Skip to main content

AltStore allows limited sideloading of iPhone apps Apple doesn't approve

As Apple faces pressure to open up the iPhone to third-party App Store providers, one developer has been helping users sideload apps since 2019 — and has issues with overbroad legislation demanding users be able to sideload.

Apple has been persistently consistent and clear on its view that sideloading brings malware risks, and it's going to take changes in the law to make it allow unapproved apps onto the iPhone. Yet developer Riley Testut has been using one of Apple's own tools to allow users to install apps from outside Apple's curated App Store.

According to Fast Company, AltStore has been downloaded over 1.5 million times since its 2019 launch. It reportedly has over 300,000 active monthly users, and almost 6,000 of those contribute to Testut's Patreon, paying over $14,500 for him to work on the service full time.

Once installed, AltStore lets users add apps made by Testut. Users can also add any app they can find from anywhere, so long as it is using the .ipa format. Versions of social media apps that have had their ads removed are reportedly popular, as are classic game emulators.

AltStore exploits the fact that Apple's Xcode development platform allows users to load apps they're developing, straight onto their own iPhones.

"When Apple announced that [feature in 2015], I was like, 'Oh, so there's some way to install apps onto iOS just with an Apple ID,'" says Testut. "And from there I expanded that into a full solution."

The full solution is not straightforward. It requires a user to install a Mac or PC app called AltServer, then AltStore security signs an app so that appears to have been made by the user.

Apps can only be installed when iPhone and Mac or PC are on the same Wi-Fi network, and running AltServer. Only three such apps can be installed at any time, and one of those is the mandatory AltStore.

It is possible to swap out apps, but there are limits on this too. Any one user can only sideload up to 10 apps per week, and moreover FastCompany says that every app installed must be "refreshed" by connecting to AltServer once a week.

AppleInsider staffers have used the AltStore periodically since release. We can confirm that it works, and does what it is advertised to do. However, the installation of both the AltServer and apps through it can be finicky.

LifeProof SEE SERIES Case for iPhone 13 Pro Max & iPhone 12 Pro Max - MOTIVATED PURPLE

  • Was: $31.16
  • With Deal: $26.92
  • You Save: $4.24 (14%)

There’s a new vision of sustainability and simplicity. Meet SEE, the clear-backed case that’s making a big impact. Made with over 50% recycled plastic and DropProofto 2 meters, SEE has a small environmental footprint and withstands big calamities —while keeping your phone on display. And its low-profile, form-fitting design leaves your phone feeling just right in your hand and back pocket.

Sideloading is a risk

Testut may not be able to circumvent these and other Apple limitations, but he plans to create a security system that will ensure sideloaded apps are not malicious.

"There's a lot of risk to sideloading," continues Testut. "Because we're the tool that people are using, it's our responsibility to make sure that we're doing what we can to prevent people from accidentally screwing themselves over."

So perhaps ironically, Testut agrees with Apple about sideloading, or at least he does when it's potentially on a large scale. He does not approve of proposed legislation that would conceivably allow any consumer to download any app, without some protection.

"We don't like the bills, actually," he told Fast Company. "We really think they are too broad, and they have serious ramifications for consumer privacy."

However, Testut does very much believe that everyone should have the right to sideload if they want to. And he believes that the app industry needs that freedom.

"Apple takes an approach to the App Store where they only approve what they imagine already," he says, "so anything that pushes the boundaries of that, Apple will just reject."

"We need a way for apps that push the boundaries to first exist, and then people will see it exist and want it in the App Store," he continues. "No cool, fun apps are coming out. We want to see more small, but quirky, fun apps in AltStore."

Popular posts from this blog

Twitter has hidden the chronological feed on iOS again – and I'm furious

In a controversial move, Twitter has brought back a feature that removes the 'Latest Tweets' view for users on iOS, which is something that many users, including me, hated back in March 2022 – and it's now rolling out. The first time the company decided to do this, 'Home' would appear first in a tab at the top, and there was no way of changing it so that 'Latest Tweets' would be the default view. It was reverted back after the company said it was a 'bug' for iOS users. This time though, it's no bug. Instead, it's 'For You' and 'Following' where you can only swipe between them now, which doesn't make much sense for a platform where you're using the platform to keep up to date with who you follow. It's a bizarre change that makes me ask – who wants this, especially during a time when its new owner, Elon Musk, is bringing in and reversing changes almost every week still? This one change will have big consequenc

Port of Lisbon hit by ransomware attack

One of Europe’s busiest seaports, the Port of Lisbon, has been hit with a ransomware attack that knocked some of its digital systems offline. "All safety protocols and response measures provided for this type of occurrence were quickly activated, the situation being monitored by the National Cybersecurity Center and the Judicial Police," a statement shared by the Port of Lisbon Administration (APL) with local media earlier this week said. The incident failed to impact the port’s operations, but did take its official website, portodelisboa.pt, offline. LockBit taking responsibility "The Port of Lisbon Administration is working permanently and closely with all competent entities in order to guarantee the security of the systems and respective data," the statement concludes. While the company doesn’t explicitly say it was targeted with ransomware, the LockBit ransomware operator has added APL to its leaks website, taking responsibility for the hit.  The databas

This new Linux malware floods machines with cryptominers and DDoS bots

Cybersecurity researchers have spotted a new Linux malware downloader that targets poorly defended Linux servers with cryptocurrency miners and DDoS IRC bots. Researchers from ASEC discovered the attack after the Shell Script Compiler (SHC) used to create the downloader was uploaded to VirusTotal. Apparently, Korean users were the ones uploading the SHC, and it’s Korean users who are targets, as well. Further analysis has shown that the threat actors are going after poorly defended Linux servers, brute-forcing their way into administrator accounts over SSH.  Mining Monero Once they make their way in, they’ll either install a cryptocurrency miner, or a DDoS IRC bot. The miner being deployed is XMRig, arguably the most popular cryptocurrency miner among hackers. It uses the computing power of a victim's endpoints to generate Monero, a privacy-oriented cryptocurrency whose transactions are seemingly impossible to track, and whose users are allegedly impossible to identify. Fo

Code-generating tools could be more of a security hindrance than help

New research by a group of Stanford-affiliated researchers has uncovered that code-generating AI tools such as Github Copilot can present more security risks than many users may realize. The study looked specifically at Codex, a product of OpenAI, of which Elon Musk is among the co-founders.  Codex powers the Microsoft-owned GitHub Copilot platform, which is designed to make coding easier and more accessible by translating natural language into code and suggesting changes based on contextual evidence. AI-coding problems Lead co-author of the study, Neil Perry, explains that “code-generating systems are currently not a replacement for human developers”. The study asked 47 developers of differing abilities to use Codex for security-related problems, using Python, JavaScript and C programming languages. It concluded that the participants who relied on Codex were more likely to write insecure code compared with a control group. Read more > These are the best laptops for progr