Potential Security Impacts of the EU Digital Marketplace Act

Prior to the enactment of the Digital Markets Act (DMA) in Europe, Apple’s “Walled Garden Model” App Store was, like all app stores, not without security vulnerabilities – but its prohibition on “side-loading” did offer demonstrably increased security as compared to more permissive marketplaces like than Google Play. Under the recently enacted Digital Markets Act in the European Union, however, such prohibitions are less likely to remain in place for so-called “gatekeeper” companies like Apple, which we believe will reduce the security of the overall mobile application ecosystem.

The Digital Markets Act officially entered into force on November 1st, 2022, and most of its provisions became applicable in May 2023. However, on September 6th of 2023, the European Commission designated six “gatekeeper” companies, including Apple and Alphabet, Google’s parent company. It specified that each gatekeeper would be required to meet a number of compliance milestones within six months of their identification. Accordingly, as of March 6th, 2024, Apple can no longer prevent App Store users from offering mobile applications or other products or services directly to end users or through third-party services. The DMA is the latest manifestation of a decades-long tension between digital “security” and freedom. For Apple, a company synonymous with stringent app store controls, the DMA presents a blow to offering a certain kind of security. For consumers, the DMA provides a mixed bag: More freedom of choice but also more potential risk. This post delves into the DMA’s implications on app store competition and consumer choice from the perspective of an enterprise building apps for end-consumers and offers advice for enterprises looking to secure applications in the brave new DMA-mandated app store ecosystem.

The Pre-DMA Landscape

Before the DMA’s advent, the security landscape for mobile application marketplaces had historically been divided, with the App Store for iOS devices boasting superior security measures compared to those for Android counterparts. According to our 2023 Threat Report, Android apps were more likely to be exposed to unsafe environments, such as rooted phones or those running on emulators. Specifically, 76% of Android apps were run in unsafe environments compared to 51% of iPhone apps. Furthermore, Android apps were over four times more likely to be executed with modified code than iPhone apps.

This disparity may stem from various factors, including Android’s availability to third-party licensees, the proliferation of third-party manufacturers, the availability of free, fully-featured emulators, and the ease of side-loading apps—these contrast with Apple’s controlled hardware ecosystem, and most significantly, closed digital app marketplace.

The Catalysts for Change

The European Union’s motivation behind the DMA has not been viewed as directly tied to security concerns but aimed at breaking down barriers erected by tech companies and fostering competition within the app market. Disputes between Apple and entities like Epic Games and Spotify, which revolved around app store policies and fees, underscored the need for regulatory intervention. While Apple arguably provided a more secure ecosystem, they were also essentially forcing app owners to pay commission fees on revenues collected, including for in-application purchases, sometimes rising to as much as 30% of the price of products purchased. The DMA, therefore, not only sets the stage for increased consumer choice and market competition but also limits companies like Apple from leveraging a lucrative source of revenue.

The Flip Side: Security Concerns

However, the opening of digital marketplaces, as mandated by the DMA, is not without its security pitfalls and could inadvertently pave the way for trojan horse applications or “trojans” (apps containing malware that attacks other apps) as well as marketplaces for cloned apps masquerading as the “real thing.” The banking trojan “anatsa,” for example, has repeatedly surfaced in various Android app marketplaces and has been linked to attacks on more than 600 mobile banking applications worldwide. This phenomenon was limited to attacks on Android devices until now. In the future, it could find fertile ground in less-regulated app ecosystems built for iPhones.

Apple’s Response and New Security Mechanisms

Apple’s rebuttals to the DMA underscores its apprehensions regarding user security, advocating for a cautious approach to marketplace democratization. Apple has introduced a suite of new security features, including Notarization for iOS apps, mandatory authorizations for marketplace developers, and transparent disclosures on alternative payments. At best, however, these measures only offer partial mitigation of the risks third-party app stores represent while at the same time ensuring that Apple can recoup some of the monetary losses they are sure to suffer as their hold on the app ecosystem loosens.

Implications for Enterprises Making Apps for Their Customers

The DMA has the potential to introduce new risks for enterprises developing apps, particularly the increased risk of trojans and app cloning. To counteract this, enterprises should adopt more robust application-based security strategies, including integrating security–specifically App Hardening–into the Software Development lifecycle.

App Hardening includes providing a means to detect if/when applications are run in unsafe environments as well as preventing threat actors from modifying and re-publishing altered applications. It also includes protections such as signature Verification and code integrity checks, which can be used to stop those modified applications from being used to prey on end users who’ve unwittingly stumbled across them in a third-party app store. Additionally, enterprises can integrate monitoring capabilities into their apps to oversee threats to the app post-deployment. Finally, Runtime Application Self-Protection (RASP) mechanisms can empower apps to autonomously neutralize threats when operated in unsafe environments or with altered code, thus preserving app integrity in the increasingly complex market landscape.

Conclusion

The DMA attempts to open “walled garden” ecosystems to benefit consumer end users. With those efforts come risks, and those risks embody the nuanced balance required between freedom and security in the digital age. As the act reshapes the future of app stores and the broader digital market, enterprises creating apps for the iPhone will need to take greater responsibility for the security of their apps. While Apple’s responsive security measures provide a framework for maintaining user safety, enterprises must also embrace comprehensive protective strategies to navigate this new era successfully. This shift will fundamentally require organizations to adopt more shift-left strategies toward security. Shipping iOS applications in this new environment without comprehensive Application Hardening, including protections against reverse engineering, will now be more dangerous than ever.