What is sideloading?

Sideloading refers to installing apps on a mobile device from a source outside the device's official app store, like the Google Play Store or Apple’s App Store. This practice bypasses the default protections put in place by these platforms and is often used to access apps not officially available in certain regions or app stores.

Summary

Sideloading allows users to install apps directly onto their devices, bypassing official app stores like the Apple App Store or Google Play Store. While it can offer benefits—access to apps restricted by region or apps not permitted by official platforms—it also presents significant security risks. Unlike apps downloaded from official app stores, which undergo rigorous security checks, sideloaded apps may not be vetted, increasing the chances of malware or other security threats.

The European Union’s Digital Markets Act (DMA), which led to the introduction of sideloading in iOS 17.4, has pushed Apple to loosen its strict control over app distribution. In contrast, Android has long allowed sideloading, though it includes warnings and security measures to protect users. These differences highlight the contrasting approaches of the two dominant mobile operating systems: Android is more open to third-party installations, while iOS has traditionally maintained a more closed ecosystem.

Deep dive

Sideloading and security

When you sideload an app, you install it from a source outside the official app stores, like the Google Play Store for Android or Apple’s App Store. This gives you access to apps that might not be available in your region or that platform policies exclude, such as Apple’s ban on apps with content like gambling or Google Play’s restrictions on apps that use unapproved payment systems.

Sideloading may sound good for downloading restricted apps, but doing so bypasses the security measures that these stores enforce. This leaves your device vulnerable to malware and other threats. While Android has allowed you to do this for years, iOS is now following suit due to regulatory changes.

While sideloading brings fresh security challenges, iOS isn’t necessarily safer than Android. In an analysis of the top 100 iOS apps, we found that as many as 90% are vulnerable to repackaging attacks, challenging the belief that iOS offers better security.

Digital Markets Act (DMA)

The Digital Markets Act (DMA) is a regulatory framework designed to ensure fair competition and consumer choice within the tech industry. One of the key elements of the DMA is its requirement that major gatekeepers, such as Apple, allow sideloading on their platforms. Before the DMA, Apple had a closed ecosystem that controlled app installations through the App Store. The DMA forces companies like Apple to permit users to sideload apps, allowing developers to distribute apps without needing to go through Apple’s official channels. This is a significant step towards more open software ecosystems but also introduces potential risks as the security of sideloaded apps remains a concern.

iOS 17.4

The iOS 17.4 update is a direct response to the DMA’s regulations. For the first time in Apple’s history, iOS supports sideloading, granting users the ability to install apps from third-party sources. Historically, Apple has restricted app installations to the App Store to maintain security and privacy standards. By vetting all apps in the App Store, Apple could ensure that users were protected from malicious software.

With iOS 17.4, this tight control loosens, but Apple has implemented safeguards to mitigate risks—from security prompts to restrictions on how sideloaded apps interact with the core operating system—to ensure security despite the more open nature of the platform.

Sideloading in iOS vs. Android

  • Android: On Android devices, sideloading is relatively straightforward. Users can enable sideloading by adjusting their device settings to allow installations from unknown sources. Once enabled, users can download APK (Android Package) files from websites or third-party app stores and install them directly. While convenient, this process exposes users to unvetted apps that may contain malware or other security vulnerabilities.
  • iOS: Apple has historically required all apps to be downloaded via the official App Store, where they undergo stringent security and privacy checks. Under the DMA, which aims to level the playing field by reducing the control platforms have over app distribution, Apple will allow sideloading. iOS 17.4 lets users sideload apps, although under specific measures to mitigate potential risks.

Examples

  • Fortnite on iOS and Android: In 2020, Epic Games attempted to bypass Apple and Google’s app store fees by encouraging users to sideload the popular game Fortnite directly from their website. On Android, this was straightforward due to the platform’s sideloading capabilities. But on iOS, it was impossible, leading to a legal battle between Epic Games and Apple. This highlighted the rigid control Apple had over app installations, a control now being weakened by regulatory changes like the DMA.
  • TikTok security risks: In 2023, cybersecurity experts flagged growing concerns over sideloading versions of TikTok from unofficial sources. Reports revealed that modified versions of TikTok, available via third-party APK sites, were being sideloaded on Android devices and contained hidden malware that tracked user data. These malicious variants bypassed the security controls of official app stores, emphasizing the risks of sideloading from untrusted sources and the growing need for stronger sideloading security measures.
  • Samsung restricts sideloading on new devices: In July 2024, Samsung issued a significant update for several of its flagship devices, including the Galaxy Z Fold 6, Z Flip 6, and the S25 Ultra. The update restricts sideloading practices, particularly in response to growing security concerns around the potential risks posed by unvetted apps. The company’s goal is to mitigate the risk of malware, unauthorized software, and privacy issues that arise from apps sourced outside official app stores. Apps installed via sideloading were either disabled or unable to function properly, emphasizing the company’s stance on enhancing device security.

History

Sideloading can be traced back to the early days of mobile devices, with a stark divergence between platforms in how they approached app distribution. Android, since its debut in 2008, embraced an open ecosystem that allows users to install apps from third-party sources through sideloading. This openness aligned with Google’s philosophy of providing users with maximum flexibility and control over their devices. But this freedom came with risks because sideloading bypasses the security checks of the official Google Play Store, making it easier for malicious apps to be distributed.

On the other hand, Apple took a different route with the launch of iOS in 2007. From the start, apps could only be downloaded through the App Store, which served as a controlled environment where Apple could ensure that all apps met its rigorous security and privacy standards. This closed ecosystem was central to Apple’s strategy of prioritizing user security and protecting devices from malware. While it reduced the risk of users downloading harmful apps, it also restricted their ability to install apps outside of Apple’s ecosystem.

Recently, with the introduction of the DMA, Apple announced that it would introduce sideloading in iOS 17.4 to allow app installation outside of the App Store. This represents a major departure from Apple’s longstanding stance on app distribution and security.

Future

Could other regions adopt regulatory measures similar to the DMA? While the DMA is currently limited to the EU, other regions like Japan, Britain, Mexico, South Korea, Australia, Brazil, and India are considering similar regulations to address tech firm dominance in digital markets. As more regions adopt sideloading policies inspired by the DMA, it could affect iOS security, increase competition, and complicate app distribution for developers, who would need to navigate different app store ecosystems with varying rules and security standards.

While sideloading offers users flexibility, it also poses new challenges. Apple is expected to implement measures such as security prompts, app verification, and sandboxing techniques to mitigate the risks associated with sideloading.

For Android, the future of sideloading could focus on enhancing security measures to reduce malware risks. Google’s Play Protect already scans sideloaded apps for harmful behavior, but future updates could see more advanced AI-driven security features that offer better protection.

In the long term, as regulatory frameworks continue to evolve, both iOS and Android will face increased scrutiny regarding how they manage app distribution and user safety. Sideloading could become common on both platforms, but its risks will need to be addressed with stronger security mechanisms.
