Apple's Arguments Against Sideloading on iOS: All Your Questions Answered

[gaximus]

They have arguments that support their decision, but make no mistake - the only reason they care is because of Revenue.

If apps can be side-loaded, then they can circumvent AppStore fees, including In-App Purchase fees, which account for roughly 20% of their revenue. However, that 20% of revenue has a high profit margin since its digital goods and not physical hardware. I would wager that it's the biggest cash cow Apple has today. They will do anything to keep that system closed. It has 0% to do with security. The only way this will happen is court order, but that would be an overstep for the courts.

If this wasn't about money, they would easily allow side-loading how its done on Mac OS today, and how Android does it - by default on the approved store, with the option to allow side-loading in security settings.

Of course its about money, they are a company, and a company's goal is to make money, But its not just the direct money from the App Store. Apple makes most of its profits from the iPhone, and if that platform all the sudden became less secure, then Apple could lose more money from lost iPhone sales than lost AppStore sales.
There is an argument to be made, that if Apple could continue to have "The most secure device" and allow side loading, they could sell more iPhones, to make up the difference in lost AppStore sales. Because most people would continue to buy from the AppStore, but a few Android users might switch.

 

[nebojsak]

If Apple really cares about privacy and security of their poor dumb users and grandmas, why are Facebook and Google apps allowed in their AppStore in the first place?

 

[Pro Apple Silicon]

I think you're the one that doesn't quite get it. Criminals and bad guys are fundamentally lazy. One reason they don't target iOS so much is becuase getting in isn't easy. Once Apple is forced to provide them with a way in via those who sideload, the sheer amount of malware for iOS with grow exponentially. And it will find its way inside. It always does. And once it happens, it won't be fixable. Why is that so complicated to understand?

Lol, because it's NONSENSE.

 

[ctdonath]

macOS came from a lineage where unscreened apps were the norm. Closing that opening after the fact is extremely hard, there's too much momentum (i.e.: too much existing software) flowing thru that gate. Advantage is you can "side load" apps in macOS; disadvantage is the malware that all too often comes with it.

iOS had a rare fresh start, and was able to lock down app screening from the very start. Result is a very clean ecosystem, few problems with malicious software getting on iPhones. Opening "side loading" will result in a huge influx of malware.

Yes, macOS has put numerous screening systems in place - but users can STILL install infected apps, which does cause problems.

A primary concern for Apple: malware doesn't make the bad app look bad, it makes APPLE look bad. "Oh crap, all my important stuff got corrupted! Apple sucks!" with no acknowledgement that side-loading an un-screened app caused all the trouble.

 

[boss.king]

The IT team where I worked had serious email issues for a few weeks.
Turned out one person with an infected Android device would get on to our wifi and reek havoc.
Took a while to track down who it was.
Now the network has more robust firewalls and guest access is very limited.

This is what could happen with iPhones that sideload.

I'm in total agreement with Apple on this... you want to sideload? Buy an Android device.
That's your freedom of choice.

I have both types of devices. My job requires supporting users with both.
Always the worst phone calls are working out the different skins for Android and what labels and where settings are.
The app devs also seem to have more issues with Android code and find it hard to test all the devices out there.

One store I trust with my credit card to buy apps.
One store I install free things only or use a PlayStore card the few times I need something.

But that could have happened from a windows machine or a Mac too. Or does your office run solely on android and iOS devices?

 

[Ethosik]

Lets just cool it a bit with the "Its ONLY about money" talk. Every business (even hospitals) exist to make money. But, taking hospitals for example, are people really suggesting that NOBODY on the PLANET cares for patient care? That hospital wants to make money, but they also care for their patients. We have seen time and time again that Apple greatly cares about providing the best products. Otherwise we would be seeing Macs around $250 to compete with those cheapo Dell systems.

 

[Gilli7]

The approach Apple chose to avoid malware infections in their iOS ecosystem was visionary, bold and courageous at its time. I do believe that it's mainly due to this decision that malware on iPhones is a minor issue to date. That's why I do support the general approach.

