Apple: „Sideloading is a cybercriminal’s best friend“

Ambitious · Nov 3, 2021

Craig Federighi vehemently speaks out against iPhone sideloading in Web Summit keynote: 'Sideloading is a cybercriminal's best friend' - 9to5Mac

Last month, it was announced that Apple senior vice president Craig Federighi would attend and speak at Web Summit 2021,...

9to5mac.com

Last month, it was announced that Apple senior vice president Craig Federighi would attend and speak at Web Summit 2021, which takes place in Lisbon, Portugal. In a keynote delivered today, Federighi vehemently spoke out against legislation that could force Apple to open the iPhone up to sideloading…

As you might expect, Federighi repeatedly noted that iOS is far less prone to malware and other attacks than Android. He even put up a slide directly saying that there are "5 million Android attacks per month," according to one security study. Meanwhile, Apple employs human app review and a single point of distribution approach to limit malware.

Federighi repeatedly referred back to a house analogy during the event. He likened buying an iPhone to buying a "great home with a really great security system," but then a new law gets passed that forces you to weaken the security of your home.

"The safe house that you chose now has a fatal flaw in its security system, and burglars are really good at exploiting it," Federighi said.

The Apple executive also warned that the legislation comes as there have "never been more cybercriminals" determined to access the private information on your iPhone. "Sideloading is a cybercriminal's best friend," Federighi said. "And requiring that on iPhone would be a gold rush for the malware industry."

The Mac is a cybercriminal's best friend, I guess.

🤡

Ouroboros · Nov 3, 2021

I love apple products but this is some horse paste shit.

maximumzero · Nov 3, 2021

You joke but I can totally see idiots wasting Apple employees' time after they fuck up their phone.

sprsk · Nov 3, 2021

Sideloading is like riding shotgun with Satan, or so I hear.

spookyduzt · Nov 3, 2021

You wouldn't side load a car!

Jedi2016 · Nov 3, 2021

Five million attacks a month? Out of how many phones? That actually sounds like a decently low number to me.

TheOMan · Nov 3, 2021

spookyduzt said:
You wouldn't side load a car!

Should have been first reply.

Cipherr · Nov 3, 2021

YeahOkay.gif.

stersauce · Nov 3, 2021

STOP RIGHT THERE, CYBER SCUM

Sei · Nov 3, 2021

If all your good security is on a fence/front gate, and your internal security sucks, then your security sucks overall.

excelsiorlef · Nov 3, 2021

tokkun · Nov 3, 2021

Federighi repeatedly referred back to a house analogy during the event. He likened buying an iPhone to buying a "great home with a really great security system," but then a new law gets passed that forces you to weaken the security of your home.

"The safe house that you chose now has a fatal flaw in its security system, and burglars are really good at exploiting it," Federighi said.

That's a weird analogy since the user gets to decide whether they want to sideload an app or not.

It's really more like letting a homeowner decide to invite anyone they want into their house, rather than requiring them to have all of their visitors go through a (paid) police screening first.

Gernau Morat Gurgeh · Nov 3, 2021

I would download an iphone

Fat4all · Nov 3, 2021

MY MUM TOLD ME SHE DID COKE IN THE 80S CUZ EVERYONE ELSE WAS DOING IT, THATS LIKE SIDELOADING NOW, TOO MUCH PEER PRESSURE

entrydenied · Nov 3, 2021

I used an apk store to download the official Nintendo app to my android phone because it is not available in my country's playstore. Guess I'm a criminal now. I didn't even do it to an Apple!

excelsiorlef · Nov 3, 2021

Android users are all being interviewed by CSI Cyber right now

Edward850 · Nov 3, 2021

You can technically side load on an Xbox, and yet the security is yet to be compromised at all. Maybe the problem is just your phone, Federighi.

EssBeeVee · Nov 3, 2021

i would never sideload apps. all i need is my christian app Grindr

Cipherr · Nov 3, 2021

tokkun said:
That's a weird analogy since the user gets to decide whether they want to sideload an app or not.

It's really more like letting a homeowner decide to invite anyone they want into their house, rather than requiring them to have all of their visitors go through a (paid) police screening first.

