By now, most everyone (in our industry anyway) should know how simple it is to download and install third-party apps onto Android devices. But how many people know just how easy it is to sideload iOS apps (or that it’s even possible outside of jailbreaking the device first)?
I spent some time figuring out how to do it, because if I can do it, it can’t be too difficult!
Sideloaded iOS apps in the enterprise data
Jack and I first got curious about the difficulty of getting third-party apps onto an iPhone after speaking with Lookout and Wandera for our articles on mobile security. Lookout revealed that from February 2016 to February 2017, 11% of iOS devices encountered a sideloaded app.
Then, Wandera told me that between November 2017 and November 2018 6.8% of iOS devices connected to third-party app stores and 3.43% of iOS devices had a sideloaded app installed. Not large numbers, but their customers are corporations that prefer to keep devices locked down.
So, how easy is it to sideload iOS apps?
Easy—like really, really easy. Anyone can do it from their iPhone or iPad right now. And we’re not talking jailbreaking the device, just downloading the app onto the device via desktop or from the mobile browser.
Anecdotally, and if the comments on this recent article about the Cydia Store are anything to go by, jailbreaking isn’t as popular/common as it once was. People definitely still do jailbreak their iOS device (it’ll never completely go away), it’s just that fewer and fewer do as Apple rolls out features that used to only be possible on a jailbroken device. Also, it’s easy enough to sideload iOS apps onto your phone or tablet, so why go through the extra effort?
Jack and I tried two different, but ultimately similar, methods to sideload iOS apps, with the key to both based on abusing Apple developer certificates. The simplest method is via the device itself.
Find a third-party app store you feel is trustworthy enough (whether any truly are is a debate for another time), it won’t be a difficult search to find plenty of options. Select the app you wish to download and after it finishes, go into Settings > General > Device Management and trust the developer certificate. And voila, the app should work and be ready to go.
The other method uses Cydia Impactor, Xcode (though it’s possible to do it just using Xcode, it just requires some additional technical knowledge), and a downloaded IPA file. First, create an Apple developer account; you can create a free one or pay $99/year for one. With Xcode, push your provisioning profile onto the iOS device (follow these directions) and then use Cydia Impactor to re-sign the IPA to your developer profile. Trust your profile on the device and you’re done!
Neither method is flawless, though. The first method relies on the hope that the enterprise developer certificate the app uses doesn’t get revoked, as this will prevent the app from launching. Meanwhile, the personal provisioning profile created with a free developer account will expire after 5-7 days unless you paid the $99.
Kind of shocking in its simplicity, isn’t it?
Or not, if you’re one of the 11% that already routinely adds sideloaded apps to your iOS device. But, I feel like we’re all sort of “taught” that iOS is a walled garden where you have to go to the official App Store to get your apps. Apparently not!
That said, while it remains easy for users to get these apps, it also opens up another vector for bad actors to get spyware and other malicious software onto your iOS device—be sure you can trust the third-party app store where you got the IPA or app.
The other thought is that jailbreaking leaves your device more vulnerable—in theory, malicious apps would have less of an effect on jailed apps than jailbroken. You need to think about the overall threat model here. No method to getting unauthorized apps onto your device is great though, as a Lookout whitepaper says that any sideloaded iOS apps will have unfettered access [PDF] to your device, along with APIs.
So, be careful if you decide to jailbreak or sideload iOS apps, especially if you use your device for work.