Apple Argues Against Allowing App Sideloading By Pointing Out Android's Malware Figures

Apple said today that one of the reasons it does not allow app sideloading or the use of third-party app stores on iOS is because of privacy and security reasons, pointing to the fact that Android sees between 15 to 47 times more malware compared to its app ecosystem. The Record reports: Apple says that the reason its iOS devices are locked into the App Store as the only way to install applications is for security reasons, as this allows its security teams to scan applications for malicious content before they reach users. Apple cited statements from multiple sources (DHS, ENISA, Europol, Interpol, NIST, Kaspersky, Wandera, and Norton), all of which had previously warned users against installing apps from outside official app stores, a process known as app sideloading.

Apple's report then goes on to list multiple malware campaigns targeting Android devices where the threat actors asked users to sideload malicious apps hosted on internet sites or third-party app stores. [...] The list includes a host of threats, such as mundane adware, dangerous ransomware, funds-stealing banking trojans, commercial spyware, and even nation-state malware, which Apple said threat actors have spread by exploiting the loophole in Android's app installation process that allows anyone to install apps from anywhere on the internet. Today's 31-page report (PDF) is the second iteration of the same report, with a first version (PDF) being published back in June, shortly after EU authorities announced their investigation.

yeah right!

[bloodhawk]

Apple says that the reason its iOS devices are locked into the App Store as the only way to install applications is for security reasons

ROFL, seriously Apple at least be fucking honest, the reason is firstly and foremost profit and lockin as Apple repeatedly demonstrates security is always a secondary concern on Apple devices. having said that yes that lockin does give the extra benefit of more security but I don't think you are fooling anyone into believing that is your primary concern.

Re:

[Anonymous Coward]

They don't even end to end encrypt iCloud backups. So much for security and privacy. The endgame is always about less control for the user, more invasive privacy violations and more profit (subscription models where they can change price at will and essentially force updates are great for this - no more using old but useful versions). The only question for these companies is how much users can be pushed while tolerating these decisions. The answer is quite far and much more than they were willing to first r

Re:yeah right!

[omnichad]

income security

Re:yeah right!

[thegarbz]

as Apple repeatedly demonstrates security is always a secondary concern on Apple devices

[Citation needed]. While it's obvious that their security is not perfect, especially the security of the walled garden I think it's clear as day that Apple do actually take security on their devices quite seriously which can be easily seen in the evolution of the security options they provide users over the many years, and in some cases security options that remain unmatched by other devices (e.g. FaceID vs Windows Hello vs Androids even worse than Microsoft's system, SecureEnclave in all their devices, corporate security isolation features being the reason iPhones used to be the only allowed device in a company, etc).

The fact that they have profit motive as well doesn't change that they pay more than just lip service to security.

Re: yeah right!

[dwater]

*secondary*

Re:

[Rob Y.]

That may be true, but it mostly concerns tracking and other forms of 'legal' cyberstalking that Google's business kind of depends on - giving Apple an advantage there. But sideloading... I seriously doubt that very many Android users do that at all - and that it is a significant source of malware. So yeah, Google should screen apps in their store better - and one of these days they're going to be forced to be less of a stalker. But sideloading is a red herring. Apple could even allow alternative app st

Re:

[monkeyxpress]

Also their PR speak is terrible these days. I remember when the App Store was originally released and faced the same criticism about being a walled gardens, Jobs made the quite sneaky point of saying Apple was supporting two systems - Web Apps and the App Store. He made it sound like users and developers could choose which way they wanted to go, so that Apple wasn't restricting freedom but actually expanding it. The faithful and the media lapped it up.

That is how you do PR. The reality distortion field was

Re:

[mrfaithful]

In fairness at the time it sort of made sense. The iphone had a proper browser that could do this new "web app" thing as opposed to the barely functional javascript enhanced web forms that your pre-android phone would have had. Plus the early *public* SDK was really barely more capable than what you could achieve in Safari. I remember all the good apps were jailbreak only... Hell, apple even provided hacky mobile Safari proprietary hacks to allow webapps to behave more like native apps with home screen icon

Re:

[drinkypoo]

The reality distortion field was in many ways Jobs' greatest creation.

