The Security Implications of ‘Sideloading’ for iPhone Users

Major players in the tech sector have until 2024 to comply with the EU’s new Digital Markets Act, which stipulates that consumers should be able to install apps from any venue - not just the official app store - a practice known as ”sideloading." Apple is particularly affected, as the new law threatens to loosen its tight grip on the iOS ecosystem.

The DMA applies to technology companies with market valuations of at least €75 billion ($80 billion) and a minimum of 45 million monthly users within the European Union.

Valuated at over $2 trillion, Apple more than qualifies. The company generated nearly $400 billion in revenue globally in fiscal 2022, including $95 billion from Europe alone.

The DMA threatens to levy fines of as much as 20% of a company’s annual global revenue if they repeatedly violate the law. In short, Apple will have to loosen the grip on its ”walled garden” or face penalties in the tens of billions.

As reported by Bloomberg on December 13, the Cupertino giant is already hard at work building compliance into iOS 17, slated for release in 2023, well ahead of the DMA’s deadline. As expected, the news is fueling discussions about the implications for the security and privacy of Apple customers come 2023.

Malware

The number 1 fear surrounding sideloading on iOS is, of course, security. Sideloading is a leading malware infection vector on devices that allow the practice.

The Android ecosystem is known for its vulnerability against malware due to sideloaded apps, even though Google disables the feature by default and creates a decent amount of friction to discourage the practice. Nonetheless, many users enable it, often pressed to do so to lift certain restrictions, or through various incentives.

The most common types of mobile malware targeting regular consumers are:

Adware – generating ad revenue via aggressive or fraudulent ads and potentially harming performance of the device

Ransomware – locking victims out of their device and data and demanding ransom to unfreeze the device

Spyware – stealing user data to sell it to hackers; threatening to release the data and extorting the victim; conducting intimate partner surveillance (the ”jealous spouse” cliche)

Trojans – masquerading as legitimate apps, designed to steal banking data or login credentials

Social engineering

Opening iOS to non-vetted third-party downloads will likely generate a lot of fear and confusion around which apps are actually safe to download.

Threat actors may be enticed to target iPhone owners with scareware scams designed to instill fear that the device needs maintenance or an antivirus scan – all to push the user into a trap.

Piracy

Opening iOS up to third-party app venues may encourage bad actors to create spoofed websites mimicking the original App Store, or fake versions of popular apps to deliver tainted software.

Increased concerns about security will also likely impact hard-working developers. Sideloading would enable rogue actors to duplicate and illegally distribute pirated versions of a legitimate app. Pirated content has historically been used to spread malware both on desktop and on mobile.

Supply chain attacks

Another bleak scenario iOS customers face is getting infected by downloading what they otherwise considered to be legitimate app from a legitimate developer. In a supply chain attack, threat actors infiltrate the developer’s work environment and infect their software so that neither the developer nor the end user know the app has been tampered with.

Increased pressure to distinguish good from bad

When the DMA is fully enforced, end-users may find themselves responsible for determining whether a sideloaded app is safe – a task that may prove difficult even for eyes trained to spot security or privacy hazards.

For example, customers may not get accurate information about a certain app because the app store it came from failed to provide all necessary information about its data collection practices, and other security elements.

Bloomberg’s sources say Apple is toying with the idea of mandating certain security requirements outside its store. Some apps may still need to be verified by the Cupertino giant for fee, meaning Apple could give itself some leeway to both protect users and recoup some revenue lost to the DMA’s requirements.

Increased need for security

At the end of the day, malware remains the number 1 threat behind the practice of sideloading, meaning once the DMA is fully enforced, security will become a top priority for Apple and iPhone users alike.

If third-party app stores are allowed on the iPhone without proper safety checks and vetting, sideloading can (and likely will) expose iPhone users to all kinds of cyber threats, making it more important that they deploy a dedicated security solution on their devices.

In a 30-page plea addressing the risks behind sideloading, Apple itself notes:

On platforms that support sideloading, many consumers have also needed to add antivirus services on their devices to attempt to stem the problem.

Bitdefender works tirelessly to anticipate impending threats to all consumer devices, including iOS.

Bitdefender Mobile Security for iOS is designed from the ground up to offer powerful protection against malware threats with the least impact on battery life and performance. Using it, iPhone owners can better protect their password, email address, social and financial information, and easily check their phone’s security to detect and fix misconfigurations. Bitdefender Mobile Security also lets you check your online accounts against data breaches and surf the web under VPN protection.