Luckily, the EU included substantial anti-circumvention provisions in the DMA. I'm not a lawyer, but based on the excerpts from the regulations below, it seems likely the EU would have grounds to open legal proceedings against Apple's new rules.
"4. The gatekeeper shall not engage in any behaviour that undermines effective compliance with the obligations of Articles 5, 6 and 7 regardless of whether that behaviour is of a contractual, commercial or technical nature, or of any other nature, or consists in the use of behavioural techniques or interface design.
7. Where the gatekeeper circumvents or attempts to circumvent any of the obligations in Article 5, 6, or 7 in a manner described in paragraphs 4, 5 and 6 of this Article, the Commission may open proceedings pursuant to Article 20 and adopt an implementing act referred to in Article 8(2) in order to specify the measures that the gatekeeper is to implement."
Apple is going full frontal attack and saying the DMA creates security risks in the headline, and then repeating that messaging throughout the article. Hard to believe the ECJ is going to stand by and watch Apple convince millions that the EU is working to harm their constituents' security but that Apple is here to save them.
Yes, it's been Apple's modus operandi with the App Store from the start: trick consumers into thinking the App Store being a monopoly is the only thing that can protect them against malware, illicit and questionable app content, pirated software, scams, and fraud.
Most consumers understand those concepts and fear those things. Most understand nothing about the economic impact of monopolies and anti-competitive business behavior and the harms they cause consumers in the form of higher prices, lack of innovation, reduced choice, and poorer quality products and services.
So Apple plays off those fears by using language consumers understand, making them actually want the very monopoly that is being forced on them and actually harming them while making billions for Apple.
It's unethical behavior, no more defensible than Sam Bankman-Fried's effective altruism, a.k.a. "mostly a front." This is all right out of Apple's standard playbook.
> Apple is going full frontal attack and saying the DMA creates security risks
Because it does create security risks.
App code in 3rd party app stores is not going to be reviewed, which means anyone is free to craft a rootkit embedded in an app and release it to a 3rd party app store.
It's my understanding that iOS is generally considered a more secure alternative than Android, and that part of this is the app review process, that is part of the App Store. So isn't there at least some truth in that opening this up will create a less secure environment?
Not only that, they're going to try and scare users away from third party app stores with warning dialogs:
> The changes also include new disclosures informing EU users of the risks associated with using alternatives to the App Store’s secure payment processing.
There are 22 instances of the word "risks" on that page. Pathetic.
Yeah, right. I know there's this tendency in America to worship Europe but I can't help but laugh when anyone suggests a democratic government passes laws that are going to improve security. "We're from the government and we're here to help."
Yup. They could have security by allowing the user to see and control the sandboxing that the operating system imposes on the apps. The app store is not required, but they act like it is.
They definitely talked with their lawyers and the EU regulators, but this doesn’t mean that where Apple ended up today was mutually agreed. They very likely ended up in disagreement and basically told their EU regulators to take them to court if they don’t like it. This happens all the time.
During the USB-C debates, Apple reportedly tried to circumvent EU regulation and got an explicit public warning from an EU commissioner who read the secret plan in the media outlets. Then they retracted their MFi for USB-C plan.
I'm reasonably sure Apple didn't reveal most of their compliance plans to the EU, since they will ask Apple to implement the most strict interpretation of the regulation and it would be headaches in court if there's any evidence that Apple knowingly ignored such requests.
They definitely consulted a bunch of lawyers. The App Store makes on the order of $100B profit annually. Given that, a reasonable budget for consulting lawyers - on a matter which may result in them losing a substantial amount of that profit - would be massive. Even $1B in attorney fees would be a tiny price to pay to protect that.
Yes, we know they talked with the EU, but we don't know the content of those discussions. It's easy to assume they were checking whether their proposed implementation would satisfy the regulators. It's equally likely, even more likely, they were gathering information, posturing and probing to see how the EU would react, to gauge how best to craft their scheme to outwit them and what they could or could not easily get away with.
You can hold a negotiation and still screw the other side over afterwards - isn't that actually the best way to do it? Holding a meeting first to learn what cards your opponent has in their hand is just a better way to play any game.
Look at the long list of massive fines levied on the US tech giants for GDPR violations [1]. Every one of them consulted lawyers (and likely substantially ignored their advice).
So, why do you think Apple is doing this? Presumably their lawyers aren't stupid and Apple does not want to be fined 10% of their worldwide annual turnover.
For the same reason Trump has opened so many legal challenges in his trials. It's a stalling tactic. Every year Apple can continue their App Store business monopoly without adequate competition is another year Apple earns $100B (or whatever their profit is - Apple does not disclose the figures [1]). They are trying to delay any threat to that as long as possible. No doubt they have done their cost/benefit calculations very carefully, weighing the potential fines and legal fees against the revenue they will be able to keep earning this way, and they have decided this is the best way forward.
Yeah this is brutal for any truly free app that risks getting popular. The only exceptions are for "Nonprofit organizations, accredited educational institutions, and government entities", so I guess at least Mozilla will find a way to distribute Firefox.
Wait what? The nonprofit organisation thing seems very significant. That makes it fairly easy to get around if you’re just developing an app for fun, or for open source organisations to get apps distributed.
So what are we left with? Apps where users are the product, like Facebook, and freemium apps where you end up paying to get anything useful done with it anyway. Apps where the parent company is making millions if not billions. Is anybody upset that those guys have to chip in for iOS development?
