Apple has been forced by the EU to allow app purchases and installs without the App Store. The effort to enable the capabilities as securely as possible has been massive. The details continue to evolve based on developer and regulatory feedback, and many more changes for EU customers are planned over the next year. Still, Apple continues to express concern that the Digital Markets Act that enforces all these changes could come at a cost.
Perhaps the clearest expression of that concern comes from Gary Davis, Apple’s Data Protection Officer. In an interview with iCulture, Davis summarizes his view of DMA risks. In short, the view is that it could be cheaper to target iPhone users who use non-Apple payment methods and marketplaces.
What we are concerned about and what can also be read in the whitepaper is that the “costs” for an attack on iOS could decrease. That’s because of these new potential ways to attack users. This can be done via alternative marketplaces or alternative payment methods. It’s possible we’ll see attacks we’ve never seen before. The costs of developing an iOS exploit are still very high. Our team at the Security Lab is trying to make those costs higher and higher so that it isn’t worth it for attackers to target iOS.
That is something we are concerned about at the moment. We just don’t know how it will develop. That’s why we show people who download apps from these alternative sources a special screen with more information. Together with the notarization process, we hope that users will maintain the same confidence.
In the brief interview, Davis avoids commenting on the economic prospects of payment method and marketplace competition on the iPhone in the EU given that’s outside of his expertise.
I think this properly frames something about the DMA: regulation can be good for fostering competition while also being a step back for security. It’s a win-win for Apple to control the flow of cash and potential attack vectors. But the DMA doesn’t exist to satisfy Apple or strengthen platform security.
Perhaps the cost of the market competition regulation will be user security. Or maybe this will prove a non-issue, thanks largely to how Apple implements compliance. But it’s perfectly reasonable to fear the price for penetrating attack vectors is less now than before.