AltStore allows limited sideloading of iPhone apps Apple doesn't approve

As Apple faces pressure to open up the iPhone to third-party App Store providers, one developer has been helping users sideload apps since 2019 -- and has issues with overbroad legislation demanding users be able to sideload.




Apple has been consistent and clear in its view that sideloading brings malware risks, and it's going to take changes in the law to make it allow unapproved apps onto the iPhone. Yet developer Riley Testut has been using one of Apple's own tools to allow users to install apps from outside Apple's curated App Store.

According to Fast Company, AltStore has been downloaded over 1.5 million times since its 2019 launch. It reportedly has over 300,000 active monthly users, and almost 6,000 of those contribute to Testut's Patreon, paying over $14,500 for him to work on the service full time.

Once installed, AltStore lets users add apps made by Testut. Users can also add any app they can find from anywhere, so long as it is using the .ipa format. Versions of social media apps that have had their ads removed are reportedly popular, as are classic game emulators.

AltStore exploits the fact that Apple's Xcode development platform allows users to load apps they're developing straight onto their own iPhones.

"When Apple announced that [feature in 2015], I was like, 'Oh, so there's some way to install apps onto iOS just with an Apple ID,'" says Testut. "And from there I expanded that into a full solution."

The full solution is not straightforward. It requires a user to install a Mac or PC app called AltServer, and AltStore then signs an app so that it appears to have been made by the user.

Apps can only be installed when the iPhone and the Mac or PC running AltServer are on the same Wi-Fi network. Only three such apps can be installed at any time, and one of those is the mandatory AltStore.

It is possible to swap out apps, but there are limits on this too. Any one user can only sideload up to 10 apps per week, and moreover Fast Company says that every app installed must be "refreshed" by connecting to AltServer once a week.

AppleInsider staffers have used the AltStore periodically since release. We can confirm that it works, and does what it is advertised to do. However, the installation of both the AltServer and apps through it can be finicky.

Sideloading is a risk

Testut may not be able to circumvent these and other Apple limitations, but he plans to create a security system that will ensure sideloaded apps are not malicious.

"There's a lot of risk to sideloading," continues Testut. "Because we're the tool that people are using, it's our responsibility to make sure that we're doing what we can to prevent people from accidentally screwing themselves over."

So perhaps ironically, Testut agrees with Apple about sideloading, or at least he does when it's potentially on a large scale. He does not approve of proposed legislation that would conceivably allow any consumer to download any app, without some protection.

"We don't like the bills, actually," he told Fast Company. "We really think they are too broad, and they have serious ramifications for consumer privacy."

However, Testut does very much believe that everyone should have the right to sideload if they want to. And he believes that the app industry needs that freedom.

"Apple takes an approach to the App Store where they only approve what they imagine already," he says, "so anything that pushes the boundaries of that, Apple will just reject."

"We need a way for apps that push the boundaries to first exist, and then people will see it exist and want it in the App Store," he continues. "No cool, fun apps are coming out. We want to see more small, but quirky, fun apps in AltStore."


Comments

  • Reply 1 of 20
    rob53 Posts: 3,090 member
    So AI is using an app that violates Apple’s rules and actually telling people about it. I can’t wait for Apple to find out about it. The developer should lose the license/developer certificate while Apple can immediately cancel all apps using that certificate. I also wonder if Apple could go after the users, including AI. Be careful about removing my comment because all I’m doing is commenting on illegal activity, both the developer’s and user’s violations. I’m talking about the misuse of the obvious Xcode development program. This is not for limited testing, the developer is getting paid which is against Apple rules. 
  • Reply 2 of 20
    mac_dog Posts: 1,022 member
    Cancel his developer license. Next…
  • Reply 3 of 20
    Beats Posts: 3,073 member
    Could be another Epic plant. Make them break the rules and then protest when they get kicked out.

    rob53 said:
    So AI is using an app that violates Apple’s rules and actually telling people about it. I can’t wait for Apple to find out about it. The developer should lose the license/developer certificate while Apple can immediately cancel all apps using that certificate. I also wonder if Apple could go after the users, including AI. Be careful about removing my comment because all I’m doing is commenting on illegal activity, both the developer’s and user’s violations. I’m talking about the misuse of the obvious Xcode development program. This is not for limited testing, the developer is getting paid which is against Apple rules. 

