Sideloading is a malware danger, Apple tells U.S. lawmakers

Apple has written to the U.S. Senate Judiciary Committee to dispute claims made by an expert about sideloading, insisting that its arguments about the technique being a malware vector are justified.




In February, the Senate Judiciary Committee voted to advance the Open Markets Act, legislation that could force Apple to allow the sideloading of apps. In a continued effort to fight the measure, Apple has written to lawmakers about malware dangers.

The letter, sent on Thursday and seen by Reuters, talks about comments from computer security expert Bruce Schneier, in which he says Apple's concerns about sideloading are "unfounded."

In response, Apple argued that sideloading benefits malware producers, since malware spread that way relies on users being tricked into downloading it rather than requiring hackers to break device security more directly. The App Store review process "creates a high barrier against the most common scams used to distribute malware," writes Apple.

Though Apple does accept Schneier's comments that state-sponsored hackers have the potential to break device security directly, it says such attacks are a "rare threat" to consumers. "There is ample evidence showing third-party app stores are a key malware vector on platforms which support such stores," argues the iPhone maker.

Apple's letter was sent to Dick Durbin, the Senate Judiciary Committee chair, as well as its top Republican, Chuck Grassley. It was also sent to antitrust subcommittee chair Amy Klobuchar and its top Republican, Mike Lee.

In a previous letter to top Senate lawmakers on February 3, Apple said the Open Markets Act would harm user security and privacy. Sideloading "would enable bad actors to evade Apple's privacy and security protections by distributing apps without critical privacy and security checks."

The Open Markets Act is an antitrust bill that applies restrictions to Apple, Google, and other platform holders. It would ban policies preventing sideloading and would essentially force the acceptance of third-party payment systems, among other measures.


Comments

  • Reply 1 of 33
    Of course side loading is a malware danger. That was never being debated. The solution is simple: A switch that turns on side loading and turns off features like the official Apple App Store and iCloud that would be compromised by a side loaded app. Users who enable side loading would use third party app stores on their device. It's perfect for older iOS devices that would otherwise collect dust and is also a great way to recycle old devices. I bet less than 10% of iOS users would enable side loading on an old device but if they want to they should be able to. This is why jailbreaking exists. Apple should just make an official way to jailbreak old devices and be done with it.
  • Reply 2 of 33
    22july2013 Posts: 2,936 member
    I bet less than 10% of iOS users would enable side loading on an old device but if they want to they should be able to. This is why jailbreaking exists. Apple should just make an official way to jailbreak old devices and be done with it.
    Apple should allow jailbreaking by letting users replace iOS with Android, but not by weakening iOS.

    You are neglecting the fact that should side loading be allowed on iOS, companies like FaceBook would insist that any software developers who want data from FaceBook would be required to make their app "require side loading." That way FaceBook gets more data. And with a majority of software switching to side-loading to become more profitable, everything would have to be side loaded.
  • Reply 3 of 33
    I bet less than 10% of iOS users would enable side loading on an old device but if they want to they should be able to. This is why jailbreaking exists. Apple should just make an official way to jailbreak old devices and be done with it.
    Apple should allow jailbreaking by letting users replace iOS with Android, but not by weakening iOS.

    You are neglecting the fact that should side loading be allowed on iOS, companies like FaceBook would insist that any software developers who want data from FaceBook would be required to make their app "require side loading." That way FaceBook gets more data. And with a majority of software switching to side-loading to become more profitable, everything would have to be side loaded.
    FaceBook could not require that users enable side loading in order to use their app. The market size is just too small. I would expect very few iOS users to enable side loading and disable iCloud and App Store apps on their devices. FaceBook can't give up the iOS market and they don't have the weight to force users to do anything. FaceBook still works in a browser so users would simply stop using the FaceBook app if they tried it.

    Allowing jailbreaking does not weaken iOS. It strengthens it. Currently jail breaking is possible in older versions of iOS. That's really bad for security because it means that apps the user downloads from the official App Store on those devices have their personal data exposed to other apps. With the method I propose, it means that side loaded apps would not have access to any secure information. Users would have to manage security on their own (or with third party apps). A jail broken iPhone would be exactly like a Mac Book, Windows PC or Raspberry Pi when it comes to security.
    edited March 5
  • Reply 4 of 33
    xyzzy-xxx Posts: 120 member
    I don't like the security argument, because if iOS sandboxing would work flawlessly, sideloading would not be a problem.
    On the other side, the App Store review process was never good in preventing malware, more in being compliant with Apple's rules.

