Apple Device Sideloading: What MSPs Need to Know

Author: Nathan Pabon, application security engineer, Addigy

Sideloading has become a hot topic in the Apple space after Tim Cook's speech at the IAPP conference.

On April 12, Cook made the case against sideloading at the conference in Washington, DC, citing potential privacy and security risks. 

Which begs the question: What is sideloading? 

In the iOS context, sideloading is the process of installing an app in IPA format onto an Apple device, as opposed to downloading and installing it from the Apple App Store. Sideloading is more common on Android devices, specifically for users in regions with censorship laws that disallow certain apps from the Google Play store. Users may also opt to sideload apps for greater variety, as some developers do not have their apps on the respective app stores.

In his speech, Cook argued that sideloading could circumvent the App Store's security protections. This will be the case if sideloaded apps do not undergo a review process before being made available for download.

Cook's speech is related to the ongoing litigation in which Apple sued Epic Games for allowing users to make purchases in its game, Fortnite, outside of Apple's in-app purchases. This allowed Epic Games to avoid the 30% cut Apple normally takes for in-app purchases.

This lawsuit sparked a conversation about whether Apple's App Store is a monopoly and whether developers should be allowed to distribute apps and do business on iOS devices outside of the App Store. 

In response to this concern about monopolization, the E.U. reached an agreement on March 25th on legislation set to allow users to install apps from third-party platforms. The proposal, called the Digital Markets Act, has significant implications for the way companies like Apple and Google manage their app stores and user data.

In August 2021, the Open App Markets Act was introduced in the U.S. Senate. This bill would allow developers to distribute their apps and handle in-app purchases outside of company-controlled platforms and protect them from punitive action if they decide to do so. 

In response to this proposal, Apple said in a letter to lawmakers, “Sideloading would enable bad actors to evade Apple’s privacy and security protections by distributing apps without critical privacy and security checks.” 

Apple has always been vocal about these concerns, as indicated by its introduction in 2021 of the App Tracking Transparency feature in iOS 14.5, along with other protections. But Cook’s words at IAPP are also a response to the real threat these regulations, and the ongoing litigation with Epic Games, pose to its business model.

MSPs should keep an eye on this story since the legislation will likely impact the iOS security landscape if passed.

Author Nathan Pabon is an application security engineer at Addigy. Regularly contributed guest blogs are part of ChannelE2E’s sponsorship program.