Hexnode CEO: Enterprises must get ready for app sideloading

Just because you can do it doesn’t always mean you should — and when it comes to app sideloading on iPhones and iPads in Europe, (and elsewhwere), IT must take steps to lock down their devices to ensure only trustworthy apps and data make it to Apple devices used across the company. That’s the first takeaway from my conversation with Hexnode CEO Apu Pavithran.

Hexnode is one of the growing number of companies in the Apple enterprise ecosystem; it creates its own device management solutions to protect devices.

Apple could get like Android in a bad way

Pavithran recognizes Apple’s growing space in enterprise tech. “Apple has significantly transformed its footprint in enterprise IT over the last decade, with the rise of Macs and iPhones in corporate environments stemming from their user-friendly design and strong security focus,” he said. “Both are crucial for enhancing employee productivity and experience, especially with remote work.”

But, to him, the move to open Apple’s platforms to sideloading in the EU poses challenges that need to be locked down. “Forced sideloading could open the door to risks like fake apps, malware, and social engineering attacks that have long plagued the Android ecosystem,” he warned.

Pavithran also stressed that users need to be cautious in their use of any third-party stores that may emerge in Europe. 

Enterprise users have to protect themselves

That caution extends also to enterprise IT, which must take time to thoroughly review these stores, the companies and the developers behind them — and pay particular attention to what permissions are requested by the stores and apps.

“Enterprises can’t afford to be complacent about sideloading risks,” he said. “Mobile device management (MDM) is now the bare minimum to block rogue app downloads and enforce strict policies. But MDMs alone won’t cut it…. We also need zero-trust security constantly verifying every user and device. Ongoing employee training is also critical to empower people to identify potential threats from third-party app stores. Only a multi-layered approach can protect enterprises in this new sideloading era.”

Users need time to learn the risks

Some might say that sideloading has always been possible on Android, arguing that the Apple ecosystem is exaggerating the threat. That claim seems to ignore the ample evidence of platform fragmentation and malware that impacts Android users.

“Android users have had years to adjust to the risks and practices associated with third-party app stores. iOS users might be less familiar with these risks, making them more susceptible in these early days,” he said. “Many users may not fully understand the risks of sideloading or how to verify an app’s trustworthiness and intentions.”

Apple’s approach to sideloading reflects the tightrope it must walk.  Sure, there’s an element of struggle to preserve at least some of its lucrative App Store business, but the company also recognizes the need to ensure at least minimal safeguards are in place to protect the majority of its users who don’t have the time, knowledge, or interest to empower fully informed security decisions. 

The company knows that it prevented $1.8 billion in value of App Store fraud in 2023 alone, so it recognizes the risks. It will take time for iOS users to get to understand how with sideloading at least some of the security responsibility will shift to them.

So, where does this leave enterprise IT?

A changing environment for apps

One thing we do know is that once Europe’s sideloading stores appear, the people running them will do everything they can to convince Apple’s users to purchase things from those stores. 

To do so, they’ll try a range of approaches, likely including exclusive app distribution deals, discounts on sales, and focused marketing campaigns. In the first instance, these stores will be chasing users, not sales, which means convincing people to part with their credit card details to make a purchase. (They will be hoping to get those who do make a purchase more engaged over time.)

That means the environment will be both competitive and attractive, even as the users themselves might not yet appreciate what’s happening.

Enterprise IT will want to prevent a free-for-all on company-owned devices, which means they’ll use MDM systems (such as the ‘allowMarketplaceAppInstallation’ restriction) to prevent installation of unauthorized apps or from stores that haven’t yet passed corporate security review.

Vigilance is the cost of liberty 

One thing that’s certain is the move to embrace sideloading in Europe is likely to add new layers of complexity to Apple’s ecosystem. IT will need to lock down access to third-party stores pending review, and will need to embrace zero-trust security principles and frameworks to minimize the available attack surface.

“Regardless of how the sideloading landscape evolves, admins must remain vigilant,” Pavithran said. “They need to keep a close eye on emerging threats and trends in the here and now. But they must also monitor regulatory developments that could dramatically reshape Apple’s mobile ecosystem and security approaches down the road. Staying on top of the immediate realities and potential future disruptions will be key for effective mobile security management.”

Please follow me on Mastodon, or join me in the AppleHolic’s bar & grill and Apple Discussions groups on MeWe.