I personally think Apple's approach is the lesser of two evils. We don't pay for the OS explicitly anymore. But look at Windows and Android… you end up paying somehow in the end anyway. I'd rather it be through fees on apps than more insidious approaches.
And no. Paying for the phone is not a viable way to pay for the OS. That incentivises the phone maker to ditch OS updates for old phones. And we know that's a real issue. As long as we pay through app fees the phone makers are incentivised to keep releasing OS updates for old phones.
I wonder if Mozilla will even be considered a nonprofit, given that they have a for-profit subsidiary, and they're not the only nonprofit with that structure.
Depends if they consider Mozilla Corp (a for-profit corporation) or Mozilla Foundation (the non-profit owner of the Corp) the developer of the browser. All the engineers are employed by the Corp.
They’ve introduced pricing that their lawyers think is compatible with the regulation (the regulations don’t ban egregious pricing). Frankly, I think Apple should have just allowed third party app stores without any guarantee of malware/fraud protection, let consumers decide for themselves if they want to risk it or not.
1. Developers can continue to use the existing terms.
2. If a smaller developer elects to use the new terms, they pay less commission (10%) and a 3% transaction fee. That’s 2% less.
3. If they have more than 1 million users download their app, then there is an additional €0.50 Core Technology fee. If the developer is a commercial entity, then yes, they have to pay but in reality, it’s the end user that will have to pay.
4. If the app is free but offered by a commercial entity, they pay nothing in commission or payment fees (13% x $0), but if they reach 1 million installs, then they do have to pay €500k. If the business has no revenue - that's a weird business model.
5. If the app is offered by a not-for-profit, then they don't pay the CTF.
So, the new terms seem better for developers and users in the EU.
So if I develop a Catalyst app for an M1 powered Mac I can distribute it outside of the Mac App Store, and freely use Apple's SDK (as long as I pay the yearly 99 fee to enter their developer program).
But if I distribute that exact same app on an M1 powered iPad outside of the App Store, I'll be subjected to a fee if my app goes viral, unless I agree not to profit from it and set up a non-profit organization?
> So if I develop a Catalyst app for an M1 powered Mac I can distribute it outside of the Mac App Store, and freely use Apple's SDK (as long as I pay the yearly 99 fee to enter their developer program).
As far as Apple is concerned, this is a huge oversight, and will be rectified in the coming years. The idea of computing devices as uncontrollable platforms is a mistake to them. It's only a matter of time.
The penalty being hefted by truly popular free apps, this seems clearly aimed at protecting Apple’s investment into their own free apps, such as: Pages, Numbers, Keynote, Garageband,
Why? Because if you affect one aspect of Apple’s carefully crafted business model, you touch many more.
For instance, the fact that there’s no good free calculator on the iPad is bonkers. Why is it bonkers? Did Apple go “oopsie, we never got around to finishing the iPad calculator app.” for years? No. It’s a calculated decision.
Another example, why did Apple never have a weather app for the iPad UNTIL they bought out their best competition, which happened to be web-based?
Apple factors in everything. Will X push more sales of Y product or Z service? Will the fact that this feature is randomly not present in this set of devices help sell more mac/iPad/iPhone?
Apple loses more than the face value (which is a lot) of their App Store control. They lose a portion of control over their less tangible business model.
If this wasn’t the case, they’d still be selling iPods.
> For instance, the fact that there’s no good free calculator on the iPad is bonkers. Why is it bonkers? Did Apple go “oopsie, we never got around to finishing the iPad calculator app.” for years? No. It’s a calculated decision.
2,000,000 updates acquires a minimum of $45,000 in fees per month!
I hope the EU fines them for blatantly trying to circumvent the law, and makes it a recurring monthly fine until they properly comply with the DMA.
[0] "A first annual install may result from an app’s first-time install, a reinstall, or an update from any iOS app distribution option — including the App Store, an alternative app marketplace, ..."
https://developer.apple.com/support/core-technology-fee/
It’s up from $100 USD, which is the yearly fee of a developer account. And you can choose the now-existing model, which obviously makes sense for a free app, so no, it stays 100.
You're missing the point. The point of this legislation is to open the platform up to competition. These fees accomplish the exact opposite, they ensure that alternative marketplaces aren't viable for freemium apps, i.e. most of them.
No, that's wrong. Multiple news sites are getting that wrong, but Apple's announcement is very clear that the fee applies even to the App Store:
> Core Technology Fee — iOS apps distributed from the App Store and/or an alternative app marketplace will pay €0.50 for each first annual install per year over a 1 million threshold.
It's not, at least not if developers opt into the new terms, which is a trapdoor decision. It's also unclear how long the old terms will remain available, and whether new companies can still sign up for them.
Not sure why you're downvoted. Developers are given a choice on the new system or the current. Anyone distributing a free app will stick with the current.
From a quick look at that page, that's only the case if you're selling things in your app, not for free apps. And at 2 million installs, you'd only have to be making $0.03 per install to cover that amount.
> Core Technology Fee — iOS apps distributed from the App Store and/or an alternative app marketplace will pay €0.50 for each first annual install per year over a 1 million threshold.
Can't imagine that flying with the EU...
The regulator will argue that the technology in the phone has already been paid for by the buyer of the hardware (which came with a license for iOS)
I’m paying how much to buy a phone from Apple, and then they also want to get paid every time I install something whether they’re involved or not? It’s none of their business what I want to do.
