The Digital Markets Act (DMA), newly introduced in the EU, cracks Apple’s armour, enabling sideloading on iPhones and giving users more control. What does this mean for users outside the EU, and is sideloading apps safe on iOS?
This article covers sideloading iOS apps, including the associated risks, limitations, and changes brought in by the DMA.
What is app sideloading?
Sideloading refers to the process of loading apps onto a device from a source other than the official app store. Android has allowed sideloading for years, through direct installation from the internet or from alternative app stores, while Apple’s closed ecosystem has traditionally forbidden it, requiring all apps to be downloaded from the App Store.
With iOS sideloading, Apple now allows users in the EU to install apps from third-party sources, giving them more freedom to use their iPhones as they see fit. The sideloaded apps could come from independent app stores or as direct downloads from developers, which may avoid Apple’s in-app payment systems.
Is it possible to sideload apps on the iPhone without jailbreaking?
For years, sideloading apps on an iPhone has been associated with jailbreaking—a process that removes Apple’s security restrictions.
Since iOS 17.4, Apple has let users in the EU sideload apps from outside its official App Store. That’s a big turn for Apple’s closed ecosystem because, up until then, it allowed nothing but apps from the App Store. Now, users in the EU no longer need to jailbreak their iPhones to install apps from sources other than Apple’s App Store, making it easier and less risky for them to install third-party apps.
Unfortunately, for users outside the EU, this option is still unavailable. An internal Apple system called “countryd” verifies where the device is, using the billing address from the Apple ID and the settings on the iPhone, to allow or deny sideloading. That means that, outside of the 27 EU countries, sideloading iOS apps without jailbreaking your iPhone remains unavailable.
How about sideloading apps using developer mode?
Some iPhone users may be familiar with sideloading apps through developer tools such as Xcode or TestFlight, Apple’s official beta testing platform.
While that is technically possible, it’s really not considered the same as iOS sideloading. Apps installed this way are still subject to Apple’s restrictions, and you need to be a registered developer to sideload apps via Xcode.
Can I sideload apps on an iPhone using a VPN?
Most people think that a VPN can help bypass Apple’s restrictions on sideloading iOS apps by disguising the location of a device. In fact, even with a VPN, it is not possible to sideload applications outside the EU.
Apple has put in place an elaborate system that checks the user’s region through several means: the settings of the iPhone, the Apple ID, and the billing address. In other words, several checks must pass to confirm that a user is in a location where iOS sideloading is allowed. Even if you use a VPN to virtually change your location to the EU, for instance, your device’s physical location and settings ensure you cannot sideload iPhone apps.
The bottom line is that while VPNs are typically used to bypass geo-blocked content like streaming services, they won’t help when it comes to sideloading iOS apps on your iPhone outside the EU.
Is it safe to sideload apps?
The answer is yes and no. The act of sideloading isn’t inherently dangerous, but it opens the door to new risks that would normally be blocked by Apple’s App Store.
The greatest risk of sideloading iOS applications is exposure to malware, spyware, or some other kind of cyberattack. The Apple App Store has strict guidelines and careful review processes for checking any application before it becomes available to download. Sideloading bypasses those security checks, so sideloaded apps are more likely to contain malicious code.
On the other hand, while Apple does permit apps from third-party sources on iOS, the checks on them are incomplete. These apps undergo a notarization process, meaning that they have been scanned for known malware. That is less thorough than the review process of the App Store itself, leaving some room for potential risks.
Notarization vs. App Store review
Alongside iOS sideloading, Apple has introduced the notarization process as a less rigorous alternative to the traditional App Store review. But what is the difference between these two procedures, and why is it important?
Applications that make it to the App Store go through a thorough review process: everything is checked, from functionality to security. Apple checks whether an application meets its design guidelines, follows privacy policies, and doesn’t host malicious code. That is why downloading apps from the App Store is considered secure and reliable.
The notarization process for sideloaded apps, on the other hand, is a little more lenient. Apple conducts a cursory scan to check that the app doesn’t contain known malware but does not check for deeper privacy compliance or functionality. This means that, while the sideloaded apps will still have some level of security control, they are less strictly vetted than the apps from the App Store.
How to stay safe when sideloading iOS apps
If you still want to sideload apps on your iPhone, the following steps can help lessen the risks:
- Download apps only from trusted sources: Stick to reputable third-party app stores or a developer with a proven track record of delivering safe applications.
- Keep your iOS updated: Apple periodically issues updates that patch security vulnerabilities; make sure your iPhone has the latest version of iOS.
- Use antivirus software: Installing verified security software on your iPhone can help to detect malware and remove it before it causes damage to your device.
- Be careful with app permissions: Check the permissions that different apps are requesting when sideloading. An application may be malicious when it requests unnecessary or excessive permissions.
What does the DMA do?
The Digital Markets Act (DMA) is a set of regulations initiated by the EU to address the dominance of tech giants like Apple and ensure that the digital market is a fair place for consumers as well as developers. The DMA forces companies considered to be “gatekeepers” like Apple into opening up their platforms to third-party services and apps.
Key changes introduced by the DMA
- Third-party app stores: Under the DMA, iPhone users in the EU will be able to sideload iPhone apps from alternative app stores.
- Alternative payment methods: The DMA allows developers to use alternative ways of receiving payments, aside from those imposed by Apple, and recoup up to 30% in commission.
- Expanded APIs: New APIs are now available for developers to build browsers using third-party rendering engines instead of being restricted to Apple’s WebKit, the traditional iOS browser engine.
The future of app sideloading on iOS
While iOS sideloading is currently only available in the EU, there have been active discussions about whether it will be allowed in other places anytime soon. The effects of iOS sideloading are far-reaching.
Will the US follow the lead of the EU?
With more regions considering the DMA and other similar regulations for digital markets, sideloading applications might become a global feature. US lawmakers have shown interest in clipping the wings of major tech gatekeepers. Should similar regulations be passed in the US, Apple may find itself having to support iOS sideloading beyond the EU as well.
If sideloading on iOS grows, it could bring both new opportunities and new challenges for app developers. It cuts out Apple’s App Store and the commissions paid to the company, but it also means developers would be responsible for securing their apps themselves.
Best practices for developers
As iOS sideloading presents developers with a whole new world of possibilities, they will have to follow best practices to ensure their apps remain secure and functional. The following are some key considerations a developer should look into:
1. Prioritize app security
Although it performs basic checks, Apple’s current notarization process is not enough to make an app secure, so it is up to developers to take further steps to secure their apps. These include rigorous security testing, encrypting sensitive data, and continuously updating apps to patch bugs and vulnerabilities.
2. Utilize transparent payment mechanisms
One of the advantages of sideloading iOS applications is that these third-party apps get to bypass Apple’s in-app payment system and its commissions. However, developers need to make sure that their payment mechanisms are secure and meet the regulations of the region. To gain user trust, they need to use trusted payment gateways and keep transactions transparent.
3. Offer ongoing support and updates
Because sideloaded apps will not update through the App Store, it’s up to developers to provide updates in another manner. This can involve creating different notification systems or simply emailing users when a fresh version of the app is available for download.
4. Educate users on permissions
Users of sideloaded apps may not be well acquainted with the variety of permissions that an app from a third-party source requires. Developers should educate users on why those permissions are necessary, and they must make sure their apps don’t ask for unnecessary or excessive access to device features.
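One way a developer could check this before distributing a build, shown as an added example that is not part of the original article or any Apple tool: the script reads the permission purpose strings (Info.plist keys ending in UsageDescription) from an IPA and reports any the team has not documented, plus any whose user-facing explanation is empty or too short. The sample IPA, the bundle id, the expected list and the 15-character threshold are constructed assumptions.

```python
import io
import plistlib
import re
import zipfile

# The app's own Info.plist inside an IPA lives at Payload/<Name>.app/Info.plist
INFO_PLIST = re.compile(r"^Payload/[^/]+\.app/Info\.plist$")
MIN_EXPLANATION_CHARS = 15  # assumed threshold for a meaningful purpose string


def audit_permissions(ipa_bytes, expected):
    """Return (unexpected, weak) lists of usage-description keys for one IPA."""
    with zipfile.ZipFile(io.BytesIO(ipa_bytes)) as ipa:
        names = [n for n in ipa.namelist() if INFO_PLIST.match(n)]
        if len(names) != 1:
            raise ValueError(f"expected one app Info.plist, found {len(names)}")
        info = plistlib.loads(ipa.read(names[0]))  # accepts XML and binary plists

    declared = {k: v for k, v in info.items() if k.endswith("UsageDescription")}
    # Declared in the build but absent from the documented feature list.
    unexpected = sorted(set(declared) - set(expected))
    # Declared, but the text shown to the user explains nothing.
    weak = sorted(k for k, v in declared.items()
                  if not isinstance(v, str)
                  or len(v.strip()) < MIN_EXPLANATION_CHARS)
    return unexpected, weak


def build_sample_ipa():
    """Constructed sample: a minimal IPA that holds only an Info.plist."""
    info = {
        "CFBundleIdentifier": "com.example.notes",  # hypothetical bundle id
        "NSCameraUsageDescription": "Scan paper notes into the app with the camera.",
        "NSContactsUsageDescription": "",
        "NSLocationAlwaysAndWhenInUseUsageDescription": "Location",
    }
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as ipa:
        ipa.writestr("Payload/Notes.app/Info.plist",
                     plistlib.dumps(info, fmt=plistlib.FMT_BINARY))
    return buf.getvalue()


if __name__ == "__main__":
    unexpected, weak = audit_permissions(build_sample_ipa(),
                                         expected={"NSCameraUsageDescription"})
    print("not in the documented feature list:", unexpected)
    print("missing a real explanation:", weak)
```

Run in a release pipeline, a non-empty result for either list is a reason to stop and either remove the permission or write the explanation users will see.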
Conclusion
While sideloading gives users more freedom on iOS, it also carries security risks, since sideloaded apps do not go through the same process as App Store review.
For now, iPhone users outside the EU are still out of luck when it comes to sideloading iPhone apps. Should sideloading arrive in other areas, however, this is a good reminder to be aware of where you download apps from.