Most mobile administrators know how simple it is to download and install third-party apps onto Android devices, but they may not know how easy it is to sideload iOS apps.
How common are sideloaded iOS apps in the enterprise?
Lookout representatives commented that from February 2016 to February 2017, 11% of iOS devices encountered a sideloaded app.
Between November 2017 and November 2018, 6.8% of iOS devices connected to third-party app stores, and 3.43% of iOS devices had a sideloaded app installed, according to Wandera. These aren't large numbers, but Lookout and Wandera's customers are businesses and corporations that prefer to keep devices locked down. For many enterprise organizations, anything greater than 0% is too high.
How easy is it to sideload iOS apps?
The process of accessing iOS sideloaded applications is easy -- really easy. Anyone can do it from their iPhone or iPad, and it doesn't require jailbreaking the device. All that's needed is to download the app onto the device via a desktop or load apps from the mobile browser.
Anecdotally, jailbreaking isn't as popular or common as it once was. Some people still do jailbreak their iOS device -- this will never completely go away -- but the number of jailbreakers is getting smaller and smaller as Apple rolls out features that used to only be possible on a jailbroken device. Also, it's easy enough to sideload iOS apps onto a phone or tablet, so users may not find jailbreaking necessary.
There are two different -- but ultimately similar -- methods to sideload iOS apps worth exploring here, and the key with each relies on abusing Apple developer certificates. The simplest method is via the device itself.
Method 1: Third-party app store
To sideload on an iOS device, first, find a third-party app store that is trustworthy enough. Whether these app stores are truly safe is a debate for another time. It shouldn't be difficult to find plenty of options.
- Select the chosen app and download it.
- Go into Settings > General > Device Management and trust the developer certificate.
The app should be sideloaded on the iOS device and ready to go.
Method 2: Cydia Impactor and Xcode
The other method uses Cydia Impactor, Xcode and a downloaded IPA file. An app can be sideloaded onto iOS with Xcode alone, but that requires some additional technical knowledge. These steps will help the process:
- Create an Apple developer account; admins can create a free account for a trial period or pay $99 per year for one.
- With Xcode, push the designated provisioning profile onto the iOS device.
- Use Cydia Impactor to re-sign the IPA file to the developer profile.
- Enable the device to trust that profile, and the process is complete.
Neither method is flawless, though. The first method of loading apps from a third-party store relies on the hope that Apple doesn't revoke the enterprise developer certificate the app uses, as this will prevent the app from launching. Meanwhile, the personal provisioning profile attached to a free developer account -- using the Cydia Impactor -- will expire after five to seven days unless the admin pays the $99 account fee. It's also important to note that IT administrators can prevent these actions with some basic device management security protections.
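For a defender triaging an IPA file or an app pulled from a managed device, the two signing routes described above can be told apart from the provisioning profile shipped inside the app bundle (`Payload/<App>.app/embedded.mobileprovision`). The following is an added example, not code from the article or from Apple, Lookout or Wandera; the function names are hypothetical, the sample profiles are constructed, and the profile's CMS signature is not verified.

```python
import plistlib
from datetime import datetime, timedelta

def extract_profile(blob: bytes) -> dict:
    """Return the plist carried inside a CMS-wrapped embedded.mobileprovision.
    Reads the payload only; the CMS signature is NOT verified here."""
    start = blob.find(b"<?xml")
    end = blob.find(b"</plist>", start)
    if start == -1 or end == -1:
        raise ValueError("no embedded plist found")
    return plistlib.loads(blob[start:end + len(b"</plist>")])

def classify(profile: dict, now: datetime) -> dict:
    """Label which signing route lets this app run outside the App Store."""
    entitlements = profile.get("Entitlements", {})
    if profile.get("ProvisionsAllDevices"):
        kind = "enterprise"      # runs on any device once the user trusts the cert
    elif entitlements.get("get-task-allow"):
        kind = "development"     # personal/free developer account builds land here
    elif profile.get("ProvisionedDevices"):
        kind = "ad-hoc"
    else:
        kind = "app-store"
    expires = profile["ExpirationDate"]   # plistlib yields a naive UTC datetime
    return {"team": profile.get("TeamName"), "kind": kind,
            "days_left": (expires - now).days, "expired": expires < now,
            "sideloaded": kind != "app-store"}

def triage(blob: bytes, now: datetime) -> dict:
    """Extract and classify in one call, for use over a folder of profiles."""
    return classify(extract_profile(blob), now)

def _wrap(profile: dict) -> bytes:
    """Constructed stand-in for the CMS envelope: arbitrary bytes around the plist."""
    return b"\x30\x82\x1f\x00" + plistlib.dumps(profile) + b"\x00\x31\x82"

# Constructed sample profiles (not real teams, devices or certificates).
NOW = datetime(2019, 1, 10)
ENTERPRISE_BLOB = _wrap({"TeamName": "Example Store Ltd", "ProvisionsAllDevices": True,
                         "ExpirationDate": NOW + timedelta(days=142),
                         "Entitlements": {"get-task-allow": False}})
FREE_DEV_BLOB = _wrap({"TeamName": "Personal Team", "ExpirationDate": NOW + timedelta(days=7),
                       "ProvisionedDevices": ["CONSTRUCTED-UDID-0001"],
                       "Entitlements": {"get-task-allow": True}})

if __name__ == "__main__":
    for blob in (ENTERPRISE_BLOB, FREE_DEV_BLOB):
        print(triage(blob, NOW))
```

An "enterprise" result on a device that should only run App Store or in-house apps from the organization's own team is the case worth escalating.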
Risks of sideloading iOS apps
The inherent issue of sideloading iOS applications is somewhat obvious: They aren't coming from approved and carefully vetted sources. The Apple App Store vets its mobile applications for malware or other potential threats before approving and distributing them. While security breaches are still possible through apps from the Apple App Store, the world of sideloaded apps is the Wild West compared to it.
Apple's approach to device security is dubbed the "walled garden" approach, where the vendor essentially preapproves every software or service that can run within its OSes. The default is not the flexibility to run whatever users or admins want; it's security. To sideload a mobile app on an iOS device is to open the gate to that garden. The user may only crack it open, but all it takes is one malware download leading to an infection to undermine the entire approach. The security risks of sideloading tend to outweigh the benefits, but IT administrators will have to consider this case by case.
Key takeaways of sideloading iOS apps
The simplicity of this process may be surprising to some administrators. Apple's iOS has the reputation of being a walled garden that requires all apps to go through the official App Store, but this is not always the case.
While it remains easy for users to get these applications, an iOS device with sideloaded apps opens up another vector for bad actors to get spyware and other malicious software onto iOS devices. Organizations must be sure they can trust the third-party app store where the IPA file or app originated.
Jailbreaking also leaves devices more vulnerable. In theory, malicious apps would have less effect on jailed devices than jailbroken ones. Administrators need to think about the overall threat model. No method of getting unauthorized apps onto a device is great from a security perspective. Any sideloaded iOS apps will have unfettered access to a device, along with APIs, according to Lookout.
If administrators decide to jailbreak or sideload iOS apps, they must be very careful, especially with work devices.