The Web Summit 2021 is being held this week in Lisbon, Portugal. Apple’s senior vice president of software, Craig Federighi, came to give a talk on iOS security, and in it he dispatched at length the possibility of decentralizing app distribution on the iPhone, arguing against sideloading.
Sideloading as the culprit for malware on other platforms
The only reason [for the small number of attacks on iOS] is that the rest of the platforms allow sideloading. On the iPhone, sideloading would mean downloading software directly from the open internet or from a third-party store, bypassing the protections of the App Store.
We have talked about the pillars that protect customers on the iPhone. With sideloading, those successive protections are undone. There is no human review of apps and no single point of distribution for apps loaded via sideloading. The floodgates are open for malware attacks. And we are not the only ones who believe that this is risky.
In less than 15 minutes, Craig Federighi laid out Apple’s reasons against sideloading. The argument is similar to the one we saw last month in Apple’s quite forceful attack on the risks of sideloading. The occasion for this talk is the Digital Markets Act, the legislation presented in the European Union in December 2020.
In one of its sections, the European Union wants to force manufacturers to allow the download and installation of apps from sources other than the one designated by the owner of the platform. While Android already allows it (generating considerable risks according to Federighi), iOS remains centralized in the App Store. Apple wants this to remain the same for security reasons.
To make the case, Apple again released various figures and third-party arguments related to this app distribution practice. Among them:
- One company detected 5 million attacks on its customers on “another” mobile platform in just one month.
- Europol asserts that “we should only install apps from official stores.”
- The US Department of Homeland Security recommends that “users should avoid (and companies prohibit on their devices) the sideloading of apps and the use of unauthorized app stores.”
Federighi praises the DMA’s goal, which seeks to promote competition and give users more options. But he criticizes that, in the name of “giving the user more options, this provision would remove the choice of a more secure and private device.” In other words, it is legislation that would cause precisely the dangers from which it claims to protect citizens.
It doesn’t matter if you are not going to use sideloading
Apple’s senior vice president of software went on to criticize these measures with examples of what could happen. Among them is the argument that we should “let people choose to sideload or not, let them judge the risks and decide for themselves.” To answer it, he showed an apparently official app for tracking the spread of COVID.
In reality, this Android app did not help people concerned about their health. Rather, it was “a vehicle for malware.” Not a good experience for someone seeking to protect themselves and their family.
The European Union’s DMA would cause the very thing it claims to protect users from: insecurity and fewer options
At another point he mentions how security experts have detected up to 27 malware apps that mimicked the official Google Play Store on Android. Instead of apps, they opened the door to waves of adware. Federighi goes on to discuss the rest of the measures that protect our privacy, measures that arise from the review of each app and that would be absent in sideloaded apps.
In short, even if a user is smart enough to spot every fraud, that does not mean their children, partner, parents or grandparents are too. Allowing sideloading would expose these kinds of users to enormous insecurity, forever breaking trust in secure and private app distribution. The next time they go to download an app, they would ask themselves: “Is it a real app, or is my data going to be stolen?”
You can watch Federighi’s talk at the following link, starting at 7 hours 31 minutes.