Six Colors

By Jason Snell

Apple changes App Store rules in the EU, and the world watches

Apple infographic explaining how terms for developers will change.

More than a year ago, Bloomberg’s Mark Gurman broke the story that Apple was actively preparing to allow alternative app stores on iOS in Europe, among other changes, as a result of the EU’s Digital Markets Act (DMA). Four hundred and eight days later, here we are.

These are huge changes. Apple claims there are going to be more than 600 new APIs for app developers, along with numerous other alterations to policies and technology required by the DMA. You can see why Apple has essentially been working on this since the iOS 17 development process started a year ago—this is essentially an entire segment of the iOS 17 update that was never announced last June but instead sat and waited for a final rollout just as the DMA was about to take effect.

As is painfully clear from Apple’s press release on Thursday, the company deeply dislikes being mandated by law to make these changes. At every turn, while assuring the public that Apple is going to do its best to keep users as safe and secure as possible, it stops to point out that the DMA will make iOS less secure.

There’s no denying that these changes increase the danger for EU iPhone users. Apple has spent a decade honing the techniques it will use in the EU in a vital testbed—the Mac. While I wouldn’t call the Mac a hotbed of malware and scams, there’s far more of it on the Mac than there is on the iPhone. There will undoubtedly be more of it in the EU, post-DMA-rollout, than before.

But also new to the EU will be true competition with Apple in browsers and app stores. The economics of app sales in Europe will change. Apps that might never have been approved by Apple will have other avenues for sale. App developers fed up with Apple’s 30 percent cut will be able to strike out on their own.

For years, Apple has been preparing for this moment, not just by introducing features like notarization on the Mac, but by denouncing the concept of “sideloading” apps (i.e., loading them from outside the App Store) as a danger to all users. Beginning in March, the entire world will be watching the EU to see if Apple’s warnings were true—or if it was just a smokescreen designed to scare regulators and legislators out of creating laws like the DMA.

Here’s what Apple says is going to change:

Alternative app marketplaces. It doesn’t seem like Apple will let any old developer offer apps on their websites, as is the case on macOS. Instead, Apple has created a new set of tools that allow developers to build alternate app stores. If you’re a developer who wants to make an app—let’s say a video game emulator, since those are frequently rejected from the App Store—you can’t sell it or give it away yourself. You’ll need to find a place in an alternative app store.

AltStore has been a sideloading marketplace on iOS for a while now, taking advantage of bugs and limitations in iOS. According to AltStore, it’s going legit in the EU, doing the work to become an official “alternative marketplace.” You can bet Facebook and Epic Games will be there. I’d imagine that Setapp, the seven-year-old app subscription service, will jump in, too. (Apple will apparently require that alternative app marketplaces show proof of a substantial line of credit—presumably to prevent fly-by-night operations that show up, take everyone’s money, and run.)

Apple will also let users set an app marketplace other than the App Store as their default. That’ll be weird.

Alternative payment systems. Not only will apps in the EU be able to link out to external websites, but even in-app purchases and subscriptions can bypass Apple and use other means. Apple has built new APIs for developers to use for both of these scenarios.

Alternative browser engines. While there are currently several web browsers on iOS, they’re all using Safari’s rendering engine, WebKit, under the hood. That’s because Apple doesn’t allow other browser engines on the platform, period. This will change in the EU, which means that (for example) Google Chrome on the iPhone in Europe could use Google’s rendering engine. This has intriguing web-app implications since some web apps just don’t run on Safari but do run on Chrome, Firefox, and Edge.

Contactless payment without Wallet. Currently, apps that want to use the iPhone’s tap-to-pay functionality for purchases, transit passes, and even door locks all run through Apple’s Wallet app. Apple will now allow apps to access Apple’s tap-to-pay hardware directly throughout the European Economic Area (which includes non-EU countries Iceland, Liechtenstein, and Norway). In the EU, Apple will let a third-party app be the default for tap-to-pay transactions.

I’m not clear on how this will make things better for users, but it does mean that EU banks will be able to force users to open their apps to pay for things, presumably bypassing Apple taking a cut of Apple Pay transactions.

It’s not an app free-for-all. App developers who go outside the App Store will still need to notarize their apps, which allows Apple to scan them for malware and cryptographically sign them. That signature allows the operating system to identify if an app has been modified in any way, which is a good security feature, and it allows Apple to revoke its security approval if the developer turns out to be distributing malware.

