‘Sideloading is a cyber criminal’s best friend,’ according to Apple’s software chief

Craig Federighi says that “the floodgates are open for malware” if Apple allows sideloading on iOS

“Sideloading is a cyber criminal’s best friend and requiring that on iPhone would be a gold rush for the malware industry,” according to Apple senior vice president Craig Federighi, who delivered a dramatic speech at Web Summit 2021 declaiming the security risks if Apple were required to let users sideload apps.

Federighi, who oversees Apple’s iOS and macOS software divisions, was specifically protesting the European Commission’s proposed Digital Markets Act, which, if passed, would require Apple to let users install apps outside of the iOS App Store. According to Federighi, the lack of sideloading is what separates Apple’s relatively low rate of malware on iOS from the “5 million Android attacks per month,” and if Apple were forced to let users install their own apps, “the floodgates are open for malware.”

Federighi also argues against a popular proposed solution of letting users decide for themselves whether to take the risk of sideloading apps. The problem is that “criminals are clever, and they’re really good at hiding in plain sight,” and that even informed users might get caught by misleading websites, or even get stuck with fake app stores installed on their phones.

Apple is still very much against sideloading

And even if you, a tech-savvy smartphone expert, might not be fooled, Federighi plays on the heartstrings and asks the audience to think of the children or parents who might be fooled. “The fact that anyone can be harmed by malware isn’t something that we should stand for,” Federighi concludes, despite the fact that Apple still routinely deals with multimillion-dollar scams that the company only just added the ability to report in September.

Federighi’s picture of doom doesn’t just stop there, though: he also raises the concern that if Apple were to allow sideloading, “some social networking apps will probably try to avoid the pesky privacy protections of the App Store and only make their apps available via sideloading.” According to Federighi, Apple’s privacy requirements in the App Store go beyond those of the letter of the law, and social media companies looking to escape those could force customers to choose between “losing touch with your friends online, or taking on the risks of sideloading.”

“Sideloading undermines security and puts people’s data at risk,” according to Federighi, who adds that if customers and regulators want the option to sideload apps, the alternative of Android should be enough to meet that without requiring it for iPhones. But all the concerns on iOS are curious, given the other half of his job description: leading the macOS software team, where apps can be freely installed outside of Apple’s app store (and have been for decades) without suffering from apocalyptic malware attacks.

If Apple wanted, it could enable iOS sideloading in a similar manner and require something like the Gatekeeper system on macOS, which allows for Apple to check signed developer IDs to confirm the software is genuine. It’s an argument that Judge Yvonne Gonzalez Rogers noted as well during the Apple / Epic trial, commenting that Federighi may be “stretching the truth” on Mac malware concerns and that Apple could likely make a similar system work on iOS.

And most notably, Federighi’s speech completely ignores the fact that by requiring all apps to be installed through the App Store, it forces all app commerce to flow through the App Store, too — where Apple collects its highly contested 30 percent cut, to the tune of billions of dollars every year.