DMA Cracking Open iOS Walled Garden for Alternative App Stores: What it means for iOS Security?

Sep 6, 2024 | 5 min read


There are a few instances where you would hear an authority figure claim ‘security for your own good’ as an acceptable excuse for their strict rules: an overbearing parent to their child or government regulations to their citizens.
Would it be a stretch to apply this to Apple and their users?

Apple’s tightly controlled ecosystem for its iOS platform has long been defended as essential for maintaining security, privacy and a seamless user experience. They made a choice to put users at the forefront, and while this may have worked in their favor with their branding and growing fanbase, it has also invited critics and legislators to question Apple’s motivations for keeping everything and everyone locked in their ecosystem.

What is Apple’s iOS ‘walled garden’?

The ‘walled garden’ analogy best describes the iOS ecosystem as Apple has slowly ensured that when users begin with one Apple device, they would eventually move on to use only their products and nothing else. It’s more than just the device, it’s also the apps and software products: iMessage, FaceTime, Apple Wallet, just to name a few.

In keeping everything within the walls of their garden, a user would find a lot of friction if they were to take an Apple product outside of the garden. Similarly, if you were to bring a third-party app (or an app that had not been approved by Apple) into the garden, Apple has stringent rules on its compatibility with iOS. By creating seamlessness between their products — such as Apple Health with the Apple Watch, or Apple Wallet with the App Store — Apple leaves users hard-pressed to find a reason to move away from this convenience.

Once users are embedded into Apple’s ‘walled garden’, app developers and programmers are presented with a market, with the App Store as the marketplace they would need to get their apps to users. Launched in 2008, Apple had set a precedent that they would receive a 30% commission on every app sold. They, however, did not consider the reactive nature they would be forced to adopt when it came to their policies, resulting in a patchy and convoluted framework for their other stakeholders — app developers and governmental regulators.

The Digital Markets Act Cracking Open the iOS Walled Garden

Enter the Digital Markets Act (DMA) and its aim to promote contestability and fairness in European markets. From the outset it has imposed obligations that Apple must comply with, and the tech giant has responded with amendments to their commission fee structures and regulations. One of those changes is the AdAttributionKit (AAK), a solution advertisers can use to support alternative app marketplaces.

In another of its responses to the DMA’s new regulations, Apple is conceding to opening the App Store to third-party app stores and payment processors, but with a caveat: it intends to split its App Store in two, separating the EU from the rest of the world. That is, it will have one store in the EU, where it will allow third-party app stores and payments, and another where things will remain as they always have with third parties. In other words, they’ve only opened a portion of their ‘walled garden’ within the geotags of the EU.

Is It Really Safer within Apple’s ‘Walled Garden’?

While Apple has positioned iOS as one of the more secure operating systems in the market, this does not mean it is completely immune to online threats in general. It also raises the question — are we only allowed to have one or the other? Security and privacy in exchange for the freedom to choose the apps you would have on your device?

Cybersecurity has become a bigger point of contention for users over the years. Despite branding that has made Apple synonymous with security, this does not keep them completely immune from all risks. Apple’s iOS is not completely ironclad, and like any device connected to the cloud or the world wide web, it is prone to malware or malicious code that could ruin data or documents stored within your device or cloud. It is also exposed to ‘man-in-the-middle’ attacks, in which an Apple device’s traffic can be intercepted over an unsecured Wi-Fi network. Other security risks on iOS can include unauthorized access to personal information and financial data, and compromised user privacy.

Opening up parts of its ‘walled garden’ to third-party app stores and payment systems is not absolute for Apple, as new industry competitors are still required to meet Apple’s requirements, whether in the form of fees, app review policies, or privacy and security policies. At the end of the day, Apple still maintains an information, ecosystem and monetary advantage over its competitors through its current governing structures — collecting download data, in-app purchasing data and other data flows. And ultimately, this falls outside of the European Commission’s regulatory compliance.