Side-loading is a gold rush for cybercriminals, says Craig Federighi
Craig Federighi, Apple's Software Engineering chief, gave a keynote focused on the dangers of forcing Apple to allow side-loading on iPhone at the Web Summit 2021 conference.
Credit: Web Summit
During a keynote speech on day two of the Web Summit in Lisbon, Portugal, Federighi touted the benefits of Apple's iOS and the built-in protections of the App Store. He also spoke out against the provision to allow side-loading in the European Union's Digital Markets Act.
"The DMA has an admirable mission: to promote competition and to make sure consumers have choice," said Federighi. "And I'm a big fan of both of these goals. But as the engineer who wants iPhone to stay as secure as possible for our users, there is one part I worry about. And that's the provision that would require iPhone to allow side-loading."
Federighi said that the provision, intended to provide more choice to consumers, would actually take users' choice away.
"Because in the name of giving users more choice," Federighi said. "That one provision would take away consumers' choice of a more secure platform."
The Apple SVP then reiterated some of the company's past talking points on side-loading, included in an October update to its "Building a Trusted Ecosystem for Millions of Apps" white paper.
Federighi, and that white paper, both touted the privacy and security benefits of the iPhone. They also maintain that security is essential on a user's smartphone, given the expanding amount of sensitive data stored on them.
The Apple software chief focused almost entirely on side-loading, choosing to forgo talking about the other provisions in the DMA. The crux of his argument came down to the fact that allowing side-loading would, according to Apple, cripple the company's privacy and security mechanisms.
As Apple did in its research paper, Federighi gave a number of specific examples of malware and ransomware that run rampant on competing platforms like Android. All of them, Federighi said, rely on side-loading in one way or another.
"Cybercriminals' targets and strategies vary, but here's one thing that couldn't be more clear: side-loading is a cybercriminal's best friend," Federighi said. "And requiring that on iPhone would be a gold rush for the malware industry."
Comments
No one is saying Apple needs to make it as easy to sideload as not. FWIW Google makes it fairly difficult to do so now, so even if it can be done they definitely strongly discourage it with change settings in an obscure place most people would never see. Allowing a user choice of what applications to load on their own personal $1000 expenditure puts the onus where it belongs. The only legitimate reason not to is purely profit-based and not because they're "saving us from ourselves".
We buy homes and add furniture we choose from whatever source we wish, no payment to the architect or the builder. We buy cars and change out the audio, headlights, et al. sourced from wherever we wish, no permission required from the auto manufacturer or fee to be paid. We buy computers and laptops and add programs from any developer we wish, no stipend needs to be paid to the computer vendor or manufacturer. But we buy a smartphone and can only add applications that the provider further profits from and/or offers themselves?
EDIT: As I said, it's not a simple thing to sideload on Android now. It requires more than a bit of familiarity with the system structure and so not something Cesar's grandmas and aunts would accidentally do.
Pull down from the top and tap Settings. Then nestled among a dozen or so main collections from Security (which is where I would have expected it to be) to Privacy to System, go to Apps, where you're presented with all your recently opened ones and an option to see all of them. Nothing there indicates anything about outside sources or 3rd party stores or anything else. Where they've hidden it is in yet another sub-menu; Special App Access. Even there you won't find it on the first page of options.
Down near the bottom if you scroll far enough will be "Install unknown apps", a disconcerting title. Now tapping that makes it even more difficult because you then are offered several different categories of personal devices, products, files and browsers where you will choose to allow it, but which one?? By default they are all disallowed. Yup, daunting for someone with little knowledge.
Apple can do the same, make it pretty darn hard, in fact near impossible, for mom, pop and that great aunt to accidentally load an app that comes from an unsafe place. Only the knowledgeable will be able to do so.
VOILA.
Don't allow side-loading and it gets a ton harder to do the same thing.
You’re free to get an enterprise cert but the target market for abuse is small and the participants are advanced users.
Next.
Your first point is a lie. I’ll repeat the previous example I used. I download an App from The App Store. My friend downloads it from a 3rd party store. My App has restrictions applied by Apple but the 3rd party App has no such restrictions. Anything I share with my App that goes to my friend now gets shared with an outside party because THEIR App doesn’t get vetted. Suddenly my personal information is shared WITHOUT my consent, not by my version of the App but by an App on the other end. The idea that staying away from side-loading protects you is asinine.
How do you reconcile this stance with your constant promotion of Google Messages being E2EE and therefore safe? It’s not safe if the other end isn’t. Seems you’ve really backed yourself into a corner here.
Your second point shows your ignorance of what’s being requested. Epic is suing Google because they claim the warnings you see before side-loading are anti-competitive. They claim these warnings are designed to scare users away from side-loading. What the companies/groups/Senators want is frictionless side-loading. They will accept nothing less. Therefore there will be no warnings. They want 3rd party stores to be as simple as The App Store. One-click installs and no constant nagging/warnings. This is where the danger lies as it will be easy to trick users into allowing and installing 3rd party Apps. The only warning Apple/Google will get away with is most likely a single, one-time notification to enable side-loading. After that it’s the Wild West.