EU law says mobile platforms must allow access to third-party apps, stores
Matthew J. Schwartz (euro infosec)
December 15, 2022
Apple has reportedly bowed to the inevitable and is working to give European iOS mobile device owners access to third-party app stores. It’s unclear what that means for its simple walled-garden security model.
Bloomberg reports that Apple is overhauling its platform and app store, citing people familiar with Apple’s plans. Apple opposed this practice becoming law, but the law won.
In a move that recalls how Microsoft lost its web browser monopoly, the act tells gatekeepers such as Apple that a third-party software application or software application store may prompt the end user to decide whether to make its service the default, and that the default must be easy to change. What’s currently unclear is whether the DMA will require gatekeepers to allow unlimited sideloading, meaning users will be able to install apps without having to obtain them via the app store. Whether or not
The law is intended to encourage competition by giving consumers more choice. But does it come at a security cost?
Apple’s walled garden approach is arguably one of the biggest security success stories of the last decade. Devices running iOS and iPadOS are highly secure. All apps must undergo a security review by Apple before they can be distributed on the App Store.
The risks of allowing a laissez-faire app store are clear. Without proper checks and balances, app stores could provide a quick and easy way for attackers to infect mobile devices. Unless developers maintain their apps and issue security updates, users may be at risk if attackers find exploitable vulnerabilities (see: UK government rolls out security guidance for mobile apps).
Compare Apple’s approach to the Android ecosystem. The Google Play Store, which is installed by default on almost all Android devices, although it is not accessible from mainland China, is relatively safe. Google evaluates apps using both human and automated reviews before allowing distribution through the app store. However, it seems to let more spyware and adware through than Apple. This is probably because Android typically doesn’t enforce a similar level of privacy or security by default.
Other large Android app stores include Samsung’s exclusive Galaxy Store, which doesn’t have the same security reputation as the Google Play Store. There are many other Android app stores large and small, but users should proceed with caution as they are full of dangerous apps. Promising free versions, especially of paid apps, is a common tactic used by criminals trying to infect mobile devices with malware.
It remains unclear how Apple will implement the DMA provisions. Bloomberg reports that Apple is already reconsidering its requirement that all iOS browsers must be WebKit-based.
Choice Doesn’t Mean Adoption
In practice, the majority of iOS users may ignore third-party app store options.
CFRA equity analyst Angelo Gino told Reuters, “Most consumers are creatures of habit and are very happy with the platform, so the ultimate impact will be minimal.” He added, “We expect the majority of consumers to stick with the status quo and continue to use Apple’s own App Store.”
For those looking to third-party app stores, Apple is keen to ensure its brand is not undermined by malicious or fraudulent apps. Similarly, anyone who might sideload apps should prevent those apps from becoming Trojan horses and allowing Apple devices to be used to target other devices.
The DMA gives gatekeepers the right to ensure that third-party apps or app stores do not “compromise end-user security.” Specifically, it allows gatekeepers to “implement strictly necessary and appropriate measures and settings beyond the default settings” to protect end users.
Currently, there are two requirements for an app to be reviewed for distribution on the App Store:
- Anyone who wants to distribute apps on Apple’s App Store must pay for a Developer Program account, which costs $99 annually.
- Apple takes a commission of up to 30% on all App Store purchases.
Apple has so far been tight-lipped about its plans, including whether it will allow third-party payment services.
At stake is a serious amount of revenue. In the first half of this year, Apple’s App Store generated about $43.7 billion from in-app purchases, subscriptions, and premium apps and games, reports mobile analytics firm Sensor Tower. DMA violators will be fined up to 10% of their annual profits.