Apple explains security & privacy risks of side-loading in detailed new paper

Credit: Andrew O'Hara, AppleInsider

The whitepaper, "Building a Trust Ecosystem for Millions of Apps," is an update on a previous version released in June. It leaves behind the approach of using fictional characters to explain security threats in favor of a more academic tone.

From the start, the paper takes a hard stance against side-loading, claiming that the practice would "cripple the privacy and security protections that have made iPhone so secure, and expose users to serious security risks."

Apple says that being forced to allow side-loading on iOS would allow harmful apps to proliferate among users, take away user control once apps are already downloaded onto their systems, and mandate removing protections from sensitive areas on an iPhone. The company claims these risks would be present even if side-loading was only available through third-party app stores on a device.

"Users could be forced to sideload an app they need for work or school," Apple writes. "Users also may have no choice other than sideloading an app that they need to connect with family and friends because the app is not made available on the

App Store."

The rest of the paper takes a deep dive into the current mobile threat landscape, using statistics and examples of current spyware that leverage side-loading or tricking users to spread.

Apple gives specific malware examples too, including adware HiddenAds, ransomware CryCryptor, and surveillance app FakeSpy. Notably, those mobile threats are all present on Android, which Apple used as an example of the dangers of allowing side-loading.

The Cupertino tech giant highlights research suggesting that the iPhone is the most secure mobile consumer device. It also details some of the methods that make malware rare on the platform, including the App Review process and an iPhone's built-in layers of protection.

Forcing Apple to support sideloading on iOS through direct downloads or third-party app stores would weaken these layers of security and expose all users to new and serious security risks: It would allow harmful and illegitimate apps to reach users more easily; it would undermine the features that give users control over legitimate apps they download; and it would undermine iPhone on-device protections. Sideloading would be a step backwards for user security and privacy. Supporting sideloading on iOS devices would essentially turn them into "pocket PCs," returning to the days of virus-riddled PCs.

The research paper comes in response to increasing talk of side-loading as a potential remedy for antitrust concerns. Both the U.S. and European Union, for example, are exploring legislation or rules that could force Apple to allow side-loading on its platforms.

Apple has argued against wide adoption of side-loading in the past, including in court during the Epic Games v. Apple trial. Company CEO Tim Cook also spoke out against the practice in the EU earlier in 2021, claiming that it would threaten iPhone security.

Individual users can side-load through Xcode now, but it requires a modicum of technical ability to do so. Enterprise certificates exist as well, but there are restrictions on what it can be used for, what volumes of installs are allowed, and more.

While Android can be configured to allow side-loading, it is not shipped with the feature enabled by default. Both Google and Samsung consider it a security risk.

Compared to previous iterations of its security research, the new white paper is much more in-depth and features expanded information on what it believes are the threats of side-loading. The paper is available to download.