    So I would like to see:

    - iOS (and sandboxing) being more robust
    - Sideloading being allowed, but with developer certificate (like on the Mac), so that bad apps can be wiped remotely by revoking the certificate
    - 3rd party app stores that have their own review process and their own set of compliance rules

    All in all I strongly believe this would help Apple to grow the platform and not be harmful at all!
    edited March 5
  • Reply 5 of 33
    DAalseth Posts: 2,034 member
    Apple is not wrong. 
    But I guess congress and the lobby groups are going to have to find out the hard way. Trouble is that so many developers will just jump ship and insist their app must be side loaded, to keep the 30% cut, that we all are going to end up side loading something.
    It’s not going to be pretty.
    I predict though that Apple will be who gets sued when people side load something that steals their data. 
  • Reply 6 of 33
    22july2013 Posts: 2,936 member
    I bet less than 10% of iOS users would enable side loading on an old device but if they want to they should be able to. This is why jailbreaking exists. Apple should just make an official way to jailbreak old devices and be done with it.
    Apple should allow jailbreaking by letting users replace iOS with Android, but not by weakening iOS.

    You are neglecting the fact that should side loading be allowed on iOS, companies like FaceBook would insist that any software developers who want data from FaceBook would be required to make their app "require side loading." That way FaceBook gets more data. And with a majority of software switching to side-loading to become more profitable, everything would have to be side loaded.
    FaceBook could not require that users enable side loading in order to use their app. The market size is just too small. 
    I do not think there's any point in trying to explain it to you. But you misquoted me: I did not say "in order to use their app." Read my post again. FaceBook can (and does) leverage its huge position as a data collector to impose rules on any developers who want to purchase their data. And FaceBook could force any developers who want to do business with FaceBook to pressure those developers to require that their apps only be available to iOS users through the side loading process. That way those apps can collect more data on their users, send that data to FaceBook, and FaceBook could store all that personal data, and sell it back to the developers.

    OutdoorAppDeveloper said:
    Allowing jailbreaking does not weaken iOS. It strengthens it. Currently jail breaking is possible in older versions of iOS. That's really bad for security because it means that apps the user downloads from the official App Store on those devices have their personal data exposed to other apps. With the method I propose, it means that side loaded apps would not have access to any secure information. Users would have to manage security on their own (or with third party apps). A jail broken iPhone would be exactly like a Mac Book, Windows PC or Raspberry Pi when it comes to security.
    When you say "with the method I propose" are you saying that pressing that switch would prohibit any apps from accessing your location AND your address book AND your photos AND every other piece of data a user has on his device or in his iCloud? Do you really think there's any point to side-loading if the side-loaded app has NO access to ANY user data? Do you really think that's what FaceBook wants? No, they want access to ALL your data when they are side-loaded.
    edited March 5
  • Reply 7 of 33
    dewme Posts: 4,239 member
    Of course side loading is a malware danger. That was never being debated. The solution is simple: A switch that turns on side loading and turns off features like the official Apple App Store and iCloud that would be compromised by a side loaded app. Users who enable side loading would use third party app stores on their device. It's perfect for older iOS devices that would otherwise collect dust and is also a great way to recycle old devices. I bet less than 10% of iOS users would enable side loading on an old device but if they want to they should be able to. This is why jailbreaking exists. Apple should just make an official way to jailbreak old devices and be done with it.

    Apple sanctioning a jailbreaking model would open up, or at least greatly expand, an attack vector against people who are vulnerable to human/social engineering attacks. Owning an iPhone would no longer convey a great sense of assurance that the device is to be trusted and is legitimate. Victims could easily be instructed to install sideloaded/untrusted apps or have their devices configured to allow sideloaded/untrusted apps when the device is brought in for "service" in response to a phishing attack.

