downloading spyware

Contrary to all the apps on the proprietary stores of smartphone manufacturers that never spy on people.

Information extraction is a security issue, plain and simple. Smartphones are extremely bad here compared to platforms that allow sideloaded apps. Being dependent on one manufacturer is also a security issue.

So I don't understand the security argument. Apps on shops probably don't contain malware; many of them exploit you legally. The software landscape outside of stores is far less prone to exploitation.
orev, over 3 years ago

Remember when LinkedIn made an app that MITMed email connections just so they could add a signature to your messages? [1] Or when Facebook was distributing internal dev certificates to the general public so they could collect data on teenagers using private iOS APIs? [2]

Sure, most here would know not to do it, but it's abundantly clear that the general public cannot manage technology.

And this is what these companies were doing publicly. Imagine if they had unrestricted access through other app stores? Data is the modern-day gold rush, and it seems like every company has gold fever. They just can't help themselves in being as intrusive as humanly possible. It's nice to have some kind of control over it.

I would be open to alternate app stores if and only if they were unable to circumvent MDM restrictions. At least that way you could protect company assets.

[1] https://news.ycombinator.com/item?id=6600597
[2] https://www.theverge.com/platform/amp/2019/1/30/18203551/apple-facebook-blocked-internal-ios-apps
howinteresting, over 3 years ago

Personally I think sideloading on personal computing devices like smartphones should be mandated by law, and then the big brains at Apple can figure out how to make it secure.
ENOTTY, over 3 years ago

I think Apple makes great products, and skimming through the paper, I find this analysis to be on-target. But this is coming from an obviously biased source.

As with most things in security, it's a trade-off between competing goals and principles.
marcodiego, over 3 years ago

I use an old Android phone reflashed to e.os using F-Droid. I think all those threat modes are avoided by using it.

I don't think it is safe for every user to do the same I did, but I'm glad I could do it.

I think a reasonable solution would be something like a hardware seal that unlocked the bootloader once broken. If the vendor worries about how this may affect them, breaking the seal could also void the device warranty.

I'd gladly buy a second-hand, still powerful device, void its warranty and install whatever I wanted on it.
samgranieri, over 3 years ago

Granted, I've never submitted an app to the App Store (outside of work) and I do have some *serious* reservations about how Apple runs the store, but I actually like the fact that the only way to sideload apps on the device is to jailbreak or compile and install the app yourself (provided you sign up for an Apple developer account). I think the lack of officially sanctioned sideloading keeps the device simpler, and in my mind that's more secure.
boringg, over 3 years ago

I am maybe the anomaly in this crowd (I also don't develop apps for iPhones), but I appreciate the security benefits that Apple puts on people. Sure, it comes at a cost of "freedom" of applications that I could put on my phone, but it gives me a bit of peace of mind that my aging parents and my nieces and nephews are able to use the phone without downloading very risky applications (I mean there are still risks abound, but it decreases it significantly). There are already enough security flaws that continue to be patched up on an on-going basis that it seems unnecessary to open this level of risk for their client base. One less thing I need to worry about.

Understand I am fairly alone in this perspective.
jagger27, over 3 years ago

It's the sharpest of all double-edged swords. Of course I would immediately sideload a Gameboy emulator, but I'd want it to be signed by Apple. Maybe even Mozilla would make a proper build of Firefox for iOS.

Surely Apple is confident in its app sandbox security model and can properly enforce those boundaries, right?

I find Apple's most convincing argument to be that schools and businesses might force you to sideload their craptacular app that didn't pass review.
diebeforei485, over 3 years ago

The argument about users being forced to sideload apps by their school (effectively spyware) is a good one. This has become a real issue during remote learning.

Ultimately, if Apple keeps insisting on digging in their heels on the supracompetitive 30% commission, then governments will have to act with a broad brush and allow sideloading as a way to force competition.
mikewarot, over 3 years ago

Until we can safely support native mobile code, and let the hardware and OS keep it from going rogue, we're on the losing end of the war against general-purpose computing.