Free Trial
Contact Us
Podcast

Root Causes 345: Apple Versus European Sideloading

Hosted by
Tim Callan
Tim Callan
Chief Compliance Officer
Jason Soroko
Jason Soroko
Fellow
Original broadcast date
December 5, 2023

The European Union is applying pressure to Apple to allow sideloading of applications. We go over why this is occurring, the potential dangers, and Apple's response.

Podcast Transcript

Lightly edited for flow and brevity.
Tim CallanTim CallanThis is a return to one or more earlier conversations that we had on this podcast and also a response to a news item. I’m looking at an article here. It’s from 9to5Mac. It’s written by Chance Miller, November 18, 2023 and the headline reads: “Apple’s head of security speaks out against iphone app sideloading in new interview”.

So, we’ve talked about sideloading in the past. Jason, what’s the two or three description of sideloading?
Jason SorokoJason SorokoSideloading is where you can install applications from someplace other than the official app store of the device vendor that you’re working with. Whether it’s Apple’s App Store or Android’s Google Play.
Tim CallanTim CallanApple of course being the big proponents of an entirely controlled digital environment as they are, is not really fans of sideloading.
Jason SorokoJason SorokoThere’s a good reason for that from the Apple standpoint and a lot of people, you know, the very cynical standpoint is – you’ve heard this before; we’ve used this term, Tim, but Apple’s walled garden.

Apple holds everything very close to their chest and as of right now, there is no official way to run an app on your iPhone without it coming from the Apple App Store.

And why? Why? Why is that? And it’s because Apple feels – and I think this is not a bad thought by Apple at all – they can do a lot of protection for their ecosystem and not put potentially malicious applications into the app store.
Tim CallanTim CallanRight. Maintain security. Maintain quality. Right?
Jason SorokoJason SorokoExactly.
Tim CallanTim CallanBoth of those things are much easier if you are some kind of gateway before applications can appear in your environment. Yep.
Jason SorokoJason SorokoWe are gonna go way back to when Charlie Miller was able to get something passed to the check and balances way back in the day. I forget exactly how many years ago that was but it’s quite a while ago now. And the last few tweets from him on this topic were I think he is still banned from publishing to the app store or at least was for quite a long time.

It’s because Apple takes this really seriously and even if it was a white hat who had no intention of hurting anyone, they take it awful seriously.

Now, here’s the thing. Let’s compare and contrast. Is it perfect? Well, I think it’s a lot better than the alternative and here’s the thing. You, Tim, if you were to go and do an internet search right now on mobile device malware, where does it mostly reside? Well, it mostly resides in the world of sideloading, which exists in Android systems.

You can remove the default setting of, hey, you can only go to the Google Play and get applications, you can sideload an Android device and what has that resulted in? Well, there have been, Tim, lots and lots of fraud attacks against people holding Android devices where you might be texted a link to a Java APK file and you basically install it, which is a way of sideloading an application and if your system is set to allow sideloading on an Android device, you now have a piece of malware which might do something such as SMS redirection.

Now as white hat researcher back in my day, I did that within about ten minutes. It was extremely to do that. And bad guys know it. Apple’s world doesn’t allow that.

Now can you potentially jailbreak iPhones? You know, iOS devices? Well, yes. Jailbreaking has been around a long time. It takes advantage of flaws within iOS and generally – generally – you have to choose to jailbreak your device. I mean, obviously, again, you can do a Google search and there have been non-informed or basically malicious jailbreaks of people’s devices so that the security features of the iPhone are rendered less or whatever.

The ability to listen to a microphone or look through the camera or sideload applications. Those things have all been done with iOS. But those aren’t things that you typically choose to do. Some people choose to jailbreak their devices and they have other reasons to do that but I’m just trying to compare and contrast a walled garden, an official walled garden vs. the easy ability to sideload applications at will. And the Android world has always been seen as being more open but there’s risks involved with that and I think what’s interesting here, Tim, is the EU is basically saying look - - I’m gonna paraphrase everything here and I might get this not completely correct but forgive me because I think this is the spirit of it. Apple’s walled garden is looked at as being anticompetitive in a way.
Tim CallanTim CallanYeah.
Jason SorokoJason SorokoAnd so, the European Union is saying, well the way to break that anticompetitive behavior with your walled garden is to allow sideloading.

Apple looks at that and says that’s kind of scary. We’ve worked so hard in the history of iOS to make sure that we’ve got this super clean, controlled walled garden that really has protected our users. It very, very objectively has protected people.
Tim CallanTim CallanRight.
Jason SorokoJason SorokoTim, you and I talked about the eIDAS 2.0 controversy recently.
Tim CallanTim CallanSure. Just in our Episode 343.
Jason SorokoJason SorokoThere you go. And I would say, Tim, this is kind of related in the sense that you have to ask, ok, well, what are the reasons why the EU wants to do this?

