The EU Forces Open Apple’s Walled Garden

Apple has announced extraordinary changes to how iOS apps will be distributed in the European Union. In short, Apple’s App Store will no longer be the only source for iOS apps, and the company is making it known in the clearest possible terms that it’s not happy about it.

Apple’s changes were forced by the European Commission’s Digital Markets Act (DMA), passed by the European Parliament in 2022. Under the DMA, Apple is considered a “gatekeeper” of “core platform services.” As such, Apple cannot prevent its users from doing business with third parties on that platform, nor can Apple give preferential treatment to its own services.

To be fair, the DMA exists because the EU wants to protect its smaller businesses and users from abuses by entrenched tech giants running large online platforms. Whether the DMA’s requirements are the best way to accomplish those goals is a conversation worth having, but it’s undeniable that some large online platforms have behaved in anticompetitive and monopolistic ways that harm users and smaller businesses.

Here is a brief summary of what EU iPhone users can expect in the upcoming iOS 17.4 release, anticipated sometime in March 2024:

• Alternative app marketplaces: Developers will be able to create and run “alternative app marketplaces.” Don’t call them app stores! AltStore, a gray market alternative app store, has announced plansto launch an official version in the EU. We would be surprised if Apple-nemesis Epic Games doesn’t try to launch its own alternative store.
• Alternative payment providers: Developers will be able to offer in-app purchases without going through Apple’s system. They can either link to their own websites for payment or support alternative payment methods like PayPal.
• Browser choice: Safari will no longer be the default default Web browser. After installing iOS 17.4, users will have to pick a default browser from a list of options.
• WebKit-free web browsers: Apple has long allowed Web browsers other than Safari in the App Store and has even allowed you to set one as a default, but it was a somewhat meaningless choice since those browsers—like Chrome and Firefox—had to use the same WebKit rendering engine as Safari. So you were really just using Safari with a different skin. Google will now be able to provide an EU version of Chrome that uses its Blink rendering engine, and Firefox can ship a version with its Gecko engine.
• Contactless payments without the Wallet app: It will be possible for developers to access the iPhone’s NFC hardware directly to make contactless payments without going through Apple’s Wallet app. Additionally, Apple will provide an “interoperability request form” where developers can request access to other hardware and software features.
• Expanded data portability: EU users will have increased options on Apple’s Data and Privacy site to see their App Store data and export it to authorized third parties.

Note that these changes do not allow sideloading apps downloaded directly from websites, as Mac users have been accustomed to for decades. Every app must still be downloaded from an app marketplace, whether Apple’s App Store or someone else’s. However, you’ll download those alternative app marketplaces from the Web: “Marketplace apps may only be installed from the marketplace developer’s website.”

Also, as John Gruber of Daring Fireball points out, many of these changes, such as alternative app marketplaces and non-WebKit Web browsers—are coming only to the iPhone and not the iPad.

Apple Doth Protest

If this all seems very confusing, that’s at least partially intentional on Apple’s part. The company was emphatic about how it is complying with the new EU requirements only under duress.

Apple’s announcement is so bitter that we assume the PR team was biting into whole grapefruits while writing it. The press release laments:

The new options for processing payments and downloading apps on iOS open new avenues for malware, fraud and scams, illicit and harmful content, and other privacy and security threats.

The announcement also quotes Apple Fellow Phil Schiller, in his best “disappointed dad” voice:

The changes we’re announcing today comply with the Digital Markets Act’s requirements in the European Union, while helping to protect EU users from the unavoidable increased privacy and security threats this regulation brings. Our priority remains creating the best, most secure possible experience for our users in the EU and around the world.

Phil Schiller isn’t mad at you, EU. He’s just… disappointed.

For years, Apple has argued that its heavy-handed App Store approach was the only way to keep its platforms secure (while guaranteeing itself a nice cut of developer revenue in exchange for developing and maintaining the platform). But as Rich Mogull correctly foresaw in “Apple’s App Store Stubbornness May Be iOS’s Greatest Security Vulnerability” (8 April 2022), that same heavy-handed approach backfired and inspired the EU to go after Apple’s walled garden with a crowbar.

Apple may be exaggerating for effect, but it’s not wrong. These changes will make Apple’s platforms less secure going forward; it’s just a matter of to what degree, which is why the company is taking every conceivable measure to protect users.

How Apple Plans to Protect Users

Just because apps can be distributed outside Apple’s walled garden doesn’t mean they will escape Apple’s review.

iOS apps distributed outside of the App Store will be notarized by Apple, much like how apps are notarized in macOS. This step gives Apple a lever to prevent or ban misbehaving apps. However, there are a couple of key differences.

• While macOS offers a way to bypass notarization so you can install any app you’d like, Apple does not provide this as an option for iOS.
• Notarization under macOS is largely automatic, but the iOS process will involve some degree of human review.

