By 6 March 2024, Apple will allow third-party app stores on iOS devices, in accordance with a new EU legislation. While it will give access to a series of new tools for journalists using iOS in the European Union, this will also bring new security risks to the fore. Reporters Without Borders (RSF) takes stock of the situation.
Apple’s iOS, which has only ever operated as a closed system, is marketed as having enhanced security. However, a new European Union (EU) legislation — the Digital Markets Act (DMA) — will now require Apple and other tech “gatekeeper” companies to open up their platforms by 6 March 2024. Apple’s iOS 17.4 update will allow users within the EU to use third-party app stores, download third-party apps, and “side-load” apps (i.e. transfer an app file directly to a new device). This will give journalists access to new apps and tools including messaging platforms, secure vaults to store confidential information, secure browsers and payment services, but it may have serious consequences for user security. Journalists should be wary of the risks before downloading any third-party app.
Main changes to iOS
- Monitoring apps. Apple has already announced some measures to mitigate the potential risks they associate with the DMA. Apple will maintain its level of oversight and review for official apps on the App Store, while adopting a new evaluating system for external apps before they can be installed.
- Disabling web apps. Apple is permanently disabling Progressive Web Apps (PWA, web browsers that only access one website and behave like apps such as Uber, Starbucks, or Spotify). Apple considers the DMA’s requirement to allow PWAs that are not based on its own tools to pose a security risk, and thus decided to disable PWAs entirely, which could bring major inconvenience to journalists especially since many media outlets such as Financial Times, Forbes or Medium, use PWAs.
- Hardship for third-party app stores. Apple has revised its terms of service, and has created a pathway for the development of independent “app marketplaces” on iOS, but which has also made it very difficult for developers to use. The benefits for journalists wishing to use new tools may therefore be reduced by the complications faced by third-party developers.
New risks
- Closed system to ensure safe content. Apple operates a closed system in order to vet and restrict the permissions of any applications available on iOS devices. This has offered users a degree of comfort that the apps they download are legitimate and safe. But now, Apple argues, users could download malicious apps, or apps which are able to independently download additional apps unknown to the user.
- Opening up to potential harmful content. These third-party apps could also host scams, frauds, abuse, and the distribution of harmful content. Of significant concern to journalists is the possibility that such apps may compromise the security of their iOS devices and enable malicious actors to access their communication or data. More broadly, Apple fears that they may not be able to provide the same level of customer support and protection when issues arise in relation to third-party apps.
Recommendations to mitigate risks
- Only download official apps. The ultimate effects of the DMA will not be known for some time, but for now, Apple’s overall level of security and protections will remain the same for applications downloaded through the official App Store and journalists are advised to only download apps through this storefront.
- Be cautious when using new apps. When downloading apps through third-party app stores or when making purchases within apps, be aware that Apple has only limited ability to protect users. Be cautious of any unfamiliar app, and only make payments if the developer is trusted and known.
- Never transfer an app directly. One should not directly sideload an app from one device onto another unless the developer of the app is trusted and known, because this process bypasses Apple’s protections and could bring harmful content within the new device.