3rd party app stores on the iPhone

[dada_dave]

So Apple is being forced by the EU to allow side loading and access to other services like messages for other apps.

Apple Working to Add Support for Sideloading and Alternate App Stores in Europe

Apple is planning to allow for alternate app stores on iPhones and iPads ahead of European legislation that will require the company to support...

www.macrumors.com

Truthfully, depending on the details, I support this more than forcing Apple to make changes to its own store rules. I have a lot of different thoughts on this subject but I thought it be interesting to discuss here what people think.

Bottom line I think there’s room for compromise: obviating most of the privacy/security concerns (which are real) while also alleviating the concerns of developers (which are also real, particularly ones in competition with Apple’s services). Basically Apple charging a fee for verification but allowing other stores to operate seems like the best compromise here. I also think this should apply to consoles and I think it does based on the language.

 

[Andropov]

Truthfully, depending on the details, I support this more than forcing Apple to make changes to its own store rules. I have a lot of different thoughts on this subject but I thought it be interesting to discuss here what people think.

My concerns are more about the amount of crapware that could be generated if other stores are allowed. The phrase "Apple doesn't allow that" comes up A LOT during development when a project manager wants to do some random absurd idea. Some apps will need to stay on the AppStore, but others (big companies, banks...) might try to get around this by launching their own app store.

 

[Chew Toy McCoy]

Because there are a lot of dumb people out there I can already predict people trying to blame Apple when apps from these third party stores fuck up their phone.

 

[Citysnaps]

I'd prefer things staying the way they are from a security/privacy aspect.

But...if it's being forced down Apple's throat, then Apple's user terms and conditions should state that if your phone is somehow hacked or bricked, or if you suffer a monetary/privacy/security loss due to using an alternate app store or payment system, then responsibility with respect to remedies lies with the user, and not Apple.

In other words, you are on your own.

 

[Nycturne]

Because there are a lot of dumb people out there I can already predict people trying to blame Apple when apps from these third party stores fuck up their phone.

Honestly, I’d be more concerned about the privacy implications than the system stability implications.

macOS today uses a sealed system volume. It’s mounted read-only, cryptographically signed, and quite difficult to tamper with because even the kernel only sees the read-only volume. iOS does the same thing, only there’s no way to disable any of these protections like you can on macOS. And it looks like modern Apple chips don’t even use firmware for the various devices on the SoC that would normally want it, instead providing it on every boot, making it quite difficult to persist malware there. Apps are fully sandboxed at the OS level, rather than by the app store.

My take here is Apple will do exactly zero to jeopardize what they have, and will still require proper code signing, apply sandboxing etc. A third party app store will amount to little more than an app that can install other apps. I wouldn’t be surprised if Apple will setup the trust chain such that they can revoke a whole app store along with all the apps it installed. The big difference is that apps coming from these other stores won’t be held to the same standards, so expect even more tracking, more predatory schemes to get your money, apps with libraries currently not allowed by Apple (Chromium/Mozilla being the obvious example) and the like.

I’m not saying that there won’t be malware popping up, but more that the malware will be limited in the scope of damage it can do. Mess with your data and slurp it up if it can escape the sandbox via exploits, yes. Embed into the system, unlikely. Apple’s been building up a rather impressive defense for the system that shuts down an awful lot of the tricks malware can use to persist itself at the system layer, which also means it’s hard for the malware to corrupt the system layer as well.

 

[Andropov]

My take here is Apple will do exactly zero to jeopardize what they have, and will still require proper code signing, apply sandboxing etc. A third party app store will amount to little more than an app that can install other apps. I wouldn’t be surprised if Apple will setup the trust chain such that they can revoke a whole app store along with all the apps it installed. The big difference is that apps coming from these other stores won’t be held to the same standards, so expect even more tracking, apps with libraries currently not allowed by Apple (Chromium/Mozilla being the obvious example) and the like.

