I think that’s exactly the problem. The real user benefit will be very small, but in order to enable those changes, functionality will be implemented on everyone’s phones to support sideloading. In my eyes, this increseas the attack surface against iPhones. Time and time again alt stores have been used to distribute fake apps and malware on Android, and the victims are often those users who haven’t asked for sideloading and are unlikely to use it intentionally.
Yes, maybe this will enable an F-droid equivalent on iPhone and it will be great to have direct access to open-source apps. But is this niche addition worth potentially reducing the security of all iPhones? I’m not convinced.
Time and time again alt stores have been used to distribute fake apps and malware on Android, and the victims are often those users who haven’t asked for sideloading and are unlikely to use it intentionally.
Can you offer any evidence to back up either of these claims?
This is just my gut feeling. It is based on not knowing anyone IRL that has willingly installed an Android app from outside the Play Store, but actually knowing people that avoid it because of the potential security implications.
You have to remember that the vast majority of smartphone users are not power users, and not the people who hang out on these forums. While something may look attractive in small circles like these, there are many other factors to consider when targetting the entire userbase.
Your third link actually discredits your point. The Play store is the “main”/1st party app store for Android devices and the article says how it’s the biggest distributer of malware over 3rd party app stores
But here’s the thing - side loading, even on android, is an opt-in feature. The user has to actively go out of their way to sideload an app. Even if an app tries to do it behind your back, you must first enable its ability to do so.
Yes, this doesn’t exist when ADB is involved, but in that case you have to go out of your way to enable USB debugging (and be stupid enough to plug your phone into someone else’s computer). The vast majority of iPhones will never have sideloading enabled by their users. The EU isn’t grabbing their balls and saying that all users must have it enabled by default, otherwise they’d be going after Android too.
Sure, I get that. The issue is that as soon as you introduce the ability to install apps from outside the App Store, it becomes possible to trick unsuspecting users into clicking buttons they don’t understand. By designing a web page to look like an actual Apple page, a malicious party could convince users to “opt in” to outside sources, in a similar way in which phishing websites harvest users’ online banking credentials. Currently, this kind of attack is entirely impossible on iPhone.
Doesn’t this argument essentially boil down to “people are stupid and we should take away their freedoms to protect them from themselves”? I’m not going to say that most people would make use of being able to install 3rd party apps, or even that it won’t give malware more chances to get people. But people can get themselves hurt or compromise their electronic security in any number of ways taking away people’s choices until they can’t make bad decisions anymore just doesn’t seem worth it to me
Sure, but at that point we’re getting into the weeds of fake webpages, which really isn’t anything apple could control anyway. Nothing’s to say that if sideloading didn’t exist, that page wouldn’t just direct them to a form to fill out your banking information. All it does is change the method. Apple could simply maintain a hash database of files that are known as dangerous and package it into a built-in AV for iOS (like most OSes do)
Nothing’s also to say that the page wouldn’t just abuse one of the hundreds of vulnerabilities that currently exist in WebKit currently.
For your average user, they’re probably only visiting legit sites on that browser anyway. My grandparents both have Android phones and to my knowledge have never been “tricked” into installing an APK. I can probably say the same for the vast majority of people.
I believe the benefits outweigh the costs here. Apple loses their grip on the walled garden which is punishing for developers and makes Apple judge, jury and executionor on not only what apps can run on iOS, but also how much developers have to give up to Apple (they could up their cut to 90% at anytime and currently developers can’t do shit about it).
I think that’s exactly the problem. The real user benefit will be very small, but in order to enable those changes, functionality will be implemented on everyone’s phones to support sideloading. In my eyes, this increseas the attack surface against iPhones. Time and time again alt stores have been used to distribute fake apps and malware on Android, and the victims are often those users who haven’t asked for sideloading and are unlikely to use it intentionally.
Yes, maybe this will enable an F-droid equivalent on iPhone and it will be great to have direct access to open-source apps. But is this niche addition worth potentially reducing the security of all iPhones? I’m not convinced.
Can you offer any evidence to back up either of these claims?
On malware being distributed through alternate stores, yes. For example:
This is just my gut feeling. It is based on not knowing anyone IRL that has willingly installed an Android app from outside the Play Store, but actually knowing people that avoid it because of the potential security implications.
You have to remember that the vast majority of smartphone users are not power users, and not the people who hang out on these forums. While something may look attractive in small circles like these, there are many other factors to consider when targetting the entire userbase.
Your third link actually discredits your point. The Play store is the “main”/1st party app store for Android devices and the article says how it’s the biggest distributer of malware over 3rd party app stores
But here’s the thing - side loading, even on android, is an opt-in feature. The user has to actively go out of their way to sideload an app. Even if an app tries to do it behind your back, you must first enable its ability to do so.
Yes, this doesn’t exist when ADB is involved, but in that case you have to go out of your way to enable USB debugging (and be stupid enough to plug your phone into someone else’s computer). The vast majority of iPhones will never have sideloading enabled by their users. The EU isn’t grabbing their balls and saying that all users must have it enabled by default, otherwise they’d be going after Android too.
Sure, I get that. The issue is that as soon as you introduce the ability to install apps from outside the App Store, it becomes possible to trick unsuspecting users into clicking buttons they don’t understand. By designing a web page to look like an actual Apple page, a malicious party could convince users to “opt in” to outside sources, in a similar way in which phishing websites harvest users’ online banking credentials. Currently, this kind of attack is entirely impossible on iPhone.
Doesn’t this argument essentially boil down to “people are stupid and we should take away their freedoms to protect them from themselves”? I’m not going to say that most people would make use of being able to install 3rd party apps, or even that it won’t give malware more chances to get people. But people can get themselves hurt or compromise their electronic security in any number of ways taking away people’s choices until they can’t make bad decisions anymore just doesn’t seem worth it to me
Sure, but at that point we’re getting into the weeds of fake webpages, which really isn’t anything apple could control anyway. Nothing’s to say that if sideloading didn’t exist, that page wouldn’t just direct them to a form to fill out your banking information. All it does is change the method. Apple could simply maintain a hash database of files that are known as dangerous and package it into a built-in AV for iOS (like most OSes do)
Nothing’s also to say that the page wouldn’t just abuse one of the hundreds of vulnerabilities that currently exist in WebKit currently.
For your average user, they’re probably only visiting legit sites on that browser anyway. My grandparents both have Android phones and to my knowledge have never been “tricked” into installing an APK. I can probably say the same for the vast majority of people.
I believe the benefits outweigh the costs here. Apple loses their grip on the walled garden which is punishing for developers and makes Apple judge, jury and executionor on not only what apps can run on iOS, but also how much developers have to give up to Apple (they could up their cut to 90% at anytime and currently developers can’t do shit about it).