Monique is dedicated to empowering businesses to take control of their cybersecurity needs. With a passion for technology and a deep understanding of the evolving threat landscape, she is committed to helping organisations stay ahead of the curve.
A huge shift has just happened in the mobile security landscape: Apple’s release of iOS 17.04 in March 2024 has allowed users to sideload apps and use third-party app stores. This has largely been done in an effort to comply with the EU’s Digital Markets Act (DMA). The DMA was introduced by the European Commission in order to help mitigate the domination of Silicon Valley giants – which the DMA calls “gatekeepers” – over digital markets.
Specifically, the DMA states that gatekeepers, “shall allow and technically enable the installation and effective use of third-party software applications or software application stores using, or interoperating with, its operating system and allow those software applications or software application stores to be accessed by means other than the relevant core platform services of that gatekeeper.”
On one hand, this provides a level of flexibility for Apple users which will likely be welcomed. On the other hand, it introduces new risks for those users, their devices and the organisations and individuals to which they are connected.
Apple has previously said that it was opposed to this possibility, and has even gone so far as to file a legal challenge in European courts. In 2021, Tim Cook, current CEO of Apple, noted that such a move would “destroy the security of the iPhone and a lot of the privacy initiatives that we’ve built into the App store.” Whatever Apple’s misgivings, that capability was included in iOS 17.04 as a result of the EU’s Digital Markets Act. That doesn’t mean, however, that Apple doesn’t have a point.
Circumventing app stores
Mobile application security depends on a whole ecosystem of security measures which go from development to production to release to the app stores to customers’ phones. Sideloading disrupts a key part in the centre of that chain: the app stores.
Legitimate app stores such as the Google Play Store or Apple’s App Store maintain a serious review process in order to ensure that the apps on their stores are safe to use. That process hasn’t always been perfect, and there have been several instances of malicious apps making their way onto the app stores, but it has nonetheless provided an important mark of trust for apps.
Sideloading provides a way around those security measures. This was something that could be offered by third-party app stores hosting apps which provide new functionality to users.
However, by doing so, mobile device users have to effectively jailbreak their own phones, circumventing those aforementioned protections. From there, they invite a whole number of threats.
Firstly, they expose themselves to malware threats. Third-party app stores are notoriously filled with malicious apps that contain malware. Without the benefit of app store security controls and screening processes, these apps can quite easily make their way onto the phones of unsuspecting users.
The threats aren’t just malicious but entirely accidental too. App stores provide automatic official updates, including security patches; sideloaded apps don’t, meaning these apps could become a vector for attack if users don’t apply those updates themselves. Given that people often don’t patch on their own, we should consider this a highly likely possibility.
For businesses, that lack of protection means an enlarged attack surface which malicious parties can exploit. Furthermore, those unscreened apps can introduce a whole series of privacy risks if they ask for excessive permissions on the mobile device which in turn can expose sensitive and personal data. Those apps might also not be optimised for the device, resulting in crashes and performance problems.
The app stores’ strengths don’t just rely on their review process but on their ability to crowdsource quality assurance through reviews and rankings. Sideloaded apps often forgo this crucial component of an app store’s strength.
The circumvention goes further than just the app stores. In many cases sideloading an app requires a user to actually jailbreak their own phone, altering security settings so that the app can be granted permissions on the phone. That includes allowing installations and modifications from unknown, potentially malicious sources. As you can see, all this combines to create a very risky picture for a mobile device user, let alone the organisations and individuals with which they are connected.
The Digital Markets Act’s objective is to improve consumer choice when it comes to mobile devices. It aims to inject competition back into European digital markets by forcing tech giants to open their platforms to smaller competitors. In this sense, it is similar to PSD2 and other Open Banking regulations which aim to loosen the grip that large institutions had over banking, thus allowing more competition and innovation within the sector. Open Banking has provided us with a myriad of new products and services, and the Digital Markets Act may engender the same blooming of innovation. This move – ushered in with the release of 17.04 – will likely introduce serious risk to Apple devices if not administered correctly.
One of the most important aspects of mobile devices is that they provide greater connection – but not just to legitimate, secure entities. These are often open environments and, while the devices might be otherwise secure, users can take actions and download software which threatens that security. This is already a difficult security problem to solve in businesses, and introducing the risk of third-party app stores will add a new layer of complexity for security personnel to deal with. We need to apply the same approach to mobile devices as we do with traditional endpoints, monitoring devices directly and continuously assessing risks as they arise.
This article first appeared on IoT Now.
(Photo by James Yarema)