
Changes coming to iOS App Store, browsers, and contactless payments in the EU


Apple has announced how it plans to open up some of its services in the European Union. The changes cover third-party app stores (which Apple calls “alternative app marketplaces”), the limitation on third-party browser engines, and access to the iPhone’s NFC feature for contactless payments. These changes are due to take effect as of March 2024, in the 27 EU countries, and will be included in iOS 17.4.

This change only affects the iPhone for now; the European Commission “has opened a market investigation to further assess whether Apple’s iPadOS should be designated as gatekeeper, despite not meeting the thresholds,” and should make a determination within 12 months.

Gatekeepers and Core Platform Services

The Digital Markets Act defines some tech companies as “gatekeepers.” These are companies that have a strong economic position, a strong intermediation position, or an entrenched and durable position in the market. Apple meets all three of these criteria, as do five other companies: Alphabet, Amazon, ByteDance, Meta, and Microsoft.


Not all of these companies’ activities are considered to be “core platform services,” the designation that makes them subject to these new rules. The EU is currently examining whether to consider Microsoft’s Bing, Edge, and Microsoft Advertising, and Apple’s iMessage as core platform services. So far, the EC has declared that some major services and products such as Gmail, Outlook.com, and Samsung Internet Browser are not core platform services.

The Safari browser’s forthcoming changes

Some of the changes are complex, but the change affecting the Safari web browser is simple. Apple has long allowed third-party browsers in its App Store, but these browsers have been required to use WebKit, the rendering engine that Apple uses for Safari. This means that, currently, if you install an alternate browser such as Chrome, Firefox, or Edge, this app is merely a skin on the same rendering engine that Safari uses. You may be able to sync your history, bookmarks, and passwords, but the way the browser displays pages is the same.

When an EU user launches Safari on iOS 17.4, they will be presented with a screen allowing them to choose a default browser from a list of options. This list includes the 12 most popular web browsers in the user’s country at the time, and displays in a random order. If the user chooses one of these browsers as default and doesn’t have it installed on their iPhone, they will have the option to download it immediately.

You have been able to change your default browser on iOS for some time, but the biggest change here is that the browser will be able to work differently. Some web browsers may be more efficient, but some may also use more battery and slow down iPhones. As Apple says, “apps that use alternative browser engines — other than Apple’s WebKit — may negatively affect the user experience, including impacts to system performance and battery life.”

Forthcoming changes to contactless payments

The second change is related to the NFC (near-field communication) chip in the iPhone, and these changes also apply to countries in the EEA (European Economic Area): the 27 EU countries, as well as Iceland, Liechtenstein, and Norway. Apple says that “Users will be able to initiate payment transactions from a third-party banking or wallet app at compatible NFC terminals, including mobile devices.” Apple has created new APIs—application programming interfaces—for this purpose.

However, if you have an Apple Watch, and use contactless payments on that device, you won’t be able to change payment methods, because the Apple Watch isn’t covered by the DMA. So if you make a change on your iPhone, you’ll have to juggle two different services—wallets or apps—when making payments.

Changes coming to the App Store

The biggest changes involved with the DMA cover Apple’s App Store. Apple has been required to develop “new APIs and tools that enable developers to offer their iOS apps for download from alternative app marketplaces.” These changes are quite far-reaching, and overturn many of the limitations that Apple has imposed on apps since the advent of the App Store.

One of the most controversial restrictions has been that Apple prevents developers from informing users that they can make payments, such as for subscriptions or digital content purchases, outside of their apps. Apple also takes a cut of all in-app purchases. This commission used to be 30%, but Apple has lowered this to 15% for smaller developers (those who bill less than $1 million per year). This is why Spotify doesn’t let people subscribe from its iOS app, and Amazon doesn’t sell Kindle books and Audible audiobooks through its apps.

Alternative app marketplaces vs. staying in Apple’s App Store

Going forward, developers will be able to offer apps through alternative app marketplaces that skirt these restrictions. However, Apple is imposing a “core technology fee” of €0.50 “for each first annual install per year over a 1 million threshold.” Apple says that less than 1% of developers will pay this, but it means that an app that is downloaded 2 million times will owe Apple €500,000. This could add up to a lot of money for companies such as Spotify, Facebook, and Microsoft. To be fair, Spotify, Facebook, and others have long benefited from totally free presence and downloads on Apple’s App Stores.