It's such brazen, inexcusable rent-seeking. Apple wants to insert themselves into everyone's personal business and demand a cut, like some mob boss. "That's a nice app you got there. Be a shame if something were to...happen to it."
Charge developers at-cost for hosting/distribution. Want more compensation for producing the hardware/platform? Here's my $1,000 receipt. Now go away.
Setting aside whether it is justified or not, Apple is involved. Your app is heavily dependent on Apple built APIs (and hardware). Up till now, developers paid $100/year plus a value based per user royalty that was(is) part of Apple's cut of App Store purchases. Now developers will pay $100/year plus a per user royalty when the user count exceeds 1 million. If the developer stays on the App Store with a free app, there will still not be a per user charge.
Edit: I should have been specific that I was referring to the Core Tech Fee that will apply even to free apps with more than a million users. Developers will still pay a value based royalty of 10% (small devs) or 17% (large devs) for paid apps.
You aren't the only party in the transaction. There's also the entity providing the application in the first place. Don't use loaded phrases like "none of their business" which make the privacy wonks start salivating when that is not what this is about.
I don't think the DMA factors into it too much. In the Netherlands, AirBnB got fined for billing service costs both to renters and landlords. I think the legal term was 'serving two lords' or something along those lines. Dutch law (and I suspect European law) prohibits billing intermediary fees to both sides. I'm very much being an armchair lawyer, but you can probably make a very similar case here: the user has already paid for the Core Technology™ as part of the phone, therefore you can't bill app creators for the same thing.
(Disclaimer: I'm no lawyer, armchair or otherwise)
The installation of apps from alternative app marketplaces is entirely controlled by Apple and iOS, and can only be done via a set of new APIs called AppLibrary [1]. That will make it very easy for Apple to track installs.
Those apps still have to be notarized by Apple, and the notarization will be checked upon installation. Presumably this will require an online check. So yes, Apple will track those.
I had the same thought. I imagine that Apple will have a very strict templated way to install and run an alternate App Store, you’ll have to use certain API calls to register the apps installed so that they show up on the Home Screen etc. So the reporting side of this should be reasonably easy.
I wonder if the alternate App Stores will have to be installed via the official App Store?! That's the way I would do it. Gives Apple a way to shut them down if they try to circumvent the reporting piece to bypass the 0.50 fees.
The same way they can take a percentage of any completely external purchase "initiated" via an iOS app. It's literal racketeering and the courts are ok with that.
How are they going to be able to track this? If there is an alternative App Store, I would assume they don't share their download numbers with Apple. Is Apple going to track all apps running on iPhones?
They already do, and surely they continue to do so in the future, regardless of where the app came from. So finding out these numbers should be simple from a technical standpoint.
> The regulator will argue that the technology in the phone has already been paid for by the buyer of the hardware (which came with a license for iOS)
The user paid for the technology in the phone, but the dev didn't pay for use of Apple's IP to build their own product which they are offering to users.
I don't see regulators being able to challenge this (nor is it particularly unfair).
Hardware-platform SDKs generally cost tons of money. Visual Studio Professional Enterprise — essentially (if you think about it) the SDK for the Windows platform — costs $250 per month per seat!
(And that's cheap, compared to the SDK costs for proprietary platforms that people don't usually consider "computers." How much do you think Blackberry charges for a QNX SDK? There's a reason that maybe five companies in the whole world ever bothered to develop car infotainment "partner apps", before Apple CarPlay and Android Auto came along to make the platform moot.)
These SDK fees pay for "the platform" — but specifically, in IP terms, they give you a license to use the source code and libraries that come with the SDK, a license to redistribute the outputs of the compilers that come with the SDK — and so forth.
PC and smartphone platform vendors stopped charging so much for SDKs (or at least their non-enterprise-level SDKs) right around when they introduced App Stores. Because they changed the model to one where the license you got with the SDK said that your IP license to the stuff in the SDK is paid for through royalties, by the revenue you make from publishing your app on their App Store.
And that's a perfectly valid arrangement. If you breach the contract, by not giving Apple royalties, then you don't have IP rights to redistribute the derivative works from their SDK any more!
The vast majority of Windows software doesn't need VS Professional or Enterprise; Community edition works just fine, and still enables you to access the entirety of the platform as a developer. Not to mention numerous alternative development toolchains, use of which doesn't require paying anything to Microsoft.
And then on top of that, Apple already charges developers for tooling via their dev license program. Which at least makes some sense since it's a fixed fee. The notion that maker of the toolchain gets to claim a percentage of what the app written using it brings in is ridiculous by all industry standards.
Apple already charges for the SDK, the $99/year developer fee. This is a second, unrelated, app install fee. There's certainly nothing similar on PC, Mac, or Android
Professional and Enterprise are two distinct editions. Professional is $45/user/month, and it's a capable IDE even if Enterprise has some extra features.
My take is that Apple are doing the maximum possible to protest their disagreement with consumer protection laws interfering with their ability to do whatever they want. Their announcement has the tone of a spoilt child, with an air of punishment to be applied to EU users and particularly developers. It’s bad faith compliance.
Rather than protecting the interests of users, they are more interested in obstructing the DMA and its attempt to promote competition and protect consumers from monopolistic practices.
Fortunately, there are quite a few clauses in the original regulation[0], like 31-33, and some clauses in the 50s IIRC, that explicitly mention some of the coercive tactics Apple is employing.
Like leveraging other mandatory services provided by Apple to incur fees.
My favorite part: "EU users will be confronted with a list of default browsers before they have the opportunity to understand the options available to them. The screen also interrupts EU users’ experience the first time they open Safari intending to navigate to a webpage."
