Tim Cook is right and wrong about sideloading
Sideloading is as safe as you make it.
At the 2022 International Association of Privacy Professionals (IAPP) conference Tim Cook got a little passionate about what he calls the "data industrial complex" and one of the most essential battles we are fighting against right now. What he was really talking about was sideloading apps onto the phone you paid for.
This is not a thing for those of us with an Android phone, but for iOS, you have never been able to install apps that didn't come from Apple's official App Store unless you went through the hassle of jailbreaking your expensive phone or tablet. Apple has always hated the idea of sideloading and probably always will.
The reason he went on about all of this is that the legal landscape — especially in the E.U. — is changing in ways that might force things like interoperability of chargers, opening up long-closed Apple features like iMessage, and being able to install applications outside of the Apple-approved App Store marketplace.
While lawmakers and marketing groups (as well as tech writers like myself) think these ideas are good for the consumer, Apple and Google aren't keen on being forced to change the old ways of doing business. Those old ways were pretty damn lucrative after all.
But buried in the talk about how sideloading is literally the devil and the data industrial complex wants to send our sons and daughters off to war, there is a sliver of truth where sideloading carries more risk than anyone wants to talk about.
Google protects Android users in more ways than Apple does
Yes, you read that correctly. When it comes to applications with bad intentions, Google does more than Apple to protect you. That's because Android was designed with the ability to sideload apps and iOS wasn't.
There is a great write-up about the hows and whys here, but in a nutshell, it comes down to Google Play Protect. Think of it like a virus scanner that runs every day and can kill off bad apps even if they weren't downloaded from the official Google Play Store. That means you can download and install an app from anywhere, and if it does malware "stuff" it gets found. The system isn't perfect, but it works really well.
Get the top Black Friday deals right in your inbox: Sign up now!
Receive the hottest deals and product recommendations alongside the biggest tech news from the Android Central team straight to your inbox!
Apple has no such protections in place because iOS was designed to only download and install apps from the Apple App Store.
I'm not trying to convince you that one is better than the other. I'm just saying that when it comes to actual malware and sideloading, Google has been prepared for a long time and Apple would have to build some sort of system from scratch to do the same.
The real issues comes from store policies
Android and iOS both use similar systems when it comes to the ways apps can operate within the system on your phone. There are user and group permissions, sandboxing, and APIs that make sure an app can't get any data from other apps unless you allow it. There are exploits that break these systems from time to time, but those are quickly patched.
Sideloaded apps would still have to follow this set of restrictions to work on your phone. Unless you've rooted or jailbroken it, your phone's operating system knows how to keep apps in line and force them to behave. On Android phones apps that can't follow these rules get ferreted out by Play Protect, and whatever Apple would design to enforce these safeguards would do the same if sideloading was allowed on iOS.
What can't be enforced on an app you installed from a third party are app store rules and developer agreements that all apps in Google Play or the App Store have to follow. Those can be pretty important, too.
To publish an app to Google Play, a developer has to do things like provide you with a privacy policy and follow rules about what data is collected and how. Android itself can't enforce these rules as written, because apps need to collect data in different ways. To take things a step further, the company a developer uses to monetize their app through ads also has to play by the rules Google put in place or the app can be pulled out of the Play Store.
If an app isn't published in the Play Store, these rules don't have to be followed. That means a developer can, in theory, lie to you about the data being collected and how it is used or even collect unnecessary data about you.
Another thing that helps protect users even though it may restrict choice and hurt developers is payment processing. There are very strict rules about how you can pay for apps or make in-app purchases that must be followed for an app to be published in Google's Play Store. There are plenty of other ways a developer can process payments, but if they want their app to stay in Google Play they can only use what Google allows.
Who do you trust more with your bank card number: Google or Jerry's PayPal? If I work hard and develop an app worth paying for, I should be able to enter a contract with you and collect the payment without Google getting a portion of it that's too large. But to be 100% safe, you as the user can trust Google with your payment information more than you can trust me.
Data is valuable
To be clear, I don't think there are many developers out there that will skirt these rules and be all kinds of shady once they get you to sideload an app on any of the best Android phones. And there are third-party app stores that have rules developers must follow to protect our privacy. But it could happen.
I also don't think this is why Tim Cook is so against sideloading on iOS or why Google reluctantly allows it. Money is what drives companies like Google and Apple and keeping everything inside the walls of their own ecosystem is better for the bottom line.
I do think it's important for all of us to think about what could happen whenever we make a decision that involves our personal data. Data Industrial Complex weaponization chaos conspiracy theories aside, data is very valuable and important. That's why companies like Apple and Google want to keep it to themselves.
Jerry is an amateur woodworker and struggling shade tree mechanic. There's nothing he can't take apart, but many things he can't reassemble. You'll find him writing and speaking his loud opinion on Android Central and occasionally on Threads.