I’m not saying that there won’t be malware popping up, but more that the malware will be limited in the scope of damage it can do. Mess with your data and slurp it up if it can escape the sandbox via exploits, yes. Embed into the system, unlikely. Apple’s been building up a rather impressive defense for the system that shuts down an awful lot of the tricks malware can use to persist itself as the system layer, which also means it’s hard for the malware to corrupt the system layer as well.

I fully agree with this take. I think at worst we'll have terrible UX and privacy, but not a serious malware problem.

Also, Apple can always pivot to implement some limitations that are currently enforced at the App Store level (i.e, forbid submitting app updates that don't support X or Y feature, like a new iPhone screen size) at the OS level instead. Same for app background time restrictions and the like (which are already handled by the OS).

 

[Nycturne]

I fully agree with this take. I think at worst we'll have terrible UX and privacy, but not a serious malware problem.

Also, Apple can always pivot to implement some limitations that are currently enforced at the App Store level (i.e, forbid submitting app updates that don't support X or Y feature, like a new iPhone screen size) at the OS level instead. Same for app background time restrictions and the like (which are already handled by the OS).

Yup, most of the critical enforcement for things like battery life and accessing device capabilities are all OS-level today. The App Store is itself an app that installs other apps, only with a bunch of gatekeeping and automated tooling on the submission end added on.

 

[Andropov]

Yup, most of the critical enforcement for things like battery life and accessing device capabilities are all OS-level today. The App Store is itself an app that installs other apps, only with a bunch of gatekeeping and automated tooling on the submission end added on.

Keeping the app updates current is still done on the App Store side. You must submit app updates using the latest Xcode version, and you have to support certain hardware capabilities (screen sizes, Safe Areas, etc) after a while too. But I think most of those rules can also be enforced on the OS side (i.e. make apps signed after a certain date require a specific SDK version to be launched).

 

[Alli]

I have mixed feelings about this.

 

[Nycturne]

Keeping the app updates current is still done on the App Store side. You must submit app updates using the latest Xcode version, and you have to support certain hardware capabilities (screen sizes, Safe Areas, etc) after a while too. But I think most of those rules can also be enforced on the OS side (i.e. make apps signed after a certain date require a specific SDK version to be launched).

A lot of this is done to protect Apple's brand image. Users get some benefit out of in the sense that they can upgrade without wondering as much if their stuff will work, but I find it more sad that Apple has to do this at all.

Although using the latest Xcode tools when submitting updates, that I kinda get from a security perspective.

I have mixed feelings about this.

Same, but I don't think there's going to be much choice in the next few years. Mobile phones are a Duopoly/Oligarchy market, so I don't disagree that Apple and Google have an incredible amount of power to set the rules in the mobile space that impacts every 3rd party developer. Especially when Apple and Google get price advantage on their home turf when it comes to services.

The EU already passed the legislation, and so it's more a question of "how" Apple intends to comply, rather than when.

 

[Herdfan]

Are their 3rd party Play stores or does Android just allow side-loading?

I currently have 1 side-load on my Galaxy tablet and it is because it is a niche trails app. No issues so far and it has been on their for a few years.

 

[dada_dave]

Are their 3rd party Play stores or does Android just allow side-loading?

I currently have 1 side-load on my Galaxy tablet and it is because it is a niche trails app. No issues so far and it has been on their for a few years.

Samsung operates a 3rd party store - the Galaxy store. There may be other OEMs who do the same. Samsung, through of their store, were the source of the recent breach of valid Android certificates into the wild (allowing malicious apps to masquerade as a real ones verified by Google). However I believe there are nuances to the what exactly 3rd party stores are allowed to do and integration with Google Play for in app purchases which is why Google is also under fire from regulators and the like. I’m not as familiar with Google’s issues so someone else can go into further depth.

 

[Chew Toy McCoy]

Other than Apple taking a cut, are there any other reasons a developer wouldn't want to go through Apple's app store? A developer not wanting to do that sounds suspect to me.

 

[Nycturne]

Are their 3rd party Play stores or does Android just allow side-loading?

