 
 
Charlie Osborne for Zero Day | October 13, 2021 | Topic: Security
Apple has defended its position on the restriction of app sideloading in light of current EU discussions surrounding competition in the tech space.
On Wednesday, the iPad and iPhone maker published a new paper (.PDF) on sideloading, a process allowed by other mobile OS developers — such as Google, albeit with some friction — to install apps on devices outside of official app repositories.
Sideloading can be useful when users want access to software that is not available in official stores. Users may want to install apps that have been discontinued, apps whose newer versions are not compatible with an existing handset, or apps that have been pulled from an official source for whatever reason, such as legal battles.
However, there are caveats to this practice. If you bypass an official store such as Google Play, Apple’s App Store, or the Microsoft Store, you may be missing out on the security protections and verification in place for an app to be hosted, and, therefore, you may be exposing yourself to mobile malware.
In June, Apple chief executive Tim Cook claimed that sideloading was not in the best interests of Apple product users, and reviewing all apps introduced into the ecosystem keeps mobile malware rates low.
“Mobile malware and the resulting security and privacy threats are increasingly common and predominantly present on platforms that allow sideloading,” Apple says.
There are a number of ways that malware can reach a handset. On occasion, malicious apps can circumvent existing protections in an official app repository; but more commonly, apps can be spread through phishing, masquerading as legitimate software or OS updates, and website spoofing.
According to Apple’s research paper, “Building a Trusted Ecosystem for Millions of Apps: A threat analysis of sideloading,” — which builds upon a paper published in June — there are far more malware infections on Android-based devices than on iPhones. These infections include ad fraud software, spyware, Trojans, ransomware variants, and fake apps that could result in the theft of data or funds.
The research has been published in light of discussions in Europe concerning the Digital Services Act (DSA) and the Digital Markets Act (DMA). The EU’s proposals would require tighter controls on “illegal” content online and for “gatekeepers” — such as tech and service providers — to protectively preserve and permit competition.
As previously reported by ZDNet, this could include measures such as increased interoperability between services and third-party software, and a ban on preventing users from uninstalling pre-installed apps on mobile devices.
According to the Center for Strategic & International Studies, the DMA could force vendors such as Apple and Google to facilitate sideloading in the future.
While renewed regulation could be a positive force, there may not be enough discussion concerning the security of mobile device users, and the ramifications of taking away their choice to purchase a handset contained in a closed and, therefore, potentially safer mobile ecosystem.
Apple says that if the company were forced to support sideloading, even if limited to “third-party app stores only,” this would increase the spread of harmful applications as these sources may not have sufficient vetting procedures.
Apple claims that users would end up with less control over their apps, and that features including parental controls, accessibility, and app tracking transparency would be negatively impacted. In addition, Apple says that users could end up being forced to sideload apps due to work or school.
“Some sideloading initiatives would also mandate removing protections against third-party access to proprietary hardware elements and non-public operating system functions,” Apple says. “This would undermine core components of platform security that protect the operating system and iPhone data and services from malware, intrusion, and even operational flaws.”
The tech giant added:
“Forcing Apple to support sideloading on iOS through direct downloads or third-party app stores would weaken these layers of security and expose all users to new and serious security risks: It would allow harmful and illegitimate apps to reach users more easily; it would undermine the features that give users control over legitimate apps they download; and it would undermine iPhone on-device protections.
Sideloading would be a step backward for user security and privacy: supporting sideloading on iOS devices would essentially turn them into “pocket PCs,” returning to the days of virus-riddled PCs.”