iOS 17.4 was released this week, and it includes features that Apple had previously announced to open up some of its services in the European Union. These include: third-party app stores (which Apple calls “alternative app marketplaces”), abolishing the limitation on third-party browser engines, and access to the iPhone’s NFC feature for contactless payments. These changes are now in effect for all iPhone users in the European Union.
This change only affects the iPhone for now; the European Commission “has opened a market investigation to further assess whether Apple’s iPadOS should be designated as gatekeeper, despite not meeting the thresholds,” and should make a determination within 12 months.
The Digital Markets Act defines some tech companies as “gatekeepers.” These are companies that have a strong economic position in the EU, act as an important intermediary between businesses and consumers, and hold an entrenched and durable position in the market. A company must meet all three criteria to be designated; Apple does, as do five other companies: Alphabet, Amazon, ByteDance, Meta, and Microsoft.
Not all of a gatekeeper’s activities are considered “core platform services,” and only core platform services are subject to these new rules. In February 2024, the EC concluded that Microsoft’s Bing, Edge, and Microsoft Advertising, and Apple’s iMessage, should not be designated as core platform services. The EC had earlier declared that some major services and products, such as Gmail, Outlook.com, and Samsung Internet Browser, are not core platform services either.
Some of the changes are complex, but the change affecting web browsers is simple. Apple has long allowed third-party browsers in its App Store, but these browsers have been required to use WebKit, the rendering engine that Apple uses for Safari. This means that if you installed an alternate browser such as Chrome, Firefox, or Edge, this app was merely a skin on the same rendering engine that Safari uses. You were able to sync your history, bookmarks, and passwords with data you stored in the desktop versions of these browsers, but the way the browser displayed pages was the same. One security consequence of this arrangement is that a WebKit vulnerability affected every browser on the iPhone at once, and the fix arrived only with an iOS update, not with an update to the browser app itself.
The first time an EU user launches Safari on iOS 17.4, they will be presented with a screen allowing them to choose a default browser from a list of options. This list includes the 12 most popular web browsers in the user’s country at the time, displayed in random order. If the user chooses one of these browsers as default and doesn’t have it installed on their iPhone, they will have the option to download it immediately.
You have been able to change your default browser on iOS since iOS 14, but the bigger change here is that a browser will now be able to work differently under the hood. Some web browsers may be more efficient, but some may also use more battery and slow down iPhones. As Apple says, “apps that use alternative browser engines — other than Apple’s WebKit — may negatively affect the user experience, including impacts to system performance and battery life.”
The second change is related to the NFC (near-field communication) chip in the iPhone, and these changes also apply to countries in the EEA (European Economic Area): the 27 EU countries, as well as Iceland, Liechtenstein, and Norway. Apple says that “Users will be able to initiate payment transactions from a third-party banking or wallet app at compatible NFC terminals, including mobile devices.” Apple has created new APIs—application programming interfaces—for this purpose.
However, if you have an Apple Watch and use contactless payments on that device, you won’t be able to use a third-party wallet there, because the Apple Watch isn’t covered by the DMA. So if you switch to a third-party wallet on your iPhone, you’ll have to juggle two different services (wallets or apps) when making payments.
The biggest changes involved with the DMA cover Apple’s App Store. Apple has been required to develop “new APIs and tools that enable developers to offer their iOS apps for download from alternative app marketplaces.” These changes are quite far-reaching, and override many of the limitations that Apple has imposed on apps since the advent of the App Store.
One of Apple’s most controversial existing rules is that it prevents developers from informing users that they can make payments, such as for subscriptions or digital content purchases, outside of their apps. Apple also takes a cut of all in-app purchases. This commission used to be 30%, but Apple has lowered it to 15% for smaller developers (those who bill less than $1 million per year). This is why Spotify doesn’t let people subscribe from its iOS app, and Amazon doesn’t sell Kindle books and Audible audiobooks through its apps. Just before the release of iOS 17.4, Apple was hit with a €1.84 billion fine because “Apple bans music streaming app developers from fully informing iOS users about alternative and cheaper music subscription services available outside of the app and from providing any instructions about how to subscribe to such offers.”
Going forward, developers will be able to offer apps through alternative app marketplaces that skirt these restrictions. However, Apple is imposing a “core technology fee” of €0.50 “for each first annual install per year over a 1 million threshold.” Apple says that less than 1% of developers will pay this, but it means that an app with 2 million first annual installs in a year will owe Apple €500,000 (€0.50 on each of the 1 million installs above the threshold). This could add up to a lot of money for companies such as Spotify, Facebook, and Microsoft. To be fair, Spotify, Facebook, and others have long benefited from an essentially free presence and unlimited downloads on Apple’s App Stores.
For those developers remaining on the Apple App Store under the new EU terms, the company is lowering its commission on digital goods and services to 17% (10% for developers in the Small Business Program and for subscriptions after their first year), with an additional 3% fee if they use Apple’s payment processing. It’s worth noting that Google is planning to charge similar fees in the Google Play Store in the EU.
Apple has said that they will require “notarization” for apps sold through alternative app marketplaces. This is, “a baseline review that applies to all apps, regardless of their distribution channel, focused on platform integrity and protecting users. Notarization involves a combination of automated checks and human review.” (This is different from notarization on macOS, which is a quick and purely automated process.)
