{"id":22482,"date":"2024-03-13T08:41:29","date_gmt":"2024-03-13T12:41:29","guid":{"rendered":"https:\/\/me-en.kaspersky.com\/blog\/?p=22482"},"modified":"2024-03-19T14:47:40","modified_gmt":"2024-03-19T10:47:40","slug":"ios-alternative-app-stores-and-browsers-security","status":"publish","type":"post","link":"https:\/\/me-en.kaspersky.com\/blog\/ios-alternative-app-stores-and-browsers-security\/22482\/","title":{"rendered":"Apple fair: alternative app stores coming to iOS"},"content":{"rendered":"<p>iOS has been a mostly impenetrable fortress throughout the full 17 years of its existence. Users only had access to apps and functions if Apple allowed them to. But now the U.S. company has had to yield to market and regulatory pressure by changing the status quo. As of March 6, when the EU\u2019s Digital Markets Act (DMA) came into effect, the new iOS version (17.4) now allows <a href=\"https:\/\/www.apple.com\/newsroom\/2024\/01\/apple-announces-changes-to-ios-safari-and-the-app-store-in-the-european-union\/\" target=\"_blank\" rel=\"nofollow noopener\">installing alternative marketplaces<\/a> and third-party browsers on the iPhone \u2014 but only by EU users. At the same time, certain familiar features, such as <a href=\"https:\/\/en.wikipedia.org\/wiki\/Progressive_web_app\" target=\"_blank\" rel=\"nofollow noopener\">progressive web apps<\/a> (PWAs) running in the browser and added as icons to the home screen, will disappear. What new capabilities and threats does this bring to users?<\/p>\n<h2>How to install an alternative app store<\/h2>\n<p>To ensure fair competition, regulators have required Apple to allow third-party app marketplaces on iPhones. The user will be able to go to an alternative app store\u2019s website, tap install (that is, install the\u2026 app-store app!), and after explicitly confirming their intention, install the app-store app on their device. 
It can then be used instead of Apple\u2019s App Store or alongside it.<\/p>\n<p>It\u2019s still unclear what these alternative app stores will contain, or who would want to open one. What matters is that these stores won\u2019t be required to observe all of Apple\u2019s rules, so they\u2019re expected to offer services and technology previously restricted by Apple \u2014 most notably payments outside the App Store. <a href=\"https:\/\/www.theverge.com\/2024\/2\/16\/24074873\/epic-apple-ios-developer-account-eu-games-store-fortnite\" target=\"_blank\" rel=\"nofollow noopener\">Epic Games<\/a>, a principal lobbyist behind the legal case along with Spotify, will likely want to open an app marketplace, although the <a href=\"https:\/\/www.epicgames.com\/site\/en-US\/news\/apple-terminated-epic-s-developer-account\" target=\"_blank\" rel=\"nofollow noopener\">latest episode<\/a> of the Apple vs. Epic Games tug-of-war suggests this might be a long time coming.<\/p>\n<p>Importantly, Apple appears bent on preventing anarchy: to register an app marketplace, a creator has to pass screening and provide a <a href=\"https:\/\/9to5mac.com\/2024\/01\/25\/apple-says-third-party-app-marketplace-creators-must-have-e1000000-letter-of-credit\/\" target=\"_blank\" rel=\"nofollow noopener\">\u20ac1 million<\/a> standby letter of credit. Uploading different versions of the same app to both the App Store and alternative stores is prohibited: if a developer wants to publish its app in every store, it must be identical. Finally, all applications will need to pass \u201cnotarization\u201d with Apple. 
If the process proves identical to <a href=\"https:\/\/developer.apple.com\/documentation\/security\/notarizing_macos_software_before_distribution\" target=\"_blank\" rel=\"nofollow noopener\">macOS notarization<\/a>, then rather than a manual review, this will likely involve Apple running an automated scan for malware and checking compliance with certain technical recommendations.<\/p>\n<p><strong>Security implications:<\/strong> iOS will see more malware. Apple will continue to partially regulate the installation of third-party apps: you won\u2019t be able to just tap a button in the settings and install an unknown app from a shady website as you can on Android. That said, the automated scanning process designed by the Cupertino engineers for third-party app marketplaces will be even easier to fool than the App Store\u2019s human moderators. This means the quantity and variety of malware on iOS will likely increase.<\/p>\n<p>Besides obvious malware, Apple is reasonably concerned about the higher risk of apps appearing with scam content and non-transparent payment schemes. These aren\u2019t the kind of issues that can be detected with automated scanning.<\/p>\n<p>Unfortunately, the new rules do nothing to help with bringing Android-style operating-system-level antivirus and security solutions to iOS, as the latter is still missing the required functionality for such a thing. Therefore, we recommend thinking carefully before installing third-party app stores and downloading apps from them. It\u2019s likely safe to install a marketplace created by a large company to get a famed game with tens of millions of downloads. However, the <a href=\"https:\/\/www.kaspersky.com\/blog\/malware-in-google-play-2023\/49579\/\" target=\"_blank\" rel=\"noopener nofollow\">advice to stay vigilant<\/a> that we gave to Android users earlier now also becomes relevant for European iOS users. 
