Apple makes the case against sideloading

Apple's response to the European Union's proposed Digital Markets Act runs to 31 pages, including footnotes.

From "Building a Trusted Ecosystem for Millions of Apps: A threat analysis of sideloading" posted on

If Apple were forced to support sideloading: More harmful apps would reach users because it would be easier for cybercriminals to target them – even if sideloading were limited to third-party app stores only.

The large amount of malware and resulting security and privacy threats on third-party app stores shows that they do not have sufficient vetting procedures to check for apps containing known malware, apps violating user privacy, copycat apps, apps with illegal or objectionable content, and unsafe apps targeted at children.

Users would now be responsible for determining whether sideloaded apps are safe, a very difficult task even for experts. In the rare cases in which a fraudulent or malicious app makes it onto the App Store, Apple can remove it once discovered and block any of its future variants, thereby stopping its spread to other users. If sideloading from third-party app stores were supported, malicious apps would simply migrate to third-party stores and continue to infect consumer devices.

My take: The judge hearing the Epic case accepted this argument from Apple. So far the Europeans aren't buying it.

See also: Will the EU’s Digital Markets Act be taking 10% bites out of Apple?


  1. Kirk DeBernardi said:
    “So far the Europeans aren’t buying it.”

    And they probably won’t since their intent always seems to be penalty damage rather than imposing justifiable corrections on companies.

    Side-loading hurts more than it helps and the industry knows this.

    I guess they don’t believe in gardens.

    October 13, 2021
  2. If you read the entire report (or a major %) and still go ahead with a side load mandate, don’t blame Apple if you have to sell the Daimler or Peugeot to pay the ransoms to unlock your phone. It spells out current examples of malware (avoiding any mention of NSO Group) & specific costs, beyond the loss of privacy & safety.

    October 13, 2021
  3. Fred Stein said:
    Deep irony:

    Typically Europeans see the value of regulation for public safety (and the environment for that matter). But when Apple regulates their 1,000,000,000 playgrounds, EU says: “No! Deregulate. Make it open to all comers. And don’t expect me (EU regulators) to take any responsibility.”

    October 13, 2021
  4. Fred Stein said:
    More likely, Apple holds firm on principle.

    OTOH: Apple may be able to comply and also give users an explicit opt-out feature that disables Apple’s walled garden w.r.t. side loading and other means to circumvent Apple’s regulation. It would be similar to parental control, maybe just an extension.

    October 13, 2021
    • Hap Allen said:
      That would amount to, and be phrased as, a release of liability?

      The appearance of such language on the screen would surely put me off.

      October 13, 2021
    • John Butt said:
      In many countries, releasing yourself from liability is not possible because consumer protection forbids it.
      NZ consumer guarantees act, for example, overrides Apple’s warranty period making AppleCare redundant. Apple accepts that, but still tries to sell AppleCare, despite it being over-ridden by the Act.

      October 13, 2021
      • Fred Stein said:
        Thanks John for educating me.

        I suspect that this trend of not allowing big vendors to be released from liability will continue. And yet, the EU wants to force Apple (and others) to “open” their platforms to more threats.

        October 13, 2021
  5. John Konopka said:
    If side-loading was allowed, how would you prevent people being “forced” to side-load? Maybe a school district goes cheap on an app and says you have to have it for submitting schoolwork. Maybe an employer does something similar. Or a scammer says side-load this app to get a $100 debit card. The public argument is that the people pushing for side-loading are all hardworking, honest developers just trying to get out from under Apple’s thumb. Cry me a river.

    I was alerted to a new scam. You get an Amazon box you didn’t ask for. Inside is a “Thank You” gift: a debit card and a thumb drive. You are instructed to view the thumb drive on your computer to unlock the debit card. Of course, the thumb drive just installs all sorts of malware.

    October 13, 2021
    • David Emery said:
      UNH requires me to load an app they provide (or to go to their website and daily print out my vaccination/testing status.) Given UNH’s IT, a big glob of commercial outsourced products cobbled together with Active Directory, I refuse to load their app.

      “Outsourcing relieves the CIO of any responsibility for whatever bad conduct the service provider does.” In UNH’s website, that includes 3rd party cookies, Google search, Microsoft email and Office 365, and a bunch of COTS packages that don’t play well together…

      October 13, 2021
  6. Bart Yee said:
    Make the EU, each member country, and regulators specifically responsible and sueable for any monetary damages any sideloading Apple iPhone or user incurs if this is forced upon Apple. The EU can then be responsible for going after the malicious app, its developer, and the third party platform App Store that it was downloaded from.

    Apple cannot be held responsible for any injury incurred from third party App Store malware, identity theft, or monetary loss. Apple would be ready to sell replacement iPhones to those users whose iPhones get irrevocably compromised. However, no one can say whether Apple or anyone else can help a user wipe or recover their accounts and info once compromised.

    I don’t quite get why people would consider risk taking like this for saving a few pennies with third party App Stores when the gold standard for security and safety is there in plain sight.

    October 13, 2021
