The European Union's Digital Markets Act (DMA) takes significant steps toward reshaping digital marketplaces affecting the so-called gatekeepers: Apple and Google. While the DMA aims to foster competition and innovation by breaking down monopolistic barriers, it indirectly shines a spotlight on mobile app security.
In supporting alternative app stores and “sideloading,” the DMA encourages competition that can motivate developers to differentiate themselves, including through offering advanced security features and testing processes. The DMA has the potential to serve as a driving force towards a more secure mobile application landscape.
Apple’s App Store and Google Play have dominated the mobile app distribution and payment markets for more than a decade. While this offers users convenience, critics including Epic Games and Spotify argue it has stifled innovation and resulted in ecosystems that are both more costly and less secure.
Despite Apple and Google’s formal review processes, malicious apps still get through. Users are exploited through insecure apps, malware and spyware, including apps that bypass privacy policies by collecting and transmitting user data without proper consent. Fraudulent apps mimicking legitimate ones can also get approved, misleading users into downloading apps that may compromise security and/or privacy. In addition, many apps have improperly secured APIs that can expose sensitive data, allowing unauthorized access or data breaches.
Apple fiercely contests the EU stance, along with the opinions of many in the mobile app developer community and now the U.S. Department of Justice as well. Apple asserts that permitting app sideloading and other modifications will further compromise the security of the iOS ecosystem and that it is “working tirelessly to make sure iPhone remains the safest of any phones available.”
App developers have traditionally navigated the "walled garden," where success was contingent upon compliance with the stringent regulations of the App Store. The DMA introduces pivotal changes, compelling gatekeepers to relax their control over app distribution, most notably through permitting the installation of apps from external sources beyond the proprietary app stores.
With the escalating confrontation between EU regulators and Apple and Google, we find ourselves witnessing a modern-day rendition of the classic paradox: an unstoppable force meets an immovable object, or in this case, two immovable objects.
The struggle for a fair and secure digital marketplace has reached an impasse. On one side, developers clamor for a reduction of the exorbitant "app tax," aiming for a more palatable figure much closer to 3% than the prevailing 30%. Consumers, on the other hand, demand the liberty to choose their apps freely, aspiring for a marketplace where safety is a given — not infallible, but adhering to reasonable industry standards. Regulators strive to dismantle the monopolistic structures that stifle innovation, aiming to cultivate a fertile ground where small companies can flourish under the sun of competition rather than wilt in the shadow of gatekeepers.
Breaking the deadlock
The resolution to this deadlock begins with an acknowledgment of these multifaceted desires, recognizing that they are not mutually exclusive, but rather components of a functioning ecosystem. Achieving this balance requires an approach that respects the legitimate security concerns posed by open ecosystems while embracing the innovation and competition that sideloading and alternative app markets promise. There’s a path forward characterized by fairness, security, and competition.
The first step: acceptance that the existing security review process employed by Google and Apple for mobile apps is critically flawed, extremely expensive, and lacks transparency, while failing to address numerous known mobile threats. Mobile apps face significant security concerns, such as insufficient data encryption, insecure data storage, and vulnerabilities within both the communication channel and with backend services (APIs).
A more effective security approach might involve embracing open standards, such as the framework provided by the Open Worldwide Application Security Project (OWASP). The OWASP Mobile Top 10 and the OWASP MASVS guidelines can help drive better mobile app security because they are built on transparency and collective expertise.
Open security products already offer advanced technologies that make it much harder to reverse engineer an app's code, that verify app authenticity after download, and that protect the communication channel between the app and the cloud. Preventing credential theft, implementing robust authentication methods, and conducting run-time security assessments and attestations can further strengthen security by helping identify unusual activity both within the app's operational processes and in the device environment.
We should also encourage developers to incorporate standardized Software Bill of Materials (SBOMs) as integral components of their release process on all platforms. Vendors that adhere to rigorous open standards could be awarded a certification indicating their compliance by an independent standards body, not a proprietary notarization process for a specific platform. Similar to food nutrition labels, these security certifications could serve as clear indicators for consumers, letting them make informed decisions and ensure the safety of the apps they choose to install.
Another step toward breaking the deadlock is already under way, as Apple recently agreed to let EU developers distribute apps directly from their websites in a manner similar to computer software. Adopting a distribution model for mobile apps akin to that of Windows, Mac, and Linux software could significantly enhance both security and competition within the ecosystem.
Allowing users to directly download mainstream applications like Spotify, Facebook, and Fortnite from the developers' websites will place the onus of security directly on those vendors, who are more likely to prioritize the protection of their brand reputation through stringent security measures, especially if they can dramatically slash the commissions and fees associated with distribution through the app stores. This direct-to-consumer model fosters a close relationship between app developers and users, potentially increasing trust and transparency, and reduces the dependency on centralized app stores, thereby mitigating the risks associated with a single point of failure.
Furthermore, the emergence of multiple app stores might introduce healthy competition into the marketplace and bring Google and Apple commissions more in line with the rest of the market. The app stores generate billions of dollars, which should attract strong competition from startups and existing brands like Amazon, Alibaba, Microsoft, or Meta. This openness promises a wider range of choices for consumers, stimulates innovation among app marketplaces, and could lead to the development of specialized security standards tailored to different types of apps and industries, ultimately cultivating a more secure and competitive mobile app landscape.
Innovative mobile security products are readily available, and if the EU DMA eliminates market constraints and hidden taxes like bundling security with marketplace access, they will only get better. Emerging companies and new technologies can offer robust protection that works across platforms, including sideloaded apps, and crucially, does not rely on Apple or Google's proprietary infrastructure or APIs. Allowing developers to prioritize security fits well with the increased use of cross-platform development platforms. Developers must aim to reduce the cost of maintaining separate code streams for Apple and Android, and need to embrace emerging platforms such as BharOS, HarmonyOS, and non-GMS Android to secure mobile devices operating in India, China, South America, the Middle East and Africa, where Apple and Google tend not to dominate.
Rather than precipitating a security crisis, the DMA’s encouragement of sideloading might actually start a revolution in mobile app security. With increasing concern over AI-enabled threats, there’s a pressing need for more advanced, versatile security products that transcend platform boundaries and aren’t shackled by Apple or Google’s approval processes. With more developer freedom comes more developer responsibility. The new landscape may witness alliances between smaller security firms and app developers such as Epic Games and Spotify, which have previously contested the supremacy of the app store gatekeepers. Cooperative efforts could offer a formidable challenge to the status quo maintained by Google and Apple, and also stimulate further investments in stronger, autonomous security measures.
Ted Miracco, chief executive officer, Approov Mobile Security