Tim Cook: Users Who Want to Sideload Apps Can Use Android, While the iPhone Experience Maximizes 'Security and Privacy'

[wigby]

I don't see the validity of this statement, I think it's a cop-out trying to hide the real reason.
Abusing people's desire for security as a false pretend to maximize Apple's profit!

Users who are not sideloading apps on iOS would be just as safe as they are now, how is their safety affected when other users sideload? Exploits of iOS are constantly found anyways, jailbreaks keep happening. Whoever wants to attack non-jailbreakers/sideloaders won't gain much here, at least not in comparison to the gains of the iOS users who want to sideload! If the OS is truly sandboxed well, where is the harm?
These devices (iPhones) are not a connected server cluster, they're individual devices!!!

Quick question: Why would it be unsafe on phones when it's normal for computers?
Take a guess iOS basically is a variant of MacOS, they claimed so at least (LOL). Does that mean that they do sub-par security for iOS, maybe get some devs from the MacOS team over to help? LMAO
I can imagine the entire Apple board of directory having dreamt of forbidding software installs on Mac computers just as much as they did on iOS for years now.
In the end, it's just common law. Everybody is used on it on iOS, so most people believe this makes sense and must remain like it is.... think again!

I predict, Apple will lose this argument in court and will have to change their stance on this within the next few years.

"Users who are not sideloading apps on iOS would be just as safe as they are now, how is their safety affected when other users sideload?"

Malware from apps (side loaded or not) is passed from user to user. That's how it spreads. Does every contact/friend of yours understand the security implications that come from side loading apps? I do not trust my friends and family to understand the difference between weak and strong security the same way I don't trust them to not download a malicious app or take a Facebook quiz that shares all their contacts with a malware creator.

 

[boss.king]

"Users who are not sideloading apps on iOS would be just as safe as they are now, how is their safety affected when other users sideload?"

Malware from apps (side loaded or not) is passed from user to user. That's how it spreads. Does every contact/friend of yours understand the security implications that come from side loading apps? I do not trust my friends and family to understand the difference between weak and strong security the same way I don't trust them to not download a malicious app or take a Facebook quiz that shares all their contacts with a malware creator.

This is a completely separate issue. If your phone is suceptible to those sorts of attacks then its security flat-out sucks whether it has sideloading enabled or not.

But this doesn’t appear to be the case with iPhones or we would already see these types of attacks running rampant (because, surprise, developers already have access to sideloading for app testing).

 

[ninecows]

I really hope you're not doing all the rest of your "real serious work" on a Mac or a Windows computer because the security implications of this would be unthinkable!

In all honesty, just don't side load if you don't want to side load. 99% of all Android users probably manage without and the security risks that do exist in the Play Store probably have more to do with Google's review process than with side loading.

I don't have any real push right now to get apps from anywhere but the App Store, but the amount of people who want to be nannied is staggering.

Could an average non-technically minded user accidentally install an app from anywhere on android just by clicking an add/pop-up while browsing?

 

[Hoyboy]

100% agree with him.

100%

So should the Macs not allow side loading apps?

 

[spainbran]

Could an average non-technically minded user accidentally install an app from anywhere on android just by clicking an add/pop-up while browsing?

Could and average non-technically minded user click on a link in Safari?
10 years ago it was with Flash player, but they still exist.
Don't use what you don't trust, but do not prevent people doing what they want.
They take their own risks.

 

[wigby]

This is a completely separate issue. If your phone is suceptible to those sorts of attacks then its security flat-out sucks whether it has sideloading enabled or not.

But this doesn’t appear to be the case with iPhones or we would already see these types of attacks running rampant (because, surprise, developers already have access to sideloading for app testing).

All phones are susceptible to these attacks just like all PCs are. We see these attacks scale to Android because side loading is not encouraged but allowed. If Apple allowed side loading, we would see many attacks using exploits that Apple knows about and doesn't know about. And we've also seen bad developers abuse their privileges too. Opening iPhone up to side loading is welcoming a whole new breed of shady developers that offer very little value to customers in exchange for more security risks.

 

[d686546s]

Could an average non-technically minded user accidentally install an app from anywhere on android just by clicking an add/pop-up while browsing?