I currently have 1 side-load on my Galaxy tablet and it is because it is a niche trails app. No issues so far and it has been on their for a few years.

Epic is trying to make inroads with an app store on Android, but right about now the only thing keeping it alive is Fortnite.

 

[Nycturne]

Other than Apple taking a cut, are there any other reasons a developer wouldn't want to go through Apple's app store? A developer not wanting to do that sounds suspect to me.

Apple sets rules on what is and isn't allowed. Their review system is opaque and can feel quite arbitrary.

- Google would love to be able to use their engine on iOS rather than Apple's for Chrome.
- Facebook would love to not have to follow the increasingly stringent privacy rules.
- Smaller indie developers can have plans derailed by the opaque review policy.
- More esoteric software such as emulators simply aren't allowed.

As a developer, Apple feels like that guy who means well, but can randomly and abruptly make your life hell, and cost you money. But you keep doing it because they know all the folks with money, if you want your small business to work on iOS, then you gotta play ball.

It's been getting kinda better on the rules part, as they slowly loosen things up over time. That said, the review system is still unhelpful when you get caught up in it.

 

[Chew Toy McCoy]

Apple sets rules on what is and isn't allowed. Their review system is opaque and can feel quite arbitrary.

- Google would love to be able to use their engine on iOS rather than Apple's for Chrome.
- Facebook would love to not have to follow the increasingly stringent privacy rules.
- Smaller indie developers can have plans derailed by the opaque review policy.
- More esoteric software such as emulators simply aren't allowed.

As a developer, Apple feels like that guy who means well, but can randomly and abruptly make your life hell, and cost you money. But you keep doing it because they know all the folks with money, if you want your small business to work on iOS, then you gotta play ball.

It's been getting kinda better on the rules part, as they slowly loosen things up over time. That said, the review system is still unhelpful when you get caught up in it.

Thanks for the insight. From the user side I can't really think of anything I would want that couldn't be possible within Apple's walled garden.

 

[Andropov]

As a developer, Apple feels like that guy who means well, but can randomly and abruptly make your life hell, and cost you money. But you keep doing it because they know all the folks with money, if you want your small business to work on iOS, then you gotta play ball..

As a developer, I've been thankful for the App Store review rules way more often than not. It's crazy what some product managers and clients try to push onto users with no regard for ethics or user experience. If anything, sometimes I've wished for the review to be more thorough.

I was tangentially involved with a feature, pushed to 8M+ active users, that launched a 300-500 MB download *every time* users navigated to a product detail in one shopping app. I remember bringing up whether this should be automatic when using mobile data, but I was quickly dismissed. Wish the review team had taken down the feature. IMHO it was borderline unethical to blow users' data plans without warning.

 

[Nycturne]

As a developer, I've been thankful for the App Store review rules way more often than not. It's crazy what some product managers and clients try to push onto users with no regard for ethics or user experience. If anything, sometimes I've wished for the review to be more thorough.

In some ways, I don't disagree. But we've also had issues where we were rejected for a violation, but not with enough detail to know which part of the rule was violated, let alone enough to track things down. Meaning it took days to address even a simple rejection situation. There's been plenty of reports of developers where this sort of opaque behavior happens at critical times, derailing a launch, urgent fixes, or the like.

I personally don't think we need to accept the bad in order to have the good.

All that said, I was more trying to outline why companies would have issues working within Apple's framework, rather than trying to associate any value judgement to it one way or another. For me, I just want improvements to the review process so remediation is faster. I also would like to see some relaxing of certain things that are simply not allowed, which they have been doing, but I don't think they go quite far enough yet.

 

[turbineseaplane]

So many "concerns" around this ... that are basically not an issue on the Mac

(or at least not something discussed and worried about to this extent)

 

[turbineseaplane]

Let's not forget that the term "side loading" gives off an overly scary impression.

"Sideloading" = "Installing Apps that Apple isn't dictating all policy about, or forcing their way into getting a financial cut of"

90%+ of the Apps on my Mac are "side loaded" and things are just fine.