Thoughts on the App Store

- 23 mins

One year ago, I launched AltStore as a brand new way to sideload apps not allowed in the App Store, including my Nintendo emulator Delta. Since then, the conversation regarding sideloading and Apple’s control over the App Store has grown tremendously. In just the past year:

Capping things off, just last week the U.S. House released their highly anticipated tech antitrust report, in which they explicitly stated that Apple’s monopolistic power in the mobile app store market has caused real harm to developers and end users.

I’ve been wanting to write up my thoughts on the App Store for a while, but had trouble solidifying exactly how I felt about it. As a user, I love the App Store and would hate to see it become less important to iOS. In practice though, the current App Store situation has some significant problems which are getting harder and harder to ignore — several of which Congress’ antitrust report explicitly call out, such as requiring developers to implement in-app purchases or risk being thrown out of the App Store. I’ve wrestled with these two seemingly conflicting notions for a long time, but after running an alternative app store for the past year I’ve finally been able solidify my thoughts on what I believe is best for the platform.

So to celebrate AltStore’s first birthday, I decided to finally write up my thoughts on the App Store — including why I went through all this effort in the first place and why I believe sideloading is ultimately the right long-term solution for iOS. I know my opinions won’t be shared by everyone, but hopefully my perspective will at least shine some light on the real value sideloading adds today to the platform, not just in a hypothetical future.

My App Store-y: From GBA4iOS to Delta

Back in 2013 while still in high school, I built a Game Boy Advance emulator app for fun that let me play Pokémon Emerald (and every other GBA game) on my phone. It was nothing spectacular, but it worked, so once I installed it on a few of my friends’ phones I decided to upload the source code to GitHub under the name “GBA4iOS”.

I soon discovered a service that allowed anyone to install open source iOS apps over-the-air (OTA) by signing them with an enterprise certificate, so on a whim I decided to promote that as the “official” way to install GBA4iOS. Long story short: GBA4iOS blew up, and I accidentally found myself working full-time on an app not available in the App Store. Unfortunately, Apple eventually revoked the enterprise certificate I was using to distribute it (and patched the subsequent “Date Trick” that allowed it to keep working by setting your iPhone’s date back), ending my brief but exciting time working on GBA4iOS.

Following GBA4iOS’ success (and untimely death), I then got to work on my next project: Delta, an all-in-one Nintendo emulator. Rather than devote all my time to building another app that wouldn’t be allowed in the App Store, I decided to reach out to Apple directly and work with them to find a way to get Delta approved. To my delight, I was told by the App Review team that Delta could be approved as long as I provided Apple with an allowlist of games they could review and deem “acceptable” for users (sound familiar?). Willing to do anything to get Delta in the App Store, I accepted the restrictions and got back to work.

One year later I’d made significant progress with Delta, so I reached out again to Apple to discuss actually submitting Delta to the App Store. Unfortunately…that’s when Apple told me Delta would not be allowed in the App Store after all because they “can’t allow emulators”. I was stunned; Apple had led me on for a year, then when it came time to follow through they changed their minds and told me emulators were not allowed in the App Store, period. Just like that, all the work I had put into Delta was for nothing. Because the App Store was the only way to distribute apps at scale to iPhone users, I had no choice but to accept Apple’s decision and throw away all my work.

Except, I didn’t. The only thing I cared about was getting Delta into the hands of anyone who wanted it, and there was no way I was going to give up just like that. If Apple wasn’t going to give me a way to do that, so be it — I’d just have to build it myself.

Sideloading: A Sweet Solution

Contrary to popular belief, iOS does actually support sideloading apps not in the App Store. Starting with iOS 9, Apple allows anyone with an Apple ID to use Xcode and install apps they’ve developed themselves to their devices — even without a paid developer account. Apple made this change to better accommodate students who couldn’t afford Apple’s $99/year developer fee, because they realized how important it was to be able to run your own code on your device.

How then does Apple’s own approved sideloading solution work? On a technical level, it’s the same as with a paid developer account: Xcode “signs” a compiled app (.ipa) with a certificate and provisioning profile associated with your Apple ID, which allows it to be installed and pass code-signing checks on any device whose UDID is included in the provisioning profile. However, Apple also added several limitations for apps signed by non-developer accounts, in what I assume are attempts to make this too cumbersome for mainstream adoption. Here’s a comparison between the two:

Paid Developer Account

Regular Apple ID

Even with restrictions, having a way to sideload apps is way better than none at all. Yet despite some initial excitement, in practice the restrictions proved too strict for day-to-day app usage. Apple finally built a legitimate way to sideload apps, but (by design) no one was using it due to how cumbersome it was.

