
Apple Lays Out Security Plan for Third-Party App Stores on the iPhone

Apple publishes a white paper explaining its system for vetting apps installed from other app stores in the EU.

David Lumb Mobile Reporter

Apple's upcoming iOS 17.4 iPhone update will bring a huge change for a subset of iPhone owners. For the first time, Apple is allowing users in Europe to download third-party app stores and install apps from sources other than the company's official App Store. 

But that change comes with some heavy security risks, as Apple highlights in a new white paper that outlines its plan for vetting these apps through a new procedure known as Notarization for iOS.

Apple is permitting third-party apps to be installed on the iPhone in Europe to comply with the European Union's 2022 Digital Markets Act, or the DMA, which is meant to enforce fair and open competition in the tech sector. The company has also come under increased pressure to open iOS to alternate app stores in recent years following its high-profile legal battle with gaming giant Epic Games. The Fortnite maker sued Apple and Google over their respective app store policies that take up to 30% of the money made from purchases that take place in apps and through app marketplaces.


Apple has long argued that its App Store policies keep its users safe from malware and other digital threats. The new white paper reiterates that position while introducing guardrails, like the new Notarization for iOS vetting process, meant to protect iPhone users downloading external apps.

The program uses automated and human reviews to check that a third-party app is "free of known malware and other security threats, generally functions as advertised, and doesn't expose users to egregious fraud," according to the white paper's description. The review also applies to every app update, to prevent bad actors from slipping in malware later on. It's an extension of the Notarization process Apple uses for its Mac software.

Notarization won't be nearly as robust as the "nutrition label" of information in an App Store listing, since it notably lacks disclosures on content and in-app purchases. But it'll still give users more context about an app by providing them with descriptions and screenshots before they install it. If the app has been flagged for malware, Apple will strongly warn users before they launch it.

Anyone making a third-party app for iPhones will still have to sign up for the Apple Developer Program, which includes registering a legal name, phone number and address. In some cases, Apple will ask for further proof of identity, such as a government identification number. 

Those joining the developer program must sign a license agreement requiring them to abide by local laws and avoid fraud. The policy also requires that their apps don't spam or otherwise abuse users. If they violate the agreement, Apple terminates it and the app is blocked (though the developer isn't). Apple noted that in 2022 the company terminated more than 400,000 App Store developer accounts for fraud and prevented creation of over 100,000 other fraudulent accounts.


Ultimately, there's only so much control Apple can exert outside the App Store. But the company has developed baseline criteria for alternative app marketplaces, which serve as guidelines to protect users. These include committing resources to monitoring for, and pruning, malicious apps and to offering customer support. In the white paper, Apple mentions how much effort it's made to maintain the App Store since it launched in 2008 and urges other storefronts to put in the same amount.

Though Apple will let developers accept payments outside the App Store, the company warns users that its financial protections won't apply. These include easy subscription cancellation, parental controls like Ask to Buy, and protections from getting charged a different amount than advertised. If users fall victim to predatory practices, "AppleCare agents will have limited (if any) ability to assist them," the white paper says.

While Apple's document includes its share of scare stories for users and developers, including a warning that alternative app marketplaces could host pirated apps that steal the work of honest developers, it's also an acknowledgment that the EU's new DMA regulations are changing the rules of app access on mobile devices. But it's worth noting that it's in Apple's interest to keep people within the App Store, given that it's a key part of Apple's lucrative services business. It's unclear when or if other regions will get access to non-App Store apps, but this system provides a blueprint Apple could apply elsewhere.