Apple's argument is basically, "It'll be chaos!!!"
But...
We don't have to wonder what it would be like. There's been mass use of platforms that allow "side loading" (AKA, just regular installing) and "third-party app stores" (AKA, just regular buying software) for decades.
No, it hasn't always been pretty.
Yet it just hasn't been that bad either, and the benefits have proven to be very substantial. There are incredible amounts of great software available that doesn't fit into Apple's idea of what ought to be allowed.
And it's not like you can download with confidence from the Apple App Store either. They play a cat-and-mouse game with malware constantly and there's been plenty of collateral damage.
I think there's no question third-party app stores, or just direct side-loading, would lead to a lot of new great software, without a ton more risk. I think the weakness of this argument document shows that.
One may object that it's government's fault, not Apple's, as they're the ones pressuring for this kind of censorship. But it is Apple that made these chains for their own benefit, knowingly exposing their users to this risk.
This viewpoint is popular here, I think we all see that, but I find it to almost always come from the point of view of a technically competent power user who can 1) make use of the expanded capability and 2) have the knowledge and instincts to protect themselves in the face of reduced or no guardrails. That is not the profile of the average iPhone user.
For the layperson (90+% of iPhone users) I find the argument unconvincing. They don't understand how to protect themselves. And what software is it that they would substantially benefit from if only it were not for a manufacturer-controlled app store monopoly?
Don't we all have memories of looking at a relative's computer and finding half a dozen browser toolbars and some mysterious impossible-to-uninstall programs running on startup?
> For the layperson (90+% of iPhone users) I find the argument unconvincing. They don't understand how to protect themselves.
I think this is by design. Stupid users make good consumers, so big tech has ignored improving, dumbed down, and removed the tools that would help users understand how to protect themselves.
Code signing and identity could be significantly better than it is, but no one wants to invest in improving that industry because it's much more profitable to convince people they need to rely on a huge tech company like Apple, Google, or Microsoft to be a curator.
The reality for me is that identity is worse on most of those systems and they end up being great for reputation laundering. App stores are basically the equivalent of 3rd party sellers on Amazon. Apple, Google, and Microsoft all lend credibility to bad actors when they allow them in their app stores.
Personally I don't even use the app stores for discovery. I look online for recommendations and a decent company presence. Basically I try to judge a company by how much money it looks like they spent on their brand. Using a dictionary word .com? That's reliable. Using supergameofthelegendsprohd.top? No thanks.
Why can't they make side-loading work the same way loading custom ROMs used to work on Android - very impractical setup phase, but allows for ultimate freedom to those who need it?
You just need to have the setup be impractical enough for the layperson so that those who don't understand how to protect themselves don't stumble into a situation where they have to.
Don't create a false dichotomy here. Also, most of the people I know of don't side-load apps onto their Android devices, and it's still a shitshow security-wise. Don't conflate side-loading with bad security.
I find it ridiculous that to run a bit of iOS code I have to spend hours chasing down someone with access to authorize my signing keys. It's a fruit company laptop using a fruit company IDE and a fruit company mobile device, yet I still have to jump through all of these hoops to run my own code on devices that I own?
The instant some hugely popular app (Fortnite?) needs to be installed this way, the app maker will make videos or tutorials on how to jump through the hoops. This will normalize the practice so that people also do it for a “fart app” that is really something more nefarious. Next thing you know, we’re right back to how Windows was, with a bunch of browser toolbars and now the need to sideload an antivirus app, which itself will drown the phone in glitches.
> And what software is it that they would substantially benefit from if only it were not for a manufacturer-controlled app store monopoly?
Look at all the software that is available for MacOS that is not available for iOS.
> Don't we all have memories of looking at a relative's computer and finding half a dozen browser toolbars and some mysterious impossible-to-uninstall programs running on startup?
No one is suggesting running Windows 98 and IE 6 on phones. It's weird, we literally have an apple-to-apple comparison with MacOS and iOS and instead we're dredging up a straw man of old software designed to be insecure.
But isn't the whole point that the average layperson is never going to sideload in the first place? If you make it just difficult enough, very few people that aren't tech-savvy will dare to try it, but then the rest of us can enjoy the benefits.
> But isn't the whole point that the average layperson is never going to sideload in the first place?
If Facebook pulls its app from the Apple store and only releases it on a third-party store, those laypeople will follow. And much of the noise and content in the "sideloading" campaign for iOS comes from Facebook and similar companies with a monetary interest in getting around Apple's rules.
If this is actually the case, why does Facebook keep their app on the Play Store? I'm almost certain Facebook would not choose to take the path with more resistance for its users, because a significant percentage of them will simply not install the app.
