Apple scrambles to quash iOS app sideloading demands with 'think of the children' defense - The Register

Apple, fearing regulators will force it to allow people to sideload whatever apps they like on their own iOS devices, has published a paper arguing about the importance of its oversight.

Last week, speaking remotely for the Viva Technology conference, Apple CEO Tim Cook decried the language in the EU's proposed Digital Marketers Act, saying that it "would destroy the security of the iPhone and a lot of the privacy initiatives that we've built into the App Store." He also said that sideloading – allowed in the Android ecosystem – would do the same.

"By providing additional distribution channels, changing the threat model, and widening the universe of potential attacks, sideloading on iPhone would put all users at risk, even those who make a deliberate effort to protect themselves by only downloading apps through the App Store," Apple claims in its report.

"Allowing sideloading would spur a flood of new investment into attacks on iPhone, incentivizing malicious actors to develop tools and expertise to attack iPhone device security at an unprecedented scale.".

Laying the groundwork for its assertion that sideloading – a freedom afforded to every macOS user since the first Macintosh computer – is an existential threat, Apple SVP of software Craig Federighi testified at the recent Epic v.

Apple trial that macOS security is terrible.

In reference to Apple's sideloading paper, Marco Arment, creator of the Overcast app, said via Twitter that the best thing Apple could do to protect the safety and security of iOS would be to lift its anti-competitive rules requiring the use of its In-App Payment mechanism.

He also expressed skepticism that sideloading would harm security, noting that if notarization – an app security process for macOS apps – is made mandatory on iOS, developers would still be submitting code to Apple for scrutiny.

For those 15 minutes, tops, of App Review, and a store page, Apple insists it deserves 15–30 per cent of your revenue.

"For those 15 minutes, tops, of App Review, and a store page, Apple insists it deserves 15–30 per cent of your revenue, for all time, and a say in everything you make or do from now on," he said.

According to Apple, 500 reviewers scrutinize 100,000 new and updated apps a week.

The security of iPhone comes primarily from security features built into the iOS operating system itself – app sandboxing, memory safety, and permission prompts to access photos, contacts, etc.

Aboukhadijeh argues that these OS-level security features exist in macOS and allow apps to be downloaded from any source and run safely.

"Nearly every macOS app offered outside of the Mac App Store uses Apple's 'notarization process, which requires developers to send a copy of their apps to Apple for inspection and malware scanning before Apple gives their seal of approval," he explained.

"When a user runs an app for the first time, macOS checks that the app has been notarized first.

Let's be honest this is largely about control and money (versus user security).

"Let's be honest this is largely about control and money (versus user security)," Wardle said.

"That is to say, apps in Apple's App Store will be better vetted, and can be quickly revoked if they are found to be fraudulent.".

Ask any user, I'm sure the resounding answer would be 'um, no freaking way.' And yes, I'm sure they'd love the same level of control on macOS along with that juicy 30 per cent cut.".

Wardle said if Apple is forced to allow sideloading, he expects the company will be able to provide parental or enterprise settings to only allow apps from the App Store, and parents or enterprises could choose to enable those settings.

Speaking at the Postgres Vision 2021 conference this week, the seasoned database expert said: “You really need to make sure you're using functions that are well established.