Apple, the EU, and the threat of sideloaded applications

by Jabez

A significant change has occurred in mobile security with Apple’s release of iOS 17.04 in March 2024. This update allows users to sideload apps and access third-party app stores, a move largely driven by the need to comply with the EU’s Digital Markets Act (DMA). The DMA, introduced by the European Commission, aims to reduce the dominance of major tech companies, referred to as “gatekeepers,” over digital markets.
The DMA mandates that gatekeepers “shall allow and technically enable the installation and effective use of third-party software applications or software application stores using, or interoperating with, its operating system and allow those software applications or software application stores to be accessed by means other than the relevant core platform services of that gatekeeper.”
While this change offers Apple users greater flexibility, it also introduces new risks for users, their devices, and the organizations and individuals connected to them.
Apple has historically opposed this change, even filing a legal challenge in European courts. In 2021, Apple’s CEO Tim Cook expressed concerns that such a move would “destroy the security of the iPhone and a lot of the privacy initiatives that we’ve built into the App store.” Despite these concerns, Apple included the capability in iOS 17.04 to comply with the EU’s Digital Markets Act, and its objections point to the risks involved.
Circumventing App Stores
Mobile application security relies on a comprehensive ecosystem of security measures, from development to production, release, and customer use. Sideloading disrupts a crucial part of this chain: the app stores.
Legitimate app stores like the Google Play Store and Apple’s App Store implement rigorous review processes to ensure the safety of apps. Although not perfect, these processes provide a significant level of trust. Sideloading, however, bypasses these security measures, allowing third-party app stores to host apps with new functionalities but also potential risks.
By sideloading, users effectively jailbreak their phones, circumventing existing protections and exposing themselves to various threats. These include:
Malware Threats: Third-party app stores often host apps that carry malware. Without the security controls of official app stores, these apps can easily reach users’ devices.
Lack of Automatic Updates: Official app stores provide automatic updates, including security patches. Sideloaded apps do not, so they become potential attack vectors if users neglect manual updates.
Increased Attack Surface for Businesses: The lack of these protections enlarges the attack surface available to malicious actors. Unscreened apps may request excessive permissions, risking exposure of sensitive data and causing performance issues.
App stores also offer quality assurance through user reviews and rankings, a crucial component often missing from sideloaded apps.
Sideloading may require users to jailbreak their phones, altering security settings to allow installations from unknown sources, further increasing security risks.
The Digital Markets Act’s Impact
The DMA aims to enhance consumer choice and inject competition into European digital markets by forcing tech giants to open their platforms to smaller competitors. Similar to Open Banking regulations like PSD2, the DMA seeks to foster innovation by loosening the grip of large institutions. While this could lead to a surge in new products and services, it also poses significant risks to Apple devices if not managed properly.
Mobile devices provide greater connectivity, not just to secure entities but also to potential threats. As open environments, they require robust security measures. Introducing third-party app stores adds complexity for security personnel, necessitating continuous monitoring and risk assessment, similar to traditional endpoints.
In conclusion, while the DMA’s objectives are to promote competition and innovation, the introduction of sideloading capabilities in iOS 17.04 presents substantial security challenges that need careful management to protect users and organizations.