Because it can spy on people if they install from the Play Store.
Facebook has spent millions on full-page newspaper ads this year attacking Apple's App Store anti-spying policies. It hasn't said peep one about Google.
The main argument for the decision against sideloading (which they allow on macOS) is on p.6, where the idea is that your iPhone contains more sensitive and personal information than your computer.
The "fate of the PC" thing is funny because one might think that they're just throwing a jab at themselves, but they've campaigned very effectively for their customers to think that the Mac is not in the same category.
I noticed that too. I found it very distasteful and grossly misleading. It says:
> When iPhone was developed, PCs were the world’s primary computing tools, and they were riddled with viruses.
Okay, but Macs managed to buck that trend because of your superior engineering, right Apple? Right? Hello? I mean... that's what you've been telling us for decades, Apple.
Oh, you meant PCs not Macs in the above quote? That's a bit disingenuous isn't it? It's (ahem) Apples to Oranges isn't it? Are you selling oranges or apples?
Note: I'm a fan of Apple's products but am getting tired of their sleight-of-word bullsh*t. This outright deceiving behaviour is disgusting.
I think the crux of this issue is that social engineering will always be a problem on a truly free platform. No matter what mitigations Apple puts in place, nothing stops me from just sending an iMessage to a few hundred people pretending to be the government, asking them to send me their SSN. Nothing stops me from emailing them a Google Form where they punch in their credit card info, and nothing stops me from making memes about how you can charge your iPhone in the microwave. That last echelon can never be conquered, so why play for table scraps in the first place? Simply put: control.
The incredibly public lawsuits Apple has found themselves in have only demonstrated how they fight tooth-and-nail to hide the most nascent of details. They fully intend to control their narrative from top to bottom, and it blows me away when I see politicians entertain this security theater.
> We don't have to wonder what it would be like. There's been mass use of platforms that allow "side loading"
Apple is a significant vendor of such platforms.
They have an A/B experiment running on the Mac. I prefer to buy directly to send more money to the developer, but I suspect most people prefer the (confusing) store.
Kind of, in terms of sideloading restrictions; not at all in terms of software library, business model, and incentives.
Most (70%+) of Apple's iOS App Store revenue is from games (largely in-app purchases since mobile games tend to be "free to play.") In fact Apple's profits from iOS gaming are larger than the gaming profits of Sony, Nintendo, Microsoft, and Activision combined.
You can ask any poor Mac gamer about the state of the Mac game business... it isn't great, and it certainly isn't Apple's bread and butter like iOS gaming.
From the perspective of Apple's business and profits, the iPhone is largely a walled-garden game system, much closer to the PlayStation, Switch or Xbox than to the Mac.
Apple isn't wrong about potential security and privacy threats, but the threats to Apple's business and profits are most likely the driving issue.
I think that there is great software that is available on separate app stores as third parties but to be honest your perspective is truly the issue.
The primary purpose of sideloading apps is to get the app downloaded and play it for free. This in turn creates a security problem when you allow for anyone to side load apps.
We can see this in Windows and macOS where people who have full access to a computer generally get malware onto their computers.
What macOS and even Windows are moving toward is a containerized system for programs to run. This is going to be the best solution eventually. This is at the cost of performance (especially Windows, which sees a 30 percent drop in gaming performance).
I think to allow external app stores would be a vetting service and also Apple would have to create a sandbox for the apps and also possibly some analysis to make sure that the side loaded apps aren’t just someone else’s stolen video game. Unfortunately until some kind of law is done Apple has no incentive to actually allow this to occur.
If this was actually about security instead of control, Apple could compromise: Allow third party app stores to exist, but Apple gets to sign the third party store app itself (and can set minimum requirements like app review).
It may sound counter-intuitive, but the whole issue here is that Apple is using their store for anti-competitive things (e.g. blocking/slowing competitors, requiring the use of Apple's payment infrastructure, Apple's ads, etc).
If third party stores could exist, you wouldn't need side loading, and security isn't completely compromised as hopefully the third party store provides some level of assurance (Vs. essentially none with side loading).
This of course won't happen because it is absolutely about control. Apple may one day allow side loading but will make the process incredibly unpleasant citing For Security Reasons™ as their justification.
Yup. Trying to solve security and control with the same hammer is going to get them in trouble. If I make a calculator app, it’s fine to review it and make sure it’s secure, but to tell me that there’s too many calculator apps (or worse reject for a bullshit reason and make their own) is going to get them in trouble.
Security checks are fine, choosing who gets to enter is not.