Unfortunately, as @Mockletoy pointed out, Apple turned out not to be the benevolent guardian of purity - at least not any more, not in the first place anyway. Increasingly, Apple uses the power that guardian approach grants them for three purposes:

1. Control competition by limiting apps function wise (with functional limitation being one of the main reasons why many Mac app developers eventually left the App Store)

2. Control competition by controlling and limiting customer relationships of developers.

3. Ensure an insanely high revenue which would simply not be possible otherwise.

There is no reasonable security argument whatsoever when it comes to allowing alternative payment options within apps. If Apple was only concerned about security, they could for example certify payment service providers.

Apple makes sure that all their services and hardware are paid for, and they make a lot of money with it, which is fine for me because they do deliver excellent products. And given the service involved with the app store reviews and distribution, I don't mind giving them a reasonable cut of the revenue generated by my apps.

But charging 15-30% for content they have not contributed to in any way, neither creation nor distribution, just because it's consumed on their platform which has already been compensated for by their customers - that's just greedy. That's where they completely lost it, it's not an adequate or reasonable cut any more. And it wouldn't be possible for them to charge without the payment monopoly. Luckily, exactly that is presently about to be broken.

I believe that greed is the core of all the discussion - Apple would not have this dimension of trouble all over the world if they had adjusted their fees to a reasonable level (as was suggested even by Mr. Federighi at an early stage of App Store development).

 

[Ethosik]

Why is that so complicated to understand? Nothing happens to YOU personally, or your device, as a user, unless you were to make poor choices.

This is completely false. There are zero day flaws, exploits and social engineering. And if any of your FRIENDS or FAMILY gets infected, your contact information is then turned over.

 

[SFjohn]

good thing people who wouldn't want to sideload don't have to

Good thing people who want to sideload apps can purchase Android devices or simply jailbreak their iPhones.

 

[jimimac71]

Lets just cool it a bit with the "Its ONLY about money" talk. Every business (even hospitals) exist to make money. But, taking hospitals for example, are people really suggesting that NOBODY on the PLANET cares for patient care? That hospital wants to make money, but they also care for their patients. We have seen time and time again that Apple greatly cares about providing the best products. Otherwise we would be seeing Macs around $250 to compete with those cheapo Dell systems.

Now - Now. No Dell bashing needed. Microsoft is releasing a $250 (Windows 11 SE) laptop to complete with Chromebooks. Education only.
A Mac for $250! Good luck with that. It'll have a Fisher Price sticker on the bottom.
Before people slap Apple around for making money hand over fist, how about Amazon wanting all your money for everything, so Captain Kirk can go into space.
With Apple (so far) it is just Snoopy In Space.

 

[sideshowuniqueuser]

I put those answers into my translate software, and here's what it translated to:

If users can sideload apps on macOS, why can't they on iOS?
Because profits.

Why can't Apple give users a choice on whether they wish to sideload apps or not?
Because profits.

What if users were shown a prompt before being able to open a sideloaded app?
Because profits.

What if sideloading were only allowed through authorized third-party app stores?
Because profits.

Why is Apple assuming all sideloaded apps are malware or dangerous to users?
Because profits.

 

[Shirasaki]

I case people don't know already.

Even if you have been avoiding or deleting social media, many apps try to sneakily get access to your phone contacts.

Once they do that they grab and map your connections. So they know who your family, friends and relations are.

If a government ever became authoritarian enough or racist enough they have that data against you and they can hold it against your throat.

Save your family or obey?

That's why side loading and letting apps run wild is not only a privacy problem it is a deadly problem, especially in countries that have very poor human rights and dictators.

Wow……
Look no further than authoritarian country we have today, and they can change the law on the fly and force apple to pre-install dangerous app that can track iPhone users all the time wherever they go, or even force a jailbreak if they wish, and apple would’ve comply anyways, defeating your point entirely. Russia already showed how much they could bend apple to their will.

 

[vipergts2207]

This is completely false. There are zero day flaws, exploits and social engineering. And if any of your FRIENDS or FAMILY gets infected, your contact information is then turned over.

