Forcing Apple to allow alternative app stores might cause major security risks

Apple logo displayed on a store front in Shanghai, China.
(Image credit: Getty Images)

Apple is set to make fundamental changes to its App Store in the EU to comply with the European Commission’s Digital Markets Act (DMA), but some experts are worried these changes could have serious negative security implications.

The DMA will introduce a mandate on Apple and other designated ‘gatekeepers’ to start letting users install third-party app stores and sideload apps onto their devices, with the aim of increasing competition on online platforms.

Security specialists, however, are concerned that this decision will open up another attack vector for threat actors and could result in a flood of dangerous applications being downloaded.

Jamie Moles, senior technical manager at ExtraHop, told ITPro the DMA could have unintended consequences for the security of online platforms by removing the operator’s ability to freely moderate the software being distributed.

“It [the DMA] would increase the overall risks to the platform because it creates an entirely new attack vector,” he said. 

“The requirements for an app to appear on the app store are, in part, designed to protect the security of the system and comply with Apple’s own privacy policy. If you remove the ability to directly audit the programs being distributed to the platform, then it is inevitable that there will be more security risks.”

Moles pointed to a recent example of security flaws in the Epic Games Store, which could become accessible on iOS under the new DMA stipulations.

“The Epic Games Store (EGS), a platform that could be added to iOS if the courts rule in Epic Games’s favor, had issues with privacy upon release. EGS was deriving contacts from other games stores by directly accessing files stored locally by a competing app store, Steam, rather than using a more secure API link”, Moles commented.

“Epic Games apologized but has not changed the method by which it syncs contacts with Steam contacts. This is a security risk created by a company with good intentions, so the potential downsides for a company with bad intentions are huge.”

How will Apple respond to these changes?

Moles said he expects the changes to the Apple App Store to be limited to the EU region, as opposed to the regulation prompting a universal policy shift from the tech giant like it did with the mandated USB-C connectors for iPhones.

“Another app store is a software change, and Apple already has different software configurations for different regions. In October, Apple required an Internet Content Provider license for apps to appear on the Chinese version of the app store, so the precedent is there for each region to have its app store configured for different regulatory environments.”

Apple could introduce a series of permission layers on iOS to protect the majority of its users from inadvertently accessing unaudited marketplaces or sideloading malicious applications, Moles suggested. 

Another measure Apple could use to mitigate the risks associated with this shift would be to force unverified apps to run in a dedicated, isolated software environment to minimize their access to the device's files and other applications.

Moles added that Apple could implement a similar approach to its policy on aftermarket hardware components, such as batteries or screens.

“Imagine when downloading or booting one of these applications, several layers of warning notifications for each permission being granted to the software will appear on screen”, he explained.

“The implementation would be similar to those in place for apps already, but likely in more explicit terms. Installing and sideloading could result in voiding warranty for devices, something Apple already does with aftermarket batteries and screens.”

Balance is needed to prevent monopolies and limit security risks

The DMA was first tabled in 2022 to address the significant advantage big tech companies have over smaller competitors in the industry by limiting the control these companies have over how business is conducted on their platforms.

The regulation is targeted at preventing gatekeepers from using their privileged position as platform operators to promote their own products or services above those of their competitors. 


On the subject of whether this act will produce a net benefit for consumers in the long run, Moles said, overall, the EU’s tech regulation in recent years has been warranted and in the interest of business and consumers alike, but it needs to be careful it isn’t creating more problems than it solves with the DMA.

“Most of the EU regulation in the tech space has been a good thing. The USB-C requirements are, by and large, to the benefit of consumers, and GDPR, as annoying as cookie notices can be, sets important protections on user data,” Moles told ITPro.

“However, while well intentioned, this particular change exposes users to far more risk with less obvious reward. Preventing large tech monopolies is essentially a good idea, but one that has to balance the challenges of creating and operating a platform of iOS’s size.”

Solomon Klappholz
Staff Writer

Solomon Klappholz is a Staff Writer at ITPro. He has experience writing about the technologies that facilitate industrial manufacturing, which led to him developing a particular interest in IT regulation, industrial infrastructure applications, and machine learning.