In every way, really. If Jobs had his way no Macintosh would have been openable by the owner, nor have an expansion bus. Jobs' darker desires always had to be moderated by conscientious underlings lest he fuck everything all up.

Re:

[mark-t]

If that were the case, wouldn't Apple prohibit free apps that do not contain any monetization whatsoever from being allowed on the store? I do not recall seeing that anywhere in their tos.

why don't they lock the Mac?

[fred6666]

With the same logic?

Re:why don't they lock the Mac?

[Anonymous Coward]

They're trying. They introduced GateKeeper, then they changed the default to only allow apps signed by Apple, then they removed the option to allow unsigned apps from the GateKeeper settings altogether and introduced the dark pattern of having to Command+Click to bring up the context menu and then select 'Open' and this only works in Finder, there's no way to this in Launchpad.

Re:

[diffract]

true. I have a macbook and I hate having to go to system preferences every time I download an app from the internet to allow it to run. I don't even use the app store to install anything on the laptop

Re:

[iampiti]

I recently found that Microsoft is doing a variation of this: In many cheap laptops the installed OS is now Windows 10 S. What's the "S"? It's a version of Windows 10 that only lets you install apps from the MS store. Yes, exactly like a smartphone. There's apparently a way of switching that to a regular Windows 10 but MS must be betting on many people not caring or not realizing so they get those sweet app store revenues.

Re: why don't they lock the Mac?

[666999]

Not Command-click, itâ(TM)s Control-click to open the contextual menu.

Re:

[Coren22]

s/stolen/copied/g

Xbox canâ(TM)t play stolen games.

I am not even sure how that would work. How would an Xbox even know that I stole your game disk and put it in mine? It however won't play a copied disk, which is different from stolen in that the original owner is not deprived of their copy.

Re:why don't they lock the Mac?

[thegarbz]

With the same logic?

What makes you think they aren't heading down this path? Ever installed Mac software which hasn't been signed by Apple? If you have you may have heard of something called Gatekeeper. https://en.wikipedia.org/wiki/... [wikipedia.org]

Note that Gatekeeper gave the option to allow only Mac Store software, Mac Store + Any Signed by Apple software, or any software at all. Most notably, that last option has been hidden from the user 5 years ago and now required the user to actually jump through some hoops to install software that hasn't been given the Tim seal of approval.

Re:

[Anonymous Coward]

This is total and utter garbage. If it was true MS would be paying out settlements everyday. No court would find Apple liable for a user going to $randomshadywebsite and choosing to install $random malware. This is one of the most pathetic justifications I've ever seen for Apple's behaviour.

Meanwhile back in the real world the *more* you curate the *more* liable you are likely to be sued sucessfully. "I downloaded this app from *Apple's own store* and it was *curated and scanned by Apple* but it *still* con

Re:

[fred6666]

With the same logic?

What makes you think they aren't heading down this path?

Oh I can't wait they go down this path. Apple fanboys have been telling me for years that they aren't going this path. I'll just laugh if they do.

Re:

[flink]

It's really not as onerous as you make it out to be. You try to launch the app, you get a popup that it is untrusted and to go to security settings, you open the control panel and click a button that says allow. I don't particularly like it, and I only run MacOS for work, but it's not like they've locked anyone out.

Re:

[thegarbz]

It's really not as onerous as you make it out to be.

I didn't say it was onerous, I said they were heading down that path. 5 years ago you could disable Gatekeeper completely. Now you need to either on a case by case basis go through the hoop you describe, or fire up a command line to re-enable to option to disable Gatekeeper.

What do you think Apple will do 5 years from now? Reintroduce the checkbox or make you slaughter a goat in a pentagram while muttering Job's name backwards while simultaneously clicking install?

No company is making things easier or impli

Re:

[fred6666]

I don't particularly like it, and I only run MacOS for work, but it's not like they've locked anyone out.

...yet!

