Malware risk and application notarization

After Apple announced the various changes it was willing to make to the iPhone in order to comply with the European Union’s Digital Markets Act (DMA), I said I was no longer worried about sideloading malware onto the iPhone. The theoretical risk, of course, remained. But Apple seemed to put in place a lot of strict checks and requirements to enforce security and accountability.

In short, Apple would still mandate basic app reviews (notarization), and only verified third-party marketplaces would be able to offer sideloadable apps.

Then Apple changed its DMA requirements in response to feedback from the European Commission (EC). Now any developer can make their iPhone apps available for download from any website. It should be noted that the obligation to notarize is still in force.

But it appears that the European Commission is indeed determined to extract more concessions from Apple, including removing the notarization process for apps distributed through third-party sources. Instead of Apple helping to prevent malware, it would be the EC's job to ensure user safety. Apparently, this is one of the conclusions of the Apple DMA workshop held by the EC.

Spotted by John Gruber of Daring Fireball, the details about app notarization come from a live blog of the workshop on X.

Jebelli covered the event via a series of tweets, but you can't watch it again because the recording is password protected. That sounds about right for something related to the DMA and the openness it aims to enable. Also, it is a 9-hour workshop.

Here are the details about app notarization:

Interesting detail: The EC told Apple that it is not allowed to notarize apps in order to protect users. So, "government authorities will have to act to protect" app developers and users from the risks of these third-party apps.

If this is true, Apple will have to change its DMA compliance rules again. The lack of notarization means that third-party apps will not even receive a basic app review. Notarization would cover security checks against malware and identity theft. This also means that some people will be able to pirate popular apps or simply clone them.

Of course, this is not the only security protection against sideloading malware on the iPhone. Apple still has requirements for companies that want to host app marketplaces and developers that want to distribute their apps through their own websites.

Without the added protection of the notarization process, the risk of installing malicious software on the iPhone increases. Of course, notarization is itself a form of app review, which the EC wants to get rid of. And yes, the App Store can occasionally host bad apps; we've seen it happen. However, it appears that the DMA will dramatically increase the risk of malicious app attacks on iPhone users.

If the European Commission plans to introduce protections for iPhone (and Android) users from sideloading mobile apps, good luck with that. I can’t wait to see how it goes.

I’ve said it before and I’ll say it every time sideloading comes up. A smartphone is not like a computer. Not all iPhone/Android users own computers. There are people who don’t even know how to install applications on a computer, but they do it on iPhones and Androids, and they trust their mobile phones unconditionally.

Moreover, smartphones contain more personal data than any other type of computer. It’s no wonder hackers want to get into smartphones, including the iPhone.

I don’t worry about these issues because I already know that I will never enable sideloading on my iPhone. But I worry about some of my friends and family who aren’t that tech savvy.

Still, we'll have to wait and see whether Apple makes any changes to its DMA provisions and whether the app notarization requirement is eventually removed.