For those developers remaining on the Apple App Store, the company is lowering commissions to 10% for app sales and 17% for digital goods and services, but there is also a 3% payment processing fee.

Apple has said that it will require “notarization” for apps sold through alternative app marketplaces. This is “a baseline review that applies to all apps, regardless of their distribution channel, focused on platform integrity and protecting users. Notarization involves a combination of automated checks and human review.” (This is different from notarization on macOS, which is a fast and purely automated process.)

What isn’t changing, at least for now

Even though the European Commission considers Apple to be a gatekeeper, these changes only apply to iOS; that is, only to the iPhone. They do not apply to the iPad, Apple Watch, or Apple TV. And they don’t apply to the Mac at all, because you can download software from any source to a Mac. However, the new payment terms and commissions will apply to these other Apple devices.

This introduces some complications for users. If you buy an app from an alternative app marketplace on your iPhone, you will not be able to download the same app on your iPad. It’s not clear yet whether apps like this will also be able to install Apple Watch versions. You won’t benefit from family sharing, unless alternative app marketplaces develop a family-sharing system similar to what Apple uses. And apps downloaded outside the App Store will not work with Screen Time.

What these changes will mean for users

Most users will probably continue using Apple’s App Store for all of their purchases. They may install alternative app marketplaces to have access to games or specific apps, but it’s unlikely that these third-party App Stores will make a huge dent in Apple’s control over iOS apps. For example, Epic Games—a company that has been in a court battle with Apple—is expected to be allowed to run its own app store on Apple devices, along with other game developers.

Alternative app marketplaces will allow categories of apps, and individual apps, that Apple has previously banned from its App Store. They could also pave the way for apps that Apple has removed from its App Store because of violations of the store’s terms and conditions. While Apple’s notarization process does mean that Apple representatives must review and “notarize” these apps, Apple can no longer refuse non-harmful apps based solely on their content or features. This could pave the way for the introduction or return of app categories such as game console emulators as well as malicious file scanner (anti-virus) apps. Apple banned malware scanners from the iOS App Store in 2015. (Users of Intego VirusBarrier X9 for macOS can currently scan for malware files on iPhones, iPads, and iPod touch devices attached to their Macs.)

Potential implications for end-user security and privacy

Last April, we wrote an article discussing the potential security implications for sideloading (i.e. the installation of third-party apps via some source other than Apple’s own App Store) on iOS.

Third-party app stores’ potential negative impacts

We could potentially see an increase in scam apps in third-party app marketplaces (although recently Apple has had a poor track record at keeping them out of its official App Store anyway).

Apps obtained via third-party stores could potentially be more privacy invasive, or less clear up front about how they will respect user privacy.

We could also see apps exhibiting self-modifying behavior, which is prohibited in the official App Store but may not be from third-party stores. For example, an app could appear to be legitimate at the time of review, but unlock potentially harmful or privacy-invasive functionality sometime after installation.

Time will tell whether apps will be able to get away with using Apple’s own private APIs, although Apple’s new manual notarization process may prohibit this.


Apple is also warning that, if browsers bring their own third-party engines rather than using WebKit, it could increase iPhones’ attack surface by opening up the platform to additional browser-based vulnerabilities.

Third-party app stores’ potential positive impacts

As we mentioned previously, one potential upside for security and privacy could be the return of virus scanners (that is, malicious file scanners, not full-fledged, system-wide antivirus, as is possible on other platforms).

And, interestingly, there’s also the possibility that third-party app stores could actually vet apps better than Apple currently does; between Apple’s new notarization process and additional vetting from the company that runs the store, we might actually see fewer shady apps on some third-party iPhone app marketplaces.

All of this only applies to EU member nations, for now

For now, these new rules only apply to the European Union. But other countries around the world that have been investigating Apple’s market dominance may be tempted to require similar changes. Just as the EU’s GDPR incited many countries to tighten their data protection laws, the EU’s example around app stores, browsers, and contactless payments may lead other countries to follow suit. They know that Apple can make these changes easily with a software update, and that makes it easy for other countries to insist that Apple must impose similar rules in their markets as well.


About Kirk McElhearn

Kirk McElhearn writes about Apple products and more on his blog Kirkville. He is co-host of the Intego Mac Podcast, as well as several other podcasts, and is a regular contributor to The Mac Security Blog, TidBITS, and several other websites and publications. Kirk has written more than two dozen books, including Take Control books about Apple's media apps, Scrivener, and LaunchBar. Follow him on Twitter at @mcelhearn.