The risks of sideloaded apps

Are sideloaded apps safe? Based on new EU legislation, Apple may start allowing for the sideloading of apps from third-party app stores. These apps can bring new risks to your organization's security posture. Read this blog to know what this can look like and how to mitigate the risks.

December 15 2023 by

Hannah Hamilton

iOS app store

In 2022, the European Union passed the Digital Markets Act, summarized by The European Commission as:

Some large online platforms act as "gatekeepers" in digital markets. The Digital Markets Act aims to ensure that these platforms behave in a fair way online. Together with the Digital Services Act, the Digital Markets Act is one of the centrepieces of the European digital strategy.

Apple is named as one of these gatekeepers based on their impact on the European market. Among other actions, gatekeepers must now allow third parties to inter-operate with their own services in certain situations, and must not treat their own services and products more favorably than similar services and products offered by third parties on their platform.

One consequence of this affects the App Store: barring some kind of appeal or exception, Apple will likely be required to allow the download of apps from third-party app stores. This sideloading of apps, while offering a wider selection of apps and leveling the playing field for other app stores, can introduce security and privacy risks that end users and IT admins need to consider.

Risks of sideloaded apps

While no app store is totally free from malicious or problematic apps, for an app to be approved for the App Store, it must meet a number of safety, performance, business, design and legal guidelines provided by Apple. In fact, according to the 2022 App Store Transparency Report, Apple processed 6.1 million app submissions and rejected nearly 1.7 million for not meeting their guidelines. Over 32,000 apps were removed for fraud or spam, and over $2 billion of fraudulent transactions were prevented.

There is no guarantee that third-party app stores will have similar guidelines to protect user privacy and security, or will have the capabilities to identify and remove apps discovered not to meet these guidelines after they are downloaded by users.

Naturally, this is a cause for concern, especially considering the data and finances that are at stake.

Some potential risks sideloaded apps bring to the table include:

  • They may not be checked for malware or malicious code.
  • They may not follow best practices created by the OS or device manufacturer.
  • It may be more difficult to keep these apps up to date.
  • They might appear like legitimate apps but contain spyware or other malicious code.
  • They may collect and/or disclose personal information without letting the user know.

Reducing the risk

It isn't clear when Apple will allow for third-party app stores. When this happens, what can IT admins do to reduce security or privacy violations?

Define what is too risky.

The first step is to decide how much risk your organization is willing to accept. Do you ban all third-party app stores? Only some based on their policies, reputation or app selection? Or allow all?

You can define access policies and compliance requirements based on the apps a user has installed on their work devices. For example, if in your policy all sideloaded apps are disallowed, devices with these unapproved apps can be denied access to company resources.

Examine third-party app store policies.

If your organization decides to allow sideloaded apps, you should stay in touch with the third-party app store’s privacy and security policies. Some considerations are:

  • How do apps stay up to date? Is there a way to automate this process?
  • What data is collected and/or distributed?
  • How are apps validated or approved for addition to the store?

Block traffic from apps known to be malicious or vulnerable.

While it’s not always possible to prevent users from downloading apps from third-party app stores, it is possible to disallow app traffic from unsanctioned apps. By removing access to these apps on your network, you can reduce their potential impact on your systems.

Consider banning sideloading.

The safest option is likely to prevent sideloading altogether. If employees require an app from a third-party app store, it may be necessary to develop a policy allowing these exceptions. If possible, consider offering apps outside the App Store in a Self Service portal for safe and convenient downloads.

Separate work and personal end-user data on BYOD devices.

Banning sideloading altogether may be difficult if you have BYOD devices or if employees are accessing work resources from their personal devices.

Thankfully, it’s simple to separate work and personal data on iOS devices. Requiring devices — including personal ones — to enroll in your mobile device management (MDM) software if they are accessing company resources enables IT to keep corporate data locked down. With ZTNA, corporate data and app traffic travels through secure microtunnels to your network, while all other traffic, including these sideloaded apps, goes through general web channels. This means company data stays with the company and user data stays with the user.

How Jamf can help

Jamf Pro, Jamf Protect and Jamf Connect can help reduce the risk sideloaded apps may bring once they are allowed by Apple. Learn more about the features that keep your data secure:

Keep your data protected with Jamf.

Subscribe to the Jamf Blog

Have market trends, Apple updates and Jamf news delivered directly to your inbox.

To learn more about how we collect, use, disclose, transfer, and store your information, please visit our Privacy Policy.