Got a tip for us?
Let us know
Become a MacRumors Supporter for $50/year with no ads, ability to filter front page stories, and private forums.
Apple's Arguments Against Sideloading on iOS: All Your Questions Answered
- Thread starter MacRumors
- Start date
- Sort by reaction score
While most people don't get this specific, I figure many people arguing for the ability to obtain iOS apps from other sources than the App Store would accept a requirement that an app is signed and notarized, similar to macOS, even though macOS has a workaround to run unsigned or non-notarized app). Speaking for myself, I would accept that requirement, possibly even with no workaround.
I think you're greatly overestimating the value of signed code. Assuming that I knew of an exploit which Apple doesn’t — of which there are assuredly many — I could easily distribute a signed and notarized macOS app with malicious code that takes advantage of that exploit. Signed code only means that my application has not been modified from the state in which I distributed it. If Apple can’t catch the malicious code through notarization (again, given that they don’t know about the exploit I’m using), macOS will run my signed malware without question.
Notarization is more substantive than code signing, but it’s contingent on Apple knowing about every active exploit on their platforms, which they don’t and can’t. Not to say it’s meaningless, of course.
These are risks that every user of every device and every platform takes on simply by using them, even under the App Store model. It’s a fact of life, and Apple being the sole arbiter of what code is and isn’t allowed to run on their platform isn’t the answer, in case all the App Store scams and privacy violations haven’t made that clear by now.
Wait, what?!
How is it then that “Android is all safe and good and sideloading works perfectly fine without serious security issues, Apple should just put the installation behind a prompt just like Android”… or how come there’s rain and fire when there’s a copycat/scam/malware app that sneaks through the iOS’s AppStore vetting process but there isn’t remotely the same outcry for all the millions of malware infections/apps/scams/phishing/etc that are happening then per month on Android.
What’s going on here? Are these numbers believable?
Free and unrestricted platforms like macOS, Windows, Linux and Android all continue to exist and thrive. My Android-using friends are not all huddled in a corner crying at how miserable and scary their phone experience is; they're just using their phones like anyone else. It wouldn't have the market share it does if it was some abysmal, god-awful security-compromised piece of crap everyone here wants to have you believe it is. Sure, it is technically less secure by the numbers, but what that doesn't tell you is that the level of acceptability is still within the range of "nobody cares".
You're more likely to get shot at Wal-Mart before anything happens to your phone (oh wait, forgive my assumption, perhaps you live under a much more safe and locked-down regime).
Last edited:
Not sure I understand your point.
If you are looking for other analysis than that tied to those specific researchers it was covered a few times in the other threads.
For many of us we were looking to Apple to provide transparency, why this solution, why not the current cloud, and a few other analysis questions that should lead to potential solutions. There needs to be some serious discussion on Apple’s thought process for this. For many it is not the tech they are building, rather the “how” they got to that specific solution.
That needs to be answered first. Designing in a vacuum is not how you do this. Until we learn otherwise that is what this looks like.
That is a cop-out solution.
Over the years there have been many apps that Apple “kicked out” as they coincided or were the pre-cursors to Apple designed items. Then there are apps like theming which could be highly beneficial and actually drive additional iOS/iPadOS new customers (or return customers).
I use both Android and iOS. On Android I primarily use alternative stores (mostly FOSS). I wish I had that option for iOS. There are a lot of potential iOS / iPadOS possibilities out there that are safe however Apple will not allow as it violates some design tenet.
People are arguing for the policy to change so that signed apps can be distributed outside of the App Store
People want to distribute outside of the App Store, but nowhere did they say they want unsigned apps
You were presented specially with a study that says Android is worse and has much more malware… and this your comment?
I feel you didn’t even read the whole article and how Craig specifically addressed you screenshot. Now if you have a counter argument to his remark maybe your comment would have some weight to it.
Also Apple tried to shut them down or make many of them change their marketing material as I haven’t not been able to find one that actually does anything or can scan anything. At best some try to load profiles to filter internet and ads but even many of those get shutdown.
