Spooky Sideloading so scary
You are at grave risk…
oh lord god nooooooo
I had the Mac Defender malware.
Mac does it why can’t iPhones
so i’m careful at what I download, all sideloaded apps are from github being able to see every option. What should be done is have a pop up telling you to go into settings to allow side load like on MAC and warn you about virus and whatever else. I bet you 99.5% of people would not sideload but give the 0.5% literally no issues but an easier way to sideload without the whole altstore mumbo jumbo
so you were dumb enough to get a virus and that is sideloading fault lol
Yeah and everyone is a security expert? This is the reason I had to get my grandparents an iPad because they kept getting their Windows 10 computer infected. Not everyone is as careful as we are because the fact we are even on this website puts us in an entire different category as grandparents and most parents.
from your little link
The software has been traced through German websites, which have been closed down, to the Russian online payment ChronoPay. Mac Defender was traced to ChronoPay by the email address of ChronoPay financial controller Alexandra Volkova.[19] The email address appeared in domain registration for mac-defence.com and macbookprotection.com, two web sites Mac users are directed to in order to purchase the security software. ChronoPay is Russia's largest online payment processor. The web sites were hosted in Germany and were suspended by Czech registrar Webpoint.name. ChronoPay had earlier been linked to another scam in which users involved in file sharing were asked to pay a fine.[20][21]
it’s called common sense, if you don’t have it then don’t sideload tada
It cannot be denied if side-loading/installing from other sources exist, malicious software will exist. It will bypass Apple's review process.
And you are asking those that DON'T have common sense to sacrifice the walled garden environment.
picture this, There is a cool store at an alley, but the alley is pretty sketchy, if you are careful you will make it safely to the store, but if you are afraid you might as well go to another store that is safer and more reliable. Just use common sense it’s your choice
Most of the general public doesn't have that common sense, that is the problem. About a month or so ago I dealt with a company that went down because one person clicked on an attachment in an email they received. Good thing there was a backup, but it was Ransomware so the entire network folder was encrypted. Still costs the company money because they were down while we restored from backup.
dude then don’t sideload
It still exposes the risk on my iPhone and every one of my family and friends that are NOT security concerned. I once got my entire Windows infected by simply mis-typing a URL and it exposed a flaw in the browser. Which is why to this day, even if I know apple.com, I still go to Google first and type it to prevent mis-types.
The shutdown comes in response to news that Facebook has been using Apple’s program for internal app distribution to track teenage customers with a “research” app.
That app, revealed yesterday by TechCrunch, was distributed outside of the App Store using Apple’s enterprise program, which allows developers to use special certificates to install more powerful apps onto iPhones. Those apps are only supposed to be used by a company’s employees, however, and Facebook had been distributing its tracking app to customers. Facebook later said it would shut down the app.
This poses a huge issue for Facebook. While Apple provides other tools a company can use to install apps internally, Apple’s enterprise program is the main solution for widely distributing internal apps and services. In an email, a Facebook spokesperson said “I can confirm that this affects our internal apps.”
In a statement given to Recode, Apple said that Facebook was in “clear breach of their agreement with Apple.” Any developer that breaches that agreement, Apple said, has their distribution certificates revoked, “which is what we did in this case to protect our users and their data.” Apple declined to comment on shutting down all of Facebook’s internal apps in an email to The Verge.
Revoking a certificate not only stops apps from being distributed on iOS, but it also stops apps from working. And because internal apps by the same organization or developer may be connected to a single certificate, it can lead to immense headaches like the one Facebook now finds itself in where a multitude of internal apps have been shut down.
7.3 Distribution on Registered Devices (Ad Hoc Distribution)
Subject to the terms and conditions of this Agreement, You may also distribute Your Applications for iOS, watchOS, iPadOS, and tvOS to individuals within Your company, organization, educational institution, group, or who are otherwise affiliated with You for use on a limited number of Registered Devices (as specified on the Program web portal), if Your Application has been digitally signed using Your Apple Certificate as described in this Agreement. By distributing Your Application in this manner on Registered Devices, You represent and warrant to Apple that Your Application complies with the Documentation and Program Requirements then in effect and You agree to cooperate with Apple and to answer questions and provide information about Your Application, as reasonably requested by Apple. You also agree to be solely responsible for determining which individuals within Your company, organization, educational institution or affiliated group should have access to and use of Your Applications and Registered Devices, and for managing such Registered Devices. Apple shall not be responsible for any costs, expenses, damages, losses (including without limitation lost business opportunities or lost profits) or other liabilities You may incur as a result of distributing Your Applications in this manner, or for Your failure to adequately manage, limit or otherwise control the access to and use of Your Applications and Registered Devices. You will be responsible for attaching or otherwise including, at Your discretion, any relevant usage terms with Your Applications. Apple will not be responsible for any violations of Your usage terms. You will be solely responsible for all user assistance, warranty and support of Your Applications.
