Friday, June 25, 2021

Apple Attacks Sideloading

Apple (ArsTechnica, MacRumors, 9to5Mac, Hacker News, 2, 3):

Thanks to all these protections, users can download any app on the App Store with peace of mind. This peace of mind also benefits developers, who are able to reach a wide audience of users who feel confident downloading their apps.

[…]

Allowing sideloading would degrade the security of the iOS platform and expose users to serious security risks not only on third-party app stores, but also on the App Store. Because of the large size of the iPhone user base and the sensitive data stored on their phones – photos, location data, health and financial information – allowing sideloading would spur a flood of new investment into attacks on the platform.

[…]

Studies show that third-party app stores for Android devices, where apps are not subject to review, are much riskier and more likely to contain malware as opposed to official app stores.

[…]

100,000 new apps and updates are reviewed every week on average by a team of over 500 dedicated experts, who review apps in different languages.

[…]

By providing additional distribution channels, changing the threat model, and widening the universe of potential attacks, sideloading on iPhone would put all users at risk, even those who make a deliberate effort to protect themselves by only downloading apps through the App Store.

Needless to say, I do not find this very convincing. Apple’s perspective is certainly valid, but this is, as expected, not trying to be a fair presentation of the different options. Rather, it’s a skewed framing that ignores the downsides of Apple’s approach and the upsides of the alternatives. It assumes that App Review is effective at catching scams and privacy violations. (Try calculating from the numbers above how much review time each app gets.) Apple wants you to think that with sideloading customers would be on their own in determining which apps to trust. And that the different things the App Store does are only possible if bundled together.

Sami Fathi:

Speaking to Fast Company, Apple’s head of user privacy, Erik Neuenschwander, said that opening the doors to sideloading apps on iPhone and iPad, which would enable users to download apps from the web and other app marketplaces besides Apple’s App Store, could lead users to be “tricked or duped” into “some dark alley.”

John Gruber (tweet):

I think it’s good, fair, and cogent. I highly encourage you to read it — it’s not long — then come back for my annotations below.

[…]

What the sideloading arguments ignore are the enormous tradeoffs involved. Yes, there would be benefits — a lot of cool apps that aren’t permitted in the App Store would be installable by as many iOS users as want to install them. But many non-technical users would inevitably wind up installing undesirable apps via work/school requirements or trickery that they could not be required or tricked into installing today.

There are tradeoffs either way, but I just don’t see the basis for these assertions. I don’t hear stories about lots of non-technical Android users doing this. Businesses can already force employees to install certain apps, and these apps can already bypass App Review via Apple’s enterprise program. Centralizing app distribution in the App Store makes it a magnet for fraud and scams, because it’s much easier to game the App Store than traditional marketing and distribution. This, combined with the false sense of security that Apple offers, may actually lead to more users being tricked.

Typical users install more apps on their less capable phones than they do on their far more capable PCs. This is as close as we can get to proof that Apple’s App Store model on iOS hasn’t just worked, but has proven to be wildly successful and popular with users.

Or maybe phones and PCs are just different. Controlling for that by looking at the Mac, where users have a choice between the two models, does it seem like the Mac App Store is wildly more successful?

I’ll admit it: if Mac-style sideloading were added to iOS, I’d enable it, for the same reason I enable installing apps from outside the App Store on my Mac: I trust myself to only install trustworthy software. But it doesn’t make me a hypocrite to say that I think it would be worse for the platform as a whole.

Worse because users would choose to sideload and regret it? Or because they would be forced to sideload to get key apps? I think the benefits far outweigh the downsides in the first case. The second case is I think the strongest argument against sideloading, but I think the evidence from Android is that in practice it’s not much of a concern. Users are not, in fact, sideloading an extra creepy version of the Facebook app. They still have to download it from the Google Play Store. If anything, I think this points to the benefits of sideloading maybe being less than we’d hope. The vast majority of Android users probably don’t sideload at all. With so much inertia behind the App Store, and the fear mongering and user interface nudging that Apple would inevitably apply, it may not be feasible for most businesses to succeed outside the App Store.

The above is a goal of the App Store — and I would argue that [ensuring apps are trustworthy] remains the primary goal. But clearly the App Store serves another goal for Apple: making the company money. […] That’s a conflict of interest, and it detracts significantly from Apple’s entirely legitimate trustworthiness argument defending the App Store model for distribution.

If you were designing a system primarily to protect customers, the last thing you’d want is for the entity reviewing apps to be making money on each one sold. And, just as you’d expect from such an arrangement, we see scammy apps among the top sellers and legitimate apps rejected for business rather than safety reasons.

Guilherme Rambo:

Side loading wouldn’t mean that the sandbox just suddenly goes away. The stuff described here could very well be done by an app in the App Store today with an exploit; we know how good they are at finding scams…

I think the problem is that people read “side loading” and they immediately think of jailbreaking, which allows apps with arbitrary signatures and entitlements to run on the device. That’s very different from just side loading apps as they exist today (and with notarization).

Scott:

Today’s media blitz by @Apple re: #sideloading is nothing short of appalling in the sheer amount of bullshittery.

Riley Testut:

It’s clear Apple’s very concerned w/ antitrust legislation, as this document is effectively just a scare-tactic predicated on some misleading information[…]

Marco Arment:

The best thing Apple could do to protect the safety and security of iOS touted so heavily in that sideloading PDF:

Lift the most anticompetitive IAP rules.

Without them, no government would have enough reason to force larger changes like sideloading or alternative app stores.

Apple’s continuing their gross PR strategy of conflating:

- IAP restrictions
- App Store distribution
- app review
- iOS’s technical security

…to confuse people into thinking they’re all equally required parts of the whole iOS app-security package.

But they’re not.

Nick Heer:

In a parallel universe — one in which Apple cut its commission over a period of several years, as Phil Schiller suggested, and where it was not so prohibitive with its anti-steering rules — would it be getting sued by developers over its App Store rules, investigated by governments around the world, and be facing a battery of proposed legislation that would, if passed, eliminate the most compelling qualities of its products? I cannot imagine the situation would be this heated. But we do not live in that universe; in this one, that is the gamble Apple is making, and customers and developers are left hanging in the balance.

Also — and this is a little thing — but the repeated use of the “locked Apple” privacy graphic in that report is, I think, maybe not the greatest way of disabusing people of the notion that Apple’s ecosystem is so closed-off that it entraps users.

Ryan Jones:

It makes me furious.

Apple has apparently decided it’s worth ~$5B to let politicians rewrite the App Store rules.

Or they are really confident in their lobbying.

Steve Troughton-Smith:

You’d think if Apple actually wanted to avoid regulatory pressure they would reduce their rates across the board, and stop abusing their monopoly position by unjustly interfering in other peoples’ business models, but no, they want to have their cake and eat it too 🤷‍♂️

[…]

All of the malware scenarios Apple lists in its 16 page report could be done on the App Store today. The solution would be to ban the developer’s accounts and revoke the app’s signatures — which would also work in a world where those apps were sideloaded. No change at all.

Apple’s trying to pretend that opening up a little means opening everything up completely. It doesn’t.

Michael Love:

I wish Google would release data on what % of Android users turn on “Allow unknown sources” (system option to allow sideloading), because I bet it’s extremely small and it would completely undercut all of these Apple arguments about sideloading and malware.

nougatmachine:

My favorite part about this latest evolution of the PR push is when they say it’s acceptable on the Mac because so few people try new apps on the Mac, as though this is a natural state that Apple in no way could influence.


Update (2021-06-29): Michael Love:

“Our phones would be just as insecure as Android phones if it weren’t for App Review [which incidentally Google also has]” is… not the best sales pitch.

You could talk about how great the Secure Element is or benefits of integrated HW/SW design, but nope, gotta be App Review.

The idea that because a small % of Android users click through several very scary warning screens in order to install a small number of non-Google-reviewed apps, Android has 47x as much malware as iOS is quite a take.

Mike Rockwell:

The App Store is holding the platform back. There’s a lot that Apple could do to improve the status quo, but apps would still be rejected for absurd reasons and garbage games designed to separate you from your money will always find their way to the top of the charts.

Update (2021-07-02): Damien Petrilli:

A lot are only seeing the downsides of alternative App Stores, but there are a lot of upsides that might emerge.

One of them being cross platform license. Purchase your App on iOS, get the license on Android too. So you can switch without losing your purchases.

This stuff is pretty common on Mac/PC but not on mobile. Google and Apple are far too happy to have this cost of leaving their walled garden (in addition to the loss of all your books / movies / tv shows).

“Just switch” they say.

The anti-steering rule, in addition to keeping Apple’s revenue safe, is also clearly targeted toward preventing users from getting cross-platform accounts.

Forcing “sign with AppleID” is the same. Apple, under the cover of ‘privacy’, wants to limit the loss of user market control.

Kosta Eleftheriou:

Apple: Apps may only use public APIs.

Telegram: “VJJoqvuTfuIptuWjfx” 😅

The Washington Post:

He believed Apple’s App Store was safe. Then a fake app stole his life savings in bitcoin.

Update (2021-07-03): Glenn Fleishman (tweet):

While unfettered sideloading might not be what’s best for users, Apple is using a classic motte-and-bailey tactic to push back: instead of advocating for a position unpopular with its critics and that Apple likes (the bailey), the company instead pushes a connected but much more defensible position (the motte). Apple’s goal is total control of its platform and a generous cut of all revenues that pass through. That’s the bailey in this case—what Apple wants but would struggle to defend if stated openly. The motte, Apple’s easily argued position, is that smartphone users want to be safe and secure. The logical fallacy is Apple’s suggestion that if it were to loosen any control, iOS would fall like Rome to the barbarians when, in fact, there are existing counterexamples inside the Apple ecosystem itself.

[…]

Apple and regulators might reach compromises that don’t go as far as my suggestions above, but the paper is convincing only about certain aspects of Apple’s arguments. And there’s something about technology giants that brings politicians in the United States together across the aisle.

[…]

Apple oddly notes that “A study found that devices that run on Android had 15 times more infections from malicious software than iPhone.” The footnote cites Nokia’s 2020 Threat Intelligence Report 2020. That’s an accurate citation, but a bizarre statistic. The report says an average of 0.23% of mobile devices were estimated to be infected each month. Given that a couple billion Android and iOS/iPadOS smartphones and tablets are in use globally, that means roughly 5 million are infected at any given time…and that over 300,000 of those are iPhones. That number seems quite high relative to what we know about iOS security.

Update (2021-07-06): See also: Accidental Tech Podcast.


I'm relieved to see some prominent voices making the correct assertion that sideloading does not equal jailbreaking, because that seems to be what Apple is implying (and what Gruber repeats after drinking too much Federighi kool-aid).

One benefit that I haven't seen discussed is that allowing sideloading would surely result in the App Store getting better for ALL users, even those who never sideloaded anything. Because with sideloading, the opportunity would be there for all the big players like Facebook, Netflix, Epic, EA, etc to distribute their apps on their own... so I bet out of everything being discussed, THIS is Apple's worst nightmare. A more advanced or cheaper version of Netflix/Minecraft/Facebook gives nearly every user a reason to turn on sideloading, so they do it not just for Netflix, but they also start installing all kinds of apps from who-knows-where, and when something breaks, they will blame Apple anyway.

So to prevent popular apps from going rogue, Apple will have to get rid of many of their idiotic App Store rules, they'll have to allow third party in-app payments (at minimum, from trusted partners), and they'll have to reduce their fees to 10% for all apps all the time. The threat of sideloading alone is enough, even if it ends up being something that 99% of users never turn on.

Kevin Schumacher

@Ben G
What you're saying would make more sense if anything that you said was true on Android, which already does, and has for years, allowed sideloading. None of the companies you mention have sideloadable apps*. Every single one of them operates through the Google Play store. None of them have "more advanced" versions of their apps available elsewhere. And yet Google still has all of its rules, has maintained its commission (with a slightly different structure to Apple's as to when it's 15% vs 30%, but ultimately charges 30% against the vast majority of revenue), etc. The type of apps available through sideloading are not massively popular apps that everybody has on their phone.

Should sideloading be allowed? Decline to answer. But will it make the type of difference you're imagining? Nearly zero chance.

As Michael said:
> If anything, I think this points to the benefits of sideloading maybe being less than we’d hope.

* Ironically, given the trial that just occurred, Epic did try going the sideload route with Fortnite when it first became available on Android, but pretty quickly found their way into Google Play.

Old Unix Geek

@Kevin

If you try to sideload on Android, Google prints all sorts of scary warnings to dissuade you, basically implying if not saying that your device is now completely hackable. And Apple's document suggests they turn off all sandboxing (Ransomware disguised as a COVID app).

Implementing side-loading correctly should involve the user granting permission to access devices, other parts of the file system, etc. None of this is particularly new either. Sandboxing is just an evolution of Unix permissions, invented 50 years ago.

I agree that even if it were done properly, the side-loading market would be smaller, unless alternative app-stores were required to be installed on each device by Governments. Even so, it would still be useful. (Since multiple App stores would be clunky a better alternative would be to use the same installation app, but require multiple sources of apps, each app being cryptographically signed by the source. Users could then add further sources if they so chose.)

@Michael

"500 experts". Yeah, right. More accurately: "500 warm bodies".

100,000 apps / 500 "experts" = 200 apps per "expert" per week.

40 hours / week = 2400 minutes

2400 minutes / 200 = 12 minutes of "expert" review time per app.

And as we all know people really work 8 hours per day concentratedly.

Hopefully these 500 "experts" are not also responsible for banning 470,000 teams, rejecting 205,000 developer enrollment attempts and deactivating 244 million customer accounts, and rejecting 424 million account creations, because they'd have even less time to lavish on App Review.

This is a very biased argument. Not a reasonable explanation of why they think the trade-offs merit this choice. That Gruber finds this "good, fair and cogent" says a lot about him that is not particularly complimentary.

I found the argument a caricature. It's not even consistent. "As on Mac, we use automated software to scan apps for known malware". In other words, just as on Mac, one could obtain apps from something other than the App Store, and be just as protected from the known malware. And, of course, just as on the Mac, Apple could revoke the signature of any app proven to be ransomware.

It's pretty obvious that the 500 experts cannot deal with the malware aspect in the 12 allotted minutes. But the document argues that because iOS is so much of a more juicy platform than the Mac is, the level of malware attacks is too great for the sandbox and the malware scanner to resist on their own. These 12 magic minutes with the "team" of "experts", worth 30% of the App price, will be sufficient to protect against this onslaught of barbarians at the gate.

So what happens within these 12 incredible minutes? We are told that the "team" of "experts" reads the submitted documentation & verifies the wording (5 minutes?), manually checks whether the app doesn't unnecessarily request access to sensitive data (5 minutes?), and evaluates that apps targeting children comply with stringent data collection and safety rules (2 minutes?). Somehow none of that seems as if it would make much of a difference against malware pretending to be a COVID app, but actually encrypting your phone for ransom.

The document also includes some falsehoods about how only App Store provided apps can be controlled by App Tracking and permissions... That's obviously not true. Parents could still control how much time is spent on side-loaded apps despite what Apple said because iOS can kill any process it wants whenever it wants. Parents can already control what their children buy by not giving them credit card details, and punishing them if they steal.

Even the claim that App Review protects people seems quite preposterous. For instance, many games are "free". But then they addict you and ask you for money for in-game items. Addiction and gambling are real things that hurt people. Does Apple protect its customers from becoming casino zombies when we know that Facebook uses the same dopamine reward circuitry for updating its streams? No, it seems they are happy to host such apps, as long as they get their share of the loot.

An oversight in the report is that it does not mention the zero-days in Safari that allowed merely visiting a website to result in spyware being installed. Nor does it mention that a better use of 500 employees' time might be to improve security at the software level. That would be putting money behind their stated belief that privacy is a fundamental human right. But it would incur real costs such as employing real experts, and wouldn't bring in any revenue.

Which brings us to the final point: as you said, making money off the App Store is a conflict of interest that is neither quantified nor even mentioned in this "good, fair and cogent" report. So odd that they missed that elephant in the room.

Despite being a long-time Mac user, when I got my first modern smartphone 10 years ago I went Android precisely because I was concerned that the iPhone didn't allow side-loading.

Over the years I have been envious of the iPhone from time to time, but always because of the hardware (and sometimes available software), *never* because of the App Store and the so-called protections it provides.

I was an Amazon employee when Amazon introduced their own App Store for Android, which any Android user could install via side-loading. For a number of years I tried to use this store as my primary store, going to the Google Play Store only if I couldn't find an app.

As an app store it was just fine, in some ways better than the Play Store, but as an ecosystem it was disappointing—the selection was clearly not as good and, worse, often developers would have an app in the Amazon Store but then decide the Amazon store wasn't worth the effort and (silently) stop updating the app. I'd only realize after a couple of years that I was on an unsupported version.

Admittedly, I am not a major app user. But aside from enterprise apps specific to my work, I can't think of the last time I sideloaded an app. The Play Store has whatever I need. The temptation is to conclude from this that if Apple allowed side-loading, users would not actually use it much and all the arguments about the risks would be moot.

I think the difference, though, is that Apple is unlikely to respond well to the market pressures that side-loading would release on them (see: Mac App Store). They would continue along their path of using the App Store policy to control business models, not just user safety, and the market would respond by moving to side-loading.

I'd really love to see side-loading on iOS, I think it would be better for app developers and users by extension. However, I'd like even more to see Apple stop using the App Store to enforce business models and claim it's for user safety.

I am kind of with Apple this time. Sideloading limits developers but reduces the complexity of the iOS ecosystem. For most of the end users who don't possess enough knowledge to distinguish malware, it's very easy to trick them to install toxic apps. Apple is indeed protecting them. Of course on the other hand, Apple wants to grip the App Store and IAP firmly in hand.

"For most of the end users who don't possess enough knowledge to distinguish malware, it's very easy to trick them to install toxic apps."

Please define "toxic apps".

Because, personally, I would include Facebook, Instagram and WhatsApp in this category.

Also you probably should take into account the quotes around the word expert in one of the comments. Because, the only one claiming that they are experts is Apple. And considering the number of scams on the App Store, it looks like that these "experts" do not possess enough knowledge to distinguish malware and scams and it's very easy to trick them to allow the publication of toxic apps on the App Store.

Apple could easily allow sideloading of apps that are restricted and sandboxed to keep them from snooping on you. They can publish an API that's as narrowly tailored as they like. They can prevent sideloading of apps that are not signed and police the developers of sideloaded apps so that anyone who tries to distribute a malicious app will get their certificate revoked. They own the device architecture, they own the CPUs, they own the compilers. They can throw up non-bypassable warning messages every time you try to sideload an app about how sideloading is not recommended because blah blah blah. They can make it effectively harder for sideloaded apps to be scammy malware than it is for app store apps.

They could, if they wanted to, easily cut off about 90% of the complaints about the restrictiveness of their app store, cut off the critics who pan iOS for being a walled garden at the knees, ease most of the pressure to regulate and restrict what they do and how they do it by governments, and still have a situation where only a tiny percentage of people bother to install sideloaded apps. The only reason they won't do any of this is because they are a proud, stubborn company that really hates admitting that they were and are wrong.

"many non-technical users would inevitably wind up installing undesirable apps"

I've never heard that this is an actual issue on Android. I bet 99% of Android users don't sideload apps, the 1% that do are power users, and there are very few unsuspecting people who are somehow tricked into turning on sideloading, and then into sideloading malware.

I would bet that the only people who sideload malware are pirates who intentionally turn on sideloading, download cracked APKs from somewhere, and then get an APK with malware - and even that is kind of difficult, because by default all APKs are scanned by Google before they're installed. At any rate, at that point, I'm just going to say that it seems a poor trade-off to protect these pirating nincompoops at the expense of everybody else.

Unless I see data telling me otherwise, I'm going to assume that tricking people into turning on sideloading to get them to install malware on Android is just such a non-issue that it is completely dishonest to even consider it as a possible downside of sideloading on iOS.

(Tricking people into sideloading malware is a non-issue in part because purveyors of malware can just put their stuff into the proper app stores, and distribute it that way. This works wonderfully well, because Apple and Google have convinced their users that they can trust whatever stuff they find in these stores.)

"Apple could easily allow sideloading of apps that are restricted and sandboxed to keep them from snooping on you"

I'm pretty sure they can't, at least not reliably. Once you run code on iOS, that code can probably do things you don't want it to do. But that's kind of the point. Part of the reason for why sideloading would be great would be precisely because you would end up with apps that wouldn't be possible if they were distributed through the App Store, because they'll do things Apple doesn't want them to do.

"They can prevent sideloading of apps that are not signed and police the developers of sideloaded apps"

Yep, that they can do.

The funny thing about Apple’s arguments is that, in the meantime, macOS has been gaining user interfaces to allow for the compromises their people have been arguing are near-impossible to do.

Simply put, Apple is conflating two radio buttons of their old Gatekeeper UI, which was:

Allow applications downloaded from:

(•) Mac App Store
( ) Mac App Store and identified developers
( ) Anywhere

macOS no longer exposes the third option at all — but it does still make it easy to pick the second option. iOS could do the same, still require notarization, and on top of that (unlike the above options) require sandboxing as well.

And look no further than the (somewhat misleadingly-named) System Preferences, Security & Privacy, Privacy tab for various permissions iOS doesn’t currently allow. Want to allow a backup utility other than iCloud and connecting to a PC? Make that something like “Files and Folders” in macOS. Don’t want to allow this in the App Store? I’m not sure I see why not, but sure, make it notarization-only.

The tech exists, both in terms of underlying stack (sandboxing, TCC, etc.) and UI on top. This is largely a matter of policy. And I’m not sure the policy is wrong, but 1) it is limiting, 2) it is frustrating to see another Apple OS that can do those things, and 3) quite a few of the arguments Apple is putting forth are misleading at best.

> They could, if they wanted to, easily cut off about 90% of the complaints about the restrictiveness of their app store, cut off the critics who pan iOS for being a walled garden at the knees, ease most of the pressure to regulate and restrict what they do and how they do it by governments, and still have a situation where only a tiny percentage of people bother to install sideloaded apps.

I’m not sure that’s true, though. Siracusa made a compelling case that all it takes is for one app (say, Facebook) to decide: hey, we can be sideloaded on both major mobile platforms — why bother with app stores at all?

At that point, the floodgates are open, everyone is trained to sideload, and to Apple’s point, we do lose some protections.
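As an added illustration, not code from the post or from any of the commenters, here is a small Go model of the installer policy the comments above sketch: the three Gatekeeper tiers, per-source Ed25519 signing along the lines of Old Unix Geek's multi-source proposal, mandatory sandboxing for anything that did not come from the store, and the signer/app revocation that Steve Troughton-Smith points out already works today. Source names, bundle IDs, the manifest format and the payload bytes are all constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Policy mirrors the three radio buttons of the old Gatekeeper UI quoted above.
type Policy int
const (
	AppStoreOnly          Policy = iota // Mac App Store
	AppStoreAndIdentified               // Mac App Store and identified developers
	Anywhere                            // any source the user has added
)

// Source is a channel whose Ed25519 key signs manifests; MinPolicy is the least permissive policy that accepts it.
type Source struct {
	Name      string
	Key       ed25519.PublicKey
	MinPolicy Policy
}
// Manifest is the signed description an installer checks (hypothetical format).
type Manifest struct {
	BundleID  string
	Source    string
	Sandboxed bool
	Payload   []byte // constructed stand-in for the app bundle
	Signature []byte // Ed25519 over signingBytes(m)
}
// TrustStore holds accepted sources plus revocation lists: banning a signer
// or revoking one app is the same remedy for store and sideloaded apps.
type TrustStore struct {
	sources        map[string]Source
	revokedSources map[string]bool
	revokedApps    map[string]bool
}

func NewTrustStore() *TrustStore {
	return &TrustStore{map[string]Source{}, map[string]bool{}, map[string]bool{}}
}
func (ts *TrustStore) AddSource(s Source)    { ts.sources[s.Name] = s }
func (ts *TrustStore) RevokeSource(n string) { ts.revokedSources[n] = true }
func (ts *TrustStore) RevokeApp(id string)   { ts.revokedApps[id] = true }

// signingBytes binds source, bundle ID, sandbox flag and payload hash, so a
// signature cannot be transplanted onto another app, channel or payload.
func signingBytes(m Manifest) []byte {
	sum := sha256.Sum256(m.Payload)
	return []byte(fmt.Sprintf("%s\x00%s\x00%t\x00%x", m.Source, m.BundleID, m.Sandboxed, sum[:]))
}
func Sign(priv ed25519.PrivateKey, m Manifest) Manifest {
	m.Signature = ed25519.Sign(priv, signingBytes(m))
	return m
}
// Assess returns nil when an installer running under policy may install m, otherwise the first reason for refusal.
func (ts *TrustStore) Assess(policy Policy, m Manifest) error {
	src, ok := ts.sources[m.Source]
	switch {
	case !ok:
		return errors.New("unknown source")
	case ts.revokedSources[m.Source]:
		return errors.New("source revoked")
	case ts.revokedApps[m.BundleID]:
		return errors.New("app signature revoked")
	case policy < src.MinPolicy:
		return errors.New("source not allowed under current policy")
	case !ed25519.Verify(src.Key, signingBytes(m), m.Signature):
		return errors.New("bad signature")
	case src.MinPolicy > AppStoreOnly && !m.Sandboxed:
		return errors.New("non-store app must be sandboxed") // the iOS twist proposed above
	}
	return nil
}

func main() {
	storePub, storePriv, _ := ed25519.GenerateKey(rand.Reader)
	devPub, devPriv, _ := ed25519.GenerateKey(rand.Reader)
	ts := NewTrustStore()
	ts.AddSource(Source{"App Store", storePub, AppStoreOnly})
	ts.AddSource(Source{"Identified Dev", devPub, AppStoreAndIdentified})
	store := Sign(storePriv, Manifest{BundleID: "com.example.store", Source: "App Store", Sandboxed: true, Payload: []byte("store app")})
	side := Sign(devPriv, Manifest{BundleID: "com.example.side", Source: "Identified Dev", Sandboxed: true, Payload: []byte("side app")})
	fmt.Println("store app, AppStoreOnly:      ", ts.Assess(AppStoreOnly, store))
	fmt.Println("sideloaded, AppStoreOnly:     ", ts.Assess(AppStoreOnly, side))
	fmt.Println("sideloaded, AppStoreAndIdent.:", ts.Assess(AppStoreAndIdentified, side))
	side.Payload = []byte("tampered") // payload changed after signing
	fmt.Println("tampered sideloaded app:      ", ts.Assess(AppStoreAndIdentified, side))
	ts.RevokeSource("Identified Dev") // signer banned: every app from it is now refused
	fmt.Println("after revoking the signer:    ", ts.Assess(AppStoreAndIdentified, side))
}
```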

Wes Campaigne

> Businesses can already force employees to install certain apps, and these apps can already bypass App Review via Apple’s enterprise program.

*Technically* this is not allowed on an employee's personal device under the legal agreements.

The stipulations on the Enterprise Developer Program are quite clear: apps that are provisioned through that can only be distributed to devices _owned_ by the company. But there are no technical measures to monitor or enforce this, so the only mechanism by which Apple might even find out about transgressions is if someone were to know enough to report the violation to Apple (and good luck even figuring out how to do that.)

Gruber's technical acumen remains lacking, disappointing even, but I've read worse takes by him. He's not really right, but I can almost see the point he's trying to make.

What's weird is even Amazon's "locked down" Fire tablets are more open than Apple's iOS devices. I don't even sign into Amazon on most of my Fire devices. I either sideload individual apps or I sideload the Google Play store and related APKs (there are four of them in total) to get access to all my Google Play Store apps. Kind of neat how sideloading is working well for me on really cheap hardware. Well enough to get 3 plus years generally out of my Fire tablets before upgrading.

Now, Google moving to a new format for apps that are device-specific is less good, depending on how easy it is to build a generic APK for the same file.
