In a previous blog post, Dan Shugrue discussed how the Digital Markets Act (DMA) has affected Apple’s previously closed ecosystem by increasing choice and freedom for consumers but potentially increasing the likelihood of security threats such as code lifting and malware.

The DMA includes requirements for interoperability, forcing operating systems managed by companies designated as “gatekeepers” to provide equal access to APIs and ancillary services, like hardware or software features.

To comply with the DMA’s provisions, Apple has created and released over 600 new APIs that are available to developers, including interfaces relating to their NFC technology.

Prior to the DMA, the mobile payment and broader mobile NFC ecosystem were divided, with Apple controlling NFC operations on iOS and other entities operating on Android. This included mobile wallets, soft POS, ID providers, NFC tag readers, etc.

Less than a month after the DMA’s implementation, there was a scramble in the market to migrate NFC applications to iOS and capture market share as soon as possible, leading to several potential security challenges, including:

  • Impersonation Threats: If your company does not port its app to iOS, threat actors “may do it for you,” attempting to phish your customers to trick them into sideloading a fraudulent app.
  • Compliance and Regulations: In the payment industry, NFC cards and POS systems still require certification to industry standards (such as PCI-DSS and EMV), which have quite stringent security criteria, necessitating strong hardening of your application.
  • Code-Lifting Threats: Being the first to market may lead your competitors to steal unique features of your application and rebrand them. Additionally, threat actors who have access to the application source code may try to embed malware in your app and offer that same sideloading option.

All the threats currently impacting Android applications are expected to eventually affect iOS apps as well, which previously benefited from the increased security of Apple’s “walled garden” ecosystem.

Digital.ai can help organizations combat threat actors by protecting their applications against reverse engineering, tampering, and code lifting, and by providing companies with early alerts to attacks through our App Aware service.

 


Author

Ricardo Giorgi
