SecureMac, Inc.

Checklist 275: Tim Cook’s Case Against Sideloading

April 16, 2022

We’ll talk about sideloading on iOS and how it might impact user privacy. Plus: Why AirTag stalking may be a more serious problem than everyone thought.

Sideloading apps on iOS

Apple CEO Tim Cook is making the case against sideloading on iOS.

In an iPhone context, sideloading refers to installing apps that come from outside of the App Store. Last week, Cook spoke at the International Association of Privacy Professionals (IAPP) 2022 Global Privacy Summit — and minced no words about the impact of sideloading on user privacy:

[W]hen companies decide they want to leave the App Store because they want to exploit user data, it could put significant pressure on people to engage with alternate app stores, where their privacy and security may not be protected.

So why is Cook bringing this up now? Because two pieces of proposed legislation could force Apple to allow sideloaded apps on iPhones.

Legal changes on the horizon

Two bills are currently under consideration in the U.S. Congress: the American Innovation and Choice Online Act and the Open App Markets Act.

The second of these proposed laws, in particular, could mean big changes for iOS users. As 9to5Mac reported, the law contains the following provisions:

  • Alternative app stores would be allowed on iPhones 
  • Consumers would choose which app store’s app to download
  • Consumers would be able to choose default apps
  • Apple wouldn’t be allowed to give its own app store an advantage

Apple, unsurprisingly, opposes the legislation.

The company says that sideloading would make it much harder to protect iOS users from security and privacy threats. In addition, sideloading would actually help companies that collect and sell user data irresponsibly (yes, everyone’s looking at you, Facebook). It would also open the door to the kinds of malware threats seen on macOS.

Is Apple overreacting?

There is some merit to Tim Cook’s argument. Apple really has done a good job of making iOS a safe platform for users. And newer features, especially App Tracking Transparency, have helped with user privacy. If alternative app stores arose, they might not have the same stringent security and privacy standards that Apple does.

We’ve seen how tech companies collect and monetize user data for ad revenue. We’ve also seen how upset companies like Facebook became when Apple rolled out App Tracking Transparency. It’s hard to believe that a Facebook app in an alternative app store would respect user privacy — especially if it wasn’t required to do so by the platform. And remember, Facebook is just one company: There are plenty of other businesses out there that are making money from user data. If alternative app stores with lax privacy policies suddenly appeared, they’d definitely want in on the action.

In addition, we were just talking about the issue of malicious iOS apps on Checklist 272: All of the Apps You Need Are in the App Store. That episode was about bad guys abusing a legitimate Apple developer feature to install their malicious apps on people’s iPhones. If sideloading were widely available, you’d likely see much more of this behavior — and on platforms and websites that Apple couldn’t monitor or control.

The counterpoint to all of this, of course, is that Apple has other motivations for opposing sideloading: namely, the 15-30% commission that the company gets from every App Store sale. Sideloading proponents argue that users have the right to install whatever they want on their devices, as long as they’re willing to accept responsibility for the consequences. 

To hear more of Tim Cook’s remarks to the IAPP, check out his full speech on YouTube.

Just when we thought we were out…

We’ve talked about AirTags a bunch of times on The Checklist.

It’s been a big — maybe the big — Apple privacy story for the past year. In brief: AirTags are personal tracking devices for your stuff. But some creepers have been using them as personal stalking devices for people.

We talked about it so much that we decided to take a break for a bit! And to be honest, there’s an unfortunate tendency towards sensationalism in cybersecurity journalism. We always took AirTag security seriously, but we didn’t want to turn it into the “code red” scenario that some local news outlets were suggesting. 

We’re bringing it up again this week because of a recent report by Motherboard. The report suggests that the issue may have been more serious than everyone realized (though perhaps still not as dire as your local cable news outlet wanted you to believe).

Motherboard investigative journalists requested police reports that mentioned AirTag from numerous police departments across the country. They uncovered at least 50 cases of women who reported stalking after hearing an AirTag chime or receiving warning notifications. And that’s just from the jurisdictions that Motherboard investigated — which suggests that AirTag stalking may go well beyond a few isolated incidents.

An AirTag safety refresher

The AirTag story is worrying, but there are some things that we can do to protect ourselves. Here are a few suggestions:

  • Listen for beeping and watch for “Item Detected Near You” notifications on your iPhone.
  • If you use an Android device, get the Tracker Detect app from the Google Play Store — it will let you access the same Apple security notifications that iPhone users get if an unknown AirTag is around.
  • Don’t panic. Sometimes people legitimately lose their AirTags (or the things that they’re tracking with them). An unknown AirTag isn’t necessarily a sign of imminent danger.
  • Stay current: both with Apple’s updated guidance and with your own OS updates. This will ensure that you’re on top of the latest developments in AirTag security — and that you have access to the latest security features on your device.

To ask a security or privacy question, or to suggest a topic for a future episode of The Checklist, write to us.