Is Mandated Sideloading the Answer to App Store Deplatforming?Techdirt
Smartphone app store policies have come into focus recently, following a series of recent conflicts between app makers and app store operators (principally Apple and Google). These include the removal of conservative-oriented social media platforms Parler and Gab, and the ensuing debate about balancing free speech and harmful content. There have also been numerous conflicts over monetization, including disputes over transaction fees for digital goods and services (e.g. Spotify and Epic Games), and privacy changes that affect third party advertisers (e.g. Facebook).
With scrutiny of the tech industry at an all time high, the otherwise niche issue of app store policies has become an increasingly salient part of the broader debate over digital market competition, raising the specter of new government regulation. But what is the optimal level of openness in a competitive app ecosystem, and how does public policy help achieve it? These are harder questions to answer than they seem—involving deep technical, economic, and legal issues.
A Tale of Two Smartphone Operating Systems
According to Statcounter, the global mobile operating system market is dominated by Google’s Android operating system (72% market share), followed by Apple’s iOS (27% market share). Despite having a substantially smaller user base, the Apple App Store earns substantially more direct revenue than the Google Play Store. But this is misleading at first glance.
First, there are important demographic differences. iPhone owners are more concentrated in developed nations, and even in those countries tend to be more affluent and spend more on apps. Their business models are also different. Unlike Apple, which has limited advertising offerings, Google earns substantial revenues through mobile advertising, and even pays Apple billions each year for the privilege to be its default search engine to expand the revenues it can capture. They are also designed in fundamentally different ways. Whereas iOS is a proprietary closed system, Android is (mostly) open source. Notably, there are versions of Android without Google Play or other Google services, particularly in mainland China where it doesn’t operate. Apple, on the other hand, operates the App Store on all iOS devices; and unlike Google, does business in the lucrative mainland China market.
As a result of these different architectures, a conspicuous difference between Android and iOS is that the former allows the installation of apps outside of its Play Store. This can be either through a pre-installed third party app store that ships with the device (e.g. Samsung’s Galaxy Store or the Amazon Appstore), or direct installation of apps or even other app stores, called “sideloading.” Circumventing the Play Store also means that developers can take payments without cutting Google in, typically 30%. Meanwhile, Apple requires users to go through its App Store to download apps, where it takes a similar cut.
Grasping onto this difference, and facing pressure from lobbyists, policymakers in multiple states have proposed new legislation that would force Apple to redesign their operating system to allow circumventing both the App Store and In-App Purchase system (see similar bills in GA, ND, HI, AZ). Notably, a similar provision also exists in the European Commission’s proposed Digital Markets Act.
In theory, this sounds like a good idea. In the wake of recent controversies, many in Silicon Valley have been looking towards decentralization as the answer. Indeed, systems with more openness and interoperability tend to foster innovation and competition, and give users more freedom. The ability to install apps directly could also be an essential workaround when companies remove controversial apps, particularly where they are pressured to do so by activists or governments.
However, there are some good reasons to be wary of rushing to pass such a mandate, both as a substantial fix for digital market competition, and as a precedent for local governments dictating or overseeing software designs—something they’re not known to be particularly competent in.
Trade Offs of a Sideloading Mandate: Cybersecurity and Privacy
Suddenly forcing iOS to allow unvetted apps could introduce a flood of serious cybersecurity vulnerabilities, facilitating everything from spyware to ransomware to identify theft. Such an unanticipated requirement could pose a serious challenge to developers, potentially necessitating years of new work and investment.
A 2019 threat intelligence report from Nokia observed that Android devices were fifty times more likely to be infected than iOS, with the “vast majority” of malware distributed through trojanized sideloaded applications. Because of this risk, Android takes measures to discourage sideloading through user interface mechanisms. Google’s Advanced Protection Program also blocks sideloaded apps for this reason.
Because Android is a more open system than iOS, its privacy and security features are constructed differently. While both operating systems have some form of automated threat detection, app containerization, and other features to limit an app’s access to sensitive systems, these are architected based on different assumptions.