That human reviews checks to “ensure apps are free of known malware, viruses, or other security threats, function as promised, and don’t expose users to egregious fraud.” However, according to John Gruber, who has had multiple briefings with Apple, apps distributed through app marketplaces will not be rejected for content. For example, while Apple will never allow adult-rated apps in the App Store, they will be permissible in app marketplaces.

Besides a baseline app review, iOS will present an app installation sheet that summarizes basic information about the app when you install an app from an app marketplace. Also, Apple will perform background malware scans when installing such apps.

Additionally, alternative app marketplaces are subject to stringent “ongoing requirements.” Not just anyone can open an app marketplace. Among other things, developers need a healthy line of credit:

In order to establish adequate financial means to guarantee support for developers and customers, marketplace developers must provide Apple a stand-by letter of credit from an A-rated (or equivalent by S&P, Fitch, or Moody’s) financial Institution of €1,000,000 prior to receiving the entitlement. It will need to be auto-renewed on a yearly basis.

Of course, Apple touts these many security measures with yet another bitter disclaimer:

However, Apple has less ability to address other risks — including apps that contain scams, fraud, and abuse, or that expose users to illicit, objectionable, or harmful content. In addition, apps that use alternative browser engines — other than Apple’s WebKit — may negatively affect the user experience, including impacts to system performance and battery life.

And developers may have a bitter pill to swallow if they decide to accept the new path the EU has forged for them.

Thorny Questions for Developers

Apple is giving developers two mutually exclusive choices. They can take the blue pill and keep things largely as they are now. Developers distribute their apps only through the App Store, use Apple as their payment processor, rely only on the WebKit rendering engine, and pay Apple a straight 30% or 15% commission.

However, developers who choose the red pill open a whole new world of alternative app marketplaces, third-party payment processors, and other freedoms, but they also face a complicated new business reality. And there is no going back:

Developers who adopt the new business terms at any time will not be able to switch back to Apple’s existing business terms for their EU apps. Apple will continue to give developers advance notice of changes to our terms, so they can make informed choices about their businesses moving forward.

If developers choose the new business terms, they can keep their apps on the App Store in addition to alternative app marketplaces and pay lower commissions of either 10% or 17%. That sounds good, but the math gets more complicated. If developers also want to use Apple’s payment processor, they will pay an additional 3% fee. Additionally, if an app is a hit, with one million or more first annual installs in the EU, the developer will pay a Core Technology Fee of €0.50 for each additional install per Apple account (which includes new downloads, re-downloads, and updates) once every 12 months. Free apps from nonprofit organizations, academic institutions, and government entities are exempt from this fee.

The new business terms also allow developers to opt out of Apple’s systems in the EU entirely and pay the company only the Core Technology Fee, but then they’re on their own for distribution, payments, and other liabilities associated with EU law.

Apple has created a fee calculator to help with the complicated math, but developers may not like the results. Developer Nikita Bier ran some numbers and estimates that some developers may only keep a small fraction of their revenue or even owe Apple money.

Relaxed Game Streaming and Sign In with Apple Rules

There are changes for everyone outside the EU as well.

First, Apple now allows game-streaming apps in the App Store. Services like Xbox Cloud Gaming and Nvidia’s GeForce Now let you play hardware-intensive games without high-end hardware. The game’s code is processed on a remote server, and the video is streamed to your device. This move likely means many more gaming options will soon be in the App Store. (Hopefully, some of these services will come to the Apple TV.)

Second, developers can now offer apps that feature “mini-apps, mini-games, chatbots, and plug-ins” for an additional in-app purchase.

Third, in the past, if an app offered the option to sign in with a Google account or other third-party authentication service, it also had to present the option to use Apple’s service. That’s technically no longer the case. Developers can also now offer “third-party or social login services” in their apps without being forced to include the Sign In with Apple option, but they must offer “an equivalent privacy-focused login service instead.” That may be a tough hurdle to clear for many developers, so the previous policy may effectively remain.

The EU as App Store Guinea Pig

Apple is overwhelmingly clear about the extent to which it feels these requirements are wrong-headed and will hurt the user experience. The company likely fears, and rightly so, that other jurisdictions around the world will demand similar concessions. After all, the infrastructure is already in place. Or—even worse–other countries might demand different concessions.

The EU has made itself a testbed for this type of governmental intervention. While Apple is begrudgingly complying, it clearly hopes—and is doing its best to ensure—that developers stick with the status quo. Apple’s announcement takes pains to highlight every possible negative of these changes, including security risks, fraud concerns, offensive content, user confusion, and reduced battery life. And you can be sure Apple will be quick to point out every such failure and explain how it could have been prevented if the EU hadn’t tied its hands.