Apple is back with a lengthy whitepaper that once again claims allowing third-party app stores and ‘sideloading’ would completely undermine the security and privacy protections of the App Store and harm users. This new whitepaper expands on a similar report Apple put out in June, although this time around it takes on a more academic tone.
Before we get into some of the arguments Apple makes in the document, let’s take a few moments to understand the importance of the document overall. First, the paper comes amid Apple’s ongoing battle with regulators over the App Store. The company has been accused of abusing its control over the App Store to uphold a monopoly over software on iOS.
However, Apple has refuted allegations and defended its control over the App Store as a necessity to ensure the security of iPhone users.
It’s also worth keeping in mind that Apple has a huge financial incentive to defend the way the App Store currently operates. The company can currently take a 15 or 30 percent cut of revenue from apps available on the App Store, depending on which criteria the app meets. In most cases, developers have no choice but to comply with Apple’s revenue share program since no other app markets are allowed on the company’s platform — however, thanks to the recent Epic Games vs. Apple lawsuit, Apple must now allow apps to offer other payment processing options.
One of the possible ‘solutions’ to Apple’s alleged App Store monopoly is to have the company allow third-party app stores or sideloading of apps from other sources than the App Store. Apple is very clearly against that, which is likely why the company published this 31-page report about how sideloading would be bad.
Apple blames Android malware on sideloading
Let’s start by defining sideloading (since it’s the main thing Apple addresses in the document). Sideloading refers to downloading apps from sources other than the default app store.
For the most part, Apple argues that Android has more malware and security issues than iOS because of sideloading. By extension, Apple says it shouldn’t be forced to allow sideloading of apps since it’d introduce more malware to iOS. While Android likely does have more malware than iOS, sideloading likely isn’t entirely to blame.
Apple’s document kicks off with this claim:
“Supporting sideloading through direct downloads and third-party app stores would cripple the privacy and security protections that have made iPhone so secure, and expose users to serious security risks.”
The iPhone-maker goes on to point out how over the past four years, Android devices had “15 to 47 times more malware infections than iPhone.” Apple cites Nokia’s 2019 and 2020 ‘Threat Intelligence Report’ for that statistic.
Apple argues only it can properly vet apps
Apple then moves into explaining what would happen if regulators forced it to allow sideloading.
To start, the company claims that if sideloading were allowed, more harmful apps would reach users. The main point Apple seems to make with this argument is that only it has the ability to properly vet apps:
“The large amount of malware and resulting security and privacy threats on third-party app stores shows that they do not have sufficient vetting procedures to check for apps containing known malware, apps violating user privacy, copycat apps, apps with illegal or objectionable content, and unsafe apps targeted at children.”
Unfortunately, we already know Apple routinely fails to vet apps properly. This report from The Verge details how Apple repeatedly failed to catch scam apps that use the company’s in-app billing system to charge uses exorbitant subscription fees.
It’s also not clear which third-party app stores Apple uses for this comparison as there are no official third-party app stores for iOS. On the Android side, Google is facing its own antitrust cases over app store practices — evidence suggests the search giant worked to undermine competing app stores. There are other sources for getting apps outside of Apple’s and Google’s stores, such as for jailbroken iPhones or just for regular sideloading on Android. Whether those alternate app sources have vetting processes or not is unclear. It’s certainly possible that there is more malware on these alternative app marketplaces than on official app stores.
That said, a legitimate, properly funded, official app store would also likely be able to vet apps properly (and if it couldn’t, it would have a hard time convincing users to switch if the App Store were a safer option).
Apple claims sideloading would undermine platform security
Another argument Apple makes in the document is that sideloading would force it to remove protections against third-party access to proprietary hardware.
“This would undermine core components of platform security that protect the operating system and iPhone data and services from malware, intrusion, and even operational flaws that could affect the reliability of the device and stop it from working,” the document says.
This, however, is not how sideloading typically works. The last time Apple made this argument, we explained that apps interact with phone hardware via application programming interfaces (APIs) and other system-level software built into the operating system (OS).
Take, for example, the camera. Any app that wants to utilize a phone’s camera needs to interact with APIs, drivers or other systems to take a photo. Security features should exist in those interaction layers — sideloaded apps still need to interact with those layers. Granted, malicious developers could try and bypass these systems, but that’s a risk regardless of the source of an app. Arguably, Apple would catch malicious apps submitted to official platforms, but as mentioned up top, Apple already has a hard time with obvious scam apps.
Apple also argues that sideloading apps would undermine features like its fancy new App Tracking Transparency. However, evidence already indicates that App Tracking Transparency sometimes doesn’t do much to protect users from tracking.
Apple effectively argues against a poor implementation of sideloading
Apple’s 31-page argument against sideloading is full of reasons why it shouldn’t implement sideloading. There are good points, and there are arguments that fall flat. Ultimately, Apple successfully argues against a poor implementation of sideloading.
While sideloading could facilitate malware by potentially allowing users to download apps from unsafe sources, that’s a problem only if Apple does absolutely nothing to protect users. Look at macOS, for example — it allows users to install apps from anywhere, but also has built-in systems to protect users, like permissions and a warning system. If Apple can make that work on macOS, why can’t it do the same on iOS? And if sideloading is so dangerous, shouldn’t Apple shut down the ability to sideload apps on macOS?
It’s also worth noting that this assumes regulators want Apple to allow sideloading, but they might not. Apple’s App Store is accused of being a monopoly, in part because it’s the only source of apps for millions of iOS users. If alternate app stores were allowed on iOS, it’d introduce competition without necessarily enabling sideloading.
Update 14/09/2021 11:21am: This story has been updated with several changes and additional links.