Apple argues in a position paper that sideloading apps poses a major security threat to its users, as many lawmakers and technologists criticize its App Store as a monopoly.


Apple released a position paper on Oct. 13, arguing that forcing the company to open its App Store software-distribution platform to allow third-party software sellers to install software — a process often called "sideloading" — would undermine the security of iOS devices.

The arguments come as Apple faces extensive discussions aimed at forcing the company to allow other software vendors to install software on Apple-branded devices. In a background conversation with members of the media on Tuesday, the company argued that the security of iOS devices would be undermined by such a move. In its position paper, published the next day, Apple pointed to third-party reports that showed that the competing Android platform, which allows sideloading, had anywhere from 15 times to 47 times more malware infections over the past four years.

In the paper, the company argues that allowing third-party app stores and third-party software installation would allow more harmful apps to reach users. In addition, Apple argues that users would get less information about applications upfront, such as privacy and permissions data, and that allowing access to proprietary hardware elements — as called for by proposed legislation — would undermine iOS devices' core security.

"[S]ome are demanding that Apple support the distribution of apps outside of the App Store, through direct downloads or third-party app stores, a process also referred to as 'sideloading,'" Apple states in the report. "Supporting sideloading through direct downloads and third-party app stores would cripple the privacy and security protections that have made iPhone so secure, and expose users to serious security risks."

The latest round of calls for breaking up Apple comes as a lawsuit between Epic Games and Apple heats up. In August 2020, Epic updated its popular Fortnite game to allow players to pay the company directly using in-app currency, a mechanism that skirted Apple's 30% fee for in-app purchases (IAP). Apple pulled the game from the App Store, and Google followed suit, pulling the game from its Google Play Store. The next day — on Aug. 13, 2020 — Epic sued Apple for unfair business practices.

Lawmakers had already been investigating large online companies and technology firms for unfair business practices. A 16-month bipartisan investigation led to the US House of Representatives' "Investigation of Competition in Digital Markets" report, published in October 2020. In August, three US senators introduced a bill, the Open App Markets Act, that would force Apple and Google to open up their app stores, give consumers more control over their devices, and give developers more power in negotiating with app stores.

"We need to pass federal legislation on app store conduct to protect consumers, promote competition, and foster innovation," US Sen. Amy Klobuchar (D-MN), chairwoman of the Senate Judiciary Subcommittee on Competition Policy, Antitrust, and Consumer Rights, said in a statement in September. "I introduced legislation with Senators Blumenthal and Blackburn to do exactly that last month, and I am working hard with my colleagues on both sides of the aisle to move it forward, along with other legal reforms we need to reinvigorate competition throughout our economy."

While the closed nature of Apple's App Store has led to fewer security incidents overall, its monopoly over the sale and distribution of iOS applications has led to significant profits for the company. Apple's App Store made an estimated $15.5 billion in 2018, on sales of nearly $50 billion, and is expected to make nearly $19 billion in 2022, according to the US House of Representatives' "Investigation of Competition in Digital Markets" report. The cost of running the App Store and making those billions? Less than $100 million, according to a House committee interview with Phillip Shoemaker, the former senior director of App Store Review.

As a separate company, Apple's App Store would rank No. 64 on the Fortune 500 list of companies, the House report stated.

The Apple Paper
The Apple position paper — "Building a Trusted Ecosystem for Millions of Apps" — argues that the threat landscape has never been worse. Developers and advertisers are targeted by cybercriminals, cybercriminals have become more skilled, and the coronavirus pandemic has raised the stakes.

There is some truth to the arguments. In 2011, Apple's devices — combined with its software ecosystem — had already attained a reputation for being the most secure. However, a decade makes a lot of difference. Google has had a — relatively — open software distribution platform for Android and has managed to quash most apps that harbor malware or malicious functionality, but not all. Steam — a third-party platform for distributing games and software to Windows, Mac, and Linux systems — has taken off and has had few incidents of malware.

Apple argues, however, that the company is best suited as the gatekeeper for every app that runs on Apple-branded devices.

"By reviewing every app before it becomes available on the App Store to ensure it is free of malware and accurately represented to users, and by swiftly removing apps from distribution if they are found to be harmful and limiting the spread of future variants, Apple protects the security of the ecosystem and provides peace of mind to customers," the report states. "Sideloading is not in the best interest of users."

However, the position paper focuses on a very narrow definition of security. Using the App Store — either for iOS or for the Mac — results in patch delays, Cabel Sasser, co-founder of software maker Panic, wrote to Philip Schiller, who heads Apple's App Store team, in a 2016 email that surfaced during the Epic v. Apple trial.

"There is a constant drumbeat of background stress when developing pro applications customers rely on that are distributed through the App Store — we have a great QA team, but shit happens, right?" he wrote in 2016. "And when shit happens, it is fifty times worse due to the sometimes-lengthy review process."

When Panic sold its game Firewatch, it moved away from the App Store and over to the Steam Store, a popular third-party game platform operated by Valve Software that currently hosts almost 110,000 games and applications. The difference was night and day, Sasser wrote.

"On Steam, after our initial approval, all future patches are NOT manually approved and are automatically posted, limited to one every 15 minutes," he wrote. "Stress gone. Instantly."

Overall, the App Store review process results in significant headaches for software publishers, Sasser wrote, making customer support, security and quality updates, and refunds "more stressful and difficult, in exchange for giving Apple 30% of our revenue." 

About the Author(s)

Robert Lemos, Contributing Writer

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline Journalism (Online) in 2003 for coverage of the Blaster worm. Crunches numbers on various trends using Python and R. Recent reports include analyses of the shortage in cybersecurity workers and annual vulnerability trends.