Yeah I'm sure he knows that, but would side step introducing owner/user choice into that topic any way he can for obvious reasons.

Still though, the sheer boomer energy on that statement makes me laugh. Really reminds me of those old poli campaigns of the late 80s/early 90s

Ambitious · Nov 3, 2021

tokkun said:
That's a weird analogy since the user gets to decide whether they want to sideload an app or not.

It's really more like letting a homeowner decide to invite anyone they want into their house, rather than requiring them to have all of their visitors go through a (paid) police screening first.

Yeah. Using his analogy, buying an iPhone is like buying a home with a security system that decides on its own who gets in and who doesn't, with no way to override it. And if your best friend visits you to have a few beers with you, and the system says "no", you're out of luck. Like what kind of moronic system would that be? 😂

LewieP · Nov 3, 2021

This is obviously true.

I want a phone that can sideload (which is why I buy one that can), but I don't want my parents having a phone that can sideload.

Edit: I'd love it if iOS devices offered a bootcamp like solution for installing other operating systems, including those which would allow sideloading.

Storminormin · Nov 3, 2021

Shit argument IMO. Bothers me that it works on so many people.
Just do it like android. Have sideloading disabled by default, make a toggle in settings. Reduce security at your own risk.

I like their hardware, but I hate Apple's blatant bullshit.

jleo · Nov 3, 2021

Everyone is against Apple here, but the fact is that opening your pretty walled garden does mean more risk. Can't have rogue apps doing shit on your iPhone if you don't even let them in in the first place. Not saying their walled garden approach is the best, but there it is.

killerrin · Nov 3, 2021

Biggest load of crap I've ever read. Android doesn't have malware because its opened. It has Malware because has a global marketshare of fucking 70%+ and Google makes it easy by not actually policing their own storefront. Two things that Apple has going for them because nobody is saying they have to stop policing their store. Just they have to let people shop at another store if they want to.

Federighi repeatedly referred back to a house analogy during the event. He likened buying an iPhone to buying a "great home with a really great security system," but then a new law gets passed that forces you to weaken the security of your home.

"The safe house that you chose now has a fatal flaw in its security system, and burglars are really good at exploiting it," Federighi said.

This analogy is pure shit because said safe house would only have a fatal flaw if the owner of the house (iPhone) decided they wanted to leave the door unlocked (sideload).

mute · Nov 3, 2021

spookyduzt said:
You wouldn't side load a car!

I kinda do every time I use one

CatAssTrophy · Nov 3, 2021

human app review is a cybercriminals side piece.

nsilvias · Nov 3, 2021

ah yes, fear! the best friend of corporations and politicians alike

molnizzle · Nov 3, 2021

mute said:
I kinda do every time I use one

FBI

This one right here

Ambitious · Nov 3, 2021

jleo said:
Everyone is against Apple here, but the fact is that opening your pretty walled garden does mean more risk. Can't have rogue apps doing shit on your iPhone if you don't even let them in in the first place. Not saying their walled garden approach is the best, but there it is.

If the only thing protecting users from malware is App Review, then iOS doesn't have any security to begin with.

Dave. · Nov 3, 2021

Lol, what a disgraceful shameless person this is.

Tigel · Nov 3, 2021

I'm not sure I agree with Craig here but he does raise some good points.

Juste image if you can sideload an alternative store, you can bet that Facebook will be happy to leave the office App Store. You can say bye bye to the app tracking transparency feature for exemple.

It is my choice to use an iOS device. If people want to sideload apps, they can choose another platform.

Ambitious · Nov 3, 2021

Tigel said:
I'm not sure I agree with Craig here but he does raise some good points.

Juste image if you can sideload an alternative store, you can bet that Facebook will be happy to leave the office App Store. You can say bye bye to the app tracking transparency feature for exemple.

It is my choice to use an iOS device. If people want to sideload apps, they can choose another platform.

If you don't want to sideload, you have the choice to not sideload.

linkboy · Nov 3, 2021

Tigel said:
I'm not sure I agree with Craig here but he does raise some good points.

