
Side-loading is a gold rush for cybercriminals, says Craig Federighi


Craig Federighi, Apple's Software Engineering chief, gave a keynote focused on the dangers of forcing Apple to allow side-loading on iPhone at the Web Summit 2021 conference.

During a keynote speech on day two of the Web Summit in Lisbon, Portugal, Federighi touted the benefits of Apple's iOS and the built-in protections of the App Store. He also spoke out against the provision to allow side-loading in the European Union's Digital Markets Act.

"The DMA has an admirable mission: to promote competition and to make sure consumers have choice," said Federighi. "And I'm a big fan of both of these goals. But as the engineer who wants iPhone to stay as secure as possible for our users, there is one part I worry about. And that's the provision that would require iPhone to allow side-loading."

Federighi said that the provision, intended to provide more choice to consumers, would actually take users' choice away.

"Because in the name of giving users more choice," Federighi said. "That one provision would take away consumers' choice of a more secure platform."

The Apple SVP then reiterated some of the company's past talking points on side-loading, included in an October update to its "Building a Trusted Ecosystem for Millions of Apps" white paper.

Federighi, and that white paper, both touted the privacy and security benefits of the iPhone. They also maintain that security is essential on a user's smartphone, given the expanding amount of sensitive data stored on them.

The Apple software chief focused almost entirely on side-loading, choosing to forgo talking about the other provisions in the DMA. The crux of his argument came down to the fact that allowing side-loading would, according to Apple, cripple the company's privacy and security mechanisms.

As Apple did in its research paper, Federighi gave a number of specific examples of malware and ransomware that run rampant on competing platforms like Android. All of them, Federighi said, rely on side-loading in one way or another.

"Cybercriminals' targets and strategies vary, but here's one thing that couldn't be more clear: side-loading is a cybercriminal's best friend," Federighi said. "And requiring that on iPhone would be a gold rush for the malware industry."



31 Comments

Cesar Battistini Maziero 8 Years · 410 comments

Part of the reason I give iPhones to my grandmas and aunts is because of exactly this. 
No matter what they download, they will not destroy their phone.

I choose security with my eyes closed. 
If you want a platform where you can do whatever, it already exists, it's called Android, just go away.

gatorguy 13 Years · 24627 comments

An app from Apple's AppStore will be just as secure and malware-free as it is now whether 3rd party stores/sideloading is permitted or not. It changes nothing for an iPhone owner who uses only the first-party store. 

No one is saying Apple needs to make it as easy to sideload as not. FWIW Google makes it fairly difficult to do so now, so even if it can be done they definitely strongly discourage it with change settings in an obscure place most people would never see. Allowing a user choice of what applications to load on their own personal $1000 expenditure puts the onus where it belongs. The only legitimate reason not to is purely profit-based and not because they're "saving us from ourselves". 

We buy homes and add furniture we choose from whatever source we wish, no payment to the architect or the builder. We buy cars and change out the audio, headlights, et al. sourced from wherever we wish, no permission required from the auto manufacturer or fee to be paid. We buy computers and laptops and add programs from any developer we wish, no stipend needs to be paid to the computer vendor or manufacturer. But we buy a smartphone and can only add applications that the provider further profits from and/or offers themselves?

EDIT: As I said, it's not a simple thing to sideload on Android now. It requires more than a bit of familiarity with the system structure and so not something Cesar's grandmas and aunts would accidentally do.

Pull down from the top and tap Settings. Then nestled among a dozen or so main collections from Security (which is where I would have expected it to be) to Privacy to System, go to Apps, where you're presented with all your recently opened ones and an option to see all of them. Nothing there indicates anything about outside sources or 3rd party stores or anything else. Where they've hidden it is in yet another sub-menu; Special App Access. Even there you won't find it on the first page of options.

Down near the bottom if you scroll far enough will be "Install unknown apps", a disconcerting title. Now tapping that makes it even more difficult because you then are offered several different categories of personal devices, products, files and browsers where you will choose to allow it, but which one?? By default they are all disallowed. Yup, daunting for someone with little knowledge.

Apple can do the same, make it pretty darn hard, in fact near impossible, for mom, pop and that great aunt to accidentally load an app that comes from an unsafe place. Only the knowledgeable will be able to do so.

elijahg 18 Years · 2842 comments

So what about the fact that you can currently side-load some apps (with an enterprise certificate) and there is no "gold rush" from cybercriminals? Apple is drunk on control. 

crosslad 11 Years · 527 comments

The danger is when developers decide not to put their apps in the App Store, forcing you to side load from the web. 

gatorguy said:
An app from Apple's AppStore will be just as secure and malware-free as it is now whether 3rd party stores/sideloading is permitted or not. It changes nothing for an iPhone owner who uses only the first-party store. 

No one is saying Apple needs to make it as easy to sideload as not. FWIW Google makes it fairly difficult to do so now, so even if it can be done they definitely strongly discourage it with change settings in an obscure place most people would never see. Allowing a user choice of what applications to load on their own personal $1000 expenditure puts the onus where it belongs. The only legitimate reason not to is purely profit-based and not because they're "saving us from ourselves". 

We buy homes and add furniture we choose from whatever source we wish, no payment to the architect or the builder. We buy cars and change out the audio, headlights, et al. sourced from wherever we wish, no permission required from the auto manufacturer or fee to be paid. We buy computers and laptops and add programs from any developer we wish, no stipend needs to be paid to the computer vendor or manufacturer. But we buy a smartphone and can only add applications that the provider further profits from and/or offers themselves?

EDIT: As I said, it's not a simple thing to sideload on Android now. It requires more than a bit of familiarity with the system structure and so not something Cesar's grandmas and aunts would accidentally do.

Pull down from the top and tap Settings. Then nestled among a dozen or so main collections from Security (which is where I would have expected it to be) to Privacy to System, go to Apps, where you're presented with all your recently opened ones and an option to see all of them. Nothing there indicates anything about outside sources or 3rd party stores or anything else. Where they've hidden it is in yet another sub-menu; Special App Access. Even there you won't find it on the first page of options.

Down near the bottom if you scroll far enough will be "Install unknown apps", a disconcerting title. Now tapping that makes it even more difficult because you then are offered several different categories of personal devices, products, files and browsers where you will choose to allow it, but which one?? By default they are all disallowed. Yup, daunting for someone with little knowledge.

Apple can do the same, make it pretty darn hard, in fact near impossible, for mom, pop and that great aunt to accidentally load an app that comes from an unsafe place. Only the knowledgeable will be able to do so.

libertyforall 16 Years · 1417 comments

So add side loading, disable by default, give customers the choice.  
VOILA.