The Future of iOS Sideloading: Can Apple Make It Safe(r)?

May 10, 2023

With the next WWDC just around the corner, everyone is talking about the possibility of Apple announcing support for sideloading apps on iPhones. Introducing sideloading seems to be necessary for Apple to comply with the European Union's Digital Markets Act (DMA), which labels Apple a "gatekeeper" and pushes it to loosen its rules.

Sideloading: Can We Make It Safe-ish?

Many security experts warn of the increased risks associated with sideloading. This is a quote from a Forbes article that interviews several security experts:

Vykintas Maknickas, a product strategist at NordVPN, says people “diving into sideloading” in iOS 17 without considering the risks are putting their security in danger. “Many malicious actors use third-party app stores to distribute harmful software, such as viruses and malware,” he warns.

But it's worth asking if Apple could make the process safer than the sideloading Wild West of Android or jailbroken iPhones. Here are some ways Apple might strike a balance between complying with the DMA and maintaining control.

Sideloading for signed apps only. Apple could stick to only allowing apps signed with a developer certificate issued by Apple. That way, if something nasty pops up, they can just pull the plug on the developer's certificate, stopping any more installs. It's not perfect, but it's a start.

To make things even safer, Apple's gotta get better at handling malware reports, like removing bad apps or blocking those with revoked developer certificates. But they have never done so with App Store malware apps before, so it's unlikely to happen in the future.

A traditional App Review process might actually be a thing for sideloaded apps. Apple could ask developers to send over the binary of their signed app for review and only give the green light to install reviewed apps (like, by checking the binary's checksum during the installation). It's totally doable technically, but let's be real – it's not that likely.

An express App Review process could be a thing too. Apple might check out sideloaded apps for any sneaky private API calls that mess with the system. That’s not going to replace the manual App Review, but it will give some level of protection.
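To make the first two ideas concrete, here is an added sketch (not Apple's code and not from any real installer) of an install-time gate that combines certificate revocation with the reviewed-binary checksum check. The developer IDs, bundle IDs and binary bytes are constructed, and it assumes the code signature was already verified, so `developer_id` can be trusted.

```python
import hashlib
import hmac
import io

# Constructed sample data: hypothetical developer IDs and app bytes.
REVOKED_DEVELOPERS = {"TEAM-REVOKED-01"}
REVIEWED_BINARY = b"constructed bytes standing in for a reviewed app binary"


def sha256_stream(stream, chunk_size=65536):
    """Hash a binary in chunks so a large app need not fit in memory."""
    digest = hashlib.sha256()
    for chunk in iter(lambda: stream.read(chunk_size), b""):
        digest.update(chunk)
    return digest.hexdigest()


# Digests recorded at review time, keyed by (developer ID, bundle ID) so a
# build reviewed for one developer cannot be presented by another.
REVIEWED_DIGESTS = {
    ("TEAM-GOOD-01", "com.example.notes"):
        sha256_stream(io.BytesIO(REVIEWED_BINARY)),
    ("TEAM-REVOKED-01", "com.example.game"):
        sha256_stream(io.BytesIO(REVIEWED_BINARY)),
}


def install_decision(developer_id, bundle_id, stream):
    """Return (allowed, reason) for one install attempt.

    Assumption: developer_id comes from an already verified signature.
    """
    # Revocation comes first: pulling a certificate blocks new installs
    # even for builds that passed review earlier.
    if developer_id in REVOKED_DEVELOPERS:
        return False, "developer certificate revoked"
    expected = REVIEWED_DIGESTS.get((developer_id, bundle_id))
    if expected is None:
        return False, "no reviewed build on record"
    # Any change to the binary after review changes its digest.
    if not hmac.compare_digest(sha256_stream(stream), expected):
        return False, "binary differs from reviewed build"
    return True, "reviewed build, certificate valid"
```

The gate only stops new installs; copies already on devices are untouched unless the platform also re-checks revocation at launch.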

Sandbox: Social-Distancing for Apps

You might be concerned that sideloaded apps could potentially access data from your other apps, such as stealing passwords or reading your private notes. Don’t worry! iOS apps live in a "sandbox," which means they can only access their own data and certain system resources if you grant them permission (like photos or contacts). Thus, sideloaded apps won't be able to read or mess with the data from your other apps.

Third-Party App Stores

Will we see dozens or hundreds of App Store-like apps competing with each other if Apple allows sideloading? Not necessarily; the macOS experience suggests otherwise. Only a few notable third-party app stores, like Steam and Setapp (from the lovely Ukrainian MacPaw team 💛💙), got some traction on macOS. It's unlikely that the iOS landscape would be significantly different.

Keeping It Safe: It's Up to You (and Apple)

So, can we sideload apps and still sleep soundly at night? It really depends on what Apple does to make it safer. They've got the tech to make it work, but they might not go all-out on reviewing these apps.

The best approach is to use common sense. If a trusted company or well-known indie developer offers an app for direct download, go for it. However, if a shady website is offering a sketchy app for a slightly lower price, it's probably best to stick to the official App Store. Better safe than sorry, right?

Alexey Rashevskiy

Founder @ Appuchino