How “Sideloading” Can Be Made Safe

One of the bigger controversies reverberating around the tech industry is the controversy around Apple’s and Google’s de facto monopoly on mobile app distribution in their respective ecosystems. The whole thing was kicked off in August 2020 by Epic Games’ decision to purposely violate both companies’ policies. They did so by deciding to use Epic’s own in-app purchasing system for their ultra-popular game Fortnite, leading to Fortnite being banned from both app stores. With this further evidence of the power these high-tech giants hold, governments around the world are now looking into potential regulatory solutions to this issue.

Citing the dangers of “sideloading”, Apple and Google defend themselves by saying their app store policies are necessary to protect their users. This brings up the question, is this true? The answer is that while sideloading can be very risky, it can be done securely through the use of time-tested and effective cybersecurity technologies. One potential solution to the app store controversy would be for mobile ecosystems to allow multiple trusted app stores that adopt these technologies to distribute apps securely to their devices.

The potential dangers of sideloading

First, just what is sideloading? Succinctly, sideloading is the downloading of apps from an app store not favored by the device maker. In this case, that would be apps that aren’t distributed by either Apple’s or Google’s app stores.

While smartphones are some of the best-protected consumer devices in the market, sideloading does have risks from a data privacy and cybersecurity standpoint. Users forced to sideload Fortnite (or other apps) from sketchy app stores with unknown security practices could be exposed to mobile malware that could contain ransomware, spyware, and trojan horses. Obviously, we want to avoid these scenarios.

How to secure apps

That being said, side loading from third-party app stores that do use appropriate cybersecurity measures can be done safely. In fact, these measures have been used in various forms for decades now with variations used by browsers as well as personal computer app distribution.

To start, when an app developer submits an app to an app store, the store, through a combination of automated and manual procedures, needs to review the app to make sure it doesn’t contain malware or well-known vulnerabilities. Once the app has been reviewed and approved for distribution, the app store must ensure the trusted version is the one that reaches the user’s device. This is done by signing the app with a Public Key Infrastructure (PKI) based digital signature. The signature contains a unique fingerprint or hash of the app’s bits that is encrypted using a PKI private key. The signed app is then distributed by the app store.

Now, when a user downloads the app to their phone, the phone verifies that the digital signature is legitimate and not a fake one created by an attacker. Once verified, the app can be safely installed and continually checked at run time to ensure persistent protection.

So far so good, but there is another piece missing. A phone could be compromised with malware that just accepts any digital signature, including fake ones used by malicious apps. To keep this from happening, best practice is to use hardware cybersecurity measures built into the phone’s main chipset. The industry standard way to do this is to first install a verified public key (the “PK” in PKI) into the phone in a trusted manner that makes it very difficult to attack during provisioning. This trusted public key is the one used to verify the downloaded app. This protection is further enhanced with additional cybersecurity features in the chipset to make it very difficult to attack the app verification process.

Creating secure third-party app stores

As mentioned before, the method above has been used in Internet app distribution for some time, including by the major app stores, and it is a proven model. This method can and is being used by third-party app stores such as the one run by Samsung for distributing apps to their phones.

Apple and Google could just simply open up their platforms to allow their users to download apps from verified third-party app stores that follow these and other industry standard cybersecurity measures. Not only would this give users more choice, but increased app store competition would also benefit both users and app developers, as well as encourage more innovation. While there might be some pressure on Apple and Google’s profit margins, in the end, such an approach would benefit the industry as a whole and potentially ward off further regulations.