I mean it's like saying that having a choice before being educated by one of the parties among the choices is a bad thing and it looks bad.
But this is the argument with the cookie banners again, isn't it? "Surely choice isn't a bad thing", except that everyone hates them and just clicks allow anyway. At least this regulation is only going to annoy people in the EU and not globally this time.
"Confronted" not presented. Lol the screen should also state in bold lettering "This freedom is forced on you by EU which we hate. You will pay for this, and it's THEIR fault, not ours. No hard feelings."
The serious issue is for apps having more than 1 million installs (YouTube, Zoom, Slack, Outlook, Amazon, etc.). Strong "coincidence": these are the companies you don't want to allow to create alternative stores to, because they have their own payments methods: how long would it take Amazon, Google or Microsoft (the only one without a payment service, AFAIK) to run their brand new "Google/Amazon Store for iOS"? Probably they have it already half baked there waiting to be released.
Now, they will have to either accept to use the App Store "way" (the current way, so all good) or pay huge fees for their own apps. Will they do it? Is it worth it? I am very curious!
Alternative, smaller stores for smaller apps, instead, will be there and should be OK, as long as the apps don't exceed 1 million installs in a year (which is a lot, I guess).
EDIT: I missed Meta Pay, apparently another payment method from one of the companies with the most downloaded apps. Yeah, it seems really that Apple doesn't want other stores from big companies.
This is absolutely not a win by any stretch of the imagination, it's a farce. Every single app will still require Apple's blessings and approval to exist in any app store on iOS.
The moment any app on "f-droid for iOS" does something that Apple disapproves of, they can revoke its notarization and banish its developer from their walled garden.
> In order to establish adequate financial means to guarantee support for developers and customers, marketplace developers must provide Apple a stand-by letter of credit from an A-rated (or equivalent by S&P, Fitch, or Moody’s) financial Institution of €1,000,000 prior to receiving the entitlement. It will need to be auto-renewed on a yearly basis.
It doesn't seem like the fee waiver removes this requirement.
And it seems like the cost for a standby letter of credit is roughly 1-10% of its value per year? So effectively it costs €10,000 to €100,000 per year just to have an alternate marketplace, separate from the core technology fee....
App notarisation will likely prohibit F-Droid self-building of apps, as developers would still have to provide 'notarised' binaries to third-party app-stores, which kinda kills the model of F-Droid. And Apple will charge developers directly for their installs, so F-Droid being non-profit doesn't really matter.
You keep posting that an F-Droid-like store for iOS is not only possible, but imminent now. I doubt that - how many devs will make something exclusively for the smaller EU market, how many will do so for free, and how many will be willing to register as a non-profit?
The centre of that Venn diagram is developers for apps on iOS's F-Droid-like, and I think that's a very small subset indeed - especially considering the paperwork required to become a non-profit.
Maybe the store itself will put in the work, but do you honestly believe every dev with an app on F-Droid will put up with the requirement to register as a non-profit?
As far as I can tell The Commons Conservancy is not a 501(c)(3) (or Netherlands equivalent), at least from their "organization" page. Not making money != a nonprofit organization.
Apps outside the App Store are still subject to Apple's review. So don't hold your breath hoping for most apps you value from F-Droid making it onto iOS.
Yeah it's a win for me. I do not care about other huge corporations making money via alt stores. I do care about an F-Droid-like alternative that will let me download emulators!
App installs through alternative stores can not use the '1 million install credit' that comes with the Apple Developer Program.
As in, you pay from the first install. (Except as an NGO.)
No, that's only for the alternative store app itself. Epic will have to pay the €0.50 fee on the first install of the Epic Games Store but not on the first million installs of Fortnite.
I don't think it's necessarily required for an alternative app store itself to be an iOS app, so Google, Microsoft etc. could presumably at the same time be running a (web-based) iOS app store and continue publishing their own apps (YouTube, Gmail, Outlook etc.) via the old terms without a per-install fee.
This is just my very preliminary reading of the terms though, I might be wrong and the two might actually be coupled!
You're right - in my previous message I made the mistake of implicitly "mixing" the apps with the app stores.
However, this is due to the fact that no average company typically has the time/money/interest to run an app store as a side project, except for the big players, which in many cases happen to be the same people producing high-volume apps and having payment method capabilities. You could claim that Telegram or Zoom have no app store and they would never plan to do so, and you'd probably be right, but the BIG or very BIG ones (MS, Google, Amazon and Meta) one way or another already have their own app stores. They even mention that "less than 1% of the developers would be affected by the Core Technology Fee". You want to really keep these guys on your app store, because imagine if you didn't find Office, Zoom, Gmail, YouTube on the official App Store. That'd be really weird - it reminds me of the Microsoft Store (on some old Windows Phone I had the pleasure to set up...) that didn't have some important apps.
To answer the other question - they could be running an app store...:
Why would Google or Valve run a store for lower-volume apps?
Please note that they mention "less than 1% of the developers", not "less than 1% of the apps hosted". It means: Google, Facebook, MS, Epic Games, etc. Those are the guys that you will probably never have on the alternative app store (because of the huge fees that they might have to pay).
EDIT: In 2022 there were about 34 million registered developers [0]. 1% is 340,000. This is where the big money is.
More like Epic. Valve had 15 years to consider a Steam store for Android games (and honestly that was my biggest hope with all this disruption: proper premium games coming back to iOS/Android), but they only really have a front end for the PC store in that time.
