Apple says it will no longer be able to fully protect iOS users from cyber threats as it prepares to comply with the European Union’s Digital Markets Act (DMA) this week.
Ahead of the looming March 7 DMA compliance deadline, Apple published a 32-page whitepaper on March 1 that details security and privacy changes it’s making in response to the new regulation.
The rule, designed to protect competition in European digital markets, applies to 22 services from six “gatekeeper” companies – including the Apple App Store. To comply with the DMA, Apple will need to allow “sideloading” of iOS apps from alternative app marketplaces in the EU, as well as enable payment options other than Apple Pay for EU users making App Store purchases.
“Because users trust Apple to keep their devices protected, they have not had to worry about whether their source of third-party apps or their in-app payment system posed a threat to them. Users will no longer be able to assume that protection,” the paper states.
The changes explained in the paper are expected to come with the release of iOS 17.4 this week and only apply to users in the EU. However, Apple said “this newly incentivized level of criminal investment in building tools, services and infrastructure to target iOS users risks spilling over and lowering the cost of attacking even those users who only use the App Store.”
The other companies required to comply with the DMA this week are Alphabet, Amazon, ByteDance, Meta and Microsoft.
“Sideloading apps will allow users more freedom to download and install the apps of their choice. But it will also blur the familiar boundaries that have safeguarded the iOS ecosystem for years,” David Richardson, vice president of threat intelligence at Lookout, told SC Media.
“It will get harder to effectively vet and monitor the numerous apps available outside of the App Store. For one, it’ll be nearly impossible to track all the apps being circulated and downloaded,” Richardson said.
New iOS app review process, warning screens implemented
The Apple whitepaper states the company has built more than 600 new application programming interfaces (APIs) and developer tools to accommodate the DMA-related changes. It also describes the launch of new security, privacy and safety features applying to the sideloading of apps and use of alternative payment methods in the EU.
Notarization for iOS is Apple’s new method for determining the safety of apps outside of its full App Store Review process and follows a similar method to its existing Notarization for macOS feature. Any app that will be distributed on iOS devices, whether from the App Store or a third-party marketplace, must be reviewed for compliance with the Developer Program License Agreement and digitally signed in order to be installed.
The Notarization for iOS review process includes both automated testing for known malware and security threats, and a human review for content such as phishing or novel malware not recognized by the automated system. Apps outside of the App Store are also still required to get permission from the user before accessing sensitive data and device services.
The notarization process is repeated for every update to an app, and apps that are altered after being digitally signed will not be able to run. However, Apple says it will not have as much oversight over apps from third-party marketplaces because it cannot monitor user reports, reviews and other marketplace data for suspicious activity.
Instead, Apple sets criteria for alternative app marketplaces to perform their own monitoring and remove malicious apps. The company said it removes more than 185,000 apps from the App Store per year for violating Apple guidelines.
Richardson noted that for both Apple’s iOS and Google’s Android, the latter of which has always allowed for the sideloading of apps, not having to go through an official app store “does create a lower barrier for malicious app authors.”
However, he noted the use of Google- or Apple-run app marketplaces can create a “false sense of security” that all the apps are safe and will handle their data securely.
“Of course there are malicious apps that manage to circumvent app store approval, apps that harvest data in an unauthorized manner that open your device to security vulnerabilities that have been readily available in the official Apple App Store or Google Play Store,” Richardson said.
Another measure Apple is implementing in the EU is the use of two new pop-up information screens – an “app installation sheet” and an “in-app disclosure sheet.”
The app installation sheet displays information from the notarization review of alternative marketplace apps – such as developer name, description, screenshots and age rating – prior to their installation. Apple says the sheets, which cannot be changed by the app creator, are designed to provide transparency about app content but do not replace the more detailed “Privacy Nutrition Labels” required in the App Store.
In-app disclosure sheets appear when a user attempts to make an app purchase using a non-Apple payment option, informing the user that they are “no longer transacting with Apple.” Apple says this warning is intended to prevent “misleading payment information, predatory pricing, and missing subscription disclosures.”
Apple butts heads with regulators, Spotify over EU competition regulations
While Apple says the main purpose of its whitepaper is to describe its security efforts and DMA compliance plans, a significant portion of the paper is dedicated to emphasizing the risks and limitations created by the regulation. The document includes more than a dozen samples of feedback from Apple users decrying the potential threats of app sideloading.
The paper is also sprinkled with additional examples of these threats, such as a mention of an SMS phishing scam that tricked users into downloading a fake postal service Android app and a description of a meeting between Apple staff and a developer who turned out to be involved with the distribution of pirated software.
Apple also says that the changes forced by the regulation will “create new and lucrative markets for malicious actors,” claiming that its platform’s built-in security measures are “why most bad actors have concluded that trying to infect iOS with malware is not a worthwhile investment of their time, energy, and resources.”
“Threat actors are already interested in targeting iOS users, but they’re currently more reliant on other ways to target iOS users such as phishing, social engineering or exploiting vulnerabilities,” Richardson explained. “[Sideloading] gives them additional ways to target the platform, so we will likely see an increase in app threats on the iOS platform.”
Richardson noted that currently, threats like spyware that are commonly installed on Android devices through sideloaded apps have also been used to target iOS users through methods such as compromising iCloud accounts or leveraging browser vulnerabilities.
He also said that Lookout research shows iOS users are more likely to click phishing links than Android users, with 16% of enterprise iOS users tapping at least one phishing link per quarter compared with 10% of enterprise Android users.
Apple’s clash with the EU’s competition regulations hit a new height on Monday, when the European Commission fined the company more than €1.8 billion (nearly $2 billion USD), ruling it violated EU antitrust rules by using anti-steering measures against non-Apple music subscription services.
The company responded with a scathing statement against the commission’s ruling and its music streaming rival Spotify. Spotify was a main proponent of the EU action against Apple, which Apple described as “an effort by the Commission to enforce the DMA before the DMA becomes law.”
Spotify also published an open letter on the same day Apple published its whitepaper, co-signed by 33 other companies and associations and titled “A Letter to the European Commission on Apple’s Lack of DMA Compliance.” The letter argues Apple’s compliance plans fall short due to factors including extra fees for developers who choose to distribute apps outside of the App Store.
The letter also refers to “unfounded privacy and security concerns” behind Apple’s approach and refers to the new information sheets displayed for alternative marketplace apps and payment methods as “scare screens.”
Apple has said it plans to appeal the European Commission’s antitrust ruling regarding music streaming competition.