by luuurker 667 days ago
Apple controls the OS and the sandbox apps run on independently of the source of the app. Facebook would be able to tell users "you have to give us location access or the app won't run", but Apple controls what data is given to the app. Facebook could implement something to track users in the background, but the sandbox still kills/freezes the app as soon as you hide it. They could implement some kind of tracking, but again, remember that the app runs in a sandbox and Apple controls that sandbox.

This is why a malware app on an iPhone can only do limited damage. It can't access all files, it can't encrypt the storage, it can't launch a DDoS in the background because the OS doesn't let it run, etc. iOS and Android are not Windows.

If you want to know how it works in practice, look at Android. It has supported sideloading for a long, long time. People do install a lot of crap, but that's from the app store. My parents are really bad with tech and never sideloaded anything.

And there are other layers of security too. If you go to a store and buy a Samsung, a Google Pixel, a OnePlus, a Nokia, etc., they all come with Google Services, which includes Google Play Protect... essentially an anti-virus that looks at your apps and flags anything that is known to be malicious.

Are there any downsides? Yes. Are they as bad as some say? The Android example tells us that it doesn't have to be that bad.

2 comments

> They could implement some kind of tracking, but again, remember that the app runs in a sandbox and Apple controls that sandbox.

Sandbox escapes are incredibly common; Apple still controls eliminating your business from iPhones if you attempt to use an exploit to pull user data when you distribute through the App Store.

If you can do distribution via your own site, it becomes a whack-a-mole game with Apple - where data exfiltration exploits are found, Apple fixes them in a new update, then we have to wait for people to update.

And until most users update, the at-fault company is busy siphoning data from any user who can't update (e.g. no wifi / limited data plan) or any user who is slow to approve the update dialog. Eventually the company's app will grow to contain an exploit for the last dozen iOS versions that conditionally executes based on iOS version/feature detection/probing for exploit availability.

> Sandbox escapes are incredibly common

If iOS' sandbox is that insecure, then they have a problem on their hands.

The sandbox is the largest attack surface ever, and trying to lock it down from everything forever is basically impossible.

And as soon as app X starts exploiting a sandbox vulnerability, Apple will patch it.

Apps without App Store review could also start delivering dynamic code packages that aren't included in the binary. There could be targeted attacks via these apps on specific users (say, journalists, politicians and their families, etc.) not delivered to everyone; Apple thus can't analyze until it's been delivered to a device they control. App Store rules forbid dynamic native code delivery.

Perhaps journalists and politicians should stick with the App Store (which is what 99% of users do on Android, where you can sideload apps) and use Lockdown Mode.

> Are there any downsides? Yes.

There are downsides for Apple to the rate of their 30% cut. That is why they are doing their best to keep sideloading off their devices. Not to protect users - as you already stated, there are many other layers of protection in place for that - but to protect their revenue.