Epic has had an Android store on the roadmap since the beginning of the EGS. They still seem years out but I imagine this news will accelerate development for that.
Alphabet, Meta, Amazon, Netflix and Microsoft should just demand 30% of the device purchase price before allowing access to any services. If Apple is allowed to limit access on their own terms then others should be able to do so too.
I don't think any company with a huge market share should be able to do so, so I hope Apple will have to open up at least to the degree Android has done.
It seems that Apple put way too much thought into avoiding a simple solution: just let users sideload apps and put up a few warning messages like Android. Must have had a bunch of high-priced lawyers think this up.
Also, what is this Core Technology Fee for all apps? Maybe Apple has been losing money on the App Store infrastructure so they want to make it up? Or is this just a bid to try and keep as much control as possible? Seems that Apple wants to go into this kicking and screaming...
As someone in cybersecurity, I understand the need for secure apps, but I think Apple has been going about it in the wrong way.
It's about preventing someone like Epic asking Fortnite players to download Epic store to download Fortnite. It's about preventing that sweet Apple tax going to zero. Apple tax on games is a huge chunk of app store revenue. It might be about not creating many app stores, launchers in the ecosystem, but for Apple, it's always about getting that service revenue, to protect the stock price, margins, profitability, and getting a good review on wall street. No many app stores, security is just a way to sell to consumers. Like many mentioned, there are many ways to design the system that offers security, even content moderation without all of the hoops.
> This seems that Apple went to way too much thought to avoid a simple solution: Just let users sideload apps and put up a few warning messages like Android. Must have had a bunch of high-priced lawyers think this up.
You know how every few weeks there’s an article about something dodgy in an alternate Android store which the scammer never even bothered to submit on iOS? There’s a real problem here and these seem generally like solid technical moves but paired with heavy handed language which reminds me of the way so many websites put up those “look at all the cookies the mean old EU is making us tell you about!” warnings. Notarization in particular seems like a good move for avoiding the common problems around impersonation or silent alteration of binaries, and I think the browser engine requirements are justifiable solely by looking at how many popular Electron apps take months to patch critical vulnerabilities.
> You know how every few weeks there’s an article about something dodgy in an alternate Android store which the scammer never even bothered to submit on iOS?
Every few weeks there is an article about that!? That doesn't happen. It's a non-issue. Likewise on macOS or Windows. I suspect these scenarios in the comments here are just made up by Apple fans to create FUD.
"Maybe Apple has been losing money on the App Store infrastructure so they want to make it up" is a plausible theory, but there's no data to support it since mobile gacha/gambling apps pull in billions a year and Apple pockets 30% of it. Those games don't make particularly heavy use of Apple's infrastructure either, so I would guarantee that they are making a healthy profit every year on the store.
Even more succinctly, if it were the case then the new offering wouldn't be limited to Europe and the old offering wouldn't be an option to retain going forward there either.
Apple considered the App Store commission to be compensation for the value delivered by the entire iOS developer ecosystem, not just the mechanical/infrastructure parts of the app distribution process. It was a pretty good setup: aside from the $100/year membership fee, the charges scaled with revenue, which in most cases is a good approximation for the value provided (there were some edge cases where that falls apart, like digital content purchases). Unlike, say, Microsoft, they didn't charge $250/seat/year for their full-fat IDE. They also haven't charged licensing fees for the SDK, like is common in the video game space.
Device price is sufficient compensation for the value delivered by the entire iOS developer ecosystem.
If a user wants to specifically avoid this 'ecosystem' and have a direct relationship with the app developer, such user should be allowed to run the app without Apple's consent, permission or even knowing.
> Notarization for iOS apps — a baseline review that applies to all apps, regardless of their distribution channel, focused on platform integrity and protecting users. Notarization involves a combination of automated checks and human review.
Does anyone know if notarization is something you could turn off? If you can't, then I'm pretty sure the EU won't like this; obviously "malicious compliance."
I don't see how this isn't effectively an app store in itself. If Apple can forbid an app from running on user devices, then they need to approve every app that is installed. More importantly, they are effectively blackmailing developers to pay them "per install," which is only enforceable through the notarization process.
That sounds an awful lot like an app store.
I agree, the EU will not like this. Too bad it'll take another 3-5 years to fix.
This falls squarely under the exemptions for security reasons under article 6 sub 4 of the DMA.
> The gatekeeper shall not be prevented from taking, to the extent that they are strictly necessary and proportionate, measures to ensure that third-party software applications or software application stores do not endanger the integrity of the hardware or operating system provided by the gatekeeper, provided that such measures are duly justified by the gatekeeper.
Furthermore, the gatekeeper shall not be prevented from applying, to the extent that they are strictly necessary and proportionate, measures and settings other than default settings, enabling end users to effectively protect security in relation to third-party software applications or software application stores, provided that such measures and settings other than default settings are duly justified by the gatekeeper.
The "duly justified" might not be that far reaching. Sure, notarization seems like a valid cause, but there is no reason why it should be exclusively the provider of one specific app store who offers notarization. In particular, if it happens that it is more onerous or restrictive on non-Apple stores, that justification starts looking very shaky.
I think perhaps notarization is OK, for example you have to pass requirements to publish on other closed platforms like games consoles. What I think is very underhanded is charging per install for 'core services' rather than per app review. It's not like the app has to be notarized/reviewed for every install.
> for example you have to pass requirements to publish on other closed platforms like games consoles
But those would be the requirements of those platforms.