As far as I understand and if I remember correctly you have to explicitly enable sideloading on Android.

Could someone exploit Android security flaws for this purpose? Sure, don't see why not.

Could someone exploit iOS security flaws for this purpose? Sure, even without official sideloading support. Let me point to exhibit A "Pegasus" from NSO.

 

[macos9rules]

"Cook drew the comparison of sideloading to a carmaker selling a car without airbags or seatbelt, saying it would be too risky."

The difference is that customers who buy a car have the choice to put their seatbelt on or not. Customers who buy an iPhone don't have any choice regarding sideloading.

 

[wigby]

So should the Macs not allow side loading apps?

When the Mac App Store has the diversity and selection of the iOS App Store (which will be never), then yes, it should not allow side loading.

 

[Hoyboy]

When the Mac App Store has the diversity and selection of the iOS App Store (which will be never), then yes, it should not allow side loading.

The day that happens would be the day I leave macOS.

Edit: just to add why should side loading be stopped if the Mac App Store magically managed to do this?

 

[Wildkraut]

Dear anti-competitive Crook, it’s not in your hands anymore, your propaganda won’t help here.

Digital Markets Act is coming for you, to preserve competition and promote innovation. ??

 

[januarydrive7]

This is nonsense. No attack vectors open up if they just turn off the seven-day cert renewal. Moreover, Apple could make MORE money by allowing more functionality on the iPhone.

Let me break it down for you: if you are unable to load malware A because the OS prevent you from doing so, then you are protected from loading malware A. If the OS does not prevent you from loading malware A, then you now are able to load malware A. This PR has nothing to do with profits -- this has to do with security.

Why can't I emulate another computer/OS on the M1? Why can't I buy an app that lets me write an ISO to a flash drive? I'm willing to pay for these functions.

No one says you can't emulate another computer/OS on the M1. AFAIK, qemu works just fine, yeah? I think what you mean is "why can't M1 architecture natively run x86 (or support virtualized x86)?" -- to this I would say this isn't a privacy or locking down issue, it's an architecture issue. x86 ISA is different than arm ISA, and they are incompatible.
No amount of money you being willing to pay will change this, because it's simply not possible.
As far as writing an ISO to a flash drive... there is no limitation as far as I'm aware.

 

[CarlJ]

Users who are not sideloading apps on iOS would be just as safe as they are now, how is their safety affected when other users sideload?

The problem is, you open iOS up to other app stores, and then some popular apps decide to list only on some other app store and not on Apple's store. Then customers who bought iPhones, because they like the walled garden ecosystem, are faced with the choice of, "use this new app that everyone is adopting" OR "only use apps on Apple's app store" - they can't stay with just Apple's app store and still keep interacting with everyone else. They get dragged into loading an alternate app store to get access to some new app.

People keep making the same argument as you, that having the option to sideload would have no effect whatsoever on anyone else. That's an incorrect assertion.

 

[dumastudetto]

Nah. Tim just trying to save his fiefdom. Follow the $$$. Apple's earning call shows how much they make from being the exclusive provider of apps. "According to a CNBC analysis, Apple's App Store had gross sales of around $64 billion last year"

Most of us recognise Apple will always prioritise our security and privacy over profit. Apple has never let us down.

 

[dumastudetto]

Most of the time the vulnerable security vector is the user and not the OS or the apps.

Which is why Apple wants to keep things as locked down as possible to protect people from their own stupidity, or lack-of knowledge.

 

[d686546s]

The problem is, you open iOS up to other app stores, and then some popular apps decide to list only on some other app store and not on Apple's store. Then customers who bought iPhones, because they like the walled garden ecosystem, are faced with the choice of, "use this new app that everyone is adopting" OR "only use apps on Apple's app store" - they can't stay with just Apple's app store and still keep interacting with everyone else. They get dragged into loading an alternate app store to get access to some new app.

People keep making the same argument as you, that having the option to sideload would have no effect whatsoever on anyone else. That's an incorrect assertion.

Replace every "iOS" in your post with "Android" and it doesn't seem to quite work out that way, despite the fact that Android had sideloading from the very beginning.