Well, (a) to break anticompetitive behavior. Right? We can debate all day whether that’s good or bad but (b) what happens if European Union says, hey, you know what? There’s an app you must have. We are going to dictate you must have this X app and if a U.S. based tech company – Apple of course – doesn’t want that app to be on your phone or it’s not on the app store, tough. You will sideload it from us.
Tim CallanTim CallanSure. And this might be a digital wallet, for instance.
Jason SorokoJason SorokoAye yai yai, Tim. Guess what, Tim. It’s amazing how you can read my mind like that. But, yes, it’s exactly what I was gonna say. So, there it is. I leave that on the table for everybody now to chew on but that I think is what’s going on.
Tim CallanTim CallanSo that, of course, goes back to a lot of the concerns we had. And we were talking about this in terms of roots right? Because that’s what our 343 was about but one of the things that we said at that point was we said who is better equipped to ultimately evaluate what is a secure feature or portion of the platform? Apple with their own platform with all of their engineers, their knowledge and all the experience and time they’ve had putting into this or Greece? Right? And it’s hard to imagine that an individual European nation or even the EU is really going to have the equipment to understand the consequences of apps and their functionality and their behavior in the same way that Apple can. And if we’re talking about let’s say a digital wallet, why can’t they just put that through the app store like everybody else does?
Jason SorokoJason SorokoThat means passing the muster of the U.S. tech firm.
Tim CallanTim CallanRight. Exactly. And it’s back to the other thing that we talked about, which is that there certainly appears to be a political aspect to this. A power aspect of this. Where the European Union does not like the fact that their citizens are ultimately beholden to and controlled by these large tech companies that are located on foreign soil and some of this appears to be perhaps an effort to rest back control from those foreign technology giants. And we can see that going on too.
Jason SorokoJason SorokoYeah. Exactly.

So, Tim, just a few extra comments about this. The reason why this has come up – it has been talked about previously. Right? So Craig Federighi, one of the executives at Apple, basically he was the one talking about that Apple may be forced to do this by European law and what’s interesting is Apple might comply with this, but Apple apparently is considering the idea of still maintaining certain security requirements even if the software is distributed outside of its store.

So, therefore, there is still some sort of verification that could still be required by Apple even if you are in the EU and are under this jurisdiction that’s gonna force this by law and apparently what apple is saying is look, because of the fact that we are gonna have to verify this app side of our app store, this could carry a fee for developers because of the fact that it’s gonna cost us extra work to do this outside of the normal means. So, Apple might still try to maintain some kind of control just for security purposes. But here is the bottom line is there may be iOS devices sold in Europe that allow sideloading that are not sold in North America or other jurisdictions where sideloading is not required. So it might – might – end up creating two classes of iOS devices and what happens of course when inevitably you have sideloading capable devices that slip into other jurisdictions. What does that even mean?
Tim CallanTim CallanOf course you will. And also, an inherent disadvantage to forking your operating system just in terms of maintenance and capabilities and opportunities for bugs and security flaws. It’s been said complexity is the enemy of security right?
Jason SorokoJason SorokoYep.
Tim CallanTim CallanAnd as soon as you’ve got two operating systems you are running simultaneously, you’ve just increased your complexity by definition. Yes. It’s really unfortunate. It would be really nice for the reliability and the performance and the security of this operating system ecosystem if that scenario could be avoided.
Jason SorokoJason SorokoExactly right. I mean one of the strengths of iOS is the fact that it is a monoculture, the fact that one iOS to the next is usually the same unless it’s been jailbroken or something really funky. So anyway, it’s interesting to watch. Stay tuned and we’ll see what happens.
Tim CallanTim CallanStay tuned and once again, the arm wrestling match between government and tech which has been going on for decades and will go on for decades still and we’re watching it happen in front of our eyes once again.
Jason SorokoJason SorokoIt never seems to stop, and we will try and cover some of the top parts of those stories as they come up, Tim. I think eIDAS 2.0 story we covered recently and now this second half to it, there’s more to come.
Yeah and if you want to hear more about sideloading, our <a href="/root-causes/root-causes-162-what-is-sideloading">Episode 162</a>, What is Sideloading? Can give you more on that topic in particular. So, that’s a good thing to go back and listen to.

Stay informed with expert insights

Subscribe to Root Causes for engaging discussions on PKI, digital security, and best practices for protecting your organization's critical assets. Don’t miss an episode!

Listen on Apple PodcastsListen on SpotifyListen on SoundCloud