With Apple reportedly set to enable sideloading of apps for EU iPhone owners, blockchain security firms have warned that the practice could increase the risk of phishing attacks for crypto users.
According to a recent Computer World report, Apple is set to let iPhone users in the EU install apps without needing to use its official App Store, in order to comply with the region’s Digital Markets Act. This echoes previous reporting from Bloomberg in late 2022.
But a recent report from blockchain security firm SlowMist has highlighted the dangers of app sideloading, with Chinese Android phone users suffering hundreds of thousands of dollars in losses from phishing attacks linked to a fake Skype app downloaded from outside the official Google Play Store.
Were Apple to enable app sideloading, crypto users could be targeted by “phishing attacks, asset theft, account password theft and other risks,” SlowMist told Decrypt.
“If Apple permits sideloading of apps, the inherent risks primarily revolve around the potential presence of malicious developers releasing applications that mimic legitimate ones, aiming to steal user data,” David Schwed, COO of blockchain security firm Halborn, told Decrypt.
Although Apple’s iOS and iPadOS include security features including sandboxing, declared entitlements, and Address Space Layout Randomization (ASLR), Schwed said, “These protections might not fully mitigate the risks posed by skillfully crafted, deceptive applications designed to exploit user trust and may lead to theft of data including credentials.”
While Apple declined to comment on the specific reports above, the company has previously warned of the risks of sideloaded apps in an October 2021 whitepaper. In the document, Apple argued that, “More harmful apps would reach users because it would be easier for cybercriminals to target them—even if sideloading were limited to third-party app stores only.”
In addition, cybercriminals could trick users into sideloading apps by mimicking the appearance of the App Store, the company warned.
Protecting against phishing attacks
Blockchain security firms provided advice on how crypto users can protect themselves against phishing attempts from sideloaded apps. “Don’t click on unknown links; master the basic method of identifying phishing links; maintain suspicion and continuous verification of all authorization and passwords,” a spokesperson for SlowMist told Decrypt. The company also pointed to its Blockchain Dark Forest Safeguard handbook.
“Users can take proactive measures by scrutinizing the source of sideloaded apps,” Halborn’s Schwed told Decrypt, adding that “users should exercise caution by examining the app developer’s credibility.”
Ultimately, though, the best protection from sideloaded malware is simply not to sideload apps, he said: “Opting for applications from established and reputable app stores like Apple’s App Store or Google Play Store, where apps undergo rigorous security reviews, can significantly reduce the risk of encountering harmful software.”
Edited by Andrew Hayward