For Apple, a closed-system approach is at the heart of its strategy for iOS. If Apple engineers could no longer count on vetting during the app review process, they may be forced to build new redundancies from scratch, or even redesign major parts of the operating system. Because iOS isn’t open source like Android, it’s hard to tell how much of an architectural challenge this will be.
Apple’s preference for closed systems can be traced to Steve Jobs’ philosophy of end-to-end control of hardware and software, and lack of patience for consumer tinkering, going all the way back to the first Macintosh computer. In 2007, around the launch of the first iPhone, Steve Jobs described applying this thinking to iOS (then “iPhone OS”) in an interview with the New York Times:
You don’t want your phone to be like a PC. The last thing you want is to have loaded three apps on your phone and then you go to make a call and it doesn’t work anymore….These are devices that need to work, and you can’t do that if you load any software on them…That doesn’t mean there’s not going to be software to buy….but it means it has to be more of a controlled environment.
Apple may not give you every option you might want, but it may be a worthwhile tradeoff if your priority is security and privacy, or a seamlessly integrated ecosystem. In recent years Apple’s marketing department has leaned into this as a competitive advantage, and it’s what their customers have come to identify with its brand.
There are also ways out of Apple’s walled garden. The simplest workaround is to access applications directly from a mobile web browser. For instance, if you really want to use Gab, you can create a home screen icon from Safari and access it like an app. Similarly, you can make purchases there without Apple taking a cut. There are, of course, limitations to what you can do in a mobile browser (notably third party browsers are required to use Apple’s WebKit rendering engine and, as with other parts of iOS, Apple reserves some private API functions for itself).
In the US, determined users can legally jailbreak iOS devices to sideload apps without requiring too much technical skill (here’s a handy guide). This works on most Apple devices, after which users can install a range of unauthorized apps and even app stores. But caveat emptor. Unauthorized app stores don’t do much of anything to combat malware. There are other downsides of jailbreaking, including making it much harder to update software, having certain apps break, and potentially voiding your warranty. Notably, Apple has also argued for making jailbreaking illegal.
For those that don’t want to jailbreak their device, there’s also the option to sideload apps from your computer to iOS directly through a known exploit, or through developer environments like Xcode and Testflight. With this approach you can still access third party app stores, such as AltStore or AppValley, albeit with more limitations than jailbreaking. Importantly, installing unauthorized apps through these methods can still expose you to malware.
In short, it’s not *that* hard to circumvent Apple’s restrictions on unauthorized apps if you really want to. Particularly if you’re doing something simple like trying to access an alternative to Twitter that isn’t in the App Store. But if you decide to go all the way and jailbreak your phone, you might be wise to use your banking app on a different device.
Good Reasons to Limit Local Government Control of Digital Markets
There are good reasons to be wary of governments dictating and implementing software design requirements—particularly at the state and local level. As I’ve discussed at length elsewhere, both Congress and federal agencies face serious capacity gaps for in-house policy expertise—particularly for science and technology issues. Yet, relative to states, they have a wealth of competence.
According to the National Conference of State Legislatures, only 4-10 states have legislative bodies that can be considered full-time, well-paid, and sufficiently staffed. Many states have part-time legislatures where lawmakers work other jobs and are supported by a skeleton crew of staff. Whereas Congress is assisted by thousands of support staff at legislative agencies—including the Government Accountability, Congressional Research Service, and Congressional Budget Office—legislative support agencies in the states vary widely in staffing, resources, and services offered, and generally pale in comparison. For instance, while CRS has over 600 staff with expertise in different policy areas, Arizona’s service agency has only five staff, and is also in charge of fixing the computers. State regulatory agencies likewise vary in quality, staffing, and technical competence.