    It’s not that serious. Apple won’t go after users.
  • Reply 4 of 20
    dewme Posts: 4,641 member
    I'm more than surprised Apple has not engaged a small team of lawyers to stamp this out.  If he's been doing it since 2019 there must be a loophole in Apple's terms of service because this guy isn't hiding his operation. At the very least it seems like anyone using this capability would owe Apple a $100/year developer fee. That would be $30 million per year that Apple is owed. Or maybe Apple simply sees this as a gnat-sized problem and they have bigger problems to deploy their legal forces against.
  • Reply 5 of 20
    aderutter Posts: 547 member
    dewme said:
    At the very least it seems like anyone using this capability would owe Apple a $100/year developer fee. That would be $30 million per year that Apple is owed. Or maybe Apple simply sees this as a gnat-sized problem and they have bigger problems to deploy their legal forces against.
    Nope. The $99 fee is only for putting apps in the app-store, using XCode and putting your own apps on your own devices is free.

    Obviously, re-signing someone else’s apps as yours likely violates Apple’s terms and conditions of use of course, so expect this service to be taken down at some point now that it has been publicised here - lol. But yes, it is a tiny issue really - I suspect they have been more focused on companies using enterprise signing in prohibited ways.

  • Reply 6 of 20
    emoeller Posts: 551 member
    I don't see this as a problem.   Apple's Developer program allows for developers to side load apps, and to allow others to side load via its TestFlight app through the Developers Apple account, generally for testing purposes.   The concern raised in this article  is that the developer is then using that process to allow others to side load through his Developer account.  In other words he is a contract App Developer.  Corporations do this frequently when creating and distributing internal apps for Apple devices all the time.  This Developer is not selling apps created and installed outside of the Apple Developer framework.  

    Furthermore this Developer, rightly, is concerned about potential privacy and security issues for some of the apps he and his clients have created and wants to internally develop additional protocols (above and beyond Apple's usual Developer review) on his side before side loading.  

    The article isn't clear on this, but I am assuming that none of the apps are publicly "sold" outside of the Apple App store - rather they are utilized only by the Developer and his clients. 

    Finally, I agree with the developer and others that a wide and general opening to the public of side loading is inappropriate.
  • Reply 7 of 20
    jungmark Posts: 6,924 member
    Sure customers want to side load apps but when it bricks their phone or steals their data, they will be blaming Apple. 
  • Reply 8 of 20
    rob53 Posts: 3,090 member
    emoeller said:
    I don't see this as a problem.   Apple's Developer program allows for developers to side load apps, and to allow others to side load via its TestFlight app through the Developers Apple account, generally for testing purposes.   The concern raised in this article  is that the developer is then using that process to allow others to side load through his Developer account.  In other words he is a contract App Developer.  Corporations do this frequently when creating and distributing internal apps for Apple devices all the time.  This Developer is not selling apps created and installed outside of the Apple Developer framework.  

    Furthermore this Developer, rightly, is concerned about potential privacy and security issues for some of the apps he and his clients have created and wants to internally develop additional protocols (above and beyond Apple's usual Developer review) on his side before side loading.  

    The article isn't clear on this, but I am assuming that none of the apps are publicly "sold" outside of the Apple App store - rather they are utilized only by the Developer and his clients. 

    Finally, I agree with the developer and others that a wide and general opening to the public of side loading is inappropriate.
    According to Fast Company, AltStore has been downloaded over 1.5 million times since its 2019 launch. It reportedly has over 300,000 active monthly users, and almost 6,000 of those contribute to Testut's Patreon, paying over $14,500 for him to work on the service full time.