Spend more time reading the full article and possibly Apple’s 31 page document. Then provide a good counter argument and maybe you might have a point. Otherwise you’re just are part of the noise who don’t even back up their beliefs.
Have you ever listened to one of their quarterly filings? Though the App Store does generate revenue, it is far from their most profitable source of revenue. Saying that it has 0% to do with security is also kind of narrow thinking. Remember that Apple is made up of many people. Many of them don’t even see that $$. They may not have a say in the decisions but do influence it. Nothing wrong with making money but at the same time they most definitely care about security. If they can compliment each other there’s nothing wrong with that.
Please read the whole article before responding anymore. Specifically address the issue that Crag stated about what you are posing as a pro for your argument.
Goto this Apple article and read up on the feature. https://support.apple.com/en-us/HT202491
You’ll see that the feature can be overridden and therefor a user could be compelled to install an application that is not notarized and could compromise their Mac. Which is likely why Craig said macOS has a malware problem. Just because folks have a choice doesn’t mean they’ll will make good decisions.
If you want to open an app that hasn’t been notarized or is from an unidentified developer
Running software that hasn’t been signed and notarized may expose your computer and personal information to malware that can harm your Mac or compromise your privacy. If you’re certain that an app you want to install is from a trustworthy source and hasn’t been tampered with, you can temporarily override your Mac security settings to open it.If you still want to open an app for which the developer cannot be verified, open System Preferences.*
Go to Security & Privacy. Click the Open Anyway button in the General pane to confirm your intent to open or install the app.
The warning prompt reappears, and if you're absolutely sure you want to open the app anyway, you can click Open.
The app is now saved as an exception to your security settings, and you can open it in the future by double-clicking it, just as you can any authorized app.
This argument comes up every time this topic is discussed. The problem is that you can be as careful as you want, but your information is only as safe as the least common denominator of the people you communicate/know/associate with. If anyone at all that knows you is less careful thank you are, and lets bad software access all data on their devices, then everything they know about you becomes know as well.
Example: So often I get emails sent to me by people I know. They don't say anything that makes sense, and have a link for me to click. To anyone tech savvy, we know that the email did not really originate from our friend/family member. But to less savvy people, they might click the link. That contact email they used to email you became known to some scammer somewhere. What other information did they obtain? If they had access to someone's contact list, they would know your home address, email, phone number, and what else? Photos, videos.... files... etc. Do see my point? They don't need to compromise your device in any way at all to get all that. Just the device of anyone at all that you know that has any of that info about you. I take comfort in knowing who I communicate has an iPhone and is less likely to have malignant software.
What’s the point you’re trying to make. I can’t imagine opening the wound more would heal that problem?
Actually there are lots of parents who’s kids have made unauthorized purchases on their parents accounts who didn’t set up proper controls or their own separate account. So yeah in a way it does.
But also you‘re argument is not even related.
Apple can't refuse to sign the app because they’re (generally) not the ones doing the signing. A developer can technically sign their app with any certificate they’d like, but Apple would of course require that that developer’s signing certificate comes from Apple, which means that Apple can also revoke that certificate.
Apple signing an app on a developer's behalf would be akin to the first person I find on the sidewalk on a given day signing legal documents on my behalf. In general, it’s probably not a good idea. Apple cannot attest as well as I can that the application binary I'm signing is exactly what I intended to release.
Last edited:
Love that we all have to pay the price for people who are too stupid for their own good.
No one is saying doomsaying. They are pointing out that it has flaws they don’t want to deal with. So if they don’t side load doesn’t mean they can’t be affected by it.
Just like if you enjoy sunlight in your backyard but the neighbor wants to put up a tree in their backyard blocking your sun you’ll be affected by it. Its their property so they can do what they want with it but you are still affected. You still have your house and backyard and yet you’re now mildly inconvenienced if you enjoyed that sunlight.
Sometimes these concerns (side loading) will be minor or inconvenien. Other times it could be more extreme. People all around the world are victims of whatever scam the bad actor can dream up.