    I can definitely understand the desire for hobbyists and enthusiasts to be able to repurpose older Apple devices for other purposes. However, I am also willing to accept that certain devices need to be uncompromising in their adherence to ensuring that the trust relationship between the device vendor and the customer is never compromised for any reason whatsoever. Perhaps it's too idealistic to expect that partnering with Apple as a customer ensures that you will never be subjected to negative consequences, because no vendor can ever be perfect.

    I'd prefer that Apple maintain the attainment of that type of trust relationship as a goal. Sanctioning sideloading would, in my personal opinion, be a pessimistic response by Apple and signal that they were no longer fully committed to being a trusted partner that we can always rely on because they would be enabling their devices to be weaponized for illegitimate purposes. I have no desire to see that happen and I doubt that anyone in Apple wants to see that happen either.
    edited March 5
  • Reply 8 of 33
    larryjw Posts: 917 member
    One side loading issue has not been brought up -- maybe because I'm wrong. But here it goes.

    iPads, iPhones, Apple TVs, etc are general purpose computers, but are restricted by Apple from being programmed to behave as such. Apple's restrictions on these devices prevent apps from being general programming devices -- you can't install a c compiler, fortran, Julia, lisp, etc.

    So, you can't turn these devices into network monitors, scanners which allow them to snoop around. 

    This is on my mind.

    As an election official, the bogus claims of election fraud and the nonsense that voting machines were being controlled from China, Brazil, etc to change votes from Trump to Biden has strong backing by 70% of Republicans opens up the argument that anyone carrying an iPhone could be hacking into voting machines and thus invalidating every election result. I'm sure there is nothing that would prevent that story from gaining widespread adoption. No proof is necessary.

    Of course, there is nothing to prevent any of these machines from using http, or VNC protocols from controlling other machines if they've been designed to allow that connection.

    There is nothing now that prevents any computer from monitoring insecure networks if users don't use VPN services. 

    At least, at this time, we can look to Apple to implement security protocols that limit snooping of, and by, our devices; but if side loading is allowed, no security of any kind is likely to be effective.


  • Reply 9 of 33
    Company that profits hugely from a 30% cut from non-sideloaded apps claims that sideloading is dangerous. It certainly is — to their bottom line.

    The only thing I’m surprised by is that anyone would even bother reading what Apple writes on the subject, given their inherent conflict of interest.
  • Reply 10 of 33
    larryjw said:
    One side loading issue has not been brought up -- maybe because I'm wrong. But here it goes.

    iPads, iPhones, Apple TVs, etc are general purpose computers, but are restricted by Apple from being programmed to behave as such. Apple's restrictions on these devices prevent apps from being general programming devices -- you can't install a c compiler, fortran, Julia, lisp, etc.

    So, you can't turn these devices into network monitors, scanners which allow them to snoop around. 

    This is on my mind.

    As an election official, the bogus claims of election fraud and the nonsense that voting machines were being controlled from China, Brazil, etc to change votes from Trump to Biden has strong backing by 70% of Republicans opens up the argument that anyone carrying an iPhone could be hacking into voting machines and thus invalidating every election result. I'm sure there is nothing that would prevent that story from gaining widespread adoption. No proof is necessary.

    Of course, there is nothing to prevent any of these machines from using http, or VNC protocols from controlling other machines if they've been designed to allow that connection.

    There is nothing now that prevents any computer from monitoring insecure networks if users don't use VPN services. 

    At least, at this time, we can look to Apple to implement security protocols that limit snooping of, and by, our devices; but if side loading is allowed, no security of any kind is likely to be effective.


    Right, because only iPhones are allowed at polling places. Androids are banned.

    Also, any iPhones where the guy coded something (or downloaded a project from GitHub), and compiled and sideloaded it via the already existing Xcode route, which by the way doesn’t require a $99 developer account.

    Geez, the arguments are getting ever more desperate. Hopefully that’s a sign we’re going to win this war and finally have the right to do whatever we want with the hardware we bought and paid for, as we should have since the beginning.
  • Reply 11 of 33
    This Bruce Schneider fellow is an idiot and it’s hard to believe he’s a security expert.