As a reminder, malware downloads from Google Play exceeded 600 million last year.<\/p>\n<p><strong>Privacy implications:<\/strong> According to Apple, in-app tracking restrictions will apply to apps downloaded from third-party stores. However, the <a href=\"https:\/\/developer.apple.com\/app-store\/app-privacy-details\/\" target=\"_blank\" rel=\"nofollow noopener\">app privacy details<\/a>, which developers fill out before uploading their apps to the App Store, may be less in-depth or even non-existent in other stores.<\/p>\n<p><strong>Parental control implications.<\/strong> Although screen-time limits will continue to work with any apps, restrictions on in-game or family purchases and app purchase requests requiring parental confirmation may function improperly or be absent in apps downloaded from alternative marketplaces.<\/p>\n<h2>Third-party browsers<\/h2>\n<p>Alternative browsers in iOS are nothing new, but before the DMA came into force they were merely skins that wrapped around Apple\u2019s WebKit engine, which was the only option available for displaying Web content on iOS. Apple will now allow other engines \u2014 but only after they pass a special certification procedure. Truth be told, the browser engine situation on other platforms is no better, with nearly every \u201calternative\u201d browser being based on Chromium code (Blink engine) maintained by Google. Mozilla\u2019s Gecko, used in Firefox, has a notable market share, but that\u2019s about as far as consumer options go.<\/p>\n<p>Both Google and Mozilla have been seen preparing to launch Blink and Gecko on iOS, so it\u2019s very likely that EU users will see full-fledged Firefox and Chrome browsers soon. When opening Safari for the first time \u2014 or a web page from any app \u2014 users in the EU will be able to choose a default browser.<\/p>\n<p><strong>Security implications: <\/strong>these are two-sided, as we expect some security improvements in some areas, and deterioration in others. 
In addition to known WebKit issues, there will be potential flaws in both Firefox and Chrome, and it remains to be seen how promptly these will be fixed by their respective developers. However, both of them have solid reputations when it comes to vulnerability patching. On the other hand, zero-day vulnerabilities in Apple software, including WebKit, were always the main vector for attacks on iPhones using spyware \u2014 both commercial like <a href=\"https:\/\/www.kaspersky.com\/blog\/how-to-protect-from-pegasus-spyware\/43453\/\" target=\"_blank\" rel=\"noopener nofollow\">Pegasus<\/a>, and targeted like <a href=\"https:\/\/www.kaspersky.com\/blog\/triangledb-mobile-apt\/48471\/\" target=\"_blank\" rel=\"noopener nofollow\">Triangulation<\/a>. Today, the developers behind these attacks know for sure that victims are using Safari\/WebKit browsers. Tomorrow, the need to consider every browser option will make it more challenging to design and conduct these attacks.<\/p>\n<p><strong>Privacy implications: <\/strong>these depend on the alternative browser you choose. If Windows and macOS counterparts are any indication, switching to Firefox would likely improve the level of privacy or keep it at Safari levels, whereas using Chrome may result in reduced privacy, as suggested by these browsers\u2019 anti-tracking tools and default settings.<\/p>\n<p><strong>Parental control impact:<\/strong> it\u2019s still unclear how alternative browsers will protect kids from undesired content, but it seems that control will be technically more difficult to configure. Hence, we have doubts about its efficiency.<\/p>\n<h2>A noticeable loss<\/h2>\n<p>European users stand to both gain and lose from the DMA. Regarding the latter, to implement the functionality required for alternative browsers, Apple is completely dropping progressive web app support in the EU. 