Juste image if you can sideload an alternative store, you can bet that Facebook will be happy to leave the office App Store. You can say bye bye to the app tracking transparency feature for exemple.

It is my choice to use an iOS device. If people want to sideload apps, they can choose another platform.

Not really, because the app tracking feature is an iOS feature, it doesn't matter if Facebook came from the app store or a third party store.

Side loading on Android devices is disabled by default, and only gets enabled if the user says so.

Also, if side loading is a criminals best friend, then everyone shouldn't be surprised when Apple locks down macOS programs to programs from just the App store (we know people will lose their shit if that happens).

Slayven · Nov 3, 2021

what are people that used Cydia?

thisismadness · Nov 3, 2021

I mean he''s not necessarily wrong... side loading is objectively less secure. Google doesn't default side loading off and serve you the big scary warning about how dangerous it is for no reason. Where Apple is wrong is that users should be free to accept those risks 🤷‍♂️

345 · Nov 3, 2021

jleo said:
Everyone is against Apple here, but the fact is that opening your pretty walled garden does mean more risk. Can't have rogue apps doing shit on your iPhone if you don't even let them in in the first place. Not saying their walled garden approach is the best, but there it is.

it's certainly true that iOS is more secure than more open OSes, but that's really a false dichotomy. let's ask, uh, apple: https://www.apple.com/macos/security/

The technically sophisticated runtime protections in macOS work at the very core of your Mac to keep your system safe from malware. This starts with state-of-the-art antivirus software built in to block and remove malware. Technologies like XD (execute disable), ASLR (address space layout randomization), and SIP (system integrity protection) make it difficult for malware to do harm, and they ensure that processes with root permission cannot change critical system files.

sounds useful!

Tigel · Nov 3, 2021

Ambitious said:
If you don't want to sideload, you have the choice to not sideload.

Not really. To stay with the Facebook example, in some countries communications are done principally via FB apps, so you'll either have to download it via the alternative store or not download it and be cutoff from talking to your friends and family.
So, that's not a choice at all.

GreenMonkey · Nov 3, 2021

Jedi2016 said:
Five million attacks a month? Out of how many phones? That actually sounds like a decently low number to me.

Yeah that isn't a big number.

I work security, blue team, for like ten years.

I'm not sure what it is right now but a typical device or firewall that becomes internet facing starts getting hammered on the moment it appears on the network.

Typical graphs show millions of attack attempts per month. It doesn't mean anything. A lot of those are automated vulnerability scans, auto-spreading stuff like Wannacry, hell Conficker is still bouncing around out there and it only works on XP.

Meaningless number.

linkboy · Nov 3, 2021

Tigel said:
Not really. To stay with the Facebook example, in some countries communications are done principally via FB apps, so you'll either have to download it via the alternative store or not download it and be cutoff from talking to your friends and family.
So, that's not a choice at all.

If Facebook wanted to pull their apps and put them on an alternative app store to get around the platform holder, they would have done it on Android years ago, and yet, for some reason, they haven't.

They're not going to remove their apps from the App store if Apple allowed sideloading.

The amount of people who would enable sideloading is so miniscule that it wouldn't be worth it for Facebook, or any other app developer to leave the App Store.

Why would you do that? · Nov 3, 2021

Tigel said:
I'm not sure I agree with Craig here but he does raise some good points.

Juste image if you can sideload an alternative store, you can bet that Facebook will be happy to leave the office App Store. You can say bye bye to the app tracking transparency feature for exemple.

It is my choice to use an iOS device. If people want to sideload apps, they can choose another platform.

People keep saying this, but in practice, this is something that just doesn't happen.

On PC, one of the most open platforms out there, nearly all game developers try to get their games on Steam. The visibility is important, as does catering to the desire many users have to keep all their games in one place.

On Android (where you CAN sideload, and which does have alternate stores), there's an incredibly miniscule amount of apps you would be forced to go to other stores for.

And many of those apps are things that simply wouldn't be allowed on the Play Store by Google... which proves just how much sideloading increases consumer choice. E.g. adult / 18+ app stores can exist on Android.

