Apple has always been notoriously opposed to sideloading, but software chief Craig Federighi went a step further with a dramatic statement at Web Summit 2021. He stated that “Sideloading is a cybercriminal’s best friend, and requiring [it] on the iPhone would be a gold rush for the malware industry.”
Federighi’s comments come in light of the European Commission’s Digital Markets Act, a bill designed to allow third parties to work with clients without the interference of a platform owner. It also features a few other requirements, including preventing companies like Apple from making selected apps impossible to uninstall and preventing them from preferring their own apps and services on their platforms. It’s understandable why Apple is concerned, but that doesn’t mean the company’s claims aren’t misleading.
Federighi compared iPhones to houses and said sideloading is like leaving every door unlocked and open for intruders, while the default settings of the iPhone are like a house with sturdy doors that offer fewer opportunities for break-ins. He also claimed that it doesn’t matter whether a user has chosen to sideload apps or not, as there are cybercriminals who could get around this by tricking users into accidentally downloading malware. He even cited social media companies that could bypass the iPhone’s privacy protections by sideloading. Finally, he suggested that those who want the option of sideloading apps should use competitors like Android.
That’s a lot to unpack, but here are three reasons Federighi’s perspective is misguided:
As has already been stated several times (including by a judge in the Apple and Epic case), Apple itself operates a platform on which sideloading is allowed, in the form of macOS. The sky has yet to fall. Sure, you could switch to Android if you wanted Android features, but Apple has done quite a bit to incorporate features like widgets, an app drawer, standard apps, and even hardware features like 120 Hz displays.
Federighi’s metaphor here is also a little off. Sideloading is not like leaving your house open for anyone and everyone to rush in and steal your valuables. It gives the homeowner the choice of whether to let their friends in for a cup of tea or throw a house party, whether the landlord or the homeowners association agrees or not. Do these actions carry risks of property damage or loss? Naturally! This is for the person to manage, not for others to dictate.
While Apple is right that sideloading apps is dangerous, it’s a solved problem. Granted, it may take a little more work, but the “What if a user is tricked into downloading malware?” question has been resolved by Apple’s competitors. On Android, Google Play Protect scans your phone to protect it from malicious apps. This applies to both Play Store apps and sideloaded apps. If a user sideloads a suspected malicious app, Play Protect is activated and the app is deleted. Microsoft offers something similar with SmartScreen, and Apple has Gatekeeper on macOS.
This brings us to the final concern: that social media platforms would be able to bypass privacy protections by simply making their apps sideloadable. To borrow a quote from pop culture, that was always allowed. Any social media platform could become a progressive web app and opt out of the Apple App Store at any time. Likewise, nothing has stopped these social networks from adopting the same stance on Android, where sideloading already works. When it comes to a novel platform, Epic knows all about the difficulty of working with Android outside of the Play Store: users just aren’t massively interested.
As has also been emphasized several times, Apple has a marked incentive to funnel all iPhone users through the App Store in a way that it does not on Macs. iPhones are a booming business, and the more users download apps through the App Store and sign up for subscriptions, the more of that 30% App Store cut Apple gets.
However, it is also not wrong that sideloading is risky and that it exposes users to more malware. The question is whether users want to take this risk, and what Apple can do to mitigate it while preserving user freedom. This is what the company should focus on rather than trying to fight the inevitable.