Dude, most people's info is already out there through various hacks and publicly available information. The first link when Googling just my phone number takes me to a website that lists my current address, including the month and year I moved in, an old landline number I used that was my parent's during my middle school and high school years, six previous addresses (with dates), a list of possible relatives and unrelated associates (many of which are correct and of which similar information is available on as well), my neighbors names and info, and my birth month and year. About the only thing missing is my SSN, employer, bank account information, and current blood oxygen concentration. Notably one phone number and one address are not correct. Google your own phone number and you may be surprised by what's already out there. Apple can't protect you, even if they wanted to.

 

[bn-7bc]

The arguments against sideloading on iOS/iPadOS are throughly unconvincing since we can already sideload apps on macOS.

View attachment 1908188​

Well that "side-loading" and rge side-liading on IOS/IpadOS are not exactly the same thing due to the history of macos ws the others. MacOS was never locked to an app stote before IOS ( fair enigh ther was no real wide soread consept of app stores before then, but kats not go down that oeticular rabbit hole) do udf Apple gad trued to lock down macos thst far they would have aluanated wy to manu of ther long time users and 3.d party devs. And anyway the identified developer simply means thst if enugh people report a certain developer the developer accoubt gets canceled and rge signstures revoked, Not shore what hapoens when oeople try to run an ap signed with a revoked dev cert, i suspect they get a nasty warning if the app runs at all. Just out of interrest do side loded apks on android need to be signed at all for them to rin or js it enable side loafing and it's a free for all?

 

[visualseed]

I put those answers into my translate software, and here's what it translated to:

If users can sideload apps on macOS, why can't they on iOS?
Because profits.

Why can't Apple give users a choice on whether they wish to sideload apps or not?
Because profits.

What if users were shown a prompt before being able to open a sideloaded app?
Because profits.

What if sideloading were only allowed through authorized third-party app stores?
Because profits.

Why is Apple assuming all sideloaded apps are malware or dangerous to users?
Because profits.

Well it's a good thing that Apple's motivation for profits are totally inline with providing me with the goods and services I desire as a customer.

 

[Shirasaki]

This is false. The mere ability to run unsigned code makes users who don't side load apps more vulnerable. zero-day exploits can infiltrate much deeper, whether you have the toggle checked or not.

As if iOS right now has no zero day exploits heh. Tell you what? Hackers may have an easier time hiding their malicious code from iOS security system because security researcher probing inside iOS would have a much harder time finding those malicious software thanks to iOS security system.

 

[vipergts2207]

Well that "side-loading" and rge side-liading on IOS/IpadOS are not exactly the same thing due to the history of macos ws the others. MacOS was never locked to an app stote before IOS ( fair enigh ther was no real wide soread consept of app stores before then, but kats not go down that oeticular rabbit hole) do udf Apple gad trued to lock down macos thst far they would have aluanated wy to manu of ther long time users and 3.d party devs. And anyway the identified developer simply means thst if enugh people report a certain developer the developer accoubt gets canceled and rge signstures revoked, Not shore what hapoens when oeople try to run an ap signed with a revoked dev cert, i suspect they get a nasty warning if the app runs at all. Just out of interrest do side loded apks on android need to be signed at all for them to rin or js it enable side loafing and it's a free for all?

Damn, you must be using one of those expensive MBP's with a broken butterfly keyboard like me. Thanks Apple..

 

[visualseed]

Dude, most people's info is already out there through various hacks and publicly available information. The first link when Googling just my phone number takes me to a website that lists my current address, including the month and year I moved in, an old landline number I used that was my parent's during my middle school and high school years, six previous addresses (with dates), a list of possible relatives and unrelated associates (many of which are correct and of which similar information is available on as well), my neighbors names and info, and my birth month and year. About the only thing missing is my SSN, employer, bank account information, and current blood oxygen concentration. Notably one phone number and one address are not correct. Google you're own phone number and you may be surprised by what's already out there. Apple can't protect you.

Personal information is an entire universe more than your address and some bio facts about you. If it were not the case, then companies would just buy census data on CD-ROMS and be done with it.

 

[ACHD]

So. Apple is making a good argument here to convince the consumers? How Tim Cook tried to explain it. Have to agree with him 100% on this.

