A timeline of the DMA and iOS 17.4 sideloading saga

Apple’s tight control over the iOS app ecosystem has long been seen as a security strength, but the organization now faces a significant challenge from the European Union’s Digital Markets Act (DMA). The DMA requires Apple to allow sideloading from third-party sources. Of course, it only applies to iOS devices sold in the EU. While it’s a welcome move by many, it could also undermine the platform’s perceived security advantages. 

As sideloading becomes a reality with iOS 17.4, concerns are mounting over the threat of repackaging attacks, malware, and other risks that Apple’s strict app review process was designed to mitigate. And rightly so, we’ve already discovered that the majority of iOS apps are vulnerable to repackaging attacks  —  and that was before the tech giant released iOS 17.4.

Sideloading refers to installing mobile apps from sources other than official app stores like Google Play or Apple’s App Store. While it offers users more freedom to access restricted apps, beta versions, and exercise choices over their devices, it also comes with significant security risks. For example:

• Increased risk of users installing fake or repackaged apps with malicious intent posing as legitimate ones as seen with the fake LastPass app.
• Lack of scrutiny and vetting compared to official app stores, making it easier for malicious actors to distribute malware.
• Sideloaded apps may pose data privacy risks due to varying privacy policies and alternative app store guidelines.

Sideloading has long been a subject of debate in mobile security. Apple has historically maintained a closed ecosystem, allowing only apps approved and distributed through the App Store to be installed on iOS devices. These measures have proven to be a key competitive advantage, and allowed  Apple to maintain a strong grip on its platform. This approach has contributed to the perception that iOS is more secure than Android, which has always allowed sideloading.

That was then. Now, the DMA, which went into effect for gatekeepers on March 7th, 2024 has disrupted the status quo. The act aims to level the playing field for digital services by imposing rules and obligations on large online organizations, known as “gatekeepers”.  Apple — along with Alphabet, Amazon, ByteDance, Meta, and Microsoft — has been designated as a gatekeeper under the DMA.

So, what did the Act change? Well, one of the changes Apple had to implement is to allow sideloading on iOS devices in the EU. With the release of iOS 17.4 in March 2024, users in the EU can download and install apps from sources other than the App Store, potentially impacting iOS app security.

The “iOS vs. Android security” debate

The perception that iOS is more secure than Android has been fueled by Apple’s closed ecosystem and strict app review process. However, the results of our latest App Threat Report, which analyzed the top iOS mobile apps, reveal a concerning reality: Over 90% are vulnerable to repackaging attacks.

Repackaging attacks involve an attacker obtaining a copy of an app, modifying it, then repackaging it into a new version with modified behavior that can successfully run on a device. These attacks pose severe risks, including intellectual property theft, revenue loss, exposure to malicious code, and damage to the original developer’s brand and reputation.

How did we do it? We tested 100 of the world’s most downloaded iOS apps, with a combined download count of over 4.7 billion in the past year alone, and generating nearly $11 billion in annual revenue. The testing process involved decrypting the apps, repackaging them with a custom framework, and observing if the repackaged apps would run without crashing for at least 30 seconds. 

The results showed 93 of the 100 tested apps ran successfully after being repackaged, indicating a lack of adequate protection against this type of attack. Only 7% of the apps exhibited potential signs of detecting the repackaging attempt, by either crashing or failing to run.

These findings, combined with the introduction of sideloading on iOS devices in the EU, challenge the long-held belief that iOS is inherently more secure than Android. While Apple has implemented safeguards such as app notarization and authorization for marketplace developers, the organization acknowledges that many risks remain, including potential exposure to malware, scams, fraud, and illicit or harmful content.

According to Apple, notarization is a  combination of automated checks and human review to ensure the apps are free from malware and other security threats. Another measure is the authorization process for marketplace developers. It’s basically a vetting system for third-party app stores or payment processors that want to integrate with iOS. The point, of course, is to maintain a certain level of security and quality control.

How the DMA is changing the mobile app economy

To get a clearer picture of how the DMA has affected Apple and its implications on iOS security, here’s a timeline of key events:

1 November 2022: The DMA is introduced

The Digital Markets Act was officially introduced, setting the stage for increased competition and regulation in the digital market, particularly for large online platforms or “gatekeepers.” This marked the beginning of a significant shift in the way these platforms would need to operate and comply with new rules and obligations.

6 September 2023: The European Commission designates six gatekeepers

The European Commission designated Alphabet, Amazon, Apple, ByteDance, Meta, and Microsoft as gatekeepers under the DMA, subjecting them to specific obligations and rules. This designation was a crucial step in identifying the companies that would be required to comply with the DMA’s provisions.

25 January 2024: Apple announces changes to iOS, Safari, and the App Store in the EU

In a pivotal announcement, Apple unveiled significant changes to iOS, Safari, and the App Store to comply with the DMA’s requirements in the EU. These changes included new options for app distribution, alternative payment processing, and functionality for alternative browser engines. Notably, Apple announced the introduction of sideloading capabilities for iOS devices in the EU, allowing users to download and install apps from sources other than the App Store. To mitigate the risks associated with sideloading, Apple introduced several safeguards, including app notarization, authorization for marketplace developers, and disclosures on alternative payment processing.

1 March 2024: Apple releases a whitepaper on its efforts to comply with the DMA

Ahead of the DMA’s enforcement date, Apple shared a whitepaper outlining its efforts to comply with the DMA’s requirements. The whitepaper provided detailed information on the new changes, including the specific safeguards and protections implemented to mitigate the risks associated with sideloading and other DMA-mandated changes. Apple emphasized its commitment to delivering the best, most secure experience possible for EU users, while acknowledging the increased privacy and security threats brought about by the DMA’s regulations.

5 March 2024: Apple releases iOS 17.4, with most changes only affecting users in the EU

As promised, Apple released iOS 17.4, which included the changes announced in January to comply with the DMA. However, these changes were limited to users in the 27 EU countries, in line with the geographical scope of the DMA’s enforcement.

7 March 2024: The DMA comes into force for gatekeepers

The DMA’s obligations and rules become enforceable for the gatekeepers, including Apple.

25 March 2024: The European Commission opens non-compliance investigations against Apple, Meta, and Alphabet

A few weeks after the DMA’s enforcement date, the European Commission opened non-compliance investigations against Apple, Meta, and Alphabet, expressing concerns about the effectiveness of their measures to comply with the DMA’s obligations. Specifically, the Commission raised concerns about Apple’s measures to enable users to easily uninstall apps, change default settings, and select alternative default services like browsers or search engines. 

The future: Could the DMA inspire similar regulatory measures worldwide?

While the DMA’s impact is currently limited to the EU, could other regions adopt similar regulatory measures? 

Reports indicate that countries like Japan, Britain, Mexico, South Korea, Australia, Brazil, and India are in the process of formulating regulations similar to the Digital Markets Act to curb the dominance of tech firms in digital marketplaces.

The DMA’s approach to regulating gatekeepers and mandating changes has garnered significant attention globally. Policymakers and regulators in other jurisdictions may view the DMA as a blueprint for addressing perceived anticompetitive practices and promoting consumer choice in their respective markets. 

If sideloading becomes more widespread due to regulatory changes inspired by the DMA, it could have far-reaching implications for iOS app security and the perception of the platform’s safety. The increased competition and fragmentation in app distribution channels could create additional complexities for developers, who may need to navigate multiple app store ecosystems, each with its own set of rules, guidelines, and security requirements.

Developers and security researchers may need to adapt their strategies and techniques to address the unique challenges posed by sideloading and the potential influx of apps from untrusted sources across multiple regions.