They've locked iOS. By applying the same logic (keeping malware out), they should lock Mac OS as well. We all know the real reason is not malware but the 30% fee, though.

Re: why don't they lock the Mac?

[xavdeman]

Windows should have such a feature for most users.

Re:

[Anonymous Crowded]

Well, if you consider a desktop in a single-family home, you've got a lot less vectors of attack.

Your phone is almost always exposed - it's closer to taking an out-of-the box, not updated laptop into an airplane terminal and try to send an e-mail at CarBlox coffee . . .

I think we're beyond the point of any super gains to be had from an open iPhone. The only thing I would consider over a top-end iPhone is the Librem 5 (which I occasionally drool over but go back to work after that). To me, gaining addi

Re:

[fred6666]

Well, if you consider a desktop in a single-family home, you've got a lot less vectors of attack.

Most Macs are laptops. Most laptops are being carried arround, including in airports and Mc Donalds. So I don't see your point.

Re:

[Anonymous Crowded]

Well, if you consider a desktop in a single-family home, you've got a lot less vectors of attack.

Most Macs are laptops. Most laptops are being carried arround, including in airports and Mc Donalds. So I don't see your point.

None are so blind as those who refuse to see. -Tony Danza

Bad logic

[Gabest]

Apps should be run by the OS in their own little environment limited by the API they are allowed to access. If a certain app can do damage to others its the fault of the OS. And I load as many malwares on MY PHONE as I want.

it's not YOUR computer

[Anonymouse Cowtard]

You purchase an iPhone but you do not own it. It's that simple. If that is acceptable to you then good luck.

Re:

[Brannon]

You purchased your microwave but I bet you haven't rewritten the SW on it once. What about your refrigerator? What about your car? Wow, congrats on being a SW sheep, dude.

Re:

[Don'tJoin]

Difference being a pocket computer is meant to run software, a microwave is meant to heat food, a fridge to cool it, and your car's raison-d'être is taking you from point a to point b.

Re:

[sysstemlord]

Exactly, now what would you think if the shop that sold you the refrigerator and microwave, locked you to buying food from them to prevent say.. food poisoning?

Re:

[thegarbz]

If that is acceptable to you then good luck.

Luck is reserved for users put some idealised form of ownership above their own security self interests. We as a human race outsource our protection in every way.

Except those who live in Texas, they rather build up an arsenal to defend themselves and theirs. Me I outsource that to the police. My parents lived in South Africa for a time in a very literal walled garden, and that worked well for them too. I doubt they'd fair as well if they took their security into their own hands.

Remember there are 0.7billion

F-Droid

[Anonymous Coward]

The only thing I side loaded is F-Droid which gives me far better apps and recommendations than other app stores

Like Parler, amirite?

[bill_mcgonigle]

Hell, I could sideload the infowars app if I wanted to.

But Apple will protect you from the zany man, Fortnite and Republicans.

Pssst - it's called censorship.

Re:

[Brannon]

Parler violated ToS by operating as a forum for hate groups and violent extremists. You're right that there's a lot of overlap between those groups and Republicans. I agree that's a problem, just don't think that it is Apple's problem.

Re:

[technosaurus]

As did Facebook and Twitter to an even greater degree, yet they were left alone.

Re:

[Freischutz]

As did Facebook and Twitter to an even greater degree, yet they were left alone.

Their turn is coming, in front of Congress, live streamed on any number of media platforms.

Re: Like Parler, amirite?

[EirikFinlay]

On my device, a device that i bought and that hence i own, i should be able to run any software i want and use it for any purpose i like, legal or even illegal.

It is not Apple's business what an adult does with his things, I'm old enough to decide with my own brain, thank you.

All about control and NOT user choice

[Anonymous Coward]

It's not like sideloading would be the expected and normal way to install apps. A person would have to willingly go out of their way to do it. They'd be aware of the risks. Leaving the walled garden would not be an accidental decision so what's Apple's argument here? No one's being fooled.