The reason nobody wants this is that it barely moves the needle. Apple is still the de-facto "gatekeeper" if they set the rules for running a third-party app store like app review and what specifically has to be reviewed (which they need if they don't want the 3p dumbing down the review process to something like just verifying the name matches the app functionality). I don't think many developers interested in a new app store would take it if Apple randomly blocking them for not having stringent-enough app review is a possibility.
That wouldn’t be a compromise at all. Once a store was established Apple wouldn’t be able to close it because of anti-trust issues.
Facebook would start a store, data gathering would be built into every app that store sold. Apple would not be able to reject the store itself because Facebook would sue them for anti-competitive behavior.
I've thought about this too. Here's how my (admittedly half-baked) idea might work:
1. All apps are reviewed and hosted by Apple.
2. Third party app stores act as a layer on top. They pay a commission to Apple on sales (let's say 5-8%) to cover their review and hosting costs plus provide some profit.
3. The app stores set (and compete with) their own prices and services on top of that.
4. Apple maintains its own App store as well.
Here are the key bits:
A. Apple must review Apps for security and privacy issues. They can choose not to sell it in their store if they find it morally objectionable but they cannot restrict other App stores in what they sell (assuming it's legal, and passes security/privacy checks).
B. Third party stores can sell whatever they want from the list of apps having been security reviewed by Apple. You'd end up with some cool niche app stores (imagine one with impartial game reviews, or one that only lists non-subscription apps, or one that serves [insert your favorite niche here]).
Benefits:
1. For users who like Apple's current model, nothing changes. However, they benefit from increased competition and (likely) better pricing.
2. Apple cannot block apps from being available in third party stores just because it doesn't like them, but it doesn't have to sell apps on its own store that it doesn't want to. Win/win.
Unanswered questions:
1. Who will handle refunds/complaints/etc? A: I'm not sure, I'd have to give that more thought.
2. How would the fees work exactly? A: Again, I'm not sure... it might require a fee per app review instead of the current model. (Otherwise Apple would be flooded with Apps to review that have no intention of appearing on Apple's store).
In summary: The security threat model is unchanged, users enjoy better selection of Apps and better pricing (and other innovative features) from stores.
Yes, it's a half baked idea but there could be the basis for a really good compromise in this sort of arrangement. One that ultimately benefits consumers first.
> It may sound counter-intuitive, but the whole issue here is that Apple is using their store for anti-competitive things (e.g. blocking/slowing competitors, requiring the use of Apple's payment infrastructure, Apple's ads, etc).
This wouldn't work; Apple's entire argument is that their standards for application review are "baseline", so to speak; they're not overbearing, and are minimally necessary for a store to have high security.
(We all know this isn't true, but this is their argument).
So, they allow alternate storefronts. Assumedly, these storefronts are allowed to enforce different rules, right?
Are the storefronts allowed to distribute porn? This literally came up in the Epic v Apple case, when Apple argued that Epic's distribution of the Itch.io game store was tantamount to Epic's implicit approval of everything Itch.io distributed, including some pretty graphic pornography. Epic argued that this wasn't the case, and they only approved of Itch.io's governance process, not all of the content.
In other words, Apple has already argued in court that there's a transitive nature to approved policies of stores-within-stores. I agree with Apple on this one! A situation with Apple approving stores-within-stores would only lead to one of two outcomes: Either these stores have to abide by the same policies the app store enforces, so there's no buff to user/developer freedom but a big debuff to user UX, or, they're allowed to make their own policies, in which case Apple is transitively forced to distribute porn (and violent content, and third party payment processors, and video game streaming services, and everything else in the area between "legal" and "Apple refuses to distribute" today).
This doesn't seem fair either, does it? To some degree, to me, it feels like forcing Disney to produce NC-17 gory horror movies.
But, the situation is not identical, because Disney is not the only producer of movies for half of the US population. The better solution is not to force this through the App Store, and instead force what Android does; distribution over the internet (of either individual applications or entire stores, both should be allowed).
This is fundamentally less secure, but it's also how every other general purpose computing platform works. Apple shouldn't be forced to carry and distribute any and all kinds of applications, but iOS itself should be open to run any and all kinds of applications. Let the open internet handle the distribution.
I appreciate that requiring the use of the App Store makes security easier but I think the current situation gives Apple and Governments too much power over developers and users.
Side-loading should be permitted. I am okay with it not being allowed by default but it should be something a user can override.
One of the salient points Apple makes in the document is that by the mere ability for sideloading to be possible, it would be forced upon users by schools and jobs. It also opens an entirely new attack vector by spoofing and other means of deceiving the user into sideloading an app they didn't mean to.