Wouldn’t it be great if there was a way to make this process just a tad bit easier, for those who really wanted it and were willing to go through the effort?

AltStore

From working on GBA4iOS, I knew there was a demand for apps that weren’t allowed in the App Store. So rather than build out a whole distribution method just for Delta, why not build it in a way so that it can be used by other developers as well? That was the crux of AltStore’s philosophy: build a home for apps that really push the boundaries of what iOS can do, and make them available for everyone.

I wanted to build a method that couldn’t easily be stopped by Apple, which is why I decided to base it on the existing Xcode sideloading support. By providing your Apple ID and password, AltStore can sign in with your Apple ID and “resign” apps so they can be installed to your device. Since iOS devices can’t sideload apps directly, AltStore sends resigned apps to AltServer — a desktop companion app for Mac/PC — which then installs the apps back to your device via iTunes WiFi Sync.

Would this really be worth it though? Would people really download a desktop app to download an iOS app to download Delta, especially when it involves trusting a stranger with their Apple ID and password? Do people really want sideloading that bad?

As it turns out: absolutely!

One year later, I couldn’t be happier with the response: AltStore has been downloaded by over 1 million people to sideload over 100 different apps to their iOS devices, and it’s still growing every day! It’s been absolutely incredible to see what ideas are possible without the constraints of App Review; in a way, it feels like a return to the early days of the App Store where creativity and indie developers flourished, rather than the more corporate marketplace it is today.

But don’t take my word for it. Here are 5 of the most popular apps available with AltStore today:

Delta
My all-in-one Nintendo emulator that allows you to play any NES, SNES, GBC, GBA, N64, and DS game on your iPhone (and soon iPad + macOS). Not allowed in the App Store because Apple doesn’t allow emulators.
Website: https://deltaemulator.com/
GitHub: https://github.com/rileytestut/Delta


Clip
My clipboard manager that can actually run in the background indefinitely and listen for changes to your clipboard to save them for later. Not allowed in the App Store because apps aren’t allowed to run forever in the background, or use private APIs (necessary for listening to clipboard changes in background).
Blog Post: http://rileytestut.com/blog/2020/06/17/introducing-clip/
GitHub: https://github.com/rileytestut/Clip


UTM
A complete Virtual Machine app based on QEMU that lets you run Windows, Linux, macOS, and more on your iOS device. Not allowed in the App Store because Apple doesn’t allow emulators.
Website: https://getutm.app/
GitHub: https://github.com/utmapp/UTM


iSH
A full-featured Linux shell for iOS, allowing users to run real Linux applications and programs with a native command line experience. Not allowed in the App Store because Apple doesn’t allow Terminal-like apps (…or Linux emulation).
Website: https://ish.app/
GitHub: https://github.com/ish-app/ish


DolphiniOS
A port of the popular cross-platform emulator, DolphiniOS allows you to play any GameCube or Wii game on your iOS device, with advanced options like upscaling graphics to 1080p (or higher!). Not allowed in the App Store because Apple doesn’t allow emulators.
Website: https://dolphinios.oatmealdome.me/
GitHub: https://github.com/OatmealDome/dolphin


Far too much focus has been spent on the financial impact of Apple’s role as Gatekeeper, but the reality is that’s just one part of this whole debate. That may be what the big companies are most concerned with, but us smaller developers are far more concerned with being able to distribute our apps at all. The above apps are all products of love by their respective developers, and no change to the App Store’s payment policies will allow these apps in the App Store.

The only solution for these apps is sideloading.

Back to the App Store

An App Store-exclusive model worked well for iOS’ first decade or so, but as the platform matures it’s becoming more and more evident what the downsides are to such strict control. Increasingly convoluted rules regarding payment systems, outright banning of new industries (without ridiculous compromises), censorship by authoritarian governments (including the United States), scam apps sneaking through review (repeatedly)…you get the picture.

Combined with the ongoing legal battles regarding Apple’s control over the App Store, I believe the tide has finally turned.

