EU Says Apple Isn’t Allowed to Protect iPhone Users from Malware

EU Flag Waving Outside European Parliament Credit: symbiot / Shutterstock

During a compliance workshop on its new Digital Markets Act, the European Commission reportedly told Apple that its decision to notarize apps to protect users could run afoul of the new legislation since it’s the government’s job to protect iPhone users from malware and other threats, not Apple’s.

Over the past few weeks, Apple has been gradually relaxing its app distribution policies in the European Union in response to the DMA forcing it to open things up to wider competition and, most significantly, sideloading of apps via third-party app marketplaces.

Even though Apple has taken a relatively conservative approach to the EU’s Digital Markets Act (DMA), the changes are unprecedented in the history of the App Store. A late January announcement revealed that Apple would begin allowing third-party “alternative app marketplaces” in iOS 17.4 — albeit only for users in the 27 EU countries — relaxing its fee structures and some of its rules in the process.

Apple also opened the door to full alternative web browsers and unlocked the iPhone’s NFC hardware to permit third-party apps to access it for payments. The first means browsers like Chrome can use their own rendering engines rather than simply being wrappers for Apple’s WebKit, and the second lets banks and other financial institutions bypass Apple Pay in favor of their own wallet apps. In other words, Google Wallet could someday come to the iPhone.

Nevertheless, Apple’s measured approach also means the company has had to course-correct a few times as it seemingly discovered that its interpretations of the DMA might not align with those of the European Commission.

For example, the rules allowing third-party browser engines initially led Apple to believe it would have to eliminate Home Screen web apps or be faulted for favoring its own Safari browser over competing alternatives. After what we can only assume was a closer examination of the DMA, Apple reversed course on that policy earlier this month, suggesting that it didn’t need to be as strict in that area as it had thought at first reading.

On the flip side, it appears Apple is being forced to open up broader sideloading than it thought necessary. A new policy will allow developers to distribute apps directly from their own websites later this spring (likely in iOS 17.5). No reason was given for the change, but it stands to reason that it’s another scenario where Apple either realized or was told behind the scenes that forcing distribution through app marketplaces wasn’t going to fly.

Notarization Could Be a No-Go

Now, it looks like Apple may also be forced to adjust its notarization policies.

Since the advent of the App Store in 2008, Apple has always required apps distributed onto its devices to be “signed” or “notarized” with a digital certificate issued by Apple. iOS won’t launch apps that lack a proper signature.

When Apple announced its big European changes, one of the things it wasn’t about to give up on was this notarization requirement. Although the company promised to use a much lighter hand on censoring apps for content, it still insisted on vetting all apps distributed through alternative app marketplaces to ensure that they worked as advertised and were free of any malware, obvious scams, or anything that might cause security problems for iPhone users.

However, during this week’s compliance workshop, the European Commission seemingly took a dim view of that strategy, telling Apple that it’s not allowed to notarize apps to protect users. Instead, the EC maintains that it’s the government’s job to ensure that its citizens don’t fall prey to malware and digital scams — because, you know, they’ve been doing such a great job of it so far.

As noted by Daring Fireball’s John Gruber, the workshop itself is a nine-hour affair locked behind a password, but computer engineer and competition lawyer Kay Jebelli followed along and provided his followers with a play-by-play on Twitter/X.

While Jebelli didn’t elaborate much further, Gruber summarizes what this sounds like rather concisely:

“In other words, the EC has a problem with Apple doing any vetting whatsoever on apps distributed outside the App Store. The EC will take care of making sure malware, phishing, scams, clones, IP rip-offs, and pirated apps aren’t getting through.”
John Gruber

The position isn’t particularly surprising for those who have followed the thinking of European regulators. Some have argued that the entire DMA is based on the notion that the European Commission knows how to run the iPhone business far better than Apple does. Indeed, previous comments have hinted at this, such as a 2022 interview with France’s then-outgoing Minister of State for Digital, Cédric O, who referred to Apple’s control of the App Store as an “aberration to democracy.”

The argument goes that it’s up to “democratically elected governments” to decide what apps users should be able to install on their mobile phones and not a company (and especially not an American company).

It remains to be seen if this will force Apple to adjust any of its policies. However, the comment Jebelli cites suggests that the EC doesn’t necessarily care if Apple notarizes apps; it just can’t use “protecting users” as a reason for doing so. If so, Apple can likely find some wiggle room to still enforce the notarization of apps for other reasons that European regulators will find more palatable — or at least won’t be able to argue against successfully.
