Security Analysis of new Sideloading Possibilities on iOS 17.4 / iPadOS 18
The Digital Markets Act (DMA) of the European Union forced Apple to relax its position as the gatekeeper of the iOS and iPadOS operating systems over the course of 2024. Among other things, the DMA stipulates that users should be able to obtain applications from sources not under Apple’s control. Since some key security mechanisms (such as code signing) are based on the fact that apps have so far been signed by Apple, extensive adjustments to the security architecture of the platform were to be expected.
In addition to the expanded possibilities for end-users, the anticipated changes also created new opportunities for security research on the platform. In particular, it was expected that research questions already examined under the competing Android system could now also be addressed under iOS.
However, after the release of iOS version 17.4, which was supposed to bring DMA compliance to at least the iPhone operating system, it became apparent that Apple only half-heartedly implemented some of the requirements. This project investigated to what extent the implemented changes affected the security architecture of the platform and what new research opportunities have emerged.