Apple today published a whitepaper [PDF] detailing the privacy and security protections that it is implementing in the European Union to keep users as safe as possible while also complying with the requirements of the Digital Markets Act.
As a recap, with the upcoming iOS 17.4 update, iPhone users in the European Union will be able to install apps through alternative app marketplaces rather than the App Store. Several companies are working on marketplaces, with Setapp and Epic Games confirming plans to offer an App Store alternative.
Apps installed through marketplaces are essentially "sideloaded" and are not subject to the standard App Store review process. In an effort to minimize the risk of malware and fraud, Apple has implemented a Notarization process that app marketplaces and the apps sold through those marketplaces must submit to.
Notarization includes both an automated scan and human review to ensure that apps do not contain malware, function as advertised, and do not engage in "egregious fraud" attempts. An app can't be installed on an iPhone using sideloading unless it is signed by Apple through Notarization, and Apple is requiring developers to have a Developer account and provide legitimate details like name, address, and phone number. Apps will need to explain why they need access to sensitive data like the microphone, camera, Face ID, health data, and more, and user consent will also be required for these functions to work after an app is installed.
What Notarization won't do is look at the content of apps. Apps installed through alternative marketplaces can have adult content, copyrighted content, drug-related content, and other features that would not be allowed in the App Store. Apple will attempt to stop apps that impersonate other apps or that have undocumented features, but the company warns that sideloaded apps will not be as secure as those installed through the App Store.
Alternative app marketplaces need to adhere to baseline criteria that requires them to commit to monitoring for and removing malicious apps and providing support to users. Refunds, for example, will need to be provided by the app marketplace because marketplaces use alternative payment methods rather than in-app purchases. Alternative payment methods are also accepted in App Store apps under the DMA.
European users who install an app outside of the App Store will be presented with an app installation sheet that provides the app name, developer name, app description, screenshots, and ratings. Sheets can be turned off for a marketplace in the Settings app, and they also disappear if a marketplace is set as the default store.
Similar disclosures are also offered up for apps that use alternative payment methods. Apple provides warnings that features like easy subscription cancelation and Ask to Buy are not available, and that there is no protection from predatory pricing.
Apple says that it has received numerous emails from European users and government agencies that are concerned with the risks of alternative app marketplaces, and Apple promises to "work tirelessly" to protect users "to the extent possible under the law." There is no way for users to opt out of the DMA changes, and Apple suggests that some people may have to use alternative apps against their will. Employers and schools may require an app that is only available through a marketplace, for example.
Much of Apple's whitepaper walks through the risks that iPhone users will need to contend with and the work that alternative app marketplace operators will need to do in order to keep users safe.
Notably, Apple says that the changes that it is making have been discussed with the European Commission, and there have been no concerns raised. The DMA does recognize the privacy risks associated with alternative app marketplaces, and Apple says it is aiming to do what it can to protect and educate users under the new guidelines.
iPhone owners in the European Union who have additional concerns about alternative app marketplaces can read through Apple's full PDF to get a complete picture of the security and safety protections that Apple has put in place and the risks that still remain.
Top Rated Comments
Side-loading isn't bad. Competition (different stores) isn't bad... unless you're an AAPL shareholder, of course.
Why do we need a "whitepaper" for a basic feature that every other popular modern OS supports (excluding iPadOS lol) ?
Nice try Apple.
Yes, we all have survived with the PC/Mac app procurement model but does that mean it is the best or that other types of models shouldn't exist? Personally, I wish the walled garden extended to the Mac.
Millions of businesses across the world use Windows, pretty much every server runs Linux and Android smartphones which "sideload" apps. The actual feature and functionality of it is not the problem and iOS/iPadOS should implement it worldwide.
Apple is just scared and desperately trying to not lose money.
You're also ignoring the fact that even Google/Android inform their users of the risks of side loading, and Google even recently issued a statement advising users to NOT side load because of those risks. If I remember correctly, Google is even testing BLOCKING downloads of apps, even if you confirm on the verification that you actually want to download that side loaded app. While the EU is forcing Apple to be more open like Google, Google is trying to impose limits like Apple does. Gee, maybe the ecosystem that allows it actually thinks it's not that great of a thing! Why else would they be trying to reign it in? Multiple stories about users getting scammed spring to mind.
Apple informing the user base of the risks of side loading isn't any different than what Google does. Save your fake outrage for something where it's actually warranted.
I trust business to make critical decisions on privacy and safety in tech much more than I trust Government to make those decisions; or at least I trust Apple more than I trust the EU.
I would like Apple to allow me to close off Alternate App stores on my child's devices.
I appreciate those of you who want to live in an open os ecosystem.
But why do you insist on taking my choice away? Why do you empower governments to make these choices?