12 years on, it’s clear that while band-aids can be applied to the App Store Guidelines every few years or so to quell developer dissent, the underlying philosophy that Apple maintains sole discretion over which apps are allowed to run on its platform is showing its age. Imagine a world where Apple had rejected Uber or Lyft on the basis ride-sharing was inherently unsafe. That would have been completely defensible — I personally would have most likely supported it — but without iOS the entire ride-sharing market would simply never have existed. Now imagine a world where Apple rejects all vape-related apps on the basis vaping is inherently unsafe — oh wait, that one actually happened.

I don’t fault Apple for these decisions — I think it’s entirely reasonable for them to reject potentially unsafe apps from their store out of an abundance of caution. In fact, I’d love to see Apple become even more strict with App Review so we can actually trust that apps we download from the store aren’t scams. The problem is not so much App Review, but rather the fact that if you don’t pass App Review you cannot exist on iOS at all. This simple fact has two notable repercussions:

  1. The overall quality of apps in the App Store has decreased, since App Review must accommodate all apps that want to be on the platform, not just the “good” ones.
  2. Apps that don’t fit Apple’s philosophies — like emulators, clipboard managers, virtual machines, command-line shells, etc. — can never officially exist on iOS.

Sure, Clip can’t be approved because it uses private APIs which could break at any time — but is it really better for the platform that clipboard managers can’t exist at all, rather than just be available for those who really want it? I’ve used a clipboard manager on my Mac for years now and have yet to see any negative effect, so it seems strange to me I can’t make the same decision for my iPad where it would be even more useful (especially for writing this blog post!).

What, then, should Apple do to fix this situation? Based on my experience with AltStore, I’m confident the only reasonable long-term solution is to allow some form of sideloading. This would actually allow Apple to be even more strict with App Review, since apps that didn’t follow the guidelines could still be installed, rather than outright banned from the platform. Antitrust complaints would almost immediately disappear, and Apple would still maintain control over the central place for apps.

Most importantly though: I do believe iOS would suffer if the App Store was no longer the place to download apps. For that reason, any sideloading solution should be cumbersome enough that the App Store remains the central place to download apps. Having one central place to download apps is a tremendous usability win, and lowering the bar for sideloading too much might tempt developers who otherwise would’ve just put their app in the App Store. In other words, the App Store should remain the way to download all apps allowed by App Review; only apps that aren’t allowed in the App Store should be distributed separately.

Given these constraints, I see two possible sideloading solutions.

Option 1: Gatekeeper for iOS

I’ll start with what I believe is the most straightforward solution: bringing macOS’s Gatekeeper feature to iOS. Gatekeeper is a great security feature that prevents you from launching apps unless they have been signed with a “Developer ID” certificate and notarized with Apple. What does this mean? Basically:

  1. Notarization allows Apple to scan all apps for known malware before distribution.
  2. Malicious apps can be remotely killed by revoking their Developer ID certificate, allowing Apple to block installations if needed — despite not being in the App Store.

A hypothetical Gatekeeper for iOS would function very similarly. Disabled by default, users would be able to choose to allow installing apps from outside sources as long as the apps are properly signed and notarized. The sandbox would remain in place, so apps would still need to explicitly ask permission to access sensitive data/hardware (photos, camera, microphone, etc), and the apps would be 100% removed when deleted from the home screen. Additionally, Apple already prevents Mac apps from using certain features when not distributed through the Mac App Store (such as iCloud), so Gatekeeper for iOS should also restrict what apps can do without going through App Review.

I do expect one major difference from macOS: I don’t think on-device sideloading should be allowed. Instead, Apple should require you to use a Mac or PC to sideload apps over lightning (/USB-C). Letting iOS devices sideload apps directly would certainly be more convenient for legitimate use-cases like AltStore (as mocked-up in this great “informal design document” by Zach Knox), but I’m worried such a low bar would make it easily abused by malicious individuals. By requiring a desktop computer, you’d need to go through the same cumbersome process for each app installation (and app update). This would implicitly force users to contemplate whether each app they want to sideload is worth the effort, reducing chances of accidentally installing malware.

Of course, there’s another reason why sideloading should remain complicated: should it be too easy, what’s to stop apps from exiting the App Store en masse like they’ve done with the Mac App Store? Developers left the Mac App Store because distributing apps via the web was ultimately more convenient than dealing with App Review, and I’m worried the same thing would happen on iOS. Requiring a computer, however, would still allow developers to distribute apps not allowed in the App Store, while also raising the barrier-to-entry enough to keep the App Store as the preferred method to distribute apps.

