Application Security & Online Fraud , Fraud Management & Cybercrime , Standards, Regulations & Compliance
Will Third-Party App Stores Play With Apple's Walled Garden?EU Legislation Says Mobile Platforms Must Grant Access to Third-Party Apps, Stores
Apple is reportedly making efforts to comply with the inevitable and allow European iOS mobile device owners to access third-party app stores. It's unclear what that means for Apple's highly effective walled garden security model.
See Also: Live Webinar | Breaking Down Security Challenges so Your Day Doesn’t Start at 3pm
Bloomberg, citing people with knowledge of Apple's plans, reports the tech giant is overhauling its platform in anticipation of satisfying a mandate from the Digital Markets Act that all providers of core platform services - aka gatekeepers - allow users by 2024 to access third-party applications and app stores. Apple fought against the act becoming law, but the law won.
In a move reminiscent of how Microsoft lost its web browser monopoly, the act requires gatekeepers such as Apple to "allow the third-party software applications or software application stores to prompt the end user to decide whether that service should become the default and enable that change to be carried out easily." What's currently unclear is if the DMA requires gatekeepers to allow unrestricted sideloading, meaning allowing users to install any app without having to obtain it via an app store.
The act is meant to foster competition by giving consumers greater choice. But will it come with a security cost?
Apple's walled garden approach is arguably one of the biggest security success stories of the past decade. Devices running iOS and iPadOS are incredibly secure. All apps must undergo a security review by Apple before they're available for App Store distribution.
The risk from allowing laissez faire app stores is clear: Without proper checks and balances, app stores can give attackers a quick and easy way to infect mobile devices. Unless developers maintain an app and issue security updates, users could be at risk if attackers find exploitable vulnerabilities (see: UK Government Rolls Out Security Guidance for Mobile Apps).
Contrast Apple's approach with the Android ecosystem. Google Play Store, which is installed by default on almost every Android device - it's not accessible from mainland China - is relatively secure. Google uses both human and automated reviews to assess apps before allowing them to be distributed via its app store. But it seems to let through more spyware and adware than Apple, perhaps because Android by default typically doesn't enforce similar levels of privacy or security.
Other large Android app stores include the Samsung-only Galaxy Store, which has a less sterling security reputation than Google Play Store. Numerous other Android app stores large and small are also available, but users need to proceed with caution since dodgy apps abound. Promising free versions of paid apps in particular is a common tactic employed by criminals keen to infect mobile devices with malware.
How Apple will implement DMA provisions remains unclear. Bloomberg reports Apple is already rethinking its requirement that all iOS browsers must be based on WebKit.
Choice Doesn't Mean Adoption
In practice, it's possible that a majority of iOS users will ignore third-party app store options.
"The ultimate impact will be minimal as most consumers are creatures of habit and are very satisfied with the platform," Angelo Zino, a stock analyst at CFRA, tells Reuters. "We expect a majority of consumers will keep the status quo" and stick with Apple's own App Store, he says.
For anyone who does look to a third-party app store, Apple will be keen to ensure its brand doesn't become tainted by malicious or scam apps. Likewise, for anyone who might sideload apps, it will want to ensure that those apps don't become a Trojan horse allowing the Apple devices to target others.
The DMA gives gatekeepers the right to ensure that third-party apps or app stores "do not undermine end users' security." Specifically, it allows gatekeepers "to implement strictly necessary and proportionate measures and settings, other than default settings," to protect end users.
Today, getting an app reviewed for App Store distribution comes with two requirements:
- Anyone who wants to distribute apps on Apple's App Store needs to pay for a Developer Program account, at an annual cost of $99.
- Apple takes a commission of up to 30% on all App Store purchases.
Apple has been mum on its plans so far, including whether it will allow third-party payment services.
At stake is a serious amount of revenue. In the first half of this year, Apple's App Store generated approximately $43.7 billion from in-app purchases, subscriptions, and premium apps and games, mobile analytics firm Sensor Tower reports. DMA violators face fines of up to 10% of their annual profits.