Written by Dan Shugrue

Prior to March 7, Apple’s App Store was not exactly a “Cathedral” of security purity – but it did offer demonstrably more secure apps than Google Play store apps. The Digital Marketplace Act, which went into effect in the EU on March 7, will weaken Apple’s ability to offer a relatively “pure” experience and essentially create more of a “bazaar” for European iPhone consumers. The DMA is the latest manifestation of a decades-long tension between digital “security” and freedom. For Apple, a company synonymous with stringent app store controls, the DMA presents a blow to offering a certain kind of security. For consumers, the DMA provides a mixed bag: More freedom of choice, but also more risk. This post delves into the DMA’s implications on app store competition and consumer choice from the perspective of an enterprise building apps for end-consumers and offers advice for enterprises looking to secure applications in the brave new DMA-mandated bazaar.

The Pre-DMA Landscape

Before the DMA’s advent, the security landscape for mobile devices was divided, with iOS devices boasting superior security measures compared to their Android counterparts. According to our 2023 Threat Report, Android apps were more likely to be exposed to unsafe environments, such as rooted phones or those running on emulators. Specifically, 76% of Android apps were run in unsafe environments compared to 51% of iPhone apps. Furthermore, Android apps were over four times more likely to be executed with modified code than iPhone apps.

This disparity stems from various factors, including Android’s availability to third-party licensees, the proliferation of third-party manufacturers, the availability of free, fully-featured emulators, and the ease of side-loading apps. These contrast with Apple’s controlled hardware ecosystem and, most significantly, its closed digital app marketplace.

The Catalysts for Change

The European Union’s motivation behind the DMA was not directly tied to security concerns but instead aimed to break down barriers erected by tech companies to foster competition within the app market. Contentious disputes between Apple and entities like Epic Games and Spotify, which revolved around app store policies and fees, underscored the need for regulatory intervention. While Apple arguably provided a more secure ecosystem, they were also essentially forcing app owners to pay a “tax” on revenues collected by third parties – and those fees could rise to as much as 30% of overall app revenue. The DMA, therefore, not only sets the stage for increased consumer choice and market competition but also denies Apple a lucrative source of revenue.

The Flip Side: Security Concerns

However, the opening of digital marketplaces, as mandated by the DMA, is not without its security pitfalls. The relaxation of app store monopolies could inadvertently pave the way for trojans (apps containing malware that attacks other apps) as well as a marketplace for cloned apps masquerading as the “real thing.” The banking trojan “Anatsa,” for example, has repeatedly surfaced in various Android app marketplaces and has been linked to attacks on more than 600 mobile banking applications worldwide. Until now, this phenomenon was limited to attacks on Android devices. In the future, it could find fertile ground in less-regulated app ecosystems built for iPhones.

Apple’s Response and New Security Mechanisms

Apple’s rebuttal to the DMA underscores apprehensions regarding user security, advocating for a cautious approach to marketplace democratization. Apple has introduced a suite of new security features, including Notarization for iOS apps, mandatory authorizations for marketplace developers, and transparent disclosures on alternative payments. At best, however, these measures only offer partial mitigation of the risks third-party app stores represent while at the same time ensuring that Apple can recoup some of the monetary losses they are sure to suffer as their hold on the app ecosystem loosens.

Implications for Enterprises Making Apps for Their Customers

The DMA introduces new risks for enterprises developing apps, particularly the increased risk of trojans and app cloning. To counteract this, enterprises must adopt more robust application-based security strategies. Those strategies involve integrating security, specifically App Hardening, into the software development lifecycle.

App Hardening includes providing a means to detect if and when applications are run in unsafe environments, as well as preventing threat actors from modifying and re-publishing altered applications. It also includes protections such as signature verification and code integrity checks to stop those modified applications from preying on end users who have unwittingly stumbled across them in a third-party app store. Additionally, enterprises can integrate monitoring capabilities into their apps to oversee threats to the app post-deployment. Finally, Runtime Application Self-Protection (RASP) mechanisms can empower apps to autonomously neutralize threats when operated in unsafe environments or with altered code, thus preserving app integrity in the increasingly complex market landscape.
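To make the code integrity check and the RASP response described above concrete, here is a small added example in C. It is not Digital.ai’s code and not part of the original post; it assumes a constructed byte array standing in for a protected code region, and uses FNV-1a (a non-cryptographic digest) purely to keep the demonstration dependency-free. A real build would digest the app’s actual text segment with a keyed or cryptographic hash and embed the reference value from the build pipeline.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* 64-bit FNV-1a digest over an arbitrary byte range. A hardened build
 * would use a keyed or cryptographic digest; FNV-1a keeps this example
 * dependency-free while showing the mechanism. */
uint64_t fnv1a64(const uint8_t *p, size_t n)
{
    uint64_t h = 0xcbf29ce484222325ULL;
    for (size_t i = 0; i < n; i++) {
        h ^= p[i];
        h *= 0x100000001b3ULL;
    }
    return h;
}

/* Returns 1 if the region still matches its reference digest, 0 if modified. */
int region_intact(const uint8_t *region, size_t n, uint64_t reference)
{
    return fnv1a64(region, n) == reference;
}

/* Constructed stand-in for a protected code region (not real instruction
 * bytes from any app). */
static const uint8_t demo_region[] = {
    0x55, 0x48, 0x89, 0xe5, 0x31, 0xc0, 0x5d, 0xc3,
    0x90, 0x90, 0x0f, 0x1f, 0x40, 0x00, 0xde, 0xad
};

/* Reference digest. In a real pipeline this is computed at build time over
 * the final signed binary and embedded in a signed resource; here it is
 * derived from the constructed region so the example runs stand-alone. */
static uint64_t reference_digest(void)
{
    return fnv1a64(demo_region, sizeof demo_region);
}

/* RASP-style gate: a sensitive operation (for example, releasing a session
 * token) proceeds only when the integrity check passes.
 * Returns 1 if the operation was allowed, 0 if refused. */
int gate_sensitive_operation(const uint8_t *region, size_t n, uint64_t reference)
{
    if (!region_intact(region, n, reference)) {
        /* The response policy is the app's choice: refuse the operation,
         * clear secrets, report to the monitoring backend, or exit. */
        return 0;
    }
    return 1;
}

/* Simulates the runtime check. tamper != 0 flips one byte in a working copy,
 * standing in for a repackaged app whose code was patched before
 * re-publication in a third-party store. */
int self_check_demo(int tamper)
{
    uint8_t copy[sizeof demo_region];
    memcpy(copy, demo_region, sizeof copy);
    if (tamper) {
        copy[5] ^= 0x01;  /* one-byte patch to the protected region */
    }
    return gate_sensitive_operation(copy, sizeof copy, reference_digest());
}

int main(void)
{
    printf("intact build:  %s\n", self_check_demo(0) ? "allowed" : "refused");
    printf("patched build: %s\n", self_check_demo(1) ? "allowed" : "refused");
    return 0;
}
```

The design point is that the check compares what is actually in memory at runtime against a value fixed at build time, so a repackaged copy fails the gate even if the attacker re-signs it. Because a single digest is easy for a reverse engineer to locate and patch, production hardening spreads many such checks through the code and obfuscates them, which is where commercial App Hardening products differ from this sketch.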

Conclusion

The DMA attempts to turn the cathedral into a bazaar. With those efforts come risks, and those risks embody the nuanced balance required between freedom and security in the digital age. As the act reshapes the future of app stores and the broader digital market, enterprises creating apps for the iPhone will need to take greater responsibility for the security of their apps. While Apple’s security measures provide a framework for maintaining user safety, enterprises must also embrace comprehensive protective strategies to navigate this new era successfully. This shift will fundamentally require organizations to adopt more shift-left strategies toward security. Shipping iOS applications in this new environment without comprehensive Application Hardening, including protections against reverse engineering, is now more dangerous than ever.

Worship at the Steve Jobs Cathedral or Embrace the EU’s Bazaar: How to Navigate the Digital Marketplace Act (published March 14, 2024)