Bottom line it all comes down to…

'Security and Privacy’

Tim Cook: Users Who Want to Sideload Apps Can Use Android, While the iPhone Experience Maximizes 'Security and Privacy'

Amid a heightened amount of scrutiny and tension surrounding the App Store and how users download and install apps on the iPhone, Apple CEO Tim Cook said today that customers who wish to sideload apps should consider purchasing an Android device as the experience offered by the iPhone maximizes...

forums.macrumors.com

Sucks how apple does allow sideloading using the MDM method.

Go to a popular site. download the profile then boom you can use a website to install whatever you want from wherever you want. no jailbreaking needed.

Also whats sad is that while on android you can just install an app with multiple warnings from google its just that one app and it has limited damage.

Where as on iphone the current sideload method is SUPER SUPER easy... and sadly it makes you install a profile that can give extensive access to the device and its data. It also allows the remote service/app store to just install anything with out you even knowing about it.


So tell me.... If they care about security and privacy then why do they keep this method open? why have they not closed it and why do they not close it faster? Apple knows what apple generated MDM profiles are downloading and know they are downloading to devices that have a history of many different MDM profiles in order to keep this side loading open. Apple keeps it open and willingly exposes peoples data?
WHY? because its not about security and privacy. Apple has one of the biggest loopholes in sideloading out of all of the mobile devices. If there was a REAL sideload option then one wouldn't need to install a MDM Profile that can report data of what's on your device, remotely install whatever it wants as well as view anything the 3rd party wants to if they want to abuse it.


Apples message on sideloading only holds water if they actually did not allow sideloading on iphones in this manner AND they haven't done anything AND there hasn't been major reports because even though this is EASILY abuseable... its not as abused as apple wants you to think it is. Nor is security compromised as much as they want you to believe in this manner.

Why??? because even though the MDM method allows cracked apps/paid apps for free theres a alack of abuse going on with it, and a lack of security muckery.

This is the reality. To many people fall into this privacy and security gambit yet do not realize that its actively and OPENLY doing the opposite by keeping these methods alive.



For these stores apple might take months or years to revoke MDM profiles despite it being easily identifiable that its being used for this purpose and the fact apple can see what apps are being sent for remote installation/unattended remote installation of applications.

Yet with android unless you root the phone an app will need permission to initiate another app download if it wants to be a shady as hell application...... Funny... How android wins with that one and the MDM method CAN do it silently.

 

[Shirasaki]

They should listen and read comments from their faithful user on MacRumors.

It is Apple's App Store. Apple can do whatever they want with it.

Apple should have the courage to stand its ground. Even under the rule of law, if they were forced to have side loading, they should pull out of those market. That is EU, UK, Australia, South Korea, Japan and Russia. ( But not US, no Macrumors user has ever suggested to leave US for some reason ) There is also an Anti-Trust Case in India as well, but I guess the market is too small no MR comments have ever suggested to leave the market. May be they dont care.

I really want Apple to have the courage to follow MR comments. Pull out of those market.

Heh. If apple ever have “a spine” so to speak, apple would’ve left China years ago, rather than still trying to stay in China as long as they can. Besides, what if US stands against apple’s stance somehow? Retreat to Ireland where apple actually is located in?

Also, just because it’s apple’s App Store doesn’t mean they have unlimited privilege and can do whatever they want. Even Walmart can’t do whatever they want despite they own their damn supermarket. Stop this “apple should be able to do whatever they want without consequences” argument already. Absolute freedom is and will never be a thing.

 

[SFjohn]

since you can't sideload the only way for an app to scam someone is to be downloaded through the app store of which there are many scams

Apple’s tightly controlled App Store is teeming with scams

Apple claims its App Store is carefully curated so that only the best apps get through. The truth is, the App Store is littered with scams and "fleeceware," which uses fake user ratings to trick customers into paying for something they don't want.

www.washingtonpost.com

And yet there are at a minimum 15 times more on Android. Apple doesn’t claim to be perfect, just better because they are.

 

[dk001]

I couldn't care less. I'll call out BS when I see it, whether it's been spoken about before or not is besides the point.

