
Let the right one in: Apple uses two doors to manage malware

Glenn Fleishman | Nov. 14, 2014
Two recent security incidents, WireLurker and Masque Attack, highlight both the ease and difficulty of slipping malware onto iOS. But they also show the way in which Apple may have infantilized its audience into not knowing the right choice to make when presented with a genuine security flaw.

The default Gatekeeper choice allows App Store apps plus apps signed with a developer certificate, and offers a well-documented but user-unfriendly way of opening unsigned apps. Double-clicking an app from an "unidentified developer" produces a dialog that says it cannot be opened, but Control-clicking the app and choosing Open bypasses the check. This subtlety is certainly beyond the ken of most users. (A signed app that has been tampered with, or whose developer certificate has been revoked, cannot be opened through this method.)

A friend, Kerri Hicks (spouse of Bare Bones' founder Rich Siegel), explained to me recently that as the web manager of a university's library system, she is regularly consulted by other members of her team when they see the Gatekeeper dialog. Baffled, they come to her as the expert; the bypass is both nonintuitive and hard to train an average user to perform. While I rarely open an unsigned app, Kerri says it's a frequent occurrence in her field, which relies on free, open-source, and other software whose developers may not want to take the time, spend $99 per year, or jump through Apple's hoops to get a digital signature attached.

An ad-hoc entrance to the walled garden

iOS also has a workaround, although it's extremely limited. Apple allows regular developers to distribute test versions of apps as "ad hoc" releases to up to 100 devices registered in the developer's account. Enterprise users, who pay $299 per year, can distribute apps completely outside Apple's processes, but such distribution is supposed to be limited to employees of the firm with the account. (TestFlight is another option for software testing, now owned by Apple, but Apple handles distribution of releases.)

An ad hoc app is unlikely to be found in the wild except in very particular attacks, because of the unique device limit: without the UDID of an iOS device listed in the profile, an app signed with the ad hoc certificate can't be installed. Enterprise-signed apps were used in WireLurker and account for most of the threat of Masque Attack, although it's possible "spearphishing" (highly targeted attacks) could make use of ad hoc provisioning as well.

In both cases, though, whether the app is downloaded or installed, the user must approve it in one or two steps, tapping Install or Trust at a prompt that provides little information and none of it validated — a malicious developer can claim to be installing "New Flappy Bird" and instead overwrite any non-Apple app. (Apple can centrally revoke any enterprise certificate, which has shut down WireLurker and makes Masque Attack quite difficult to sustain: once it's discovered, an improper or hijacked enterprise developer account can be disabled along with its certificates.)
