Organizations can expect mobile application security and mobile app privacy risks to intensify across Europe when the Digital Markets Act regulation takes effect in March. Users within Europe will be able to download mobile apps from outside the trusted mobile ecosystems of the Apple App Store and Google Play Store. While new third-party app stores may expand opportunities, these marketplaces will increase the threat landscape by providing additional avenues for cyberattackers to distribute malware, malicious code and intrusive mobile apps.
The European Union (EU), a political and economic group of 27 European countries, passed the Digital Markets Act (DMA) in 2022 to ensure fair digital markets. The DMA legislation aims to regulate the digital economy to address the dominance of technology titans such as Amazon, Apple, Google, Meta and Microsoft. One DMA provision mandates that tech companies support alternative mobile app marketplaces by March 7, 2024. That means Apple must open up the iPhone ecosystem to allow users in the EU to download and pay for mobile apps via third-party app distribution.
Security Implications of iOS 17.4
Sideloading apps refers to the process of installing a mobile app from a source other than the official app store associated with the mobile device platform of choice, such as Google Play for Android or Apple App Store for iOS. Potential reasons to do this include beta testing apps, accessing apps that aren’t available through official app stores or installing apps that have been removed or restricted by app store regulations. Sideloading provides greater access and flexibility but also creates significant mobile security risks that businesses and users need to be aware of.
Mobile app developers who seek third-party app distribution and organizations whose employees download mobile apps must exercise caution. Developers and security analysts should mitigate risk by performing thorough mobile application security testing prior to release and companies should perform thorough mobile app vetting to ensure mobile apps are safe for use.
In late January 2024, Apple announced several changes to iOS 17.4 to comply with the Digital Markets Act and support new options distributing iOS from alternative app marketplaces. However, the company noted that third-party app distribution and payment processing “open new avenues for malware, fraud and scams, illicit and harmful content, and other security and privacy threats.”
“The changes we’re announcing today comply with the Digital Markets Act’s requirements in the European Union, while helping to protect EU users from the unavoidable increased privacy and security threats this regulation brings,” said Apple Fellow Phil Schiller. “Inevitably, the new options for developers’ EU apps create new risks to Apple users and their devices.”
To reduce risk, Apple will institute the following safeguards for iOS 17.4 or later beginning in March:
- Notarization for iOS apps — baseline review for all apps focused on platform integrity and protecting users
- App installation sheets — provide at-a-glance descriptions of apps and their functionality before download
- Authorization for marketplace developers — commit to ongoing requirements to protect users and developers
- Additional malware protections — prevent apps from launching after installation if they contain malware.
Despite steps by Apple, Google and others to mitigate risk, some will remain. “While I’m thrilled at the prospect of increased interoperability as well as opportunities for developers to control their own app marketplace, I have grave concerns around the impact this will have on mobile security and privacy,” said Michael Krueger, NowSecure Senior Director of Application Security. “The introduction of the DMA, while done for the right reasons, is likely to result in an increase in reports of malware, fraud, privacy compromise and more as these tightly controlled ecosystems open to outside influence. Proactive mobile app security testing is now more important than ever and user vigilance is a key component of that.”
Tips for Strengthening Mobile Security
The DMA increases cybersecurity risk from alternate third-party app stores and payment processing methods that pop up. And that risk extends to the new app marketplaces which will find their digital storefronts under attack. The looming March 7 compliance requirements deadline underscores the imperative of ensuring your organization has strong mobile application security and privacy practices to counter threats and safeguard sensitive information.
Whether you publish a mobile app in the EU region and have employees in the continent or not, mobile app developers and security analysts should implement the following preventative measures to reduce mobile application security risk:
- Integrate mobile application security testing into the dev pipeline to test each and every build prior to release to find and fix security vulnerabilities faster. Attackers could exploit security and privacy issues to harvest swaths of sensitive data or intellectual property or perform code tampering for nefarious purposes. NowSecure Platform applies a mix of testing technology (SAST/DAST/IAST and API testing) and includes policy-based controls and remediation resources.
- Carefully consider where to publish mobile apps if you pursue third-party distribution outside of official app stores. Apple and Google have added many defenses to protect consumers and provide transparency around user privacy rights.
For example, Google Play apps include Data Safety information that details data collection practices and also offer optional App Defense Alliance (ADA) Mobile Application Security Assessment (MASA) independent security review to ensure apps meet basic industry-standard security requirements. Apple requires developers to complete Privacy Nutrition Labels that cover data used to track users, data linked to users and data not linked to them. In spring 2024, Apple compliance requirements will include iOS developer completion of a privacy manifest for any mobile apps that have the potential to be misused for fingerprinting. - Perform mobile app vetting to assess the security and privacy of apps that employees use to determine if they are safe and proactively manage the mobile app portfolio. Implement mobile application management technology to manage the risk of sideloaded apps.
- Alternative app stores must earn the trust of consumers and mobile app makers alike by establishing clear mobile security and privacy practices to safeguard their personal data and brands. Consumers will abandon any digital marketplaces that don’t look out for their safety. Third-party distribution channels will need to perform mobile application security testing and checks to root out dangerous code and ensure their commercial survival.
While the DMA heralds a new era of digital market regulation in the EU, organizations will face challenges in properly securing a broad new mobile app landscape. Mobile application security testing and mobile app vetting are imperative to maintaining brand reputation and fostering a safe, secure and privacy-focused digital ecosystem for all