    This sounds like he’s making money and has a ton of users. This wasn’t for testing it was for a production product, plain and simple. 
  • Reply 9 of 20
    neoncat Posts: 94 member
    rob53 said:
    So AI is using an app that violates Apple’s rules and actually telling people about it. I can’t wait for Apple to find out about it. The developer should lose the license/developer certificate while Apple can immediately cancel all apps using that certificate. I also wonder if Apple could go after the users, including AI. Be careful about removing my comment because all I’m doing is commenting on illegal activity, both the developer’s and user’s violations. I’m talking about the misuse of the obvious Xcode development program. This is not for limited testing, the developer is getting paid which is against Apple rules. 
    Your obsessive need for letter-of-the-law adherence is... charming, however AltStore is hardly a secret. There have been numerous articles about it over the years, and he operates it out in the open. Like Hackintoshes, there may be a certain fetish among a subset of Apple White Knights who would like nothing better than for lives to be ruined in pursuit of the purest manifestation of Apple's precious ecosystem, yet no such hammer is ever going to fall. Apple is far too busy trying to figure out where to put all the piles of money it makes every quarter to care.
    edited May 2022
  • Reply 10 of 20
    dewme Posts: 4,641 member
    aderutter said:
    dewme said:
    At the very least it seems like anyone using this capability would owe Apple a $100/year developer fee. That would be $30 million per year that Apple is owed. Or maybe Apple simply sees this as a gnat-sized problem and they have bigger problems to deploy their legal forces against.
    Nope. The $99 fee is only for putting apps in the app-store, using XCode and putting your own apps on your own devices is free.

    Obviously, re-signing someone else’s apps as yours likely violates Apple’s terms and conditions of use of course, so expect this service to be taken down at some point now that it has been publicised here - lol. But yes, it is a tiny issue really - I suspect they have been more focused on companies using enterprise signing in prohibited ways.

    Thanks for clarifying this. The training material I used to familiarize myself with the provisioning process didn't cover the free provisioning option, which at first glance seems like it is very limited or even time-bombed in some way. Good to know.

    I do know Apple also has a way for companies to set up internal app stores with their MDM framework for use within a company. I’m sure Apple would frown upon that model being used outside of its intended purpose. 

    I don’t think anyone’s trying to be a volunteer police officer for Apple. The fact that Apple knows about this and hasn’t done anything is kind of an implicit sanctioning of this little back door (or side door) method. It just seems out of character for Apple to allow this, since it is not without risk and should anything go wrong they will certainly be blamed. 
    edited May 2022
  • Reply 11 of 20
    crowley Posts: 10,453 member
    Sounds like Apple allow third party app stores already then, so there's no problem.
  • Reply 12 of 20
    JustSomeGuy1 Posts: 306 member
    rob53 said:
    So AI is using an app that violates Apple’s rules and actually telling people about it. I can’t wait for Apple to find out about it. The developer should lose the license/developer certificate while Apple can immediately cancel all apps using that certificate. I also wonder if Apple could go after the users, including AI. Be careful about removing my comment because all I’m doing is commenting on illegal activity, both the developer’s and user’s violations. I’m talking about the misuse of the obvious Xcode development program. This is not for limited testing, the developer is getting paid which is against Apple rules. 
    Lol, "illegal activity"! You are extremely confused about the difference between criminal and civil law. I'd suggest googling that, there's a ton of material available.

    In short, no possible Apple ToS, T&C, click-through agreement, etc., could possibly make any action by this or any other person or company illegal. And no, there is no world where Apple could go after end users. There's also no world where Apple is stupid enough to try, even if they could.

    Now... Can Apple cancel his developer cert? Sure. I'm a little surprised they haven't.
  • Reply 13 of 20
    leavingthebigg Posts: 1,291 member
    Though “AppleInsider staffers have used the AltStore periodically since release. We can confirm that it works, and does what it is advertised to do. However, the installation of both the AltServer and apps through it can be finicky.”, was written, doing a search for past AltStore articles published on this Website turned up one article… This article. 

    I am guessing anti-Apple articles will be published if Apple revokes the developer’s certificate due to the developer breaking the rules. 

    I agree 100% with Rob53 above. 


  • Reply 14 of 20
    Mike Wuerthele Posts: 6,567 administrator
    Though “AppleInsider staffers have used the AltStore periodically since release. We can confirm that it works, and does what it is advertised to do. However, the installation of both the AltServer and apps through it can be finicky.”, was written, doing a search for past AltStore articles published on this Website turned up one article… This article. 
    I'm not sure what your point is?

