EU Opens the App Store Gates: A Call to Arms for MDM Implementation
2024-06-26 14:00:31 Author: securityboulevard.com

In the first quarter of this year, Apple cautiously embraced sideloading, loosening its long-standing commitment to a privacy and security model built on a tightly controlled ecosystem. Sideloading, the practice of installing third-party applications from sources outside of the native ecosystem, has long been a staple for Android users, yet Apple had been apprehensive about fully embracing it, wary of the potential security risks.

While some businesses may view Apple’s decision to allow sideloading as appealing, particularly with the tech giant extending this capability to its EU user base, it has faced pushback from several government agencies. One of the key advantages of using an iPhone has been the assurance that users are protected from inadvertently installing malicious apps that could compromise their device’s security or steal sensitive information. However, with the recent regulatory developments in the EU, this aspect of security is under scrutiny.

Genesis of iOS Sideloading

Over the years, Apple has adhered to a walled garden approach, a main driver of its success yet also a significant liability. Under Apple’s walled garden strategy, app developers must undergo a rigorous review and approval process before their products are accessible to users. While this process has been pivotal for security and has driven revenues, it has drawn scrutiny from regulators for walling off competition and imposing high fees within the App Store ecosystem.

Addressing these concerns, in 2022, the European Commission (EC) put forth the Digital Markets Act (DMA). This legislation promotes fair competition within digital markets by ensuring that large online platforms called “gatekeepers” operate transparently, leaving room for contestability. As a result, the EC identified six gatekeepers in September, with Apple among them. The company’s App Store, Safari browser and iOS operating system were classified as “core platform services,” subjecting them to the DMA’s regulations.

Subsequently, as a means to align its practices with the requirements of the DMA, Apple announced its sideloading shift. With the release of iOS 17.4, Apple introduced alternative app marketplaces in Europe, managed by third parties, breaking the monopoly previously held by the Apple App Store as the exclusive distributor of iPhone apps. This means that users can download a marketplace app from the marketplace operator’s website. Once it is installed, users are free to download a wide range of apps, some of which might not adhere to the App Store’s guidelines. Furthermore, users have the option to set a non-App Store marketplace as the default on their devices. Developers, for their part, now have the option to offer their apps directly to customers through their own websites.

A Threat Analysis of Sideloading

Apple has always prioritized user protection, requiring developers who wish to introduce their apps to undergo a rigorous vetting process within the Apple App Store. The 2022 App Store Transparency Report underscores this commitment: out of a staggering 6.1 million submissions, more than 1.6 million apps failed to meet Apple’s stringent criteria. However, Apple asserts that under the DMA it may be unable to provide users with the same level of protection as it could within its walled garden.

In contrast to the App Store, these alternative marketplaces may lack the resources or dedication to replicate Apple’s vetting process. Threats such as social engineering, fake apps, scams, spyware, and ransomware could jeopardize the privacy and security of EU customers.

Fortunately, Apple intends to closely monitor the app distribution process. Every app must undergo Apple’s “notarization” process, and their distribution through third-party marketplaces is still regulated by Apple’s systems. Developers are required to meet fundamental platform requirements, such as malware scanning. Furthermore, if a user chooses to utilize an external app store or payment system, they will encounter a series of alerts cautioning them about departing from the Apple-verse.

Currently, whatever happens in the EU, stays in the EU. Nevertheless, regulators worldwide view this as a litmus test. If the transition proceeds smoothly, it is plausible to anticipate that Apple will be compelled to open its stores in other markets. Conversely, if issues arise, the company may point to these experiences to argue for a more cautious approach.

MDM as a Building Block of Defence

As customers weigh the choice between in-house and third-party applications, it becomes increasingly challenging for businesses that want to maintain an Apple-secured ecosystem for their employees. Recognizing the concerns of such companies, Apple has developed APIs for device management.

By introducing a mobile device management (MDM) platform into the existing infrastructure, administrators gain the ability to restrict sideloading on managed devices. This prevents users from installing applications sourced from the web, limits the installation of apps from alternative marketplaces, and removes any such apps that were previously installed.

Additionally, administrators can enforce the removal of the App Store icon from the home screen, extending this restriction to alternative marketplace stores and their offerings, thereby ensuring consistency in app procurement across the iOS ecosystem. MDMs can also uninstall applications on iOS devices, including those downloaded from third-party app stores. Moreover, device management solutions can regularly patch and update critical applications and generate compliance status reports.
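The restrictions described above are delivered to a supervised iPhone as a configuration profile containing Apple’s Restrictions payload (PayloadType `com.apple.applicationaccess`). The script below is an added example, not code from the article or from any MDM vendor: it builds such a profile and audits an arbitrary profile to report which sideloading path it leaves open. The key names `allowMarketplaceAppInstallation` (iOS 17.4+), `allowWebDistributionAppInstallation` (iOS 17.5+) and `allowAppInstallation` (hides the App Store icon) are taken from Apple’s Device Management documentation as I know it and are labelled as assumptions in the code; confirm them against the current documentation and your MDM’s payload editor before deploying. The `WEAK_PROFILE_XML` input is constructed for the demonstration.

```python
"""Build and audit an iOS Restrictions profile that blocks sideloading.

Added example; not the article's or any MDM vendor's code. Restriction key
names are assumed from Apple's Device Management documentation (verify them).
"""
import plistlib
import uuid

# Sideloading paths this profile is meant to close. A missing key counts as
# "allowed" because Apple's restrictions default to permitting the action.
# Key names are assumptions from Apple's documentation; verify before use.
SIDELOAD_KEYS = {
    "allowMarketplaceAppInstallation": "alternative app marketplaces (iOS 17.4+)",
    "allowWebDistributionAppInstallation": "apps installed directly from the web (iOS 17.5+)",
}
RESTRICTIONS_PAYLOAD_TYPE = "com.apple.applicationaccess"


def build_restrictions_profile(org: str, hide_app_store: bool = False) -> bytes:
    """Return a .mobileconfig (XML plist) that blocks marketplace and web installs.

    With hide_app_store=True the profile also sets allowAppInstallation=false,
    which removes the App Store icon and blocks installs from every store.
    """
    restrictions = {
        "PayloadType": RESTRICTIONS_PAYLOAD_TYPE,
        "PayloadVersion": 1,
        "PayloadIdentifier": f"{org}.restrictions.sideloading",
        "PayloadUUID": str(uuid.uuid4()),
        "PayloadDisplayName": "Block sideloading",
        "allowMarketplaceAppInstallation": False,       # assumed key name
        "allowWebDistributionAppInstallation": False,   # assumed key name
    }
    if hide_app_store:
        restrictions["allowAppInstallation"] = False    # assumed key name
    profile = {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": f"{org}.sideloading",
        "PayloadUUID": str(uuid.uuid4()),
        "PayloadDisplayName": "Sideloading controls",
        "PayloadOrganization": org,
        "PayloadScope": "System",
        "PayloadContent": [restrictions],
    }
    return plistlib.dumps(profile)


def audit_sideloading(profile_bytes: bytes) -> list:
    """Return descriptions of sideloading paths the profile leaves open.

    All Restrictions payloads in the profile are merged; an empty result means
    both the marketplace and the web-distribution paths are blocked.
    """
    profile = plistlib.loads(profile_bytes)
    merged = {}
    for payload in profile.get("PayloadContent", []):
        if payload.get("PayloadType") == RESTRICTIONS_PAYLOAD_TYPE:
            merged.update(payload)
    return [desc for key, desc in SIDELOAD_KEYS.items() if merged.get(key, True)]


def is_compliant(profile_bytes: bytes) -> bool:
    """True when the profile closes every sideloading path in SIDELOAD_KEYS."""
    return not audit_sideloading(profile_bytes)


# Constructed sample: an older profile that only blocks marketplaces, as an
# administrator might still have deployed before iOS 17.5 added web distribution.
WEAK_PROFILE_XML = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadContent</key>
  <array>
    <dict>
      <key>PayloadType</key><string>com.apple.applicationaccess</string>
      <key>allowMarketplaceAppInstallation</key><false/>
    </dict>
  </array>
</dict>
</plist>
"""

if __name__ == "__main__":
    # Audit the constructed weak profile, then the one this script generates.
    print("weak profile leaves open:", audit_sideloading(WEAK_PROFILE_XML))
    generated = build_restrictions_profile("com.example.corp", hide_app_store=True)
    print("generated profile compliant:", is_compliant(generated))
```

The audit treats an absent key as an open path on purpose: a profile written before a new distribution channel existed silently allows it, so a fleet check should fail closed rather than assume a missing key is harmless.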

Yet the challenge escalates with bring your own device (BYOD) programs. Nonetheless, there’s a silver lining: by enrolling employees’ personal devices used for work into an MDM, IT administrators can establish dedicated business containers that partition work and personal data on iOS devices, ensuring the secure compartmentalization of corporate data. Moreover, by integrating a zero-trust network access (ZTNA) framework, corporate data and app traffic travel through encrypted tunnels, segregated from other web traffic, including that of sideloaded apps. This rigorous segregation guarantees that company data remains confined within the corporate network.

While the DMA aims to foster competition by preventing big tech firms from stifling competitive evolution, Apple argues that this approach may diminish the value of its platform. Consequently, it’s a tug-of-war between regulators and tech giants for control of the digital marketplace. While EU authorities will continue to monitor the compliance of these tech giants, Apple remains vocal about the risks of the EU’s regulatory experiment in a 32-page white paper. Meanwhile, app developers and users must adapt to the changing landscape. MDM solutions aren’t a cure-all, but by harnessing the full functionality of these platforms, companies can navigate the intricacies of mobile security, safeguard their assets and uphold regulatory compliance, positioning themselves to thrive amid ongoing transformations.

Article source: https://securityboulevard.com/2024/06/eu-opens-the-app-store-gates-a-call-to-arms-for-mdm-implementation/