Sideloading apps heightens security risks for iPhone users, Apple says

Users would become easy targets for cyber criminals if the company allowed sideloading

Apple's App Store is home to over 1.8 million mobile applications. AFP

Apple, the world's most valuable company, has continued its tough stand against the use of sideloading applications on its ecosystem, saying the process would make iPhone users more vulnerable to security risks.

Sideloading is generally defined as the process of installing an app that is not officially sanctioned by a device's app store, or comes from a third-party or an unknown source.

The process could lead to an increase in severe risks, including credential theft and billions in fraudulent transactions, according to a new white paper released by Apple on Wednesday.

"Sideloading would open opportunities for cyber criminals. Malicious actors would be galvanised to develop tools and expertise to attack iPhone users because of the additional opportunities and distribution channels sideloading would provide," Apple said. "Plainly, sideloading is not in the best interest of users."

If Apple did support sideloading, users could become easier targets for cyber criminals, would have less information up front and would be forced to remove protections against third-party access.

The company implements several layers of checks and verifications on apps before they are permitted to be posted on the App Store. All apps on the App Store also need to get users’ permission before tracking them across third-party apps or websites.

The most common method of sideloading apps onto Apple devices is through jailbreaking, the process of removing security restrictions on the company's products, which is commonly used by hackers. This allows a user to freely install apps from sources other than the App Store. However, it also exposes an Apple device to threats, while nullifying its warranty.

Sideloading on devices using the Google-developed Android system is easier, as users can utilise an option deep in settings that gives permission to install downloaded app packages from unknown sources. Research also shows that malware detection is higher on these devices.

A 2020 report from Finnish network gear and phone maker Nokia showed that malware detection on Android devices was at 26.6 per cent, while iPhones had a meagre 1.6 per cent.

On platforms that support sideloading, many consumers have also needed to add antivirus software on their devices to stem the problem – at a cost of $3.4 billion per year for those services. In 2021, an estimated 1.3 billion smartphones worldwide were equipped with security solutions, which is four times as many as in 2016.

The EU’s cybersecurity agency, Enisa, reported 230,000 new mobile malware infections per day – translating to about 84 million per year – in 2019 and early 2020. Cyber security firm Kaspersky Lab estimates that in 2020, nearly 6 million attacks per month affected Android mobile devices.

Consumers are often the primary targets but malware attacks can also harm and expose developers, online advertisers and even businesses that are not direct participants in the mobile app ecosystem.

Companies face potentially high costs from malware attacks, which can originate from mobile apps. A single infected mobile device can cost an organisation an average of $10,000, while data breaches can set them back anywhere from $4m to as high as $50m, according to a study by IBM. Among US companies, 46 per cent had at least one employee download a malicious app that threatened their network's security, research by Check Point showed.

Aside from Enisa, Apple is also citing guidance from government and international agencies globally, including the US Department of Homeland Security, the European Union Agency for Law Enforcement Co-operation and Interpol, to tackle the growing threat to app security.

The white paper is a follow-up to a study released by Apple in June this year, detailing a busy 2020 in which it rejected almost one million new apps for violating rules, expelled about 470,000 teams from its developer programme for fraud-related reasons and deactivated 244 million customer accounts due to abusive activity.

Overall, the company said this resulted in stopping over $1.5bn worth of potentially fraudulent transactions.

The App Store, which was launched in 2008, a year after the original iPhone was released, facilitated $643bn worth of commerce in 2020, up 24 per cent from the prior-year period, according to an Analysis Group study. Apple was one of the few companies that flourished during the Covid-19 pandemic, as demand for mobile services and content spiked because of movement restrictions that were imposed worldwide.

Apple's services revenue, which counts the App Store, reached another all-time high in the third quarter of this year, rising 33 per cent to $17.49bn from a year ago.

Updated: October 14, 2021, 4:22 AM