I can make and publish games for the Pico-8 console without any requirements. Could you imagine if Microsoft had the ability to veto any Pico-8 game I wanted to make?
The entire point of this legislation is to open up the Apple's mobile platforms to competition. It's not (supposed to be) a closed platform. With notarization requirements, third party app stores are just an extension of Apple's app store with a different logo!
While I don't disagree that the EU won't like it, I don't see this as malicious compliance. The only reason this hasn't been in iOS up until now was distribution was already restricted through the app store. There was already signing going on. This just moves the signing to being an explicit step because distributors won't be signing for the App Store.
Notarization has been enforced for all apps on the Mac for years. Would the DMA have an issue with requiring signed drivers? Seems a similar baseline. Personally I’m totally ok with that. I haven’t seen a single instance of them not notarizing something or revoking it for something that wasn’t actually malicious.
No, notarization can be turned off on the Mac in ~15 seconds. Open a Terminal and type `sudo spctl --master-disable`. Enter your password and press enter.
You can also right click an individual unnotarized .app bundle and select `open`, then affirm your intention in the scary warning prompt.
P.S. The Mac also lets you disable SIP, install unsigned kernel extensions, and rewrite kernel memory to your heart's content. This is admittedly a bit more involved.
Does Apple charge Mac developers a price per notarization? Because it sounds like that's effectively what they're doing here with iOS developers, since they require notarization and also require a fee per install for distributing outside the app store.
It's a protection racket - pay us and we won't flag your app as malware.
You can install any app you want on the Mac, notarized or not. You might get some kind of warning, but that's irrelevant.
And Apple only allows certain kinds of apps through their notarization process. They can't have pornography, they can't allow things that could break copyright etc.
Apple and the EU have been discussing the implementation for some time so it seems extremely likely this has all been OKed already. In particular, I’m sure the issue of apps (FB app with a virus or spyware) on a random App Store is a concern to the EU.
Not defending Apple per se (they sure don’t need help) but going with the public statements of both Apple and the EU leading up to this.
“Officials from the European Commission, the EU’s executive body, have been holding meetings in recent months with Apple and other tech companies to discuss the new rules. Apple hasn’t provided a final package describing its solution to the commission or tested its plans with market participants.
Once it does, the commission will review the full package to look at whether it will make the market more open and contestable, and whether the company’s plans meet all the individual provisions of the law, according to a person familiar with its plans.”
If they actually okayed it, then I hope the EU reconsiders. In effect, Apple's tight grip on what apps you could run remains. I am also disappointed that those changes are EU-only, I hope most governments impose similar laws so that Apple just gives up and makes it global.
The problem with disabling notarization, is that it's something any trojan-horse malware author would have a glossy slideshow walking you through doing as part of the install process for their "meet sexy singles in your area and double your money instantly!" app.
And then you'd run the app, and it wouldn't blow up your phone, but just be a bit disappointing and something you'd delete — but meanwhile, the app would have used some 0day exploit to get a foothold outside the app sandbox, and so now your phone would be a silent node in a botnet, able to be C&Ced to DDoS targets or act as a VPN for nefarious account registrations or so forth.
(Did you know that there are many such botnets made of Android devices? But none so far for iOS devices. There's a reason for that!)
---
If it's not clear, by the way, Apple's "notarization" is, under the covers, just plain-old code signing. Just like every modern consumer OS has for apps, regardless of whether you get them from an app store or from the web. So that the platform can protect users from obvious viruses by just revoking the code cert.
Mind you, notarization is code-signing that requires you to submit your binary to Apple... but it's my understanding that this notarization still operates in two phases — a quick, synchronous phase, and a slower, asynchronous phase — and that the synchronous checks in the notarization process, before you get your cert signed, are only checks against the known signatures of various exploit techniques. (Again, just like every other consumer OS comes up with some way to get this done — whether that be through required submission at signing time, or by submission of novel software by virus scanners that find the software on your disk, or even by web browsers as they download the software. Just try to develop Windows software, on Windows, without implicitly submitting binary "samples" to Microsoft through some route or another. It's very hard!)
Apple is somewhat unique among platforms, in having certain other virus-signature like patterns that their notarization backend takes note of, that won't trigger synchronous rejection, but rather will trigger Apple employees to do an async review of the application. (AFAIK, when this happens, you still get your app's cert signed right away; the cert might just get blacklisted some time later, if it turns out under closer human scrutiny that you were in fact doing something malicious.)
It is my understanding that the things Apple flags for human investigation, consist of use of certain system framework calls, that only very powerful and low-level system software should be doing — think, the sorts of calls unique to Virtual Machine hypervisor software, or to third-party file-system driver software. Rootkit code-smells, in other words.
Note that none of this is about what your app does for the user. Apple's notarization system — as Gatekeeper on macOS, or as part of Enterprise MDM iOS app deployment — has never suppressed or censored any app due to its nature. It's only about what it's doing that it's not supposed to be doing "according to what's on the tin." Apple is doing the same thing through notarization that the FDA does to foods and drugs: holding companies to their claims of their products being fit-for-purpose and non-adulterated.
(And although this is currently entirely a thing Apple is simply trusted to do in good faith, there's nothing stopping the EU from mandating that Apple's notarization going forward, consist of exactly these kind of technical checks and no more. I think that'd be a great idea, personally.)