Part of the notarization process will actually contain data about the app and its functionality, including screenshots—and that information will be displayed by iOS when an app is going to be installed from an alternative source. This means that what we think of now as an app’s “App Store description” will actually ride along with an app outside the App Store. And Apple will see it beforehand and approve it.

In addition to notarization, Apple is adding new features that will warn users of what they’re getting themselves into. Apps on the App Store that use payment processors other than Apple will get a warning label. Warnings will also appear in the app when going to non-Apple processors, and Apple will add layers of the App Review process itself to make sure that apps communicate that they’re not using Apple’s services.

It may seem like Apple has essentially reserved the right to reject all apps from its platform, even those in alternative app marketplaces, by rejecting notarization. But in practice, it’s unlikely to happen. Not only is Apple’s five-year track record on Mac notarization pretty clean, but Apple knows that the EU is watching the company carefully, and any capricious use of these security features would be frowned upon.

App developers: Deal or no deal? As a part of its announcements, Apple has offered app developers completely new financial terms—if they want them. Under the new terms, developers on the App Store pay either 10% (for small developers, down from 15%) or 17% (down from 30%). There’s an additional 3% fee if they use Apple’s payment processing. For large developers, it’s a dramatic reduction in the amount of money Apple’s taking from every purchase—presumably as an inducement to keep apps in the App Store.

There’s one other interesting catch to this new set of terms: A new “Core Technology Fee” that Apple is charging for access to its development tools and operating systems. Presumably convinced that demanding that developers outside the App Store continue to pay Apple 27% of sales might not fly with EU regulators, Apple has instead built a new fee system that charges 50 euro cents per year for (essentially) each active user.

So let’s say you’re Spotify, and you have roughly 40 million iPhone users in the EU. You’d pay Apple €19.5 million a year for access to its platforms, but you’d be able to sell your own subscriptions separately, without Apple forcing you into Apple’s payment systems and taking a cut (30% for year one, 15% after that). Spotify will have to do the math on that one and make a decision.

Apple gives app developers the first million users for free, which means this will be much less likely to hurt small developers. As we already saw when Apple cut its percentage share from small developers in half, Apple doesn’t care about money from small developers—it just wants to make sure that the big boys are paying up.

It’s also important to note that these new terms are not required. If an app developer doesn’t want to use an alternative payment method or alternative distribution, it can stay in the App Store as is, and the existing App Store terms apply. Developers of free and low-cost apps may want to choose these options as insurance against their app going viral—the last thing an indie developer of a free app wants is for their app to go viral and discover they owe Apple a million Euros.

So what happens next?

Developers got access to the software and documentation that enables these features on Thursday when the iOS 17.4 developer beta was released. Given that the DMA goes into effect in March, iOS 17.4 will ship by then—and then this grand experiment begins.

If you’re not in the EU, nothing should change. Will there be sneaky ways to “move” to Europe and install software outside the App Store? I’d imagine that Apple has tried very hard to make that impossible, but there are always workarounds, and I imagine a new game of cat-and-mouse will ensue.

That said, the existence of these features almost certainly ensures that the EU won’t be the only place to have them. Undoubtedly, every other legislator and regulator in the world is watching this situation and preparing their own DMA-like regulations. Some may rush in, while others may wait and see just what happens.

After all, we don’t actually know how this will go. Apple has insisted all along that features like these increase the danger for users and that all of its policies were designed to protect its customers. Of course, the other perspective is that these policies were also created in order to give Apple complete control over both policy and economics on the App Store and to generate enormous amounts of App Store revenue without any competition.

Both things can be true. I think it’s certainly the case that the EU rules will create a cottage industry of scammers who will provide users with detailed instructions about how to bypass Apple’s safety settings and then overcharge them or spy on them or do other nefarious deeds. We know this because it already happens on the Mac!

I have to think that Apple will have a team of security people watching carefully as these features roll out across the EU. But there will also be a team of PR people ready to publicize any incident that feeds into Apple’s narrative about the DMA endangering EU citizens.

This is a risky game for Apple, though. As the rest of the world watches to see the result of what will happen in Europe, Apple’s statements about the dangers of sideloading will be put to the test. If there aren’t major security issues with the rollout of these new features, Apple’s protests will be revealed as toothless and self-serving, and these changes will likely be mirrored all over the world.

I don’t think Apple is actually rooting for EU customers using these new features to be victims of crimes and scams—because that will reflect badly on Apple, not just the DMA. But I do think that Apple executives are confident that such ugly events are inevitable—and the company will be poised to loudly point them out and blame the DMA.