I'll get the ball rolling:

The major concern that has been proliferated has to do with what might happen if the database of CSAM hashes is untrustworthy. A lot fo that has to do with some derivative of this: https://www.macobserver.com/columns...ning-princeton-researchers-already-warned-us/

The researchers that started that line of thought refer to their work, where they developed something similar to Apple's proposed method, and say that it's a bad idea! Except, in their work, they describe that it actually would be possible if the database were trustworthy, and suggest a few examples of what might accomplish that. They are hesitant, but encourage further research into the area.

Just because they were incapable of thinking up a novel approach to ensuring the databases' trust doesn't mean that Apple's approach was unsound -- it seems that the researchers wanted their 15 minutes of fame, and boy have they got it. Too bad in order to get it, they contradict their own work, which suggests that if the database could be trusted through some means, then their concerns vanish.

The SL process has been looked at for a lot longer than the research analysis. To date not a single entity out there, MS, Apple, Google, Amazon, etc... has attempted to do this.
Now Apple suddenly comes up with this "solution" that has some serious potential issues, not a single security, privacy, and States that spoke out are in favor of it. NCMEC board members while collectively would like this have serious doubts as to it's privacy. Then the Apple "solution" will only address future loading but not anything already existing on the cloud while giving options to avoid it and get around it. Then there are the legal challenges that would inevitably come.
Then we have Apple saying they would never allow abuse of it but ... wait for it ... they would follow all laws of the country. Wow. Contradictory. Why project Apple personnel into the midst of the review process instead of leveraging NCMEC who deals with this?
Too much about the project logistics and proposed solution make little sense when collectively viewed as a whole.
The solution solves what? Cloud scanning (not liking but realizing it does minimally exist) is a better solution.

Note: I am not touching the technical functionality or the specific concerns, differing concerns, that were raised.

As this is off topic, I would recommend either a separate thread, or better yet utilizing one of the existing threads. Myself and many on here are more than willing to debate / discuss the topic.

 

[vipergts2207]

Personal information is an entire universe more than your address and some bio facts about you. If it were not the case, then companies would just buy census data on CD-ROMS and be done with it.

Yes...however you're completely missing the premise of the post I was responding to. The claim was that if friends and family with your contact info are hacked because of sideloading on their device, your contact info they have will then be exposed. Except that info is already out there. The only way that info that hasn't already been exposed gets out from someone else being hacked, is if you're giving that more sensitive info out to others. That would seem rather boneheaded and inadvisable. I'd suggest not handing out your SSN and medical records when giving someone your contact info, but that's just me. 🤷‍♂️ Maybe stick to just your name, address, email, and phone number.

 

[dk001]

Dude, most people's info is already out there through various hacks and publicly available information. The first link when Googling just my phone number takes me to a website that lists my current address, including the month and year I moved in, an old landline number I used that was my parent's during my middle school and high school years, six previous addresses (with dates), a list of possible relatives and unrelated associates (many of which are correct and of which similar information is available on as well), my neighbors names and info, and my birth month and year. About the only thing missing is my SSN, employer, bank account information, and current blood oxygen concentration. Notably one phone number and one address are not correct. Google you're own phone number and you may be surprised by what's already out there. Apple can't protect you.

I ordered an Apple Watch 7 on Amazon. Delivery in a week. Then canceled it the next day.
Since then I have had 3 emails from Apple on my iCloud email trying to convince me to "uncancel" and get that 7.

You are quite correct. Info is shared, scraped, hacked, pulled from public records, etc...

 

[Shirasaki]

And so they begin laying the groundwork for locking down the Mac. I mean, morally and ethically, according to everything they've said, how could they not?

They've flatly stated that sideloading is the criminal's best friend, so how could they in good conscience continue to allow it on one of their platforms?

This remains one of my main confusion point after apple silicon transition, to completely transform Mac into another iOS given everything is integrated right now. I can sense they are slowly but surely pushing their users into using MAS more than outside source and shutting down what old macOS users would love, but keep denying whenever they get a chance. Apple is utterly disingenuous from the very beginning.