>To qualify for the entitlement, your app must: Be available on iOS in the European Union only
kicking and screaming. i mean, yes, that is "complying". but it is ridiculous. and, am i getting this right, just gonna create a bunch of "[browser name] EU Edition" apps, which is just gonna be wonderful. users can look forward to having something like Chrome (International) and Chrome EU (limited EU edition) be installed side by side, i guess. can we look forward to "[browser name] [country name] edition" per each country that'd fancy to have itself some regulation similar to that? that'd be so many browsers! dozens, hundreds! what an optimal solution.
That's one way to bring the number of installs per app below Apple's arbitrary threshold so perhaps app devs and publishers will start doing that regardless. Good luck picking out the legit one among the clones. Apple may have a point about this being a security issue but only due to their hostile implementation.
Last time I checked (~7 years ago) they didn't even share reviews between regions.
It was infuriating in Iceland where for obvious reasons all but the most popular apps had less than 5 reviews.
https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELE...
"Article 13: Anti-circumvention
4. The gatekeeper shall not engage in any behaviour that undermines effective compliance with the obligations of Articles 5, 6 and 7 regardless of whether that behaviour is of a contractual, commercial or technical nature, or of any other nature, or consists in the use of behavioural techniques or interface design.
7. Where the gatekeeper circumvents or attempts to circumvent any of the obligations in Article 5, 6, or 7 in a manner described in paragraphs 4, 5 and 6 of this Article, the Commission may open proceedings pursuant to Article 20 and adopt an implementing act referred to in Article 8(2) in order to specify the measures that the gatekeeper is to implement."
Most consumers understand those concepts and fear those things. Most understand nothing about the economic impact of monopolies and anti-competitive business behavior and the harms they cause consumers in the form of higher prices, lack of innovation, reduced choice, and poorer quality products and services.
So Apple plays off those fears by using language consumers understand, making them actually want the very monopoly that is being forced on them and actually harming them while making billions for Apple.
It's unethical behavior, no more defensible than Sam Bankman-Fried's effective altruism, a.k.a. "mostly a front." This is all right out of Apple's standard playbook.
Because it does create security risks.
App code in 3rd party app stores is not going to be reviewed, which means anyone is free to craft a rootkit embedded in an app and release it to a 3rd party app store.
Enjoy!
> The changes also include new disclosures informing EU users of the risks associated with using alternatives to the App Store’s secure payment processing.
There are 22 instances of the word "risks" on that page. Pathetic.
I'm reasonably sure Apple didn't reveal most of their compliance plans to the EU, since they will ask Apple to implement the most strict interpretation of the regulation and it would be headaches in the court if there's any evidence that Apple knowingly ignored such requests.
Yes, we know they talked with the EU, but we don't know the content of those discussions. It's easy to assume they were checking whether their proposed implementation would satisfy the regulators. It's equally likely, even more likely, they were gathering information, posturing and probing to see how the EU would react, to gauge how best to craft their scheme to outwit them and what they could or could not easily get away with.
You can hold a negotiation and still screw the other side over afterwards - isn't that actually the best way to do it? Holding a meeting first to learn what cards your opponent has in their hand is just a better way to play any game.
Looks like they're happy to pay fines to maintain their monopoly.
/flagrant-speculation
That would be following the Microsoft playbook when it comes to corporate crime in the EEA/EU.
I am pretty sure that FB also has many lawyers, but they were repeatedly violating law. Sometimes clearly, blatantly and openly.
[1] https://www.enzuzo.com/blog/biggest-gdpr-fines
The EU might not be worth 10% of annual turnover.
[1] https://www.marketwatch.com/story/how-profitable-is-apples-a...
2,000,000 installs acquires a minimum of $45,000 in fees, even if you don't make any money
That's up from $0 USD.
https://developer.apple.com/support/core-technology-fee/
So what are we left with? Apps where users are the product, like Facebook, and freemium apps where you end up paying to get anything useful done with it anyway. Apps where the parent company is making millions if not billions. Is anybody upset that those guys have to chip in for iOS development?
I personally think Apple's approach is the lesser of two evils. We don’t pay for OS explicitly anymore. But look at Windows and Android… you end up paying somehow in the end anyway. I’d rather it be through fees on apps than more insidious approaches.
And no. Paying for the phone is not a viable way to pay for the OS. That incentivises the phone maker to ditch OS updates for old phones. And we know that’s a real issue. As long as we pay through app fees the phone makers are incentivised to keep releasing OS updates for old phones.
The new EU stuff is opt-in.
If you want to continue to distribute your app for free in Apple's app store, literally nothing changes.
To comply with the regulation they've introduced even more egregious pricing.
1. Developers can continue to use the existing terms.
2. If a smaller developer elects to use the new terms, they pay less commission (10%) and a 3% transaction fee. That’s 2% less.
3. If they have more than 1 million users download their app, then there is an additional €0.50 Core Technology fee. If the developer is a commercial entity, then yes, they have to pay but in reality, it’s the end user that will have to pay.
4. If the app is free but offered by a commercial entity, they pay nothing in commission or payment fees (13% X $0 ) but they reach 1 million installs, then they do have to pay €500k. If the business has no revenue - that’s a weird business model.
5. If the app is offered by a not for profit, then they don’t pay the CTF.
So, the new terms seem better for developers and users in the EU.
Instead, many people seem to have had a head-in-the-sand view that many of the services Apple provided were no-cost, or done out of goodwill.
So, now there is the option for alternative marketplaces, the costs have been shifted to those marketplaces.
Makes complete sense.
