Apple

If Apple allows sideloading in iOS 17, how will iPhone security be affected?

Posted on by

We don’t usually report on rumors and speculation about potential future Apple features or products. But this news is causing a stir in the Apple community—for good reason.

MacRumors is reporting that iOS 17 may “support app sideloading to comply with European regulations.” Apple’s next-generation mobile operating systems will likely arrive this fall. The ability to sideload apps would likely become possible in an update to iOS 17 and iPadOS 17 in March 2024.

What could this mean for the future of iPhone and iPad security and privacy? Let’s explore some possibilities.

In this article:

What is sideloading, and what are the benefits?

For the most part, Apple only allows iOS and iPadOS apps to be distributed through the App Store. This means that Apple acts as a gatekeeper for virtually all apps on its mobile devices. If Apple deems your app unworthy for any reason, the company may reject it from the App Store.

Is your app very similar in functionality to a lot of other apps already in the App Store? Apple might reject it.

Do you develop anti-malware software? Sorry, Apple arbitrarily stopped allowing antivirus apps for iOS in 2015.

Want to release an emulator to let people play classic video game ROMs? Too bad; Apple won’t allow it.

The list of potential reasons for app rejection, and the categories of apps banned from the App Store, are too numerous to mention here. Suffice it to say that developers have long wished for some alternative way to distribute apps on iOS.

On Android, it’s possible to “sideload” apps. If, for whatever reason, Google rejects an app from the Play Store, a developer can simply distribute an Android app directly from its own site instead. Google also allows third-party app stores on Android, so the developer could simply distribute through an alternative app store instead.

Such is not the case on iOS. All iPhones and iPads ship with a single, official App Store, and offer no official way to install alternative app stores. Sideloading is virtually nonexistent on iOS as well, although there are some very limited ways to obtain software from third parties. As a rule, you can only get iOS apps from the Apple App Store—period.

Are there already ways to distribute non-App Store apps?

That said, there are actually some very limited exceptions to the “App Store only” rule.

Since the first iPhone, and before the existence of an App Store, the iPhone has supported “web apps” that can be added to the Home Screen. But naturally, this type of “app” can only do what a standard Web page can do.

Apple also allows companies to create “proprietary in-house apps” that bypass the App Store. However, these apps require the user to install a “provisioning profile” first. Apple prohibits developers from distributing these apps publicly. (In fact, Apple once banned Facebook and Google apps that were deployed to non-employees in violation of Apple’s Enterprise Developer Program policies.)

There’s also Shortcuts, introduced in iOS 12. Third parties can create their own, but because Shortcuts are essentially scripted automations, their utility is limited.

The only other option without jailbreaking is to use an app like Sideloadly or AltStore. Both are complicated to use and have a lot of limitations. Simply put, it’s not the user-friendly experience that most developers are seeking.

And then there’s jailbreaking, which involves exploiting a known vulnerability on your device—and intentionally leaving your device vulnerable—in order to install Apple-prohibited apps or OS tweaks. Only a very small percentage of consumers jailbreak their iPhones. Thus, there is little financial incentive for major software developers to release a commercial app exclusively for jailbroken devices. (Not to mention that developers would implicitly be sending consumers the ill-advised message that security, and by extension privacy, are less important than getting some specific app they want.)

What Apple will likely do to comply with EU laws

Many developers have argued that Apple’s practices are anti-competitive and monopolistic. And now a new EU law seems to support that assertion.

The European Union’s new Digital Markets Act, which has been enshrined into law, will almost certainly be found to apply to Apple. If so, Apple will be required to allow third-party app stores no later than March 2024.

Most likely, Apple would not allow third-party app stores (or other Apple App Store circumvention methods) until nearly the very end of that deadline. So while iOS and iPadOS 17 are expected to arrive in fall 2023, sideloading via third-party app stores likely wouldn’t be possible until a later update in March. This might be, for example, iOS and iPadOS 17.4.

It’s unclear whether Apple might allow apps to be sideloaded directly, for example by installing them directly from developers’ Web sites. It’s possible that developers (such as Epic Games, maker of Fortnite) would each have to release their own “store” app instead, and distribute their apps through it. Epic has said in the past that it would like to offer its own Epic Games Store app for iOS.

Compliance in spite of security risks

One of Apple’s arguments against sideloading for years has been that it would compromise device security, because it would allow for apps that haven’t gone through Apple’s vetting process. (Pay no attention to the fact that Macs have always allowed unvetted third-party apps since 1984.)

Although Apple’s vetting processes aren’t perfect and often let scammy, privacy-violating, or potentially unwanted apps into the App Store, Apple nevertheless makes a fair point. I’d be more inclined to trust Apple’s vetting process, which has been refined over the course of many years, than to trust any third-party vendor to vet apps equally well or better—at least at first, until they’ve made some very public blunders.

Because of Apple’s concerns about security, it wouldn’t be any surprise to see Apple try to maintain at least some control over, or ability to remotely disable or remove, third-party apps distributed outside of the official App Store.

