
Sideloaded iPhone malware is back on the table, and you can blame the European Commission 

Published Mar 19th, 2024 10:22AM EDT


After Apple announced the various changes it’s ready to make to the iPhone so it can comply with the European Union’s Digital Markets Act (DMA), I said that I was no longer worried about sideloading malware on iPhone. The theoretical risk remained, of course. But it looked like Apple had instituted plenty of robust checks and requirements to enforce security and accountability.

To put it briefly, Apple would still make basic app reviews (notarization) mandatory, and only verified third-party marketplaces would be able to offer apps that could be sideloaded.

Then, Apple changed its DMA requirements in response to feedback from the European Commission (EC). Now, any developer can make their iPhone apps available for download from any website. Of note, the notarization requirement is still in place.

But it turns out the EC is really determined to extract more concessions from Apple, including the removal of the notarization process for apps distributed through third-party sources. Rather than Apple aiding with malware prevention, it’ll be the EC’s job to ensure that users are safe. Apparently, that’s one of the conclusions from an Apple DMA Workshop that the EC held.

Spotted by John Gruber of Daring Fireball, the app notarization detail comes from a live blog of the workshop on X.

Kay Jebelli covered the event via a series of tweets, but you can’t rewatch it because it’s password-protected. That sounds about right for something related to the DMA and the openness it aims to facilitate. Also, it’s a 9-hour workshop.

Here’s the detail concerning app notarization:

Interesting detail: the EC told Apple that they aren’t allowed to notarize apps to protect users. So “government authorities are the ones that are going to have to step up to protect” app developers and users from the risks of these 3rd-party apps.

If this is correct, Apple will have to change its DMA compliance policies again. The absence of notarization means third-party apps won’t even get the soft app review treatment. Notarization would cover anti-malware and anti-phishing security checks. It also means some people will be able to pirate popular apps, or just clone them.

That’s not the only security protection against sideloading malware on iPhone, of course. Apple still has requirements in place for companies that want to host app marketplaces and developers looking to distribute their apps via their own websites.

Without the extra protection of the notarization process, the risk of installing malware on iPhones increases. Sure, notarization is another form of app review, which is something the EC wants to get rid of. And yes, the App Store can host bad apps occasionally; we’ve seen that happen. However, it appears as though the DMA will dramatically increase the risk of malicious apps attacking iPhone users.

If the EC plans to enforce the protections of iPhone (and Android) users against sideloading mobile apps, well, good luck with that. I can’t wait to see how that goes down.

I said this before, and I’ll say it every time sideloading comes up. The smartphone isn’t like a computer. Not all iPhone/Android users also own PCs. There are people who wouldn’t even know how to install apps on a computer, but they do it on iPhones and Androids, and they trust their handsets implicitly.

Moreover, smartphones hold more personal information than any other type of computer. It’s no wonder hackers want to get into smartphones, iPhone included.

I’m not worried about these issues for myself since I already know I’ll never enable sideloading on my iPhone. But I do worry for some of my friends and family who aren’t as tech-savvy.

That said, we’ll still have to wait and see whether Apple makes any changes to its DMA provisions, and whether the app notarization requirement will end up being removed.

Chris Smith Senior Writer

Chris Smith has been covering consumer electronics ever since the iPhone revolutionized the industry in 2008. When he’s not writing about the most recent tech news for BGR, he brings his entertainment expertise to Marvel’s Cinematic Universe and other blockbuster franchises.

Outside of work, you’ll catch him streaming almost every new movie and TV show release as soon as it's available.