Apple fair: alternative app stores coming to iOS

With the EU’s Digital Markets Act having come into effect just days ago, both alternative app stores and true third-party browsers are set to appear on iPhones. How will this affect security, and what are iOS users losing?

Third-party app stores are coming to iOS: should we brace for new threats?

iOS has been a mostly impenetrable fortress throughout the full 17 years of its existence. Users only had access to apps and functions if Apple allowed them to. But now the U.S. company has had to yield to market and regulatory pressure by changing the status quo. As of March 6, when the EU’s Digital Markets Act (DMA) came into effect, the new iOS version (17.4) now allows installing alternative marketplaces and third-party browsers on the iPhone — but only by EU users. At the same time, certain familiar features, such as progressive web apps (PWAs) running in the browser and added as icons to the home screen, will disappear. What new capabilities and threats does this bring to users?

How to install an alternative app store

To ensure fair competition, regulators have required Apple to allow third-party app marketplaces on iPhones. The user will be able to go to an alternative app store’s website, tap install (that is, install the… app-store app!), and after explicitly confirming their intention, install the app-store app on their device. It can then be used instead of Apple’s App Store or alongside it.

It’s still unclear what these alternative app-stores will contain, or who would want to open one. What matters is that these stores won’t be required to observe all of Apple’s rules, so they’re expected to offer services and technology previously restricted by Apple — most notably payments outside the App Store. Epic Games, a principal lobbyist behind the legal case along with Spotify, will likely want to open an app marketplace, although the latest episode of the Apple vs. Epic Games tug-of-war suggests this might be a long time coming.

Importantly, Apple appears bent on preventing anarchy: to register an app marketplace, a creator has to pass screening and provide a €1 million standby letter of credit. Uploading different versions of the same app to the both App Store and alternative stores is prohibited: if a developer wants to publish its app in every store it must be identical. Finally, all applications will need to pass “notarization” with Apple. If the process proves identical to macOS notarization, rather than a manual review this will likely involve Apple running an automated scan for malware and checking compliance with certain technical recommendations.

Security implications: iOS will see more malware. Apple will continue to partially regulate the installation of third-party apps: you won’t be able to just tap a button in the settings and install an unknown app from a shady website as you can on Android. That said, the automated scanning process designed by the Cupertino engineers for third-party app marketplaces will be even easier to fool than the App Store’s human moderators. This means the quantity and variety of malware on iOS will likely increase.

Besides obvious malware, Apple is reasonably concerned about the higher risk of apps appearing with scam content and non-transparent payment schemes. These aren’t the kind of issues that can be detected with automated scanning.

Unfortunately, the new rules do nothing to help with bringing Android-style operating-system-level antivirus and security solutions to iOS, as the latter is still missing the required functionality for such a thing. Therefore, we recommend carefully considering before installing third-party app stores and downloading from these. It’s likely safe to install a marketplace created by a large company to get a famed game with tens of millions of downloads. However, the advice to stay vigilant that we gave to Android users earlier now also becomes relevant for European iOS users. As a reminder, malware downloads from Google Play exceeded 600 million last year.

Privacy implications: According to Apple, in-app tracking restrictions will apply to apps downloaded from third-party stores. However, the app privacy details, which developers fill out before uploading their apps to the App Store, may be less in-depth or even non-existent in other stores.

Parental control implications. Although screen-time limits will continue to work with any apps, restrictions on in-game or family purchases and app purchase requests requiring parental confirmation may function improperly or be absent in apps downloaded from alternative marketplaces.

Third-party browsers

Alternative browsers in iOS are nothing new, but before the DMA came into force they were merely skins that wrapped around Apple’s WebKit engine, which was the only option available for displaying Web content on iOS. Apple will now allow other engines — but only after they pass a special certification procedure. Truth be told, the browser engine situation on other platforms is no better, with nearly every “alternative” browser being based on Chromium code (Blink engine) maintained by Google. Mozilla’s Gecko, used in Firefox, has a notable market share, but that’s about as far as consumer options go.

Both Google and Mozilla have been seen preparing to launch Blink and Gecko on iOS, so it’s very likely that EU users will see full-fledged Firefox and Chrome browsers soon. When opening Safari for the first time — or a web page from any app — users in the EU will be able to choose a default browser.

Security implications: these are two-sided, as we expect some security improvements in some areas, and deterioration in others. In addition to known WebKit issues, there will be potential flaws in both Firefox and Chrome, and it remains to be seen how promptly these will be fixed by their respective developers. However, both of them have solid reputations when it comes to vulnerability patching. On the other hand, zero-day vulnerabilities in Apple software, including WebKit, were always the main vector for attacks on iPhones using spyware — both commercial like Pegasus, and targeted like Triangulation. Today, the developers behind these attacks know for sure that victims are using Safari/WebKit browsers. Tomorrow, the need to consider every browser option will make it more challenging to design and conduct these attacks.

Privacy implications: these depend on the alternative browser you choose. If Windows and macOS counterparts are any indication, switching to Firefox would likely improve the level of privacy or keep it at Safari levels, whereas using Chrome may result in reduced privacy, as suggested by these browsers’ anti-tracking tools and default settings.

Parental control impact: it’s still unclear how alternative browsers will protect kids from undesired content, but it seems that control will be technically more difficult to configure. Hence, we have doubts about its efficiency.

A noticeable loss

European users stand to both gain and lose from the DMA. Regarding the latter, to implement the functionality required for alternative browsers, Apple is completely dropping progressive web app support in the EU. Although these apps are essentially web pages, they’re hard to distinguish from full-fledged apps, as they can save content on the device, send notifications, and behave very similarly in other ways. Online stores, magazines, and restaurants usually choose PWAs for their apps. All these mini-apps, so easily added to the iPhone home screen, will no longer function in the EU the next time iOS is updated. Not every company that has packaged their apps as a PWA will have enough time to adapt to the change.

Third-party browser and app marketplace availability outside the EU

Apple has gone to great lengths to make sure the new functionality is only available within the region where it’s legally mandated — the European Union. Only users registered in one of the 27 EU member states will get the iOS 17.4 updates described here. Residents of other countries won’t be affected by the changes, so simply turning on a Dutch VPN or going to Cyprus on vacation won’t be enough to get the iOS updates in question. Furthermore, even EU residents who leave the territory of the Union for more than 30 days will lose access to app updates from third-party marketplaces until they return.