Apple Points to Android Malware Infections in Argument Against Sideloading on iOS

Apple Threat Analysis Report Highlights Risks Posed by Sideloading on iOS

Apple on Wednesday published a 30-page threat analysis report in an effort to show why allowing sideloading on iOS would pose serious privacy and security risks to iPhone users.

Sideloading is the process of downloading and installing mobile apps on Apple devices from sources other than the official App Store, such as through direct downloads or third-party app stores.

There has been pressure on Apple to support sideloading, but the tech giant believes that sideloading would “cripple the privacy and security protections that have made iPhone so secure, and expose users to serious security risks.”

Apple is apparently trying to show how bad the situation is in the Android ecosystem, and suggests that iOS could end up just as bad if it starts allowing users to install applications from third-party stores and websites.

The company has collected data from nearly 150 reports and news articles published by major cybersecurity firms and news outlets since 2014 in an effort to show that Android devices are far less secure than iPhones. For instance, the report highlights two threat intelligence reports from Nokia showing that Android phones had between 15 and 47 times more malware infections than iPhones.

Apple’s report also highlights a recent EU report claiming that the EU’s cybersecurity agency, ENISA, detected 230,000 new malware infections every day between January 2019 and April 2020. It’s worth noting that Apple’s report says “230,000 new mobile malware infections,” but the EU and ENISA reports seem to refer to infections across all platforms, not just mobile platforms.

The tech giant also points to a Kaspersky report showing that the cybersecurity firm’s products detected more than 5.6 million malicious installation packages targeting Android devices last year.

The company said that if it were forced to support sideloading, it would be easier for cybercriminals to target its customers, even if sideloading were limited to third-party app stores. It also pointed out that other app stores don’t check applications and don’t require developers to provide accurate privacy-related information, as the App Store does.

“Some sideloading initiatives would also mandate removing protections against third-party access to proprietary hardware elements and non-public operating system functions. This would undermine core components of platform security that protect the operating system and iPhone data and services from malware, intrusion, and even operational flaws that could affect the reliability of the device and stop it from working,” Apple wrote in its report.

The company is concerned that universal support for sideloading would also cause problems for users who don’t want to install applications from third-party sources — they could be forced to install work- or school-related apps, or cybercriminals could more easily deliver their malware by creating fake App Store websites that lure users with tempting offers.

Apple published another, shorter report on the risks posed by sideloading in June.

While iOS may not be as targeted by malware as Android, iOS has still had some malware problems, including ones that impacted a large number of users. For example, the XcodeGhost malware discovered in 2015 impacted thousands of iOS applications and 128 million iOS users.

More recently, threat actors were observed delivering spyware to iPhones as part of a highly targeted espionage campaign that involved iOS zero-day vulnerabilities.

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.