Although these apps are essentially web pages, they\u2019re hard to distinguish from full-fledged apps, as they can save content on the device, send notifications, and behave very similarly in other ways. Online stores, magazines, and restaurants usually choose PWAs for their apps. All these mini-apps, so easily added to the iPhone home screen, will no longer function in the EU the next time iOS is updated. Not every company that has packaged their apps as a PWA will have enough time to adapt to the change.<\/p>\n<h2>Third-party browser and app marketplace availability outside the EU<\/h2>\n<p>Apple has gone to great lengths to make sure the new functionality is only available within the region where it\u2019s legally mandated \u2014 the European Union. Only users registered in one of the 27 EU member states will get the iOS 17.4 updates described here. Residents of other countries won\u2019t be affected by the changes, so simply turning on a Dutch VPN or going to Cyprus on vacation won\u2019t be enough to get the iOS updates in question. Furthermore, even EU residents who leave the territory of the Union for more than 30 days will <a href=\"https:\/\/www.theverge.com\/2024\/3\/7\/24093437\/apple-iphone-third-party-app-store-dma-eu\" target=\"_blank\" rel=\"nofollow noopener\">lose access to app updates<\/a> from third-party marketplaces until they return.<\/p>\n<input type=\"hidden\" class=\"category_for_banner\" value=\"premium-generic\">\n","protected":false},"excerpt":{"rendered":"<p>With the EU&#8217;s Digital Markets Act having come into effect just days ago, both alternative app stores and true third-party browsers are set to appear on iPhones. 
How will this affect security, and what are iOS users losing?<\/p>\n","protected":false},"author":2722,"featured_media":22483,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[9],"tags":[16,21,1061,26,509,695,2196],"class_list":{"0":"post-22482","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-tips","8":"tag-chrome","9":"tag-firefox","10":"tag-ios","11":"tag-iphone","12":"tag-safari","13":"tag-scam","14":"tag-subscriptions"},"hreflang":[{"hreflang":"en-ae","url":"https:\/\/me-en.kaspersky.com\/blog\/ios-alternative-app-stores-and-browsers-security\/22482\/"},{"hreflang":"en-in","url":"https:\/\/www.kaspersky.co.in\/blog\/ios-alternative-app-stores-and-browsers-security\/27174\/"},{"hreflang":"en-us","url":"https:\/\/usa.kaspersky.com\/blog\/ios-alternative-app-stores-and-browsers-security\/29850\/"},{"hreflang":"en-gb","url":"https:\/\/www.kaspersky.co.uk\/blog\/ios-alternative-app-stores-and-browsers-security\/27349\/"},{"hreflang":"es-mx","url":"https:\/\/latam.kaspersky.com\/blog\/ios-alternative-app-stores-and-browsers-security\/27106\/"},{"hreflang":"es","url":"https:\/\/www.kaspersky.es\/blog\/ios-alternative-app-stores-and-browsers-security\/29786\/"},{"hreflang":"it","url":"https:\/\/www.kaspersky.it\/blog\/ios-alternative-app-stores-and-browsers-security\/28611\/"},{"hreflang":"ru","url":"https:\/\/www.kaspersky.ru\/blog\/ios-alternative-app-stores-and-browsers-security\/37113\/"},{"hreflang":"x-default","url":"https:\/\/www.kaspersky.com\/blog\/ios-alternative-app-stores-and-browsers-security\/50777\/"},{"hreflang":"fr","url":"https:\/\/www.kaspersky.fr\/blog\/ios-alternative-app-stores-and-browsers-security\/21619\/"},{"hreflang":"pt-br","url":"https:\/\/www.kaspersky.com.br\/blog\/ios-alternative-app-stores-and-browsers-security\/22334\/"},{"hreflang":"de","url":"https:\/\/www.kaspersky.de\
/blog\/ios-alternative-app-stores-and-browsers-security\/31064\/"},{"hreflang":"ja","url":"https:\/\/blog.kaspersky.co.jp\/ios-alternative-app-stores-and-browsers-security\/36089\/"},{"hreflang":"nl","url":"https:\/\/www.kaspersky.nl\/blog\/ios-alternative-app-stores-and-browsers-security\/29015\/"},{"hreflang":"ru-kz","url":"https:\/\/blog.kaspersky.kz\/ios-alternative-app-stores-and-browsers-security\/27538\/"},{"hreflang":"en-au","url":"https:\/\/www.kaspersky.com.au\/blog\/ios-alternative-app-stores-and-browsers-security\/33355\/"},{"hreflang":"en-za","url":"https:\/\/www.kaspersky.co.za\/blog\/ios-alternative-app-stores-and-browsers-security\/32981\/"}],"acf":[],"banners":"","maintag":{"url":"https:\/\/me-en.kaspersky.com\/blog\/tag\/iphone\/","name":"iphone"},"_links":{"self":[{"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/22482","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/users\/2722"}],"replies":[{"embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/comments?post=22482"}],"version-history":[{"count":2,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/22482\/revisions"}],"predecessor-version":[{"id":22503,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/22482\/revisions\/22503"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/media\/22483"}],"wp:attachment":[{"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/media?parent=22482"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/categories?post=22482"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\
/wp\/v2\/tags?post=22482"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}