Apple software chief Craig Federighi: Sideloading is a cyber criminal’s best friend

At day two of the Web Summit 2021, Apple’s head of software engineering, Craig Federighi, took to the stage for a 10-minute speech centered on iOS security and the risks of sideloading on Apple’s mobile platform. While praising how well iOS has fared against malware, Federighi noted that rival platforms were subject to a much higher number of malware attacks and called out ‘sideloading’ as the single biggest reason behind the problem.

Apple’s refusal to allow iOS apps from any source other than the official App Store has been a topic of debate for many years. While hardcore fans on either side of the fence have been having at it for some time now, we saw Tim Cook earlier this year remark on how sideloading was the primary reason behind Android having 47 times more malware than iOS.

Unsurprisingly, Craig Federighi shared the same view at Web Summit 2021, where he called sideloading a “cybercriminal’s best friend.” He also cited government agencies, including Europol, which advise users to install apps only from official app stores. The timing is notable: Apple shared this at a time when the company had been found in violation of EU competition rules and would also be forced to allow sideloading on the iPhone under the EU’s proposed Digital Markets Act (DMA).

Federighi noted that sideloading on iOS would compromise the iPhone’s security in the name of giving users more choice, while taking away their choice of a more secure platform. He also offered an analogy of a safe home equipped with a security system to keep burglars at bay, while some neighbors suffered repeated break-ins due to inadequate protection. Passing the DMA bill, Federighi said, would be akin to mandating that all homes build “an always unlocked side door” for optimized package delivery.

Addressing the argument that people should be allowed to decide for themselves whether they want sideloading, Federighi said that regardless of their intentions, people can still be tricked into running malicious apps. He went on to share examples from Android (of course), including ransomware disguised as a COVID-19 tracing app, and apps downloaded from the official Play Store that prompted users to install a fake version of the store.

Whether the EU’s DMA bill comes to pass remains to be seen, but opponents of Apple’s stance, who include a number of developers and consumers, view the company’s policies as highly monopolistic.

Sideloading on iOS would ultimately bypass Apple’s security checks, as well as threaten its 30 percent developer fees, which amount to billions of dollars annually. There has been some development on this front in the Apple vs. Epic trial, where Apple was ordered to allow links to external payment systems, a ruling it recently appealed.