> Apple is happy as can be to let enterprise (and schools/gov/etc) force users to install apps.
The enterprises are "forcing" the installation of apps on the hardware they themselves own. Corp A cannot force the installation of apps on Corp B's devices, or even on the personal devices of Corp A's employees.
I have an iPhone for work and my personal iPhone, and my work has no access to the latter.
I don't think there's any technical reason why you couldn't set up a MDM system for your own personal phones and have the same capabilities as an 'enterprise'.
There's nothing to stop enterprises from asking users to install their provisioning profiles on personal devices (technically the employee could say "no" but employment is "at will" in almost all of the US, so....)
And yes - I can set up an MDM system, but that doesn't provide the same utility as a store.
Nor does it work around the profile limitations built into iOS (again, I'm out of date, but previously you could only have a single provisioning profile installed on the device - this was actually the recommended way to prevent this type of attack: pre-install your own profile).
I guess it's telling in a way of the PR push if users believe that Apple is constantly and always protecting them, even when they do absolutely nothing.
Page 26, paragraph 3 seems to make exactly the claim GP made. But you're correct, I haven't read all of the 28 pages of Apple's argument here. From what I have read, they don't seem to be discussing potential benefits that come from sideloading, only costs.
> Even users who decide they don’t want to sideload, and prefer to download apps only from the App Store, would end up being harmed. They could be forced to sideload an app they need for work, for school, or for social inclusion if it is not made available on the App Store. Furthermore, cybercriminals and hackers may trick users into unknowingly sideloading an app by mimicking the appearance of the App Store, or by touting free or expanded access to services or exclusive features.
With the NSO revelations we know that Apple can secure their own apps and from the other releases of zero days we know Apple is bad at communicating with security researchers and that their automatic security review is a joke, honestly someone motivated could implement a better security scanner that could actually catch the "private" API usage though we all know that the solution is to not have private/hidden APIs that are shared only with special apps like Apple ones and partners.
I think you deeply misunderstand what it takes to run a marketplace generating $60+ billion revenue and serving over a billion users thinking “we can just run a safer store ourselves” by “simply implementing better security scanner”
> I think you deeply misunderstand what it takes to run a marketplace generating $60+ billion revenue
A monopoly is an easy way to do it, then inconsistent review and bad security scanners are irrelevant, you need to add some PR team to try to defend all the bad stuff and misdirect.
> Over the past four years, Android devices were found to have 15 to 47 times more malware infections than iPhone.
This reminds me of the NSO and Apple's history of failing to cooperate with security researchers.
If sideloading "were possible" and "forced upon users by schools and jobs" then I'd find it interesting that Android users by far haven't complained about this. I used to use an Android device and never had anyone force or tell me to sideload an app that I didn't want to use myself.
I've actually had to install more apps through the Play and App Store for my education and work.
All this said - my current iPhone 6s will be derelict soon and replaced by a de-googled Android device in the future.
I don’t understand why the “private” apis aren’t protected by capabilities. iOS has the facilities to lock these apis down properly https://developer.apple.com/documentation/xcode/adding-capab... . Grepping App Store submissions seems obviously flawed.
That's not what is meant by private APIs. There's a difference between the ability to call an API and getting a specific result of the API.
What you're linking to are entitlements. The APIs for these entitlements are very much public but will not yield a valid result if the entitlement is missing or the user hasn't provided access. Private APIs, on the other hand, will return valid results each time. However, they are often hidden behind actual public APIs. For example, take these two stack frames:
The reloadData call is a valid, public API call. Internally, it then calls the function in frame 9. Calling the function in frame 9 directly from within app code would be a private API violation. The Objective-C runtime makes it pretty easy to call private APIs through use of target/selectors and msgSend. I don't believe checking at runtime if a private API call is made is practical. For one, I'm not sure how technically feasible it would be but worse, there would be a performance penalty accrued with every private API. More importantly, though, the app would already be out in the wild. Compile-time and app review is really the only time to check. To the best of my knowledge, I'm not sure there's a way to force a private API call within Swift, particularly for classes that don't inherit from NSObject or are functions not tagged with @objc.
> Adult video chat sites lure targets into downloading spyware
Contrary to all the apps on the proprietary stores of smartphone manufacturers that never spy on people.
Information extraction is a security issue, plain and simple. Smartphones are extremely bad here compared to platforms that allow sideloaded apps. Being dependent on one manufacturer is also a security issue.