Oh thanks for clarifying. Sounds like there is a lot of mis-information around here. Last I developed for iPhone was on the 3GS and I had to do the whole development profile thing. I have gotten so confused when a few people on this site started throwing this AltStore around like it doesn't do anything special.
Unless I am missing something this IS NOT sideloading. It’s abusing developer agreements and their app profiles which is against their TOS.
Yes, as someone with a developer account I can totally build any code I want and get it running on my device (assuming it’s not jailbreak style and using root and stuff).
But the actual process of getting these apps installed involves installing the developer profile, rebooting the device, then downloading the apps that can be validated by the cert in said development profile.
This is NOT an accepted use of a developer profile and multiple developers have lost their access by abusing it. Public betas and such are meant to be distributed via the test flight app.
AltStore just wrote an abstraction layer to handle all the steps to do this in a more user-friendly manner. But it’s still not sideloading because it requires the custom profile. The profile can be remotely disabled at any time. There are caps on the number of registered devices. etc.
In addition to ad hoc distribution (which requires registered devices), if you are a true enterprise customer (way more hoops to jump through) you can join their enterprise program for another 299 IF your organization is eligible. This allows for creating “universal” apps that DO NOT require a special profile or registered device. But again are bound by strict TOS, and abusing them again will get your dev account or enterprise account punted.
For example, ALL of Facebook's internal apps got killed when they distributed their profile to end users to let them test a child tracking app: https://www.theverge.com/2019/1/30/18203551/apple-facebook-blocked-internal-ios-apps
And straight from the dev program terms of service:
Also a good way to make it a secure toggle is to tie it to iTunes or Finder on macOS. Could be a completely different iOS image just like how Windows N vs Windows.
If I was apple, I would simply integrate a like “Jailbreak” toggle. Make it require pin and encryption password just so some rando can’t turn it on. And make it clear you are ‘reducing security’ by using this mode.
Jailbreaks have already been ruled legal so there is no real reason to make people jump through hoops.
The main point is it should flag your device as “insecure” and be at least somewhat difficult to reverse. Perhaps only via a full device reset.
Ultimately I have no interest in sideloading, but it should be possible to support it such that normal users who do NOT go through the steps to enable it initially have devices that work as they do. If they do, then you can give some sort of expanded permissions control for those users. And make it clear Apple holds no liability for anything that happens while the device is in this mode.
Even root could simply be a toggle, or even something that manually must be granted per app.
My main desire is for people like me who will NOT leverage such features, I do not want any reduced security or any easy way my device might get flipped to sideload or jailbreak/root mode without my knowledge.
If Apple stopped blocking all the different paths to jailbreak and made it possible to stay on the current version and maintain jailbreak or partial jailbreak support for those who want it, would solve almost all their issues for the power users who actually care.
Ultimately these users are a tiny minority and most would never even bother, but for those to whom it’s an issue it would solve the problem.
It also would make it easier to make it remain compliant in countries where censorship is more prevalent as for example in China, the feature could just be disabled (because unlike most of the world, I’d imagine China would consider sideloading a threat to their censorship, not a consumer right), and think what you will, but if Apple wants to do business in China. They gotta follow Chinese laws. Same with movies, games, etc. Apple is a business not a political organization, there is no real justification for them to not be compliant even if the laws are super screwed up.
If Chinese hackers wanna figure out how to re-enable this feature, that’s their choice and risk to take.
Anyway, I feel like such options would address most of the issues people are worried about. Plus you could even differentiate apps running “legit” copies of games vs sideloaded, and while imo it’s not worth bothering trying to stop piracy, you could at least isolate the connectivity between the two versions of the app in case it’s for example a game with mods or exploits to give a player advantages.