Given the cross-jurisdictional nature of digital commerce, it’s less than ideal to have a patchwork of state regulations, or to allow a single jurisdiction to dictate policies for everyone (as we’ve seen with California’s costly and error-filled privacy laws). As such, if we’re truly set on creating and implementing a mandate for app store interoperability, it would be best to leave this to Congress and federal regulators.
Questions of interoperability policy are tricky, involving a range of tradeoffs and technical challenges. As policymakers approach these issues, regulatory humility is warranted. While iOS is almost certainly below the optimal level of openness, it’s also worth remembering that Android phones are readily available and consumers are free to choose them.
Furthermore, it’s unclear that a sideloading mandate would dramatically change the competition landscape. Even on Android, few users in the US take advantage of sideloading. Nor has the availability of this option pushed down their ~30% Play Store transaction fees. Even in the market for PC software, where users can download anything from the Internet, popular stores like Steam and GoG still charge app developers around 30%. Although some are lower, like Epic Games (12%) and Microsoft (15%), large stores clearly add value (such as through vetting and aggregation) and are not just exploiting a captive market.
Enacting a sideloading mandate to allow Parler or Gab, as some Republican policymakers may want, also isn’t a compelling argument. These sites don’t require complex API access, and it’s easy enough to access them through a mobile browser. But that’s not to say the underlying concern about speech restrictions on closed platforms isn’t legitimate in some circumstances.
Our system of government’s respect for free speech and the rule of law makes it so US policymakers have a limited ability to coerce companies like Apple and Google to take down apps. But this isn’t true everywhere. And this debate isn’t just about US consumers. For instance, Google’s transparency report indicates they complied with removal requests in Russia and Thailand for apps engaged in “government criticism.” Similarly, Apple’s transparency report shows governments, including China, have pressured or required the company to remove numerous apps. And mobile browsers aren’t safe. In some parts of the world, product design choices have implications for human rights, and for helping empower people to resist oppressive governments.
Going back to the US, it’s not clear the sideloading mandate some states have proposed makes sense, either in theory, or how it would likely turn out in practice. Dramatic interventions in the market—such as dictating and overseeing software designs—should meet a substantial burden of proof to demonstrate their necessity and consistency with American principles governance. It’s not clear that the proponents of these proposals have overcome this burden.
But there’s also a normative question: Should Apple voluntarily embrace interoperability for iOS and allow third party app stores, alternative payment systems, and sideloading?
First, we have to consider the potential downsides. They could lose out on revenue from big apps like Fornite that can leverage alternative distribution channels, they would likely have to invest in architectural changes to their operating system, and it could weaken their reputation for security and reliability (e.g. devices your grandparents can use without accidentally downloading a virus).
But smartphones have made a lot of progress since Steve Jobs expressed concerns about reliability and user experience in making the first iPhone in 2007. While sideloading still poses serious security risks, Android has demonstrated that it can be implemented as an option for advanced users, without compromising reliability for everyone else. Despite Android being more open, the Play Store still brings in a lot of revenue for Google, even without factoring advertising. If Apple were to move iOS towards being more open, it could also have benefits for diffusing criticism of the company, particularly as it expands its business in China and other repressive countries.
Today our phones are handling increasingly sensitive information—including our banking, identification, and health records. This makes them a valuable target for bad actors, and so it’s easy to see why many people would choose security over openness. But this can be a false dichotomy. If products are built with the right assumptions, we can have a high degree of both. This doesn’t mean risks go away; merely that users are allowed to make an informed decision to cross the guard rails and take them on.
Those interested in constructive ways to support a more open app ecosystem should also look to Cory Doctorow’s writings on “adversarial interoperability” at the Electronic Frontier Foundation. This concept outlines a series of mechanisms that support permissionless competition through reforming overbearing laws like software patents, the Digital Millennium Copyright Act (which governs jailbreaking), and the Computer Fraud and Abuse Act. These changes have the advantage of improving the entire ecosystem, rather than targeting one company, deregulating protectionist policies. Steve Jobs, who first teamed up with Steve Wozniak in the 1970s to sell illegal phone phreaking gear, might even approve.