BTW: W10 is also incredibly obnoxious about updates - to the point of having to edit the registry to disable forced updates. I like to be in control of MY computer even if I were to apply all the updates. What if some futu

Re:

[account_deleted]

Comment removed based on user account deletion

Mac os

[tiananmen tank man]

Remember that time apple set the root password on MarOS as blank

Re:

[mrfaithful]

They didn't set it as root, it was even worse than that. The login service would fail to login as root with any password because the root account didn't technically exist, but as part of that failure sequence it would CREATE the root account with a blank password and then allow subsequent password-less root logins to succeed. Why the account would be created during a failure suggests someone was making hacky workarounds where they shouldn't and then forgot to get rid of it. You now have to wonder what else

Re:

[ArchieBunker]

AIX still does that.

It depends on what you see as malware

[Casandro]

For Apple and Google malware obviously is anything that goes against their business models as that's what they primarily care about.
For the user this is completely different. For them something like "adware" or "user metrics" is clearly malware, even though Apple or Google don't mind that in their stores.

Or put bluntly, the official stores are full of malware while on Android you at least have a chance of ditching the Google store and use only fdroid.

Virus scanner on iPhone?

[SmaryJerry]

My PC literally scans everything I download the moment it is downloaded. Why does that need to be done by Apple? Why can’t they have a scanning system like a PC again? Or even a Mac with anti malware software, and leave the fibal option to install to the user.

Re: Virus scanner on iPhone?

[EirikFinlay]

Because the only security they care about is the security of their own income. Take away the Apple store from the iPhone and they will lose control and with it a ton of money.

Lame argument

[DrXym]

Apple's ecosystem is a walled garden. Android's ecosystem is a walled garden with a gate that you can open to go outside.

But going through the gate is the user's choice to make and so too are the risks that come with it. Yeah a user be an idiot and install some warez. But just as likely they might install some reputable 3rd party appstore through this route. Or other apks that reside outside of the Play store for their own reasons. e.g. the Fortnite installer is an external apk because Epic want to keep

Re:

[iampiti]

Yeah, spot on. I really much prefer the Android way: Equally safer for most users (since they'll never even find out that they can install things from outside Google Play) and flexible for those who want it or need it.
I personally install apps from F-Droid and also have bought apps from other places (Humble Bundle being one) and I can just dowload the apk and install it myself.
I suspect most people being infected are downloading pirated versions of commercial apps, and frankly, if you're doing that you sh

Re:

[DrXym]

I definitely think that warez are the most common point of malware in Android. If someone is dumb enough to install an apk they got off e-bay or some dodgy Chinese website they will reap what they sow.

Re:

[DrXym]

Doh I meant Pirate Bay. Brain not work so good first thing in morning.

Apparently not counting spyware as malware

[drinkypoo]

Because the Apple store has an absolute shitload of spyware.

Of course, Apple is now in the spyware business that they always claimed they weren't and wouldn't be in, so they have to claim spyware isn't malware so they can claim their software isn't malware.

Photos makes me want to switch to Android

[omfglearntoplay]

#1 most important phone feature as a parent... pictures on my phone. And Apple has made backing them up to a PC or thumbdrive or external drive abso-Fucking terrible.

Every time I buy a new phone, I consider switching to Android because the photo file backup and copy options from iPhones to Windows gets worse EVERY single time I turn around. Back in the Windows XP days, you could plug in an iphone and have windows auto-copy all photos to your C: drive. Today? I have to fight with it over and over again, then

A man can dream..

[RealNeoMorpheus]

That Apple was forced to also allow the customer that PAID for their device, to do as they wished with them.

Sideloading is not enough, I demand to be able to install whatever OS I want, so force them to also unlock the bootloader.

We paid for these things, I dont get why the apple white knights keep defending Apple and other companies by asking for LESS options, instead of more.

Android is a bigger market

[jddimarco]

Android has nearly 3 billion devices in use, there are about one billion iPhones, so at least some of that malware difference reflects the greater attractiveness of the larger Android marketplace to malware writers. Apple is at least partially right, though, in that the restriction to the Apple store does makes it more difficult for malware (and other software) to get onto iPhones.