According to Mark Gurman, a journalist with reliable sources inside Apple, the company may require a paid “verification” that developers would need to use if distributing apps outside of Apple’s official App Store. Regardless of whether the payment-required part is true, we can guess that the verification process itself would presumably be similar to notarization on macOS.

The notarization process for macOS is significantly less stringent than the human review process that App Store apps must also pass. Basically, notarization is an automated process that runs some quick checks to try to ensure you aren’t attempting to notarize any known malware (but as we’ve seen time and time again, Apple often fails to even do that).

What Apple likely won’t do

If Apple does find a way to insert itself in the process without EU repercussions, we can expect that Apple would still try to ban the use of private APIs (application programming interfaces; private APIs are not publicly documented, and are reserved for Apple’s use only). Apple would likely also prevent sideloaded apps from accessing the entire file system, among other restrictions.

In fact, it may not even matter whether Apple inserts itself in the process somehow. Apple could potentially just let third party app stores allow whatever apps they want, but put additional restrictions in place at the OS level in iOS 17 to try to block third-party apps from using private APIs and other verboten behavior.

Thus, it’s still unclear whether something like system-wide antivirus software could become possible on iOS. Malware protection might become more important for users who obtain iOS apps from questionable sources, including app stores that don’t have much of a vetting process.

If you live outside of the EU, you might still be out of luck

Keep in mind with all of this that the law only applies to the European Union. Theoretically, Apple could choose to only allow sideloading via third-party app stores if you’re an EU resident, perhaps based on the mailing address associated with your Apple ID account. If you live outside of the EU, you might not get the functionality to install third-party app stores—at least not officially, and at least not at first.

On the other hand, it’s possible that Apple might allow third-party app stores worldwide at the same time, feigning altruism to score points with non-EU customers—while secretly being fully aware that, if Apple didn’t do this, other countries would likely sue Apple or enact their own laws to force Apple to open up elsewhere.

Are there security implications to Apple allowing sideloading?

The most significant potential security concern with sideloading is that third-party apps will be able to make it onto iPhones and iPads without being fully vetted by Apple. That could mean a number of things.

First of all, we’ll almost certainly see an increase in scam apps hitting the platform, perhaps including lookalike apps designed to phish user credentials.

Non-App Store apps may be more privacy invasive. Third-party app stores may not necessarily include “nutrition labels” like Apple requires developers to fill out regarding the app’s privacy. And if developers feel like they can get away with collecting more data than they feel comfortable doing on the official App Store—especially if they can monetize that additional data—they might just do it.

If any apps have been banned for alleged security or privacy reasons, such as TikTok, they could potentially become available to download again.

Apps could self-modify their behavior after being downloaded onto the device—a practice which Apple prohibits due in part to security concerns.

If third-party apps somehow get access to private APIs, or otherwise get greater access to the system than apps obtained from the official iOS App Store, we could potentially even see some serious malware threats start to emerge for non-jailbroken iPhones and iPads.

Could sideloading actually be a good thing for security?

There might also be positive consequences, in that more security-protecting apps could potentially come to iPhones and iPads as well.

Malware scanning apps could become a thing again on iOS for the first time in nearly a decade. As for whether you might be able to get the full-fledged, active scanning type of anti-malware solutions—like those available on macOS, Windows, and Android—remains unknown, but at this point seems unlikely. If anything, though, it should be possible to again offer apps that can scan individual files for malware, like VirusBarrier for iOS used to do.

But it certainly seems like the cons may outweigh the pros, at least from a security and privacy perspective. Only time will tell for sure.

How can I learn more?

We discussed iOS sideloading on episode 288 of the Intego Mac Podcast. Give it a listen or check out the full transcript in our show notes.

Each week on the Intego Mac Podcast, Intego’s Mac security experts discuss the latest Apple news, including security and privacy stories, and offer practical advice on getting the most out of your Apple devices. Be sure to follow the podcast to make sure you don’t miss any episodes.

You can also subscribe to our e-mail newsletter and keep an eye here on The Mac Security Blog for the latest Apple security and privacy news. And don’t forget to follow Intego on your favorite social media channels: Follow Intego on Twitter Follow Intego on Facebook Follow Intego on YouTube Follow Intego on Pinterest Follow Intego on LinkedIn Follow Intego on Instagram Follow the Intego Mac Podcast on Apple Podcasts

About Joshua Long

Joshua Long (@theJoshMeister), Intego's Chief Security Analyst, is a renowned security researcher and writer, and an award-winning public speaker. Josh has a master's degree in IT concentrating in Internet Security and has taken doctorate-level coursework in Information Security. Apple has publicly acknowledged Josh for discovering an Apple ID authentication vulnerability. Josh has conducted cybersecurity research for more than 25 years, which is often featured by major news outlets worldwide. Look for more of Josh's articles at security.thejoshmeister.com and follow him on X/Twitter, LinkedIn, and Mastodon. View all posts by Joshua Long →