Apple has always notoriously been against sideloading, but head of software Craig Federighi took it a step further with a dramatic statement at Web Summit 2021. He declared that “sideloading is a cybercriminal’s best friend and requiring [it] on iPhone would be a gold rush for the malware industry.”
Federighi’s comments dovetail with the European Commission’s Digital Markets Act, a bill aimed at allowing third parties to work with customers without a platform owner’s interference. It also features a few other requirements, including stopping companies like Apple from making select apps uninstallable and preventing them from favoring their own apps and services on their platforms. It’s understandable why Apple would be concerned about it — but that doesn’t mean the company isn’t being misleading.
Federighi compared iPhones to houses and said sideloading is akin to leaving every door unlocked and open to intruders, whereas the iPhone’s default settings are like a house with sturdy doors that offers fewer opportunities for break-ins. He also claimed that it didn’t matter if a user opted to sideload apps or not because there are cybercriminals who could get around that by tricking users into accidentally sideloading malware. He even cited social media companies being able to evade the iPhone’s privacy protections via sideloading. Finally, he intimated that those who wanted the option of sideloadable apps should use rivals like Android.
That’s a lot to unpack, but here are three reasons why Federighi’s perspective is misguided.
The problem, as has been noted already several times (including by a judge in the Apple and Epic case), is that Apple itself runs a platform where sideloading is allowed in the form of macOS. The sky has yet to fall. Certainly, one could go to Android if they wanted Android features, but Apple has done quite a bit to bring over features that its users wanted like widgets, an app drawer, default apps, and even hardware features like 120Hz displays.
Federighi’s metaphor here is also a little off. Sideloading is not akin to letting someone leave their house open for all and sundry to rush in and steal their valuables. It is giving the homeowner a choice to allow his friends in for a cup of tea or throw a house party — whether the landlord or homeowners’ association approves or not. Do those actions carry risks of property damage or loss? Of course! That is for the person to manage, not for others to dictate.
Even if Apple is correct that sideloading apps is dangerous, it is a solved problem. Granted, it may take a bit of extra work, but the issue of “what if a user is tricked into downloading malware” has been resolved by Apple’s competition. On Android, Google’s Play Protect scans your phone to keep it safe from apps that are malicious. This applies to both the Play Store and apps that are sideloaded. If a user sideloads an app that is deemed to be malicious, then Play Protect kicks in and the app is kicked out. Microsoft offers something similar with SmartScreen, and Apple, on macOS, has Gatekeeper.
This brings us to the last concern about social media platforms being able to evade privacy protections by simply making their apps sideloadable. To borrow a quote from pop culture, that was always allowed. Any social media platform could become a progressive web app and opt out of Apple’s App Store at any point. Similarly, nothing has stopped those social networks from adopting the same stance on Android, where sideloading already works. If it’s to be a novel platform, well, Epic knows all about the struggles of trying to work on Android outside the Play Store — users just aren’t interested en masse.
As has also been pointed out several times, Apple has a baked-in incentive to draw all users through the App Store in a way it does not on Macs. Its iPhones are a booming business, and the more users download apps through the App Store and sign up for subscriptions, the more of that 30% App Store cut that Apple gets to make.
But it is also not untrue that sideloading has risks, and users are more exposed to malware. The question is whether users want to take on that level of risk, and what Apple can do to mitigate that risk while preserving user freedom. That is what the company should focus on, rather than trying to fight the inevitable.