    Maybe he’s like those doctors who used to say smoking was good for you. Say whatever aligns with those paying you.
  • Reply 12 of 33
    larryjw Posts: 917 member
    swineone said:
    Company that profits hugely from a 30% cut from non-sideloaded apps claims that sideloading is dangerous. It certainly is — to their bottom line.

    The only thing I’m surprised by is that anyone would even bother reading what Apple writes on the subject, given their inherent conflict of interest.
    Almost everyone has some conflict of interest, if nothing more than a general bias in one direction or another.

    There is no shortcut to thinking. One, or someone, needs to think in depth about the issues and facts to come to even tentative conclusions. 

    Nihilism is the result if it's enough to claim some bias to reject any discussion. If that's your approach, just believe anything you want, but don't claim any thought process was involved. 
  • Reply 13 of 33
    I thought sandboxing in iOS prevented apps from affecting other apps.
  • Reply 14 of 33
    rob53 Posts: 2,946 member
    His name is Bruce Schneier as spelled in the Reuters article. https://www.schneier.com/ He’s a public interest technologist. He appears to be employed but looks like he’s mainly an older male blogger. I disagree with his comments about side-loading but I don’t have his degrees, only 33 years dealing with computerized systems including those with sensitive and classified data. I’ve never made money off of telling people how to do things, other than my salary. I know what happens when computer systems of any kind have easy access to random software. 
  • Reply 15 of 33
    davidw Posts: 1,561 member
    swineone said:
    Company that profits hugely from a 30% cut from non-sideloaded apps claims that sideloading is dangerous. It certainly is — to their bottom line.

    The only thing I’m surprised by is that anyone would even bother reading what Apple writes on the subject, given their inherent conflict of interest.
    You are clueless. 1% of the developers account for over 90% of Apple App Store revenue. And not even that looney Sweeney, that is in charge of Epic Games and part of that 1%, doesn't really want to have his customers have to side load his apps, in order to avoid paying that 30%. Otherwise he would have never put "Fortnite" in the Google Play Store and ended up making a ton of more money, than when "Fortnite" was only available by side loading (on Android). For Epic Games, it was well worth paying Google their 30% for being in the Google Play Store, as it would be for most of these 1%. But then Epic got greedy. These 1% want to avoid the 30% while still being in the Apple App Store and not by having their customers having to side load. Side loading is a hard sell on Android, where the vast majority of the users don't ever want to side load and would even be a harder sell on iOS, where users are more security minded.

    The people that mainly want side loading are the developers that have apps that don't adhere to Apple App Store policies or those wanting to download pirated apps or apps that cater to pirating. Apps that pose a security issue for Apple. The loss of App Store revenue for Apple from side loading, would only amount to a rounding error. If even that. (And that's not factoring the added revenue from the Android users that want to be able to side load, that would be switching to iPhones and iPads.)

    And think about this, the developers pass the commission to the customers. With iOS, small developers that don't have the means to provide side loading or their own payment method, don't have to compete with other developers that can sell their apps at a lower cost because of side loading and not having to pay the commission. Or worry about their apps being pirated by "cracked apps" app stores like the ones easily available on Android. iOS is a level playing field or at least more level than Android. Which may be why developers make more money with iOS App Store.

      
    edited March 6
  • Reply 16 of 33
    netrox Posts: 1,168 member
    "The letter, sent on Thursday and seen by Reuters, talks about comments from computer security expert Bruce Schneider, where he says Apple's concerns about sideloading are "unfounded." "

    That computer security "expert" is definitely not trustworthy. Seriously, how can he even be qualified to make such a statement that is fundamentally wrong? 


  • Reply 17 of 33
    Apple should support third party curation, with some kind of revenue split. That way we can get better app stores, or at least better specialized app stores, but with Apple still getting the revenue it wants (and should receive) to ensure the App ecosystem is properly managed. This also isn't perfect, and it certainly has its own technical (and business) hurdles. But, it would solve one of the Apple App Store's biggest problem for both app developers and consumers, which is that it is a disorganized mess. 
  • Reply 18 of 33
    davidw Posts: 1,561 member

    swineone said:
    larryjw said:
    One side loading issue has not been brought up -- maybe because I'm wrong. But here it goes.

    iPads, iPhones, Apple TVs, etc are general purpose computers, but are restricted by Apple from being programmed to behave as such. Apple's restrictions on these devices prevent apps from being general programming devices -- you can't install a c compiler, fortran, Julia, lisp, etc.