Tigel · Nov 3, 2021

linkboy said:
If Facebook wanted to pull their apps and put them on an alternative app store to get around the platform holder, they would have done it on Android years ago, and yet, for some reason, they haven't.

They're not going to remove their apps from the App store if Apple allowed sideloading.

The amount of people who would enable sideloading is so miniscule that it wouldn't be worth it for Facebook, or any other app developer to leave the App Store.

Apple are way more restrictive than Google though. Plus, FB has a beef with Apple for some times now because they keep adding restrictions on how apps like Facebook can collect data.
It's only an hypothetical anyway, but that´s a scenario that would't surprise me at all.

lorddarkflare · Nov 3, 2021

They are technically not wrong...

...but also fuck them. I do what I want with my shit.

CreepingFear · Nov 3, 2021

That's me, I have Android, where it's allowed.

Shadow · Nov 3, 2021

Slayven said:
what are people that used Cydia?

A murderer. Yes, I've murdered my iDevices many times since 2010. I'm criminal scum. I also have apps sideloaded atm with altstore. I'm everything Apple hates!

linkboy · Nov 3, 2021

Tigel said:
Apple are way more restrictive than Google though. Plus, FB has a beef with Apple for some times now because they keep adding restrictions on how apps like Facebook can collect data.
It's only an hypothetical anyway, but that´s a scenario that would't surprise me at all.

Facebook isn't going to want to do anything to jeopardize their userbase and pulling their apps from the App Store will do just that. Just like people didn't buy into Fortnite not being on the Play Store (which is why Epic had to come crawling back), people aren't going to sideload Facebook. There's a good chance the exact opposite will happen, people will bitch at Facebook and they'll come crawling back to the App Store.

Even if Facebook were to pull their apps from the App Store, they'd still have to deal with the data restrictions that Apple implemented. Those are baked into the OS at an OS level, not an app level. It doesn't matter where the app was installed from, those restrictions still exist.

Tigel · Nov 3, 2021

linkboy said:
Facebook isn't going to want to do anything to jeopardize their userbase and pulling their apps from the App Store will do just that. Just like people didn't buy into Fortnite not being on the Play Store (which is why Epic had to come crawling back), people aren't going to sideload Facebook. There's a good chance the exact opposite will happen, people will bitch at Facebook and they'll come crawling back to the App Store.

Even if Facebook were to pull their apps from the App Store, they'd still have to deal with the data restrictions that Apple implemented. Those are baked into the OS at an OS level, not an app level. It doesn't matter where the app was installed from, those restrictions still exist.

Agreed about Fortnite, I forgot about that episode.

However, that's not true that all restrictions are baked in at the OS level, some are policies of the App Store itself. For example the nutrition labels and the no fingerprinting rule.

Deleted member 79451 · Nov 3, 2021

Apple has had so many of the worst types of bugs lately that put Spectre to shame. Do you have any idea how many zero click remote execution flaws have come up in Apple OS level software just in the last 2 months? People were able to send a iMessage to someone to completely pwn their iOS device! That makes MS and Intel look like Neo!

Apple's security is absolutely abysmal.

Basically they need to seriously shut the fuck up. They're full of shit.

Alpheus · Nov 3, 2021

Fat4all said:
MY MUM TOLD ME SHE DID COKE IN THE 80S CUZ EVERYONE ELSE WAS DOING IT, THATS LIKE SIDELOADING NOW, TOO MUCH PEER PRESSURE

I read that in Ralph Wiggums voice and LOL

Ambitious · Nov 3, 2021

Tigel said:
Agreed about Fortnite, I forgot about that episode.

However, that's not true that all restrictions are baked in at the OS level, some are policies of the App Store itself. For example the nutrition labels and the no fingerprinting rule.

What kind of restriction do you think the nutrition labels are?

Qvoth · Nov 4, 2021

and that's why i'm android 4 lyfe

Apple: „Sideloading is a cybercriminal’s best friend“

Resettlement Advisor

Drive-In Mutant

Prophet of Truth

Bad Praxis

Woke up, got a money tag, swears a lot

Bad Praxis

Software & Netcode Engineer at Nightdive Studios

▲ Legend ▲

Never read a comic in his life

One Winged Slayer