‘Sideloading undermines security and puts people’s data at risk,’ Apple SVP Craig Federighi says in pushing back against EU legislation that would require companies like Apple to allow it.
By Rob Pegoraro
LISBON—Apple’s pro-privacy stance has often had it applauding privacy protections in the European Union, but the company sent a top executive to the Web Summit conference here with a different message for EU policymakers: Don’t alter our App Store.
Craig Federighi, Apple’s senior vice president for software engineering, spoke Wednesday evening to decry a provision in the Digital Markets Act that would require “gatekeeper” platforms to let people install apps of their choice, not just those in an official app store.
An English-language draft of the DMA says such restrictions “should be prohibited as unfair and liable to weaken the contestability of core platform services.” Federighi told Summit attendees that this mandate would unwind all of Apple’s measures to protect iPhone and iPad users.
“With sideloading, those layered protections are undone,” he said. “Sideloading undermines security and puts people’s data at risk.”
Federighi offered his audience the analogy of shopping for a house and picking one with the best security and locks. Imagine, he said, that your municipality now votes to require “an always-unlocked side door” to optimize package delivery.
“Sideloading is that unlocked side door,” he said. “And requiring it on iPhone would give cybercriminals an easy point of entry on your device.” The DMA text, however, notes that platform developers “may implement proportionate technical or contractual measures” to screen or restrict sideloaded apps.
Federighi also attacked the notion of making sideloading just an option, as it is in Google’s Android. “History shows us, it doesn’t play out the way we hope,” he said, citing a scam Android ransomware app that mimicked an official Canadian COVID-tracking app. “Even if you have no intention of sideloading, people are routinely coerced or tricked into doing it.”
He further suggested that “some social networking apps” would opt for sideload-only distribution to evade Apple’s privacy protections, warning “you’d be stuck with the risk of losing touch with your friends online.”
(An app developer might also opt for sideloading distribution to avoid Apple’s 15–30% take of App Store sales and subscriptions.)
Finally, Federighi noted that even if you resolutely avoid sideloading, a family member doing so could still leave you at risk: “Even if you never sideload, your iPhone and data are less safe in a world where Apple is forced to allow it.”
He did not address the risk factor of Apple’s macOS, on which sideloading—there called just “downloading”—has always been allowed next to Apple’s Mac App Store.
Nor did he note how totalitarian governments have leveraged Apple’s control over mass-market mobile-app distribution to demand that it remove certain apps. For example, in 2017, Apple removed a batch of VPN apps from its Chinese-market app store; two years later, it booted HKMap Live, an app that Hong Kong protesters used to coordinate their campaigns.
A company fond of saying that “privacy is a fundamental human right” should at some point acknowledge that its app store gatekeeping can itself leave a dent in other human rights.
Disclosure: I’m moderating four panels at Web Summit, in return for which the organizers are covering my lodging and airfare.