    I use all kinds of software and hardware that we haven't written about.
  • Reply 15 of 20
    Mike Wuerthele Posts: 6,567 administrator
    rob53 said:
    So AI is using an app that violates Apple’s rules and actually telling people about it. I can’t wait for Apple to find out about it. The developer should lose the license/developer certificate while Apple can immediately cancel all apps using that certificate. I also wonder if Apple could go after the users, including AI. Be careful about removing my comment because all I’m doing is commenting on illegal activity, both the developer’s and user’s violations. I’m talking about the misuse of the obvious Xcode development program. This is not for limited testing, the developer is getting paid which is against Apple rules. 
    If we wanted to delete the comment, there's literally no reason for us to "be careful."

    That said, there's no reason to do it just because of the misunderstanding between criminal matters and possible terms of service violations.
  • Reply 16 of 20
    Fred257 Posts: 212 member
    I used to jailbreak all of my phones until it didn’t matter anymore...
  • Reply 17 of 20
    dope_ahmine Posts: 150 member
    rob53 said:
    So AI is using an app that violates Apple’s rules and actually telling people about it. I can’t wait for Apple to find out about it. The developer should lose the license/developer certificate while Apple can immediately cancel all apps using that certificate. I also wonder if Apple could go after the users, including AI. Be careful about removing my comment because all I’m doing is commenting on illegal activity, both the developer’s and user’s violations. I’m talking about the misuse of the obvious Xcode development program. This is not for limited testing, the developer is getting paid which is against Apple rules. 
    If we wanted to delete the comment, there's literally no reason for us to "be careful."

    That said, there's no reason to do it just because of the misunderstanding between criminal matters and possible terms of service violations.
    I don’t think your “power language” is suitable for an administrator at AI, Mike. I actually found your tone quite arrogant when you commented on rob53 above — whether you’re right or not. Just sayin’
  • Reply 18 of 20
    Mike Wuerthele Posts: 6,567 administrator
    rob53 said:
    So AI is using an app that violates Apple’s rules and actually telling people about it. I can’t wait for Apple to find out about it. The developer should lose the license/developer certificate while Apple can immediately cancel all apps using that certificate. I also wonder if Apple could go after the users, including AI. Be careful about removing my comment because all I’m doing is commenting on illegal activity, both the developer’s and user’s violations. I’m talking about the misuse of the obvious Xcode development program. This is not for limited testing, the developer is getting paid which is against Apple rules. 
    If we wanted to delete the comment, there's literally no reason for us to "be careful."

    That said, there's no reason to do it just because of the misunderstanding between criminal matters and possible terms of service violations.
    I don’t think your “power language” is suitable for an administrator at AI, Mike. I actually found your tone quite arrogant when you commented on rob53 above — whether you’re right or not. Just sayin’
    "The customer is always right" isn't the full statement. It's "The customer is always right in matters of taste."

    That's the great thing about the forums. We all get an opinion and as long as forum rules aren't broken, we all get to express it how we see fit. Even staff.
    edited May 2022
  • Reply 19 of 20
    elenagen Posts: 1 member
    I do disagree with him that the proposed changes to the law are too broad.  People can still decide for themselves whether to buy their applications through an official store, whether Apple's or another's once Apple's monopoly is broken.  The latter hasn't happened yet because this AltStore is not a true alternative due to the limitations.

    It is tough luck if Apple takes some flack when something goes wrong due to a sideloaded application.  They're a big wealthy company, so I'm sure they can handle the strain.

    I suspect Apple will be very wary of retaliating against this developer, because they're already in the crosshairs for their anti-competitive behaviour.

    rob53 said:
    all I’m doing is commenting on illegal activity, both the developer’s and user’s violations.
    So which law do you think they're breaking?
  • Reply 20 of 20
    rhonin Posts: 60 member
    It continues to appall me how some here will post a response without looking into what the issue really is or what is actually happening.

    Great to have this option and even though it has some serious limitations and is quirky to install, it is a needed (IMO) option.
    Looking forward to the day we can install apps from places other than the App Store.
    It is the only OS I use that I cannot perform this action.