iOS sideloading, the pros and cons
Update February 3, 2022 at 2:33:32 PM:
The U.S. Senate Judiciary Committee today approved the bipartisan Open Markets Act, an antitrust bill that would allow for sideloading and alternate app stores on the iPhone. The bill will now head to the Senate floor for a vote.
Juli Clover, writing for MacRumors
The U.S. Senate Judiciary Committee will on Thursday consider the Open Markets Act, an antitrust bill that would allow for sideloading and alternate app stores.
Ahead of the meeting, Apple’s head of government affairs in the Americas Tim Powderly sent a letter to committee members, urging them to reject the bill, reports Bloomberg. Powderly repeated a privacy and security argument that Apple executives have made many times before about the dangers of sideloading. “Sideloading would enable bad actors to evade Apple’s privacy and security protections by distributing apps without critical privacy and security checks. These provisions would allow malware, scams and data-exploitation to proliferate.”
Bruce Schneier, writing for Schneier on Security
Letter to the US Senate Judiciary Committee on App Stores
Dear Chair Durbin, Chair Klobuchar, Ranking Member Grassley, and Ranking Member Lee:
I am Bruce Schneier, a longtime security technologist, author, speaker, and thinker; and author of many books, papers, and articles on the topics of both Internet security and privacy. I currently teach cybersecurity policy at the Harvard Kennedy School. I am writing in support of S.2992 and S.2710, which are attempts to redress the power of dominant technology firms.
I would like to address some of the unfounded security concerns raised about these bills. It’s simply not true that this legislation puts user privacy and security at risk. In fact, it’s fairer to say that this legislation puts those companies’ extractive business-models at risk. Their claims about risks to privacy and security are both false and disingenuous, and motivated by their own self-interest and not the public interest. App store monopolies cannot protect users from every risk, and they frequently prevent the distribution of important tools that actually enhance security. Furthermore, the alleged risks of third-party app stores and “side-loading” apps pale in comparison to their benefits. These bills will encourage competition, prevent monopolist extortion, and guarantee users a new right to digital self-determination.
Alternatives to an app store monopoly will enhance user choice, and will not lead to a wave of malware attacks.
In another section of the letter, Apple attacks S.2710’s interoperability requirements, claiming that its requirement to allow “side-loading” of apps will likely lead to “millions” of new malware attacks on Americans. It also claims that this requirement prevents users from “choosing” a secure and private device.
First, nothing in S.2710 requires Apple or anyone else to open its devices to side-loading. (Sideloading refers to the installation of apps that have not been verified by any app store.) The bill only requires that the company “allow and provide the readily accessible means for users of that operating system to… install third-party Apps… through means other than its App Store.” This interoperability does not require one-click installation of random apps from the Internet, only that companies relinquish their monopoly control over app stores. Alternative stores could have the same, or even more, security restrictions than Apple. And instead of one app store controlled by Apple, users would be able to choose between many.
Second, Apple’s reasoning regarding side-loading is self-interested, oversimplified, and dishonest. Side-loading is not a means for bad actors to vault over a platform’s secure walls and into users’ private lives; it’s a way for users to exercise agency over their own devices. Sideloaded apps bypass the app store moderation process, but moderation is not the only level of protection between users and malware. Sophisticated malware often relies on technical exploits to get around operating system-level restrictions on its behavior, and side-loading wouldn’t affect Apple’s ability to restrict what rogue apps are capable of doing.
Apple tries to imply that users who want to stay within its trusted ecosystem will be forced to take on new risks, or that non-technical users will be blindsided by new malware. This is simply not true. Side-loading could be implemented in a way that ensures users are aware of the risks they take on before installing a piece of unverified software. Users who do not want to side-load apps can easily choose not to, just as users today can choose not to jailbreak their phones. (Jailbroken phones are ones that have been modified in a way that contravenes Apple’s rules to allow the installation of software that Apple prohibits.)
Finally, Apple’s assertion that it is defending user “choice” gets it exactly backwards. Our devices are our own, and interoperability will allow us to use them as we choose. Any user who prefers to use only Apple-approved applications will have no trouble doing so. But S.2710 will finally give users the freedom to leave the walled garden: to build, share, and install software that hasn’t been approved by Apple’s moderation machine.
We already know what a platform that allows any software to be installed looks like: it’s how our computers work. Whether we use Windows, or MacOS, or Linux, there is no monopoly dictating what software we can or cannot use. We can run our computers securely, or we can choose not to. Far from it being the dangerous hellscape we’re told to fear, the results are actually pretty good. Yes, there is malware. Yes, there are attacks. But there is security and safety as well. Hundreds of companies innovate in this space, developing new security and privacy technologies that we are free to install if we choose.
Out in the real world, we give people the freedom to choose their own level of risk. It might be objectively true that Disneyland is safer than a public park, but that doesn’t mean we should outlaw all public parks and give Disney a monopoly on park-like gathering places. People are free to visit Disneyland, and pay for the privilege. They are free to visit other companies’ commercial parks. And they are free to visit any of our nation’s public parks. Our laptops are like public parks, that we can arrange with whatever amenities and safeguards we choose. There is no reason our phones should not be as well.
cc: Senate Judiciary Committee
Many of the apps that I regularly use on my Mac are not in the Mac App Store. But they are apps signed by Apple. I can therefore use them with confidence.
App code signing process in macOS
In macOS 10.15, all apps distributed outside the App Store must be signed by the developer using an Apple-issued Developer ID certificate (combined with a private key) and notarized by Apple to run under the default Gatekeeper settings. Apps developed in-house should also be signed with an Apple-issued Developer ID so that users can validate their integrity.
If Apple allowed sideloading on iOS, they could use the same procedure as the Mac to protect users from bad actors trying to evade their privacy and security protections.