 

[I7guy]

"Cook drew the comparison of sideloading to a carmaker selling a car without airbags or seatbelt, saying it would be too risky."

The difference is that customers who buy a car have the choice to put their seatbelt on or not. Customers who buy an iPhone don't have any choice regarding sideloading.

However, customers who buy a car have no alternative and must get the car with seatbelts and airbags, even if one doesn't want them. Of course, they could jailbreak the car and remove them.

 

[boss.king]

All phones are susceptible to these attacks just like all PCs are. We see these attacks scale to Android because side loading is not encouraged but allowed. If Apple allowed side loading, we would see many attacks using exploits that Apple knows about and doesn't know about. And we've also seen bad developers abuse their privileges too. Opening iPhone up to side loading is welcoming a whole new breed of shady developers that offer very little value to customers in exchange for more security risks.

But developers can already sideload. Why are we not already seeing these being widely abused? Do you think the people creating malware are just too cheap to get a developer ID or something?

If we're still discussing the situation you raised of malware going from user to user, this should already be rampant. But it's not, nor would it be an issue with a MacOS style of outside app installation permissions.

 

[Wildkraut]

However, customers who buy a car have no alternative and must get the car with seatbelts and airbags, even if one doesn't want them. Of course, they could jailbreak the car and remove them.

You can sideload third-party seatbelts, it’s no problem, and you can even improve it, by installing a 5-point seatbelt.

Crooks comparison is nonsense.

Same for iOS, the first thing i will sideload is a firewall.

 

[hans1972]

I don't see the validity of this statement, I think it's a cop-out trying to hide the real reason.
Abusing people's desire for security as a false pretend to maximize Apple's profit!

Why can't it be both?

If Apple saw that focusing on security and privacy would make them more money, I have no problems with that.

 

[hans1972]

Quick question: Why would it be unsafe on phones when it's normal for computers?
Take a guess iOS basically is a variant of MacOS, they claimed so at least (LOL). Does that mean that they do sub-par security for iOS, maybe get some devs from the MacOS team over to help? LMAO

Both Windows and macOS have subpar security and privacy for non-technical users.

There is a reason why Windows has a built in anti-virus tool and why ransomware happens all the time on Windows, and even macOS, but not really on iOS.

Why do (large) companies lock down their Windows PCs? Because the default security is not good enough when you have users of all kinds of skill levels.

 

[boss.king]

Why can't it be both?

If Apple saw that focusing on security and privacy would make them more money, I have no problems with that.

It could be both if sideloading presented a real threat to security. But it doesn't.

To be clear, I have no issue with restrictions that enhance security and/or privacy, but this simply isn't one of them. It's 100% about protecting their app store cut.

 

[hans1972]

Said “malware” would have to have a signed security certificate to run provided Apple allows apps to be sideloaded similarly to the default settings on macOS (App Store & Trusted Developers).

If the user downloads Office from Microsoft’s website, it won’t be an issue.

Why?

Such a solution would still allow Apple control. Isn't the point with side loading to allow installing apps without any interference from Apple?

 

[hans1972]

It could be both if sideloading presented a real threat to security. But it doesn't.

To be clear, I have no issue with restrictions that enhance security and/or privacy, but this simply isn't one of them. It's 100% about protecting their app store cut.

Just look at the security problems of Windows and macOS to see what happens when you allow users to install software from any source.

The less choice and changes a user can make to a device, generally the more secure it is.

Ransomware is the worst example of what happens when you have an open system and it plagues Windows, but I don't think it has ever happen on iOS.

 

[Mockletoy]

The problem is, you open iOS up to other app stores, and then some popular apps decide to list only on some other app store and not on Apple's store. Then customers who bought iPhones, because they like the walled garden ecosystem, are faced with the choice of, "use this new app that everyone is adopting" OR "only use apps on Apple's app store" - they can't stay with just Apple's app store and still keep interacting with everyone else. They get dragged into loading an alternate app store to get access to some new app.

People keep making the same argument as you, that having the option to sideload would have no effect whatsoever on anyone else. That's an incorrect assertion.

The situation you’ve just described is called “healthy competition.”

Nothing strikes greater terror in a monopolist’s heart than that.