![\"\"](\"https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2024\/02\/Apple-iOS-App-Store-EU-DMA-compliance-hero-600x300-1.jpg\")
<\/p>\n<\/p>\n
iOS 17.4 was released this week, and it includes features that\u00a0Apple had previously announced<\/a> to open up some of its services in the European Union. These include: third-party app stores (which Apple calls \u201calternative app marketplaces\u201d), abolishing the limitation on third-party browser engines, and access to the iPhone\u2019s NFC feature for contactless payments. These changes are now in effect for all iPhone users in the European Union.<\/p>\n This change only affects the iPhone for now; the European Commission \u201chas opened a market investigation to further assess whether Apple\u2019s iPadOS should be designated as gatekeeper, despite not meeting the thresholds,\u201d and should make a determination within 12 months.<\/p>\n The Digital Markets Act<\/a> defines some tech companies as \u201cgatekeepers.\u201d These are companies that have a strong economic position, a strong intermediation, or an entrenched and durable position in the market. Apple meets all three of these criteria, as do five other companies: Alphabet, Amazon, ByteDance, Meta, and Microsoft.<\/p>\n Image credit: European Commission<\/a>.<\/p><\/div>\n Not all of the companies\u2019 activities are considered to be \u201ccore platform services,\u201d which makes them subject to these new rules. The EU is currently examining whether to consider Microsoft\u2019s Bing, Edge, and Microsoft Advertising, and Apple\u2019s iMessage as core platform services. So far, the EC has declared that some major services and products such as Gmail, Outlook.com, and Samsung Internet Browser are not core platform services.<\/p>\n Some of the changes are complex, but the change affecting the web browsers is simple. Apple has long allowed third-party browsers in its App Store, but these browsers have been required to use WebKit<\/a>, the rendering engine that Apple uses for Safari. This means that if you installed an alternate browser such as Chrome, Firefox, or Edge, this app was merely a skin on the same rendering engine that Safari uses. You were able to sync your history, bookmarks, and passwords with data you stored in the desktop versions of these browsers, but the way the browser displays pages is the same.<\/p>\n When an EU user launches Safari on iOS 17.4, they will be presented with a screen allowing them to choose a default browser<\/strong> from a list of options. This list includes the 12 most popular web browsers<\/a> in the user\u2019s country at the time, and displays in a random order. If the user chooses one of these browsers as default and doesn\u2019t have it installed on their iPhone, they will have the option to download it immediately.<\/p>\n You have been able to change your default browser on iOS<\/a> for some time, but the biggest change here is that the browser will be able to work differently. Some web browsers may be more efficient, but some may also use more battery and slow down iPhones. As Apple says, \u201capps that use alternative browser engines \u2014 other than Apple\u2019s WebKit \u2014 may negatively affect the user experience, including impacts to system performance and battery life.\u201d<\/p>\n The second change is related to the NFC (near-field communication) chip in the iPhone, and these changes also apply to countries in the EEA (European Economic Area): the 27 EU countries, as well as Iceland, Liechtenstein, and Norway. Apple says that<\/a>\u00a0\u201cUsers will be able to initiate payment transactions from a third-party banking or wallet app at compatible NFC terminals, including mobile devices.\u201d Apple has created new APIs<\/a>\u2014application programming interfaces\u2014for this purpose.<\/p>\n However, if you have an Apple Watch and use contactless payments on that device, you won\u2019t be able to change payment methods, because the Apple Watch isn\u2019t covered by the DMA. So if you make a change on your iPhone, you\u2019ll have to juggle two different services\u2014wallets or apps\u2014when making payments.<\/p>\n The biggest changes involved with the DMA cover Apple\u2019s App Store. Apple has been required to develop \u201cnew APIs and tools that enable developers to offer their iOS apps for download from alternative app marketplaces.\u201d These changes are quite far-reaching, and usurp many of the limitations that Apple has imposed on apps since the advent of the App Store.<\/p>\n One of the most controversial changes has been the fact that Apple prevents developers from informing users that they can make payments, such as for subscriptions or digital content purchases, outside of their apps. Apple also takes a cut of all in-app purchases. This commission used to be 30%, but Apple has lowered this to 15% for smaller developers (those who bill less than $1 million per year). This is why Spotify doesn\u2019t let people subscribe from their iOS app, and Amazon doesn\u2019t sell Kindle books and Audible audiobooks through their apps. Just before the release of iOS 17.4, Apple was hit with a \u20ac1.84 billion fine<\/a> because “Apple bans music streaming app developers from fully informing iOS users about alternative and cheaper music subscription services<\/strong> available outside of the app and from providing any instructions<\/strong> about how to subscribe to such offers.”<\/p>\n Going forward, developers will be able to offer apps through alternative app marketplaces that skirt these restrictions. However, Apple is imposing a \u201ccore technology fee\u201d of \u20ac0.50 \u201cfor each first annual install per year over a 1 million threshold.\u201d Apple says that less than 1% of developers will pay this, but it means that an app that is downloaded 2 million times will owe Apple \u20ac500,000. This could add up to a lot of money for companies such as Spotify, Facebook, and Microsoft. To be fair, Spotify, Facebook, and others have long benefited from totally free presence and downloads on Apple\u2019s App Stores.<\/p>\n For those developers remaining on the Apple App Store, the company is lowering commissions to 10% for app sales and 17% for digital goods and services, but there is also a 3% payment processing fee. It’s worth noting that Google is planning to charge similar fees in the Google Play Store in the EU<\/a>.