Apple's Arguments Against Sideloading on iOS: All Your Questions Answered

[ridddder55]

Now I thought you could download an app from a website, using the browser, and add it to your phone. I know the corporation I work often distributes apps via a special web link. Does this not work at all? Since I haven't done this in a while, and also because it is a hassle to manually type the complete web address into the browser.

 

[ridddder55]

I haven't side-loaded anything on my Pixel 6, but I did on Android 12 with my older pixel 3. You get a decent quantity of warnings (just like you do on MacOS), and you have to activate access to various areas in your phone OS (Similar to how Apple Adopted the same feature on iOS after Android had it).

Some seem to think that side loading would be as simple as downloading an EXE on Windows XP, and simply opening it. There are a fair amount of security prompts, and permission approvals before an app will work. I can only assume that when (likely not if at this point) Apple is forced to allow 3rd party app stores and similar, they will enact a comprehensive swath of warnings, approvals and prompts before any side loaded app would even function.

I wonder if this would be like when someone reverse engineers a plug in to work with a phone, and it works until Apple makes an update which breaks it again, until the company makes a patch? Can anyone imagine a war of software patching upcoming to "F" with the requirements?

 

[elmateo487]

I posted a link to one of Apples sources, pointing out it doesn't actually mention Android, there are other subjective infrances in Apples 31 page report that have nothing to do with Android.

Regarding your comment on anti-malware apps

Anti-malware apps exist on Android mainly because they are permitted, apple essentially does not allow for them due to app store policies and sandboxing apps. Android is similar but allow users to open their device up more to applications to access system files ( if they chose to do so). As a general rule, you don't need them on a supported Android device either.

Another reason they are so popular on Android is for the exact reason I outlined in my reply to you. Many devices older than 3 years don't get security patches. People buy these apps assuming it will make their device safer to use for a longer time. A flawed idea.

In this regard, Apple has a clear win , they support systems longer than Android, and provide security updates for years. That is the main reason I still hold onto my older iOS devices and enjoy using them.

That said, Google is adapting and extending security on new devices for upto 5 years, and it is expected other reputable OEMs will follow.

Regarding overall would numbers if malware on Android, Apple doesn't actually dig into reports that Google shares where they themselves outline how a majority of Infected devices are running very old copies of Android. That is the main cause of malware, not the small subset of global users that actually do install software outside of the play store.

It is not in Apples interest to detail any of that. Why silo and clarify when you can dump all in one basket and produce a higher (scarier) number to market their own products?

If alternative app sources are opened on iOS, it is likely that very few users will actually tap into it ( just like on Android ). Simultaneously, the arguments stating that major developers will ditch the apple approved app store in favor of others will likely not happen either. I can't think of one major software provider that has left the Google play store to force users to sideload. Amazon tried, but has since returned to Google play with prime video and their other apps.

Lastly,
Not going to justify my use of alternative sourced software with you. Judging by your nonsensical suggestion for my use case, and other ad hominem comments, you appear to simply be here for an argument.

I am disinterested.

Judging by you not giving a simple use case... I am disinterested.

I haven't heard a single use case yet that makes me want to give up security on my device or the devices around my device.

 

[dk001]

Judging by you not giving a simple use case... I am disinterested.

I haven't heard a single use case yet that makes me want to give up security on my device or the devices around my device.

I am puzzled. "Give up security"? Realistically, how?

I side load from F-Droid, Aurora, and Amazon Store to get access to apps that are no longer available in the Play Store, apps (good ones) that Google won't allow (for whatever reason), and other apps that have never been on the Play Store. Some darn great apps.
It's pretty much all foss and has no security risk as I have done my research. Heck, most of my app updates do not come from the Play Store.
Sorry, but except for your "sky is falling" verbiage, I fail to see your point.

 

[januarydrive7]

I am puzzled. "Give up security"? Realistically, how?

I side load from F-Droid, Aurora, and Amazon Store to get access to apps that are no longer available in the Play Store, apps (good ones) that Google won't allow (for whatever reason), and other apps that have never been on the Play Store. Some darn great apps.
It's pretty much all foss and has no security risk as I have done my research. Heck, most of my app updates do not come from the Play Store.
Sorry, but except for your "sky is falling" verbiage, I fail to see your point.