    So, you can't turn these devices into network monitors, scanners which allow them to snoop around. 

    This is on my mind.

    As an election official, the bogus claims of election fraud and the nonsense that voting machines were being controlled from China, Brazil, etc to change votes from Trump to Biden has strong backing by 70% of Republicans opens up the argument that anyone carrying an iPhone could be hacking into voting machines and thus invalidating every election result. I'm sure there is nothing that would prevent that story from gaining widespread adoption. No proof is necessary.

    Of course, there is nothing to prevent any of these machines from using http, or VNC protocols from controlling other machines if they've been designed to allow that connection.

    There is nothing now that prevents any computer from monitoring insecure networks if users don't use VPN services. 

    At least, at this time, we can look to Apple to implement security protocols that limit snooping of, and by, our devices; but if side loading is allowed, no security of any kind is likely to be effective.


    Right, because only iPhones are allowed at polling places. Androids are banned.

    Also, any iPhones where the guy coded something (or downloaded a project from GitHub), and compiled and sideloaded it via the already existing Xcode route, which by the way doesn’t require a $99 developer account.

    Geez, the arguments are getting ever more desperate. Hopefully that’s a sign we’re going to win this war and finally have the right to do whatever we want with the hardware we bought and paid for, as we should have since the beginning.
    Geez, not surprisingly, another clueless post from you. 

    Apple is not stopping you from using your Apple hardware as a paperweight, door stop, hammer, Frisbee, etc. It's your hardware, you bought and paid for it, you own it. Apple is not stopping you from installing jailbreak software, so you can do all the wonderful things you want with your Apple hardware, that you bought and paid for.

    But iOS is not yours to do as you wish. iOS is Apple's copyrighted/patented IP. Apple does not have to make any changes to iOS, for the benefit of a very few. Just because you bought and paid for the Apple hardware, it doesn't mean that Apple has to make changes to iOS so that you can use the Apple hardware as you wish. If Apple hardware didn't do the things you needed it to do, then you should not have bought it.

    When you buy a DVD or CD, can you do what you want with the copyrighted works on them? Why not, after all, you bought and paid for the DVD or CD? Why can't you make copies of those copyrighted IP and sell them at the flea market? Why can't you use any of those copyrighted works to make money with commercially? Why can't you sell tickets to a concert of you covering the songs on the CD that you bought and paid for? Or open your own theater and charge an admission to the public, to watch the DVD you bought and paid for, on a big screen?  It's NO to all, because you do not own the copyrighted works, no matter how much you think that you do, because you bought and paid for the physical media they are on. 
    edited March 6
  • Reply 19 of 33
    jimdreamworx Posts: 1,085 member
    Like third-party batteries, if Apple blessed side-loading, someone would sue them when their smartphone was bricked, infected or they had their personal data compromised.

    Obviously anyone who does these sorts of things is a gear head who is not in need of any support from the manufacturer.

    I'm just surprised no one turns around and expects iOS to behave like macOS in terms of being a free-for-all - offering that up as a reason to open up iOS.
    Then again, macOS is getting more locked down with each new version.
  • Reply 20 of 33
    qwerty52 Posts: 359 member
    Of course side loading is a malware danger. That was never being debated. The solution is simple: A switch that turns on side loading and turns off features like the official Apple App Store and iCloud that would be compromised by a side loaded app. Users who enable side loading would use third party app stores on their device. It's perfect for older iOS devices that would otherwise collect dust and is also a great way to recycle old devices. I bet less than 10% of iOS users would enable side loading on an old device but if they want to they should be able to. This is why jailbreaking exists. Apple should just make an official way to jailbreak old devices and be done with it.
    It is not very clever!
    So are you suggesting that Apple should invest in creating special new iOS versions, only to make old Apple devices able to use third party app stores?
    Without collecting any commission?
    And why should Apple do this?
    Apple is not a charity organization, remember?