So I don't understand the security argument. Apps on shops probably don't contain malware, many of them exploit you legally. The software landscape outside of stores is far less prone to exploitation.
> Contrary to all the apps on the proprietary stores of smartphone manufacturers that never spy on people.
At no time did Apple state that there are zero apps in its store that violate its guidelines and spy on people. You're taking one side of an argument that doesn't exist.
Too often in this debate, people think that pointing out that Apple isn't perfect somehow negates all of its legitimate arguments. It doesn't. Not even remotely.
Remember when LinkedIn made an app that MITMed email connections just so they could add a signature to your messages? [1] Or when Facebook was distributing internal dev certificates to the general public so they could collect data on teenagers using private iOS APIs? [2]
Sure, most here would know not to do it, but it’s abundantly clear that the general public cannot manage technology.
And this is what these companies were doing publicly. Imagine if they had unrestricted access through other app stores? Data is the modern day gold rush, and it seems like every company has gold fever. They just can’t help themselves in being as intrusive as humanly possible. It’s nice to have some kind of control over it.
I would be open to alternate app stores if and only if they were unable to circumvent MDM restrictions. At least that way you could protect company assets.
Personally I think sideloading on personal computing devices like smartphones should be mandated by law, and then the big brains at Apple can figure out how to make it secure.
While I don't ordinarily approve of whipping out the law hammer to solve every problem, this does provide a little food for thought.
Instead of a gub'mint telling Apple "OK, you have to let there be an app store free-for-all right now" and Apple watching its work descend into chaos overnight, there could be a middle ground: "OK, you have to let there be an app store free-for-all in five years." That could give Apple a good amount of time (and it already has the money) to harden iOS as much as it can.
(I'm only half-way through reading the Apple document, so maybe this is addressed later.)
Perhaps it might mean Apple has to slow down feature development, beef up its sandboxing, switch to memory safe languages like Swift, or do more to entice developers to its app store. All of these would be good outcomes.
I'm fine with giving Apple a bit of a lead time here, but ultimately people should have the right to do whatever they want on their own personal computing devices.
I think Apple makes great products and skimming through the paper, I find this analysis to be on-target. But this is coming from an obviously biased source.
As with most things in security, it's a trade-off between competing goals and principles.
I use an old android phone reflashed to e.os using f-droid. I think all those threat modes are avoided by using it.
I don't think it is safe for every user to do the same I did, but I'm glad I could do it.
I think a reasonable solution would be something like a hardware seal that unlocked the bootloader once broken. If the vendor worries about how this may affect them, breaking the seal could also void device warranty.
I'd gladly buy a second hand still powerful device, void its warranty and install whatever I wanted on it.
Granted, I've never submitted an app to the App store (outside of work) and I do have some serious reservations about how Apple runs the store, but I actually like the fact that the only way to sideload apps on the device is to jailbreak or compile and install the app yourself (provided you sign up as an Apple developer account). I think the lack of officially sanctioned sideloading keeps the device simpler, and in my mind that's more secure.
I am maybe the anomaly in this crowd (I also don't develop apps for iPhones) but I appreciate the security benefits that Apple puts on people. Sure it comes at a cost of "freedom" of applications that I could put on my phone, but it gives me a bit of peace of mind that my aging parents and my nieces and nephews are able to use the phone without downloading very risky applications (I mean there are still risks abound, but it decreases it significantly). There are already enough security flaws that continue to be patched up on an on-going basis that it seems unnecessary to open this level of risk for their client base. One less thing I need to worry about.
You can be alone in this in the tech bubbles where developers suggest mums use Kubernetes to run their knitting blogs and complain why they can’t run Docker on their iPads.
Outside of this, while Apple has a financial incentive for the status quo, they also care about customer experience (we know Apple is laser focused about this even in the pre App Store years and decades). And on the whole, sideloading will do more harm than good.
It’s the sharpest of all double-edged swords. Of course I would immediately sideload a Gameboy emulator but I’d want it to be signed by Apple. Maybe even Mozilla would make a proper build of Firefox for iOS.
Surely Apple is confident in its app sandbox security model and can properly enforce those boundaries, right?
I find Apple’s most convincing argument to be that schools and businesses might force you to sideload their craptacular app that didn’t pass review.
The argument about users being forced to sideload apps by their school (effectively spyware) is a good one. This has become a real issue during remote learning.
Ultimately, if Apple keeps insisting on digging in their heels on the supracompetitive 30% commission, then governments will have to act with a broad brush and allow sideloading as a way to force competition.
Until we can safely support native mobile code, and let the hardware and OS keep it from going rogue, we're on the losing end of the war against general purpose computing.