Apple slams sideloading provisions in the DMA

Apple's Senior Vice President of Software Engineering Craig Federighi speaking at the Web Summit in Lisbon on Wednesday (3 November). [Web Summit]

Apple’s senior vice-president Craig Federighi directly attacked an EU legislative proposal that allows multiple app stores, describing so-called sideloading as “a cybercriminal’s best friend”.

Apple’s senior manager took the floor at the Web Summit in Lisbon to reiterate the company’s strong opposition to sideloading. Apple’s App Store ensures strict security requirements are met through human review. On the other hand, app developers have accused the iPhone-maker of exploiting its dominant position with iOS-powered devices to impose excessive fees.

Federighi stated that in terms of consumer choice and protection, “European policymakers have often been ahead of the curve, but requiring sideloading on iPhone would be a step backwards.”

He argued that, while trying to give users more choice via several app marketplaces, sideloading would open a ‘Pandora’s box’, depriving users of the choice of iPhone’s unique security approach at a time when cyber threats are on the rise.

The Digital Markets Act (DMA) is a major EU legislative proposal to impose special rules on gatekeepers and online platforms so large that they are considered to have a systemic impact on the internet ecosystem. Among other things, the DMA would allow the installation of third-party app stores.

For Apple, that would go against the core of its security architecture, which is based on human app review and a single entry point for software applications that ensures a trusted source applies consistent standards.

Federighi pointed at examples from other operating systems, such as Android, where the app store does not review the apps, consequently leaving the door open for malware attacks.

“There’s never been this kind of widespread, consumer malware attack on iOS. Never,” he emphasised.

Similarly, he stressed that Europol and other law enforcement agencies in Europe and the US also consider that users should only install apps from official app stores.

For the iPhone-maker, the single most pressing problem is social engineering malware, in other words, apps that pretend to be something they are not. This was the case in Canada, where a fake contact-tracing app, disguised as the government’s official one, encrypted device data and only released it upon payment of a ransom.

“Even if you have no intention of sideloading, people are routinely coerced or tricked into doing it. And that’s true across the board, even on platforms like Android that make sideloading difficult to do,” the leading engineer said.

Another argument against sideloading is that even users who want to use the official app store might not be able to distinguish it from imitations. He mentioned a study by Indian security firm Quick Heal that in 2019 reported that 27 fake app stores were being used to spread adware.

Furthermore, Federighi made the case that certain online platforms such as social networks, based on data-intensive advertising, might pressure users into accepting sideloading by simply deciding not to be available on the official app store. This would allow them to avoid compliance with Apple’s privacy protections.

Apple’s executive also stressed that, while a more tech-savvy user might be wise enough to avoid falling into traps, that might not be the case for more fragile categories such as children and the elderly.

“The fact is, one compromised device, including a mobile phone, can pose a threat to an entire network. Malware from sideloaded apps can jeopardise government systems, enterprise networks, public utilities, the list goes on,” Federighi added.

[Edited by Alice Taylor]