As to requiring a device reset to disable the jailbreak or sideloading exceptions, this is mostly because it’s super hard to guarantee just revoking the apps that leveraged it would return the device to a true “secure” state.
Either way, I think native jailbreak(s) support (without compromising normal update) would address most people's concerns. And if anything, Apple could save time not trying to plug every single jailbreak hole. It would allow sideloading and even root for those who really want it and would actually use it, but by making it semi difficult to activate and a reset required to revert, you remove basically all the risks while still allowing everyone to get what they want.
Ultimately I just want to make sure that adding sideloading does not compromise my preferred more secure (argue all you want blanket enabling sideloading IS a new attack vector, even if no meaningful compromise ever surfaces) current device model. Instead you give people a proper choice and support them all.
Jailbreaking relies on security holes. The idea that Apple shouldn't plug those up is just... yikes.
The debate about sideloading specifically excludes root access. No one is arguing for root access or apps leaving their sandbox. If they were, Apple's security arguments would actually be relevant.
What Epic and the others want is easy to use alternative app stores. This "solution" gives no one what they want. Sideloading remains difficult, but all of Apple's security features can get overridden. Bad, bad idea.
It means EULA is just fanfiction.
What do you mean EULA's aren't legal? Does this mean I can literally use my single Windows 10 license on hundreds of computers? And if I encounter activation lock, I can sue Microsoft because even though it states in the EULA I can only install it X times, but since the EULA is illegal, I should have that right to use it hundreds of times?
So every single software out there that has an EULA is doing something illegal?
As the nice chap above. Alt store works completely fine with normal privileges
If you wanna run an App Store on iOS, I'm fairly certain you need more than normal privilege, since right now there are no 3rd party apps that can install other apps as best I am aware.
Would be easier to be linked to your appleID. Deactivating side loading could easily just be triggered by the iPhone by removing any apps not linked to your appleID with no activation of side loading.
Also, not sure what makes this so hard? You toggle the switch, it asks for your pin and password and then reboots. Then tada, you can sideload. The only “hard” part is resetting the device to disable side-loading again. But if you enable it, and then don’t clean up properly and just let the sideloaded apps and whatever changes they may have made are all risks.
That’s probably because windows annoying UAC limitations and the insanity that windows always run in administrative mode.
The scariest part to me is like in windows, AltStore gotta run in admin mode. I assume it has a legitimate reason because it needs to talk usb super low level, but… that means you are also adding a potential attack surface not just to your phone, but ALSO to your PC lol.
Well is it really your business if people don’t care to be security conscious or concerned? If you don’t activate sideloading then your safety won’t either be affected
The whole point is that if side loading (or to more accurately describe what I personally would have a problem with, installing from the open internet) can be activated via following some steps, then it becomes trivial to trick gullible, stupid or non tech savvy people into doing something they shouldn't.
As I have said several times in this thread, a phone is not a computer for a normal user. They don't consider it like one, and in their eyes there are no dangers attached to it like they might have heard with normal computers.
If they receive a text message, (or a whatsapp - you would be shocked about the amount of people who understand that it's a secure platform and assume that therefore the messages they receive must be genuine) - which claims to be from their bank, asking them to download the new 'secure' banking app; 'Follow these security steps ensure your app is properly installed' - an older person, or non techie person, or even a slightly stupid person - (don't tell me they should 'get educated' - it's a phone. It should be as foolproof as possible) - MAY follow these steps and lose their life savings.
Phishing exists and is effective enough for people to continue to attempt it. Expose the previously unexposed and highly prized iOS user base to these unsavoury types that do this sort of thing and it WILL open a flood gate to such attempts.
That's a big danger for all users just to please a couple of vocal tech heads who, let's be fair, can get what they want on ANY other platform.
Obviously, it's more of a drive to break Apple's balls on a governmental level and has sweet FA to do with consumers or anyone else. It's part of the greater drive for easier and increased surveillance, anti encryption and all the rest of it.
But Microsoft won’t let me install 100s of computers with a single Home license per the EULA. So does that mean Microsoft is doing something illegal here?
It means EULA is just fanfiction.
Only thing that matters is copyright. If you purchase 1 windows copy. Then you have the legal right to reinstall it on a new computer as long as one copy exists.
You actually have the ability to request Microsoft to deactivate your license so you can install it on a new computer.
Microsoft can only sue you for copyright infringement for redistributing their copyright without consent.