To make sure everyone is understanding your point --- is it that the use case is fragmenting where we can get apps from?

 

[elmateo487]

I am puzzled. "Give up security"? Realistically, how?

I side load from F-Droid, Aurora, and Amazon Store to get access to apps that are no longer available in the Play Store, apps (good ones) that Google won't allow (for whatever reason), and other apps that have never been on the Play Store. Some darn great apps.
It's pretty much all foss and has no security risk as I have done my research. Heck, most of my app updates do not come from the Play Store.
Sorry, but except for your "sky is falling" verbiage, I fail to see your point.

You want me to read to you everything discussed in this case and this thread?

No thanks. You can do your own research into why sideloading on iOS is a big deal security wise, and why it is a big deal on Android too.

I love that you think because YOU do your research therefor it is safe for you, and if it safe for YOU then it should be allowed. What kind of dumb argument is that?

Picture an elderly person who gets a malicious text saying "Install this app to access your bank statement". They click a button, iOS pops up a, are you sure you want to install this app? That person says yes. They login...

That took me 3 seconds to think of. Once you stop only thinking about yourself it gets easier.

 

[MysticCow]

You know, the old Rokus could install ONE app via a side load if you activated the developer mode. This took a complicated remit sequence just to enable it for ONE app to be side loaded. Any other app would have to be “official” in the Roku Store or had to be done as a “private” channel and you had to use a special code.

We all used the sideload method to install VIDEOBUZZ, the single best YouTube alternative ever made. Small. Lightweight. Faster than the official YouTube channel…which ticked Google off to the point that a system update screwed everyone and now we can’t sideload it…because Google couldn’t code for crap on the Roku.

Apple could learn here and use “private” and “official” channels. No matter what, the app is still installed via the Roku site unless you sideloaded (and you can’t sideload there anymore).

Moral of the story—Sites that sound like Corn Hub can have a “private app” within the App Store and it wouldn’t hurt a soul.

 

[840quadra]

I wonder if this would be like when someone reverse engineers a plug in to work with a phone, and it works until Apple makes an update which breaks it again, until the company makes a patch? Can anyone imagine a war of software patching upcoming to "F" with the requirements?

That is a different subject altogether but you touch on something I tell family and friends quite often.

Make wise choices on cables, chargers and other devices you connect to your phones. While most have been proven safe under MFI, and similar certifications form Mac, windows, Android, I feel it is important to make wise choices on hardware in the same sense one should with software choices ( including those on official app stores) .

 

[Unregistered 4U]

Isn't the purpose to transfer power to the end user and remove Apple from the process?

The best way to remove Apple from the process is to just avoid anything with an Apple logo on it.

 

[Unregistered 4U]

You're not helping yourself with these links:

View attachment 1908223
The worst offenders are not from play store. Even though play store distributes more in comparison, the alternative download locations cause more damage (look at VDR).

This is VERY interesting. What this tells me is that, even on Android, the overwhelming majority just don’t care about sideloading. I mean, just based on these numbers… Google could make Google Play the only place to get software and increase the security of Android significantly as a result!

 

[TheToolGuide]

I don't know how much more explicit those prompts have to be. But if you're John Q. Public & after these prompts still proceed to open this... that's on you. You qualify as a dumbass. Why should some dumbass prohibit me from sideloading apps on my iPhone or iPad? They don't on the Mac. The point is the guardrails are there on macOS & would work on iOS/iPad OS.

One thing you might want to think about is that you did not design the iPhone or the iOS. Also you do not own iOS. You do own the hardware but since YOU did not design it you will be limited on what it can do. Now if you design your own OS and then find someway to load it onto your iPhone you can do anything you want with it. Once again you DO NOT own iOS. Once you separate the idea of owning hardware from software you may understand. I don’t own Adobe products to dictate how they function, I don’t own Microsoft Office to state how it works, I don’t own any software or service to dictate how it operates. So you can complain all you want that you own your Mac or your iPhone but you DO NOT own the software or services.