It's almost like... those marketplaces will need to find a monetising model similar to how the Apple App Stores used to operate.
But if I distribute that exact same app on an M1 powered iPad outside of the App Store, I'll be subjected to a fee if my app goes viral, unless I agree not to profit from it and set up a non-profit organization?
As far as Apple is concerned, this is a huge oversight, and will be rectified in the coming years. The idea of computing devices as uncontrollable platforms is a mistake to them. It's only a matter of time.
Why? Because if you affect one aspect of Apple’s carefully crafted business model, you touch many more.
For instance, the fact that there’s no good free calculator on the iPad is bonkers. Why is it bonkers? Did Apple go “oopsie, we never got around to finishing the iPad calculator app.” for years? No. It’s a calculated decision.
Another example, why did Apple never have a weather app for the iPad UNTIL they bought out their best competition, which happened to be web-based?
Apple factors in everything. Will X push more sales of Y product or Z service? Will the fact that this feature is randomly not present in this set of devices help sell more mac/iPad/iPhone?
Apple loses more than the face-value (which is a lot) of their App store control. They lose a portion of control over their less-tangible business model.
If this wasn’t the case, they’d still be selling iPods.
I see what you did there.
Could you elaborate? I don't get this part -- are you saying they don't include a calc app on the iPad to push iPhone sales?
2,000,000 updates acquires a minimum of $45,000 in fees per month!
I hope the EU fines them for blatantly trying to circumvent the law, and makes it a recurring monthly fine until they properly comply with the DMA.
[0] "A first annual install may result from an app’s first-time install, a reinstall, or an update from any iOS app distribution option — including the App Store, an alternative app marketplace, ..." https://developer.apple.com/support/core-technology-fee/
How are they even justifying these fees if the app is being distributed entirely outside of the app store? So weird.
A real option, mind you, not one that's tilted so far in Apple's favor that any competition looks hopeless from day 1.
> Core Technology Fee — iOS apps distributed from the App Store and/or an alternative app marketplace will pay €0.50 for each first annual install per year over a 1 million threshold.
source: https://www.apple.com/newsroom/2024/01/apple-announces-chang...
> will pay €0.50 for each first annual install per year over a 1 million threshold
EDIT: I misread, I thought they were arguing that the 50c was per month, not the total number at the end of the calculation.
Can't imagine that flying with the EU...
The regulator will argue that the technology in the phone has already been paid for by the buyer of the hardware (which came with a license for iOS)
Charge developers at-cost for hosting/distribution. Want more compensation for producing the hardware/platform? Here's my $1,000 receipt. Now go away.
Edit: I should have been specific that I was referring to the Core Tech Fee that will apply even to free apps with more than a million users. Developers will still pay a value based royalty of 10% (small devs) or 17% (large devs) for paid apps.
The DMA is 66 pages of legalese, otherwise I would have read it to find out:
https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELE...
(Disclaimer: I'm no lawyer, armchair or otherwise)
[1] https://developer.apple.com/documentation/appdistribution/in...
I wonder if the alternate App Stores will have to be installed via the official App store?! That’s the way I would do it. Gives Apple a way to shut them down if they try to circumvent the reporting piece to bypass the 0.50 fees.
The user paid for the technology in the phone, but the dev didn't pay for use of Apple's IP to build their own product which they are offering to users.
I don't see regulators being able to challenge this (nor is it particularly unfair).
Hardware-platform SDKs generally cost tons of money. Visual Studio Professional Enterprise — essentially (if you think about it) the SDK for the Windows platform — costs $250 per month per seat!
(And that's cheap, compared to the SDK costs for proprietary platforms that people don't usually consider "computers." How much do you think Blackberry charges for a QNX SDK? There's a reason that maybe five companies in the whole world ever bothered to develop car infotainment "partner apps", before Apple CarPlay and Android Auto came along to make the platform moot.)
These SDK fees pay for "the platform" — but specifically, in IP terms, they give you a license to use the source code and libraries that come with the SDK, a license to redistribute the outputs of the compilers that come with the SDK — and so forth.
PC and smartphone platform vendors stopped charging so much for SDKs (or at least their non-enterprise-level SDKs) right around when they introduced App Stores. Because they changed the model, to one where the license you got with the SDK, said that your IP license to the stuff in the SDK, is paid for through royalties, by the revenue you make from publishing your app on their App Store.
And that's a perfectly valid arrangement. If you breach the contract, by not giving Apple royalties, then you don't have IP rights to redistribute the derivative works from their SDK any more!
And then on top of that, Apple already charges developers for tooling via their dev license program. Which at least makes some sense since it's a fixed fee. The notion that maker of the toolchain gets to claim a percentage of what the app written using it brings in is ridiculous by all industry standards.
Professional and Enterprise are two distinct editions. Professional is $45/user/month, and it's a capable IDE even if Enterprise has some extra features.
Or you can use GCC and compile “Hello world” for windows, no Microsoft IP involved? What am I missing
Rather than protecting the interests of users, they are more interested in obstructing the DMA and its attempt to promote competition and protect consumers from monopolistic practices.
Like leveraging other mandatory services provided by Apple to incur fees.
[0]: https://eur-lex.europa.eu/legal-content/EN/TXT/?toc=OJ%3AL%3...
I mean it's like saying that having a choice before being educated by one of the parties among the choices is a bad thing and it looks bad.
The serious issue is for apps having more than 1 million installs (YouTube, Zoom, Slack, Outlook, Amazon, etc.). Strong