Apple has published a support document, About alternative app marketplaces in the European Union, explaining how these new app stores affect users. One notable point is that “you must be physically located in the European Union” to use these third-party app stores. And there is a real security risk in relying on apps from third-party app stores if you leave the EU.
If you leave the European Union, you can continue to open and use apps that you previously installed from alternative app marketplaces. Alternative app marketplaces can continue updating those apps for up to 30 days after you leave the European Union, and you can continue using alternative app marketplaces to manage previously installed apps. However, you must be in the European Union to install alternative app marketplaces and new apps from alternative app marketplaces.
The fact that you can no longer update these apps after 30 days could be a serious security problem. For many apps, such as games, there’s not a lot of risk, but web browsers parse untrusted content from every site they visit and are a frequent target of exploits and malicious websites, so not being able to apply security updates can put users at risk. The exposure is greatest for a browser that ships its own engine: a WebKit-based browser still receives engine fixes through iOS updates, but a browser with its own engine receives them only through app updates, which is exactly what stops after 30 days outside the EU.
Apple may have implemented this to prevent people who don’t live in the EU from installing a third-party app store while visiting, then going home and continuing to use those apps. But many people legitimately leave the European Union for longer periods for work, or to study at universities. Leaving these users unable to update their web browsers is a real danger, regardless of how those browsers were installed.
Even though the European Commission considers Apple to be a gatekeeper, these changes only apply to iOS; that is, only to the iPhone. They do not apply to the iPad, Apple Watch, or Apple TV. And they don’t apply to the Mac at all, because you can download software from any source to a Mac. However, the new payment terms and commissions will apply to these other Apple devices.
This introduces some complications for users. If you buy an app from an alternative app marketplace on your iPhone, you will not be able to download the same app on your iPad. It’s not clear yet whether apps like this will also be able to install Apple Watch versions. You won’t benefit from family sharing, unless alternative app marketplaces develop a family-sharing system similar to what Apple uses. And apps downloaded outside the App Store will not work with Screen Time.
Most users will probably continue using Apple’s App Store for all of their purchases. They may install alternative app marketplaces to have access to games or specific apps, but it’s unlikely that these third-party App Stores will make a huge dent in Apple’s control over iOS apps. For example, Epic Games—a company that has been in a court battle with Apple—was expected to be allowed to run its own app store on Apple devices, along with other game developers, but Apple apparently terminated their developer account just before the update went live, so it’s not clear whether you’ll be able to play Fortnite on an iPhone any time soon.
Alternative app marketplaces may allow categories of apps, and individual apps, that Apple has previously banned from its App Store. They could also pave the way for apps that Apple has removed from its App Store because of violations of the store’s terms and conditions. While Apple’s notarization process does mean that Apple representatives must review and “notarize” these apps, Apple can no longer refuse non-harmful apps based solely on their content or features. This could pave the way for the introduction or return of app categories such as game console emulators as well as malicious file scanner (anti-virus) apps. Apple banned malware scanners from the iOS App Store in 2015. (Users of Intego VirusBarrier X9 for macOS can currently scan for malware files on iPhones, iPads, and iPod touch devices attached to their Macs.)
Last April, we wrote an article discussing the potential security implications of sideloading (i.e. the installation of third-party apps via some source other than Apple’s own App Store) on iOS. However, at the time, we weren’t aware that third-party app stores stop updating their apps once a user has been outside the EU for more than 30 days. If you travel a lot, or don’t live in the EU but want to use a workaround to install a third-party app store, it’s a good idea not to install a web browser from an alternative marketplace, particularly one that ships its own engine.
We could potentially see an increase in scam apps in third-party app marketplaces (although recently Apple has had a poor track record at keeping them out of its official App Store anyway).
Apps obtained via third-party stores could potentially be more privacy invasive, or less clear up front about how they will respect user privacy.
We could also see apps exhibiting self-modifying behavior, which is prohibited in the official App Store but may not be from third-party stores. For example, an app could appear to be legitimate at the time of review, but unlock potentially harmful or privacy-invasive functionality sometime after installation.
Time will tell whether apps will be able to get away with using Apple’s own private APIs, although Apple’s new manual notarization process may prohibit this.
Apple is also warning that, if browsers bring their own third-party engines rather than using WebKit, it could increase iPhones’ attack surface by opening up the platform to additional browser-based vulnerabilities.
As we mentioned previously, one potential upside for security and privacy could be the return of virus scanners (that is, malicious file scanners—not full-fledged, system-wide antivirus, like is possible on other platforms).
And, interestingly, there’s also the possibility that third-party app stores could actually vet apps better than Apple currently does; between Apple’s new notarization process and additional vetting from the company that runs the store, we might actually see fewer shady apps on some third-party iPhone app marketplaces.
For now, these new rules only apply to the European Union. But other countries around the world that have been investigating Apple’s market dominance may be tempted to require similar changes. Just as the EU’s GDPR prompted many countries to tighten their data protection laws, the EU’s example around app stores, browsers, and contactless payments may lead other countries to follow suit. They know that Apple can make these changes with a software update, and that makes it easy for other countries to insist that Apple apply similar rules in their markets as well.
For now, no company has launched a third-party app store, and they will take some time to roll out. But in the coming weeks and months, we could see many such stores, and we’ll then have a better idea of the user experience, and the quality of apps that users can download.