<\/p>\n Apple has said that they will require \u201cnotarization\u201d for apps sold through alternative app marketplaces. This is, \u201ca baseline review that applies to all apps, regardless of their distribution channel, focused on platform integrity and protecting users. Notarization involves a combination of automated checks and human review.\u201d (This is different from notarization on macOS, which is a quick and purely automated process.)<\/p>\n Apple has published a support document, About alternative app marketplaces in the European Union<\/a>, explaining how these new app stores affect users. One notable point is the fact that “you must be physically located in the European Union” to use these third-party app stores. And there is a very serious risk of using apps from third-party app stores, if you leave the EU.<\/p>\n If you leave the European Union, you can continue to open and use apps that you previously installed from alternative app marketplaces. Alternative app marketplaces can continue updating those apps for up to 30 days after you leave the European Union,<\/strong> and you can continue using alternative app marketplaces to manage previously installed apps. However, you must be in the European Union to install alternative app marketplaces and new apps from alternative app marketplaces.<\/p>\n<\/blockquote>\n The fact that you can no longer update apps after 30 days could be a security nightmare. For many apps, such as games, there’s not a lot of risk, but for web browsers, which are often the target of malware and malicious websites, not being able to apply security updates can put users at risk.<\/p>\n Apple may have implemented this to prevent people from installing a third-party app store when in the EU, if they don’t live there permanently, then going to another country and continuing to access apps. But many people leave the European Union for longer periods for work, or to study in universities. There is a serious danger of not allowing these users to update web browsers, regardless of how they were installed.<\/p>\n Even though the European Commission considers Apple to be a gatekeeper, these changes only apply to iOS; that is, only to the iPhone. They do not apply to the iPad, Apple Watch, or Apple TV. And they don\u2019t apply to the Mac at all, because you can download software from any source to a Mac. However, the new payment terms and commissions will apply to these other Apple devices.<\/p>\n This introduces some complications for users. If you buy an app from an alternative app marketplace on your iPhone, you will not be able to download the same app on your iPad. It\u2019s not clear yet whether apps like this will also be able to install Apple Watch versions. You won\u2019t benefit from family sharing, unless alternative app marketplaces develop a family-sharing system similar to what Apple uses. And apps downloaded outside the App Store will not work with Screen Time.<\/p>\n Most users will probably continue using Apple\u2019s App Store for all of their purchases. They may install alternative app marketplaces to have access to games or specific apps, but it\u2019s unlikely that these third-party App Stores will make a huge dent in Apple\u2019s control over iOS apps. For example, Epic Games<\/strong>\u2014a company that has been in a court battle with Apple\u2014was expected to be allowed to run its own app store on Apple devices, along with other game developers, but Apple apparently terminated their developer account<\/a> just before the update went live, so it’s not clear whether you’ll be able to play Fortnite on an iPhone any time soon.<\/p>\n Alternative app marketplaces will allow categories of apps, and individual apps, that Apple has previously banned from its App Store. It could also pave the way for apps that Apple has removed from its App Store because of violations of the store’s terms and conditions. While Apple\u2019s notarization process does mean that Apple representatives must review and “notarize” these apps, Apple can no longer refuse non-harmful apps based solely on their content or features. This could pave the way for the introduction or return of app categories such as game console emulators<\/strong> as well as malicious file scanner (anti-virus) apps<\/strong>. Apple banned malware scanners from the iOS App Store<\/a>\u00a0in 2015. (Users of Intego VirusBarrier X9<\/a> for macOS can currently scan for malware files on iPhones, iPads, and iPod touch devices attached to their Macs<\/a>.)<\/p>\n Last April, we wrote an article discussing the potential security implications for sideloading<\/em><\/a> (i.e. the installation of third-party apps via some source other than Apple’s own App Store) on iOS. However, at the time, we weren’t aware of the issue around third-party app stores not functioning after a user is outside the EU “for too long,” which therefore cannot update apps. If you do travel a lot, or don’t live in the EU but want to use a workaround to install a third-party app store, it’s a good idea to not install an alternative web browser.<\/p>\n We could potentially see an increase in scam apps in third-party app marketplaces (although recently Apple has had<\/a> a<\/a> poor<\/a> track<\/a> record<\/a> at keeping them out of its official App Store anyway).<\/p>\n Apps obtained via third-party stores could potentially be more privacy invasive, or less clear up front about how they will respect user privacy.<\/p>\n We could also see apps exhibiting self-modifying behavior, which is prohibited in the official App Store but may not be from third-party stores. For example, an app could appear to be legitimate at the time of review, but unlock potentially harmful or privacy-invasive functionality sometime after installation.<\/p>\n Time will tell whether apps will be able to get away with using Apple’s own private APIs, although Apple’s new manual notarization process may prohibit this.<\/p>\nGatekeepers and Core Platform Services<\/h3>\n
![\"\"](\"https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2024\/02\/dma-gatekeepers.png\")
Changes to the web browsers<\/h3>\n
Changes to contactless payments<\/h3>\n
Changes to the App Store<\/h3>\n
Alternative app marketplaces vs. staying in Apple’s App Store<\/strong><\/h4>\n
\n
What isn\u2019t changing, at least for now<\/h3>\n
What these changes will mean for users<\/h3>\n
Potential implications for end-user security and privacy<\/h3>\n
Third-party app stores’ potential negative impacts<\/strong><\/h4>\n