In the months leading up to Apple’s announcement about iPhone sideloading last week, I told you that I had no plans to download apps from other sources. I don’t want third-party app stores, and I’m happy to pay for the 30% commission that covers Apple’s fees.
That buys me peace of mind. It’s not just the security and privacy of my data and transactions — it’s also the convenience of having all my digital purchases in one place.
I also said that I thought Apple should release iPhone sideloading worldwide rather than only in Europe, where the new Digital Markets Act (DMA) law requires such changes. Then, every iPhone user would be able to decide for themselves how to buy apps and other content. And I’m pretty sure Apple’s bottom line would be fine.
But one iPhone sideloading scenario made me worry about iPhone owners in my family who aren’t as tech-savvy as I am. They could be the targets of infected apps from these less-regulated storefronts. But now that Apple has shown us what iPhone sideloading will look like, I’m no longer worried.
How sideloading could be dangerous
Here’s the most reasonable argument in favor of sideloading: If it’s possible on a Mac, it should be possible on an iPhone.
The people who make those claims are probably the kind of iPhone and Mac users who would not easily fall prey to malware scams. They know how to vet the apps the install and which red flags to watch out for, regardless of the device they’re using.
But the iPhone is now the primary device for many people, including those who don’t have a wealth of experience with smart devices.
Imagine that, after iPhone sideloading is widely available in Europe, hackers start targeting unsuspecting users with spam messages and emails about this or that iPhone app they have to install on their devices.
Imagine that your kid, who is more likely to use your credit card for in-app purchases than pay attention to your ramblings about iPhone security, installs that fishy app. Or your mom thinks she’s getting the latest version of her mobile banking app, but it’s malware.
This might be an exaggeration, but I was still preparing for the worst. I planned to instruct others in my family not to trust strange emails or text messages once the DMA rolled out. They’re already somewhat trained for that, and I keep reminding them to pay attention to how they use their smartphones. I’ll still instruct them to contact me if they think something is fishy.
The reality of sideloading
Now that Apple has rolled out its new deal for developers and the planned changes for the EU, I’m no longer worried about sideloading bringing malware with it. It’s not impossible; it’s just that Apple seems to be doing everything it can to ensure the safety of those users who decide to install apps from other app marketplaces.
As I already explained, iPhone sideloading is not what we thought it would be. A hacker might have all the data they need to mount a spam campaign to convince people to install their apps. But the current requirements for sideloading iPhone apps make it nearly impossible for that hacker to actually offer malware-laced apps for direct download.
Apple has very specific rules in place that make true iPhone sideloading impossible. You won’t be able to install apps from any source. Apple has plenty of prerequisites that developers must meet before offering their apps outside of the App Store.
I already covered all the new rules Apple has developed to comply with the DMA, many of which will impact iPhone sideloading.
I still won’t be leaving the App Store myself anytime soon, even though I’ll be able to experience App Store alternatives once the DMA rolls out in Europe. But I won’t be as concerned about the potential security impact.
That’s not to say that iPhone security is perfect. We’ve covered the sophisticated hacks that nation-state attackers used to spy on iPhone users. Those have nothing to do with iPhone sideloading and affect a limited number of targets.
However, malware isn’t a problem on iPhone, as it is on Android. And we keep seeing reports about malware on Android. Also, even if someone were able to deploy iPhone malware successfully, other protections in iOS might kick in to prevent that app from actually snooping around.
Finally, Hacker George and his friends can always mount phishing campaigns targeting iPhone users that have nothing to do with sideloading. You still have to protect yourself online, regardless of the DMA. It’s just that iPhone sideloading, in its current EU-only form, isn’t as bad as I feared.