Also If you’re Apple and the majority of people like the privacy you may care about the minority that want to have side loading but likely it is not in your business interest to appease them because they are the squeaky wheel. I think you are only thinking of yourself and not others just so you can run some applications on your phone that will give you some convenience that you could otherwise get some other way. You’re just a complainer.

 

[turbineseaplane]

That is a different subject altogether but you touch on something I tell family and friends quite often.

Make wise choices on cables, chargers and other devices you connect to your phones. While most have been proven safe under MFI, and similar certifications form Mac, windows, Android, I feel it is important to make wise choices on hardware in the same sense one should with software choices ( including those on official app stores) .

Same
I caught my uncle buying junk cables/chargers from Amazon and told him -- just please buy them from Apple -- I will pay the difference if that's the issue.

The price, it turns out, isn't the issue, but the lack of options and variations offered by Apple.

They should learn from that. Some people really like other shapes/sizes/more ports/combos of ports, etc.
Lots of money for additional accessories is being left on the table.

 

[Unregistered 4U]

So basically this reads like " Users are stupid and should only be allowed what we tell them.

This is not wrong, though. Everyday, users are opening email attachments, installing software and when their friends get tons of spam, they claim they were “hacked”. They’re getting random calls from “Dell” and following the instructions to the letter because if Dell says it’s the right thing to do, that’s what they should do, right?

I can put a Formula 1 racer on a tricycle, that’s not going to make the tricycle perform any better. I would actually expect the Formula 1 racer to shun the tricycle and instead drive something that’s more attuned to the way they like to get from one place to another.

The funny part is when the Formula 1 racer buys a tricycle then wonders why can’t they adjust the suspension!

 

[TheToolGuide]

please understand my argument before replying. it doesn't need to be like the mac. they could simply not allow non notarized apps. mac apps that are notarized are checked just like apps distributed on the app store and dont give you a warning. this level of security could be used on an iphone. unless "notarized" apps aren't as safe as apple claims to be and they aren't really checking them.

so no the article did not address my argument.

If this is just as secure then why don’t they just put their App onto the App Store? Why have side loading with notarization at all? If their App is good then just put it on the App Store no need to have a side loading option.

The purpose of notarizing is to scan the software for malicious content and use of unsigned code along with other things, stuff that already happens with the App Store. However if a developer‘s ID signing key is exposed to a bad actor they will then be able to distribute Apps onto your iOS devices that can compromise you data. So in this case you make a honest app that is harmless and does what its suppose to do. Someone gets your developer key and your app and inserts malicious content into it and uses your key. Now its notarized and gets on others iOS devices and does its work. Apple will likely eventually catch it but not until after it has done its damage and likely gotten loaded on many other iOS devices. You can read up on it here. However I’ve quoted Apple’s paragraph below. So yeah Apple’s notarized apps aren’t as safe. I don’t know if Apple claimed them to be safe, just better than not having anything at all.

Quoted from Apple:

Notarizing macOS Software Before Distribution​

“Notarization also protects your users if your Developer ID signing key is exposed. The notary service maintains an audit trail of the software distributed using your signing key. If you discover unauthorized versions of your software, you can work with Apple to revoke the tickets associated with those versions.”

So this means the developer has to be on top of this and Apple may not catch it first if a developer‘s key has been compromised. This is especially bad for people who don’t have large operations like Microsoft or even folks who made an App that wasn’t all that popular and basically have abandoned it but get their key used for other bad stuff.

Gatekeeper was a ban-aide that Apple came up to try and allow customers a safe way to load apps onto their Mac that would safeguard them. However its just a not completely affective which is a good motivator for Apple to not implement it on their iOS platform.

 

[dk001]

To make sure everyone is understanding your point --- is it that the use case is fragmenting where we can get apps from?

Not sure of your point.
These are quality stores I sideloaded on my Android device. Use these to procure / update quality apps.

 

[januarydrive7]

Not sure of your point.
These are quality stores I sideloaded on my Android device. Use these to procure / update quality apps.

I was simply asking if your point is that the best use case of sideloading is so that we no longer have a central hub for finding apps.

 

[dk001]

You want me to read to you everything discussed in this case and this thread?

