Part of:Understanding sideloaded apps and how to deal with them
How to sideload iOS apps and why it's dangerous
IT professionals might think the hassle of jailbreaking a device deters users from sideloading iOS apps. Learn the other methods users turn to and why it's still dangerous.
Most mobile administrators know how simple it is to download and install third-party apps onto Android devices. However, they might not realize that Apple devices aren't safe from sideloading either.
The process of accessing sideloaded applications in iOS or iPadOS is easy -- really easy. Anyone can do it by jailbreaking their iPhone or iPad, as long as the current firmware version is within a specific range. Jailbreaking a device opens access to alternative app stores that are not authorized by Apple.
Anecdotally, jailbreaking isn't as popular or common as it once was. Some people still choose to jailbreak their device -- this will never completely go away -- but the number of jailbreakers is getting smaller and smaller as Apple rolls out features that were previously only possible on jailbroken devices. Also, it's easy enough to sideload apps onto a phone or tablet, so users might not find it necessary.
How to sideload apps to a device without jailbreaking it
There are two different methods to sideload apps that don't require the iPhone or iPad to be jailbroken. The simplest method is through a desktop device.
Method 1: Connect to a desktop device
The first step to sideloading on an Apple device is finding a trustworthy third-party app store. What constitutes a truly "safe" app store is a debate for another time. It shouldn't be difficult to find plenty of options. Then, download the app store to a Mac or PC. From there, the user can take the following steps:
Connect the iPhone or iPad to the computer and enable Wi-Fi sync.
Launch the alternative app store on the desktop device. Find and select the option to install it on the mobile device.
After installation, the user should be able to open the app store on their mobile device and use it to sideload apps. They can download apps directly or sideload their own IPA files by importing them through the app's interface.
The process of accessing sideloaded applications in iOS or iPadOS is easy -- really easy.
Method 2: Use Xcode
Another sideloading method is to use Xcode and a downloaded IPA file. Developers or users with access to the source code can use Xcode to sideload apps. This method requires some additional technical knowledge. The process consists of two main steps:
Create an Apple developer account, which costs $99 per year. Free accounts are also available, but then the app is only accessible for seven days.
Build and run the app directly onto the connected mobile device.
Neither method is flawless. The first method relies on the hope that Apple doesn't revoke the app's enterprise developer certificate, which will prevent it from launching. It's also important to note that IT administrators can prevent these actions with some basic device management security protections.
Risks of sideloading apps on Apple devices
The inherent issue of sideloading mobile applications is somewhat obvious: They aren't coming from approved and carefully vetted sources. The Apple App Store vets its mobile applications for malware and other potential threats before approving and distributing them. While security breaches are still possible through apps from the official app store, the world of sideloaded apps is the Wild West compared to it.
Apple takes a walled garden approach to security, where the vendor preapproves every software or service that can run within its OSes. The default is not the flexibility to run whatever users or admins want; it's security. To sideload a mobile app on an iOS device is to open the gate to that garden. The user might only crack it open, but all it takes is one malicious download to usher in malware infections and undermine the entire approach.
The security risks of sideloading tend to outweigh the benefits, but IT admins must consider this case by case. The security and privacy benefits of sticking with the authorized Apple App Store include the following:
App review. Every app submitted to the official Apple App Store undergoes a thorough review process. The review process checks for compliance with Apple's strict guidelines for security and privacy.
Continuous monitoring. Apple monitors apps even after approval, looking for any behavior that might violate App Store terms or pose a security risk.
Signature checks. App Store apps are signed with digital certificates. This ensures that they have not been tampered with since the initial review process.
Privacy labels. Developers must declare what data their apps collect and how it will be used. This added layer of transparency enables users to make informed decisions based on what information they do or do not wish to expose.
Automatic updates. Apple can push out app updates through the App Store. This approach addresses vulnerabilities quickly and applies patches automatically.
Deprecated APIs. Apple can deprecate or remove access to APIs that could pose security risks. This pushes App Store developers to update their apps on a regular basis.
App Store payments. The use of Apple's in-app purchase system for digital goods and services adds another layer of security for transactions, protecting against fraudulent apps that could steal payment information.
Keep in mind that these policies are not in place everywhere, and they might change in the future. In response to the EU's Digital Markets Act, Apple has moved to enable alternative app marketplaces in iOS 17.4. This change only applies to users in the EU. The app stores still must adhere to Apple's notarization process to ensure they meet baseline security and privacy standards. However, even these Apple-approved alternative app stores could pose unforeseen risks to devices that use them.
How to manage sideloading in the enterprise
The simplicity of the sideloading process might surprise some IT admins. Apple's ecosystem has the reputation of being a walled garden that requires all apps to go through the official App Store, but this is not always the case.
While it remains easy for users to access these apps, they open up another vector for bad actors to get spyware and other malicious software onto iOS devices. Organizations must be sure they can trust the third-party app store where the IPA file or app originated from.
Jailbreaking leaves devices even more vulnerable to attacks. In theory, malicious apps can do less damage to devices with all their security controls intact than jailbroken ones. Admins need to think about their overall threat model. From a security perspective, no method of getting unauthorized apps onto a device is great. That's why MDM platforms and similar security tools are so useful. These tools can identify and quarantine compromised devices so they don't cause undue harm.
If admins decide to jailbreak devices or sideload apps -- or they allow users to do so -- they must be very careful. The threat is especially high for devices operating on enterprise networks that contain a wealth of sensitive information.
Editor's note:This article was originally published in 2022 and was updated in 2025 to improve the reader experience.
Andrew Froehlich is founder of InfraMomentum, an enterprise IT research and analyst firm, and president of West Gate Networks, an IT consulting company. He has been involved in enterprise IT for more than 20 years.
Kyle Johnson is technology editor for Informa TechTarget's SearchSecurity site.
