Apple just went full Android in the EU. While sideloading, the act of installing apps from sources other than the OS's official app store, is a familiar practice for Android users, it marks a departure from the tightly integrated ecosystem that has long characterized Apple's approach.

While the option to pick and choose the apps on their devices holds appeal for certain enterprises, EU admins might not agree. Maintaining a delicate equilibrium between user privacy and strong endpoint security has always been a challenge, one that is bound to escalate with the EU's latest regulatory changes.

Where it all began

The recent changes to iOS app distribution in the EU, permitting sideloading, marks a significant development in the ongoing regulatory tug-of-war. For years, Apple's App Store was a dominant gatekeeper, controlling app distribution for iOS devices. It operated as a walled garden requiring app developers to undergo a stringent review and approval process before their creations could reach users. From a security point of view, this is a significant and mandatory process. However, it raised concerns regarding high App Store fees and limited competition.

In response to these concerns, the European Commission (EC) proposed the Digital Markets Act (DMA) in 2022. This legislation promotes fair competition within digital markets by imposing regulations on such "gatekeeper" platforms. Finally, in early 2024 we saw the finalization of the list of designated gatekeepers, with Apple included. Subsequently, Apple announced its compliance strategy. This strategy allows for sideloading apps from alternative app stores downloaded through the web browser.

With the release of iOS 17.4, Apple has officially launched alternative app marketplaces in Europe, operated by third parties. These platforms allow the direct delivery of apps to iPhones from sources beyond the App Store.

The Implications of Sideloading

While no app marketplace is a perfect utopia, Apple's App Store stands out for its rigorous vetting process. This meticulous approach is reflected in the sheer numbers: according to the 2022 App Store Transparency Report, a staggering 1.7 million apps out of 6.1 million submissions failed to meet Apple's stringent criteria. That's almost a third of all submitted apps falling short! Moreover, in 2022 alone, over 32,000 apps were removed for exhibiting fraudulent or spammy behavior. Such a proactive approach helps to weed out malicious apps before they can wreak havoc on user devices and data.

Unlike the App Store, these alternative marketplaces might not have the resources or commitment to replicate Apple's stringent vetting process. This can lead to a Wild West scenario where malicious apps with hidden agendas can slip through the cracks. Moreover, user privacy and security could be at risk, as these stores might lack the ability to effectively identify and remove non-compliant apps after downloading them.

Leveraging MDMs as a Deterrent

Given the numerous security and privacy risks associated with sideloading, businesses should explore a more secure and compliant approach. Here's where Mobile Device Management (MDM) platforms come in.

Firstly, administrators possess the authority to proactively hinder the installation of applications, implementing proactive measures to prevent their ingress onto the system. Moreover, they can enact stringent controls to limit the installation of apps originating from alternative marketplace platforms, extending their oversight to include apps already present on the device.

Furthermore, by implementing measures to restrict users' access to the App Store, administrators enforce the removal of its icon from the home screen. This prohibition extends equivalently to alternative marketplace stores and the applications they offer, ensuring a uniform approach to app procurement across the iOS ecosystem. Finally, MDMs can also remove applications on iOS devices, including those downloaded from third-party app stores.

However, the equation gets trickier when we add BYOD to the mix. Fortunately, separating work and personal data on iOS devices is a simple endeavor. Enrolling employees' personal devices they use for work in an MDM allows admins to ensure that corporate data remains securely locked down. Augmenting such an MDM with Zero Trust Network Access (ZTNA) solutions facilitates the secure transmission of corporate data and app traffic through tunnels, segregating it from other web traffic, including sideloaded apps. This delineation ensures that company data remains within the confines of the corporate network, safeguarding sensitive information.

The story of the DMA and app sideloading reflects a broader struggle between regulators and tech giants over control of the digital marketplace.  The coming years will likely witness further developments as EU authorities monitor compliance and app developers and users adjust to the changing landscape.

Apple itself underscores the inherent risks associated with alternative distribution channels, emphasizing the potential privacy, security, and safety concerns for users and businesses alike. While an MDM alone might not be a complete solution, companies can navigate the complexities of mobile security with confidence by leveraging the comprehensive capabilities of MDM platforms. This enables them to safeguard their assets and ensure regulatory compliance in an increasingly interconnected digital landscape.

Photo Credit: Art_girl/Shutterstock

Apu Pavithran is the founder and CEO of Hexnode, the award-winning Unified Endpoint Management (UEM) platform. Hexnode helps businesses manage mobile, desktop and workplace IoT devices from a single place. Recognized in the IT management community as a consultant, speaker and thought leader, Apu has been a strong advocate for IT governance and Information security management. He is passionate about entrepreneurship and devotes a substantial amount of time to working with startups and encouraging aspiring entrepreneurs. He also finds time from his busy schedule to contribute articles and insights on topics he strongly feels about.