Option 2: Expanded Free Developer Account Sideloading

Rather than introduce a new feature, Apple could instead decide to just expand upon the existing sideloading feature used by AltStore. When Xcode 7 first introduced sideloading, users were required to re-sign their applications every 3 months to prevent them from expiring. This was annoying, but understandable in order to dissuade developers from using it instead of the App Store. About a year later though, this time limit was reduced from 3 months to just 7 days. In practice, having to refresh apps every week is too much of a burden for continued app usage, especially when the process involves connecting to your computer. Furthermore, iOS also limits you to installing only 3 sideloaded apps at a time; if you want to install a 4th, you have to delete another one first.

By simply removing the 3-app limit and extending app expiration back to 3 months (or longer!), suddenly this existing feature could be reasonably used to distribute apps. Just like with a Gatekeeper approach, all iOS security protections such as the sandbox would remain in place. A computer would still be necessary like it is today, resulting in the same benefits I mentioned above. Basically, it would be like AltStore but without having to refresh your apps every 7 days. Most importantly for Apple though, they could easily spin such a change as “improving the development experience for students” rather than as an explicit response to App Store controversies — implicitly leaving it up to AltStore (or others) to leverage it and turn into a legitimate distribution method while relieving antitrust pressure.

However, compared to Gatekeeper this does come with some notable downsides. Because each app is self-signed, there’s no easy way for Apple to remotely disable a malicious app (since each user’s copy has a different signing certificate). Resigning apps can mess with entitlements, such as accessing the keychain or app groups. Self-signed apps also lose access to certain cross-platform functionality like Handoff, which normally requires the same developer team for both Mac and iOS for security reasons. These trade-offs are the same that exist today with AltStore and are mostly manageable, but might become a bigger issue at scale.

So what will Apple do?

At this point, I think the real question is not whether Apple will expand support for sideloading, but whether they’ll do so before legislation forces them to. Australia, Russia, the EU, and the United States are all independently investigating Apple and the App Store for antitrust practices, and it would take just one of them to pass a law requiring Apple to allow apps from outside sources. I want to believe Apple knows this and is planning their own solution, but I’m worried they won’t see the writing on the wall until it’s too late.

AltStore has proven it’s possible to embrace sideloading without threatening the central App Store model — as long as it remains sufficiently more inconvenient than the App Store. Either one of the above options would meet that criteria, but personally I think the Gatekeeper approach is best for the platform. The App Store would remain the place to download apps, but any apps that simply can’t be in the App Store could still be sideloaded via a computer. Apps would be signed with the developer’s Developer ID and notarized, allowing Apple to remote kill any malicious apps that pop-up. Just like macOS, but without compromising any iOS security.

Regardless of which option Apple chooses, by requiring a computer Apple could continue positioning iOS devices as “managed devices” (or “consoles”, depending on who you ask), while also sticking to their rationale that the Mac is the tool for tinkerers who want to mess with their devices. Plus, either solution would most likely prevent Epic from launching their own Epic Games app store due to the complexity — another benefit for Apple.

Thankfully though, we have some power to shape how iOS evolves. The App Store will almost certainly be the main topic of discussion for the next year in the Apple community, and historically major grievances like this are addressed in the next major iOS version. To name a few:

By keeping the conversation about the App Store going, we’re letting Apple know this is something we care strongly about. Who knows, maybe with enough noise Apple will adjust their plans for iOS 15 and fix this App Store mess once and for all 🤞

My intention was never to go to war with Apple; Apple remains my favorite company, and I am extremely thankful for the opportunities they’ve given me as a developer. All I wanted was to positively shift the status quo towards something better for everyone. Rather than refuting countless straw man arguments, I decided to prove there was another way forward — a way to embrace sideloading without compromising the benefits of the App Store. Today, millions of people are now sideloading apps with AltStore — onerous restrictions and all — and the App Store is in no worse position for it.

All I care about is distributing my apps to anyone who wants them. Please, Apple, just let me do that 💜

Riley Testut

Riley Testut

Independent iOS developer, USC student, and Apple fan.

comments powered by Disqus
rss facebook twitter github youtube mail spotify lastfm instagram linkedin google google-plus pinterest medium vimeo stackoverflow reddit quora quora