Sideloading: The App Association Calls for Stricter Measures Against Piracy Apps
In the evolving landscape of mobile app distribution, the debate over sideloading has intensified, particularly in the European Union following regulatory changes mandated by the Digital Markets Act (DMA). The App Association (ACE), a prominent industry group advocating for fair competition in app ecosystems, has publicly urged Apple and EU authorities to adopt a more rigorous stance against apps distributed via sideloading that facilitate digital piracy. This call comes amid growing concerns over the proliferation of unauthorized software following the introduction of alternative app distribution channels on iOS devices.
Sideloading refers to the process of installing applications on devices outside official app stores, such as Apple’s App Store or Google Play. Traditionally restricted on iOS for security reasons, Apple was compelled to enable sideloading for EU users with the release of iOS 17.4 in March 2024. This change allows developers to offer apps through web-based marketplaces or direct downloads, subject to Apple’s notarization process—a review mechanism designed to scan for malware and ensure basic compliance. However, critics argue that this framework falls short in curbing piracy-enabling tools.
ACE, which represents companies including Epic Games, Spotify, and other stakeholders pushing for app store reforms, highlighted several high-profile examples of problematic sideloaded apps. Among them are iTorrent, a BitTorrent client capable of downloading copyrighted material directly on iPhones; UTM, an emulator that supports running legacy software including pirated games; and Delta, a retro game emulator often paired with unauthorized ROMs. Additional apps like Apollo for Reddit, ChitChat for WhatsApp, and iTorrent have been cited for either directly enabling or indirectly supporting piracy activities.
In a detailed letter addressed to Apple’s CEO Tim Cook and EU competition chief Margrethe Vestager, ACE emphasized that the current safeguards are inadequate. The association points out that Apple’s Core Technology Fee (CTF)—a 50 euro fee per install after the first million annually—and the notarization process do little to prevent the spread of piracy tools. Notarization, they argue, only performs superficial checks for known malware signatures and stability issues, lacking the comprehensive content review applied to App Store submissions. As a result, sideloaded apps can bypass policies prohibiting the facilitation of copyright infringement.
The letter underscores the broader implications for the app economy. Piracy apps undermine legitimate developers by eroding revenue from in-app purchases, subscriptions, and premium downloads. ACE estimates that unchecked sideloading could exacerbate losses already inflicted by platforms like AltStore and Sideloadly, which have historically hosted such software. The group warns that without intervention, the EU’s DMA goals of fostering competition could inadvertently bolster illegal activities, damaging consumer trust and the digital single market.
Apple’s response to sideloading has been measured. The company maintains that notarization provides robust protection, blocking over 6.5 billion malware-laden installs since 2020. It also enforces eligibility criteria for alternative marketplaces, requiring them to undergo independent security audits. However, ACE contends these measures are reactive rather than proactive. For instance, while Apple can remotely revoke notarization certificates for violating apps, enforcement has been inconsistent. Apps like iTorrent remained available for weeks after initial complaints, allowing widespread distribution.
EU regulators face a delicate balancing act. The DMA aims to dismantle gatekeeper monopolies by mandating openness, yet it does not explicitly address piracy. Vestager’s office has prioritized competition over content moderation, but ACE urges a reevaluation. The association proposes several enhancements: mandatory pre-distribution content reviews for sideloaded apps, harmonized EU-wide rules on piracy facilitation, and collaboration between platforms and authorities for swift takedowns. They also advocate for transparency reports detailing piracy app detections and removals.
This push aligns with ACE’s long-standing campaign against app store dominance. Formed to challenge Apple’s 30% commission and restrictive policies, the group now pivots to safeguard the ecosystem it seeks to liberalize. Industry observers note that similar concerns have arisen on Android, where sideloading is native but policed via Google Play Protect. Yet iOS’s closed nature amplifies the stakes post-DMA.
Developers of the flagged apps have defended their offerings. iTorrent’s creator, for example, insists the app is neutral, merely providing torrent functionality without hosting infringing content. Emulators like UTM and Delta argue they enable preservation of abandonware and personal media use, not systematic piracy. Nonetheless, ACE dismisses these claims, citing real-world misuse evidenced by user forums and download statistics.
As sideloading gains traction—EU iPhone users have installed over a million apps via alternatives in the first months—stakeholders await responses from Apple and Brussels. The outcome could redefine app security paradigms, balancing innovation with intellectual property protection. For consumers, it raises questions about device safety: while sideloading expands choice, it potentially exposes users to unvetted software risks.
ACE’s advocacy signals a critical juncture. Stricter enforcement might deter piracy but could stifle legitimate alternative distribution. Conversely, lax oversight risks normalizing infringement, eroding the incentives for quality app development. With ongoing DMA compliance monitoring, the next few months will be pivotal in shaping sideloading’s future in Europe.