No thanks. You can do your own research into why sideloading on iOS is a big deal security wise, and why it is a big deal on Android too.

I love that you think because YOU do your research therefor it is safe for you, and if it safe for YOU then it should be allowed. What kind of dumb argument is that?

Picture an elderly person who gets a malicious text saying "Install this app to access your bank statement". They click a button, iOS pops up a, are you sure you want to install this app? That person says yes. They login...

That took me 3 seconds to think of. Once you stop only thinking about yourself it gets easier.

That is the problem. All I hear are veiled or deliberate misleading “situations” that in reality have little to do with security in regards to sideloading. There is a significant Android community out there that review, recommend, warn, and do other activities for sideloading apps. Your and others “OMG!!” continued refrains are couching extreme worst case as the norm when in reality it is far from it. In most cases it isn’t specifically accurate either. Problem is you are apparently adopting that “OMG!!!” paradigm and not taking an unbiased look at what really goes on.

As for your example; BS. That scenario is far more likely a phishing item.

 

[elmateo487]

That is the problem. All I hear are veiled or deliberate misleading “situations” that in reality have little to do with security in regards to sideloading. There is a significant Android community out there that review, recommend, warn, and do other activities for sideloading apps. Your and others “OMG!!” continued refrains are couching extreme worst case as the norm when in reality it is far from it. In most cases it isn’t specifically accurate either. Problem is you are apparently adopting that “OMG!!!” paradigm and not taking an unbiased look at what really goes on.

As for your example; BS. That scenario is far more likely a phishing item.

Wait you REALLY think there is a large user base of android users who go and read about which APKs are verified and from where to get them?

You are significantly out of touch. You want to make a security change for the 0.1 percent, you.

And how does my example not work? It’s a fishing attack where the victim can now easily install apps on their phone from a link. Because you want to install pirated IPAs

 

[dk001]

I was simply asking if your point is that the best use case of sideloading is so that we no longer have a central hub for finding apps.

We don’t have a good central hub for iOS today. The App Store is very disjointed. Most times it is easier to Google/DDG for app types than try to get a good representative search in the App Store.

 

[dk001]

Wait you REALLY think there is a large user base of android users who go and read about which APKs are verified and from where to get them?

You are significantly out of touch. You want to make a security change for the 0.1 percent, you.

And how does my example not work? It’s a fishing attack where the victim can now easily install apps on their phone from a link. Because you want to install pirated IPAs

Not what I said and that statement alone shows how out of date you are.

 

[Stunning_Sense4712]

It has nothing to do with security, it is about Apple losing revenue. If you do not use the Apple Store you do not have to pay Apple any fees and you can use any payment vendor you want.

 

[Ceed]

Phishing and fraud are possible (and rather prevalent) on iOS today, right here, right now. The sky is falling, and grandma should be told to stop using iOS. Please heed this advice and let your family know to protect themselves. They can use flip phones for maximum protection. Better safe than sorry.

 

[ian87w]

People purchase iOS in spite of the fact that it's a walled garden, not because of it.

No one says "I love iOS because whenever I talk to Android users, I don't get iMessage functionality".

Yes, and the fact people don't mind using iOS for more than 10 years despite the lack of sideloading doesn't mean Apple has to allow it now. Let Apple be Apple, and let Android be Android. Choice.

Demanding ios to be open for sideloading is akin to demanding Android to disable sideloading. Making two things more of the same is not choice, it's removing choice.

 

[ian87w]

It has nothing to do with security, it is about Apple losing revenue. If you do not use the Apple Store you do not have to pay Apple any fees and you can use any payment vendor you want.

So? Developers can stop making apps for iOS if they don't like the fees. The fact remains iOS users spent more money than Android users. The greedy ones are the likes of Epic who are making a ton of money from someone else's platform but doesn't want to pay their dues.

 

[turbineseaplane]

Demanding ios to be open for sideloading is akin to demanding Android to disable sideloading. Making two things more of the same is not choice, it's removing choice.

Forcing a locked down platform more open makes it more exposed to competitive forces on key aspects and lowers barriers to switching. It increases competition and makes choice more of a practical reality for users on both sides.