Apple software chief Craig Federighi: Sideloading is a cyber criminal's best friend

Humza

Posts: 944   +167
Staff member
Bottom line: On day two of Web Summit 2021, Apple's head of software engineering, Craig Federighi, took to the stage for a 10-minute speech centered on iOS security and the risks of sideloading on Apple's mobile platform. While touting the low level of malware on iOS, Federighi said rival platforms suffer a much higher number of malware attacks and called out sideloading as the single biggest reason for the gap.

Apple's refusal to allow iOS apps from any source other than the official App Store has been a topic of debate for many years. While hardcore fans on either side of the fence have been having at it for some time, earlier this year Tim Cook claimed that sideloading was the primary reason Android had 47 times more malware than iOS.

Unsurprisingly, Craig Federighi shared the same view at Web Summit 2021, where he called sideloading a "cybercriminal's best friend." He also cited government agencies, including Europol, which advise users to install apps only from official app stores. It's a notable message for Apple to push at a time when the company stands accused of violating EU competition rules and could be forced to allow sideloading on the iPhone under the EU's proposed Digital Markets Act (DMA).

Federighi argued that sideloading on iOS would compromise the iPhone's security in the name of giving users more choice, while taking away the choice they have today of a more secure platform. He also offered an analogy: a home equipped with a security system keeps burglars at bay, while some neighbors suffer repeated break-ins because of inadequate protection. Passing the DMA, Federighi said, would be akin to mandating that every home build "an always unlocked side door" to optimize package delivery.

Addressing the argument that people should be allowed to decide for themselves whether they want sideloading, Federighi said that whatever their intentions, users can still be tricked into running malicious apps. He went on to share examples from Android (of course), including ransomware disguised as a COVID-19 contact-tracing app, and apps downloaded from the official Play Store that then prompted users to install a fake version of the store itself.

Whether the EU's DMA comes to pass remains to be seen, but opponents of Apple's stance, who include a number of developers and consumers, view the company's policies as highly monopolistic.

Sideloading on iOS would let apps bypass Apple's App Store review, and it would also threaten the commission of up to 30 percent that Apple collects on App Store transactions, which amounts to billions of dollars a year. There has already been movement on this front in the Epic v. Apple trial, where Apple was ordered to allow developers to link to external payment systems, a ruling it recently appealed.


umbala

Posts: 519   +884
So basically Apple is saying that if you download or install software from anywhere other than directly from the Apple app store (where they charge developers a 30% fee) then you're a criminal. Reminds me of that guy (can't remember which CEO) who said that anyone who uses a PVR to skip past commercials of recorded TV programs is stealing.
 

trparky

Posts: 997   +1,107
I'd have to agree that he's right when it comes to a majority of people out there. Remember, most people (not us here at Techspot) are rather stupid when it comes to cybersecurity and keeping their devices safe and secure. Not a day goes by where we hear of new malware coming out for Windows and if you have to ask why malware is so rampant, it's because people are stupid and they need their hand held at every step of the way.

Apple wants to make sure that their devices stay safe and secure for the majority of their users.
 

m4a4

Posts: 2,672   +3,331
TechSpot Elite
I'd have to agree that he's right when it comes to a majority of people out there. Remember, most people (not us here at Techspot) are rather stupid when it comes to cybersecurity and keeping their devices safe and secure. Not a day goes by where we hear of new malware coming out for Windows and if you have to ask why malware is so rampant, it's because people are stupid and they need their hand held at every step of the way.

Apple wants to make sure that their devices stay safe and secure for the majority of their users.
And those people can stay in their Apple-branded bubble either way. But their ignorance shouldn't be used as an excuse to defend a trillion dollar company's profits.

If MS did this with Windows, we all know that people would switch their tune and be yelling about it...
 

Dimitriid

Posts: 1,578   +3,106
I'd have to agree that he's right when it comes to a majority of people out there. Remember, most people (not us here at Techspot) are rather stupid when it comes to cybersecurity and keeping their devices safe and secure. Not a day goes by where we hear of new malware coming out for Windows and if you have to ask why malware is so rampant, it's because people are stupid and they need their hand held at every step of the way.

Apple wants to make sure that their devices stay safe and secure for the majority of their users.
Most of those people you're so concerned about are so clueless about their devices they can't even enable sideloading on Android to begin with.

I see you're falling prey to the same intentionally faulty false dichotomy Apple pushes around: they claim the only 2 options available are that they control everything and nothing gets installed, or everything gets installed and all security is forever out of the window, with no middle point.

Reality is that the fact that Android has less security has a lot more to do with device manufacturers being careless and incompetent at implementing and serving out patches and updates. By default, a person using a Google Pixel doesn't have the option to sideload anything, and the phone does come with Google apps equivalent to most of what iOS has.

By giving users the OPTION of having finer, more in-depth control, you can potentially risk and compromise security, but this is an option most people who might even attempt sideloading are well aware of, as any tutorial and the process itself will come with warnings of "unverified apps" and "this might harm your equipment or compromise it", etc.

Truth, as with most things, is actually in the middle of the 2 extremes Apple wants to push so they can keep being the leeches that they are, siphoning away 30% of all the revenue other people earn through their coding.
 

waclark

Posts: 204   +110
So basically Apple is saying that if you download or install software from anywhere other than directly from the Apple app store (where they charge developers a 30% fee) then you're a criminal. Reminds me of that guy (can't remember which CEO) who said that anyone who uses a PVR to skip past commercials of recorded TV programs is stealing.

That's not what he's saying. What he's saying is that sideloading is a perfect opportunity for a criminal to put malware on your phone. It's analogous to putting a big sign on your house that says, "the front door is open, I have expensive jewelry inside and I'm gone on vacation for a month".

Cyber criminals are very sophisticated these days. They have many ways to attack your security and personal information. Apple's problem is that they aren't as vigilant on apps getting into the App Store and ensuring that there's nothing harmful contained within.
 

Neatfeatguy

Posts: 650   +1,151
That's not what he's saying. What he's saying is that sideloading is a perfect opportunity for a criminal to put malware on your phone. It's analogous to putting a big sign on your house that says, "the front door is open, I have expensive jewelry inside and I'm gone on vacation for a month".

Cyber criminals are very sophisticated these days. They have many ways to attack your security and personal information. Apple's problem is that they aren't as vigilant on apps getting into the App Store and ensuring that there's nothing harmful contained within.

People do that all the time with social media platforms, flaunt what they have and tell people when they're not home. What makes you think they'd care about their information if they're already handing it out freely?
 

BuckarooBonzai

Posts: 43   +24
Even if Apple is forced to allow sideloading, they will find ways to get around this by changing the Terms of Service or Agreement to disclaim any damage or malfunction caused by sideloading, to discourage it. Apple is probably looking for solutions to get around this while still being compliant.
 

trparky

Posts: 997   +1,107
or everything gets installed and all security is forever out of the window with no middle point.
But we see that this is how it plays out on Windows. Anyone can download an EXE file, run it, and boom... your system's infected. Fighting malware on Windows is a cat and mouse game at this point and I really don't see an end to it until the whole platform is locked down like iOS is today.
 

Ultraman1966

Posts: 163   +64
But we see that this is how it plays out on Windows. Anyone can download an EXE file, run it, and boom... your system's infected. Fighting malware on Windows is a cat and mouse game at this point and I really don't see an end to it until the whole platform is locked down like iOS is today.
They tried that with the mobile Windows version which only allowed apps from the Windows store and people shat all over it. No matter what they do, someone will moan that it is too open/insecure or too closed/walled off, people are too polarised these days to see a middle ground.
 

trparky

Posts: 997   +1,107
Security has always been a bit of a tradeoff: if you want it, you have to give something up. Unfortunately, I think that most of today's open systems that people like us here at Techspot like are simply too dangerous to be in the hands of the average person.

Apple, as much as people in these parts hate them, have a place in the world. It gives people who are generally computer stupid a platform they can use and feel safe and secure on. Why should we force Apple to open the platform up, which will be a detriment to those people?
 

Dimitriid

Posts: 1,578   +3,106
But we see that this is how it plays out on Windows. Anyone can download an EXE file, run it, and boom... your system's infected. Fighting malware on Windows is a cat and mouse game at this point and I really don't see an end to it until the whole platform is locked down like iOS is today.
They tried that with the mobile Windows version which only allowed apps from the Windows store and people shat all over it. No matter what they do, someone will moan that it is too open/insecure or too closed/walled off, people are too polarised these days to see a middle ground.
1) I was very clearly talking about Android and not Windows, so why do you two bring up Windows?

Of course Windows is a terrible OS and easy to take over which brings me to

2) It is certainly not how it works on a much better and more secure OS, Linux: you can't just "install" whatever program you find out there. You could if you really wanted to and learned quite a bit about how the OS works, enough to install source code and its dependencies, but the repository system ensures you get a clean version, and by default you just search for the app you want and get it that way. And if you need something that's not on a repository that's actually verified by a group of people to be trustworthy, then you could actually ruin your installation of the OS.
 

trparky

Posts: 997   +1,107
You could but the repository system ensures you get a clean version and by default you just search for the app you want and get it that way
So, what's the difference between that and an app store? The way I see it, there's no difference. The only difference is that a repo (or repository) is free and an app store is where you may have to pay for an app or two if you want it.
 

Dimitriid

Posts: 1,578   +3,106
So, what's the difference between that and an app store? The way I see it, there's no difference. The only difference is that a repo (or repository) is that it's free and an app store is where you may have to pay for an app or two if you want it.
There is: advanced Linux users that *want to* tinker with software absolutely can install custom third-party repositories or even compile (or use pre-compiled) software and dependencies manually if they want to, or force updates to newer versions before they're properly tested, lots and lots of things.

It's a more advanced version of what I was talking about with the Google Play store: for most people the repository is the first and only stop to install something, and if it's not there you shouldn't mess with it. But you're not limited exclusively to what the distribution developers think you should and shouldn't install in any way, you just gotta know what you're doing and understand the risks.

There are even Flatpak packages that kind of create an isolated version of the software and dependencies you want to run, which behave pretty much like an app you would sideload on Android, but again, that is not the recommended and easiest way to get things working, for good reasons.
 

trparky

Posts: 997   +1,107
They really do have similarities; they both serve up programs to users. But I'm going to leave it at that since I really could go off on a tangent about how Google doesn't do enough to keep their house clean.
 

hwertz

Posts: 109   +60
Welp, that's why I don't use Apple products. On MY phone, I have a choice -- I can keep that "unknown sources" checkbox unchecked, and be all warm and cuddly knowing all my apps are coming from Google Play store; or uncheck it and install whatever I want (I do own the phone after all, not Google.)
 
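The "unknown sources" setting hwertz refers to only controls whether a sideload is permitted; it does not tell you afterwards which apps actually arrived that way. Android does record an installer of record per package, which `adb shell pm list packages -i` prints as `package:<name>  installer=<id|null>` (on Android 8 and later the setting itself is a per-app permission, REQUEST_INSTALL_PACKAGES, rather than one checkbox). The script below is an added example, not code from the article or from any commenter: it parses a constructed sample of that output and flags every package whose installer is not an approved store. `com.android.vending` is the real Play Store package name; the sample package names and the choice to treat a missing installer as suspicious are assumptions for the example. Run it against `pm list packages -3 -i` in practice, so preloaded system apps (which also report `installer=null`) are excluded.

```python
"""Flag Android packages that did not come from an approved app store.

Added example; not from the article or any commenter. Parses the output of
`adb shell pm list packages -i` and reports packages whose installer of record
is not on an allowlist. Sample input below is constructed, not captured.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Approved store package names. The Play Store id is real; anything you add
# here (e.g. an OEM store) is a deployment-specific decision.
APPROVED_INSTALLERS = frozenset({
    "com.android.vending",  # Google Play Store
})

# Output line shape of `pm list packages -i`:
#   package:<package-name>  installer=<installer-package | null>
_LINE_RE = re.compile(r"^package:(?P<pkg>\S+)\s+installer=(?P<inst>\S+)\s*$")

# Constructed sample (assumed package names), standing in for adb output.
SAMPLE_PM_OUTPUT = """\
package:com.example.bank  installer=com.android.vending
package:com.example.covidtracer  installer=com.google.android.packageinstaller
package:com.example.debugbuild  installer=null
"""


@dataclass(frozen=True)
class Finding:
    package: str
    installer: Optional[str]  # None when Android recorded no installer
    reason: str


def parse_pm_list(output: str) -> Dict[str, Optional[str]]:
    """Map package name -> installer package (None for the literal 'null')."""
    result: Dict[str, Optional[str]] = {}
    for raw in output.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = _LINE_RE.match(line)
        if not m:
            # Fail loudly: a format change would otherwise hide sideloaded apps.
            raise ValueError(f"unrecognised pm output line: {line!r}")
        inst = m.group("inst")
        result[m.group("pkg")] = None if inst == "null" else inst
    return result


def find_sideloaded(output: str, approved=APPROVED_INSTALLERS) -> List[Finding]:
    """Return one Finding per package not installed by an approved store."""
    findings: List[Finding] = []
    for pkg, inst in sorted(parse_pm_list(output).items()):
        if inst is None:
            # Typical of `adb install` or a build pushed by a developer;
            # also true of system apps, hence `pm list packages -3` in practice.
            findings.append(Finding(pkg, None, "no installer recorded"))
        elif inst not in approved:
            # A browser-downloaded APK installed through the package installer
            # shows up here: the classic sideload path.
            findings.append(Finding(pkg, inst, f"installed by unapproved source {inst}"))
    return findings


if __name__ == "__main__":
    for f in find_sideloaded(SAMPLE_PM_OUTPUT):
        print(f"{f.package}: {f.reason}")
```

The allowlist is the policy knob: a fleet that legitimately uses an OEM store or an MDM agent as installer adds those ids, and anything else is reviewed. Failing on an unparsed line rather than skipping it is deliberate, since a silent skip is exactly how a sideloaded package would escape the report.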

bviktor

Posts: 616   +992
He's stating the obvious. We've already had this experiment with an OS that has no restrictions, it is called Windows. If you think it's not suffering from malware, and it's not related to the fact that you can install anything from anywhere, I don't know what else to say to you.
 

ZedRM

Posts: 721   +472
Whether the EU's DMA bill comes to pass remains to be seen, but opposers of Apple's stance, which include a number of developers and consumers, view the company's policies as highly monopolistic.
Moronic would also be an excellent description, but then again, we're discussing Apple..
 

captaincranky

Posts: 18,068   +6,862
Reminds me of that guy (can't remember which CEO) who said that anyone who uses a PVR to skip past commercials of recorded TV programs is stealing.
Well first, I can't afford a Beemer, so what possible good is sitting through their commercials going to do me? It's just 10 to 30 seconds of my life I'll never get back. The same applies, (for me), to ads for women's panty liners, Audis, and countless other products.

Now that I've gotten that out of my system, let's move on.

When the VCR was first introduced, it received massive push back on grounds of copyright infringement and advertising bypass. It was introduced by >> SONY << (anybody remember "Beta" format video tapes?). Sony lobbied intensively and finally got it to market here in the US.

Years later, Sony introduced malware into their CDs to prevent copying, along with ruining the computer of any person who tried to copy them. So, good business acumen, or hypocrisy, you make the call..

And BTW, CEOs are all sociopaths and pathological liars, and sheep are, by nature, herd animals..
 

wiyosaya

Posts: 7,018   +5,543
That's not what he's saying. What he's saying is that sideloading is a perfect opportunity for a criminal to put malware on your phone. It's analogous to putting a big sign on your house that says, "the front door is open, I have expensive jewelry inside and I'm gone on vacation for a month".

Cyber criminals are very sophisticated these days. They have many ways to attack your security and personal information. Apple's problem is that they aren't as vigilant on apps getting into the App Store and ensuring that there's nothing harmful contained within.
Ah, so we should all listen to his fear-based propaganda - no matter what level of skill you have. Some people are, admittedly, clueless, however, there's that saying "You can't fix stupid."

Though there is risk, if crApple were to allow side-loading, perhaps doing it in a way like Android does, where it's not obvious and requires you to figure it out for yourself, would deter the clueless from doing so.

IMO, this is more marketing than anything else. He's saying "crApple is protecting you" and that is completely in line with the image crApple wants to project. IMO, this is not about crApple protecting its customers, it is about crApple protecting its profit - as if that were, in any way, with so many crApple sheep, in danger.
He doesn't need to defend it. The free market is defending the product for him. Apple's profitability and progress is proof.
Actually, I think it's more about marketing and making people think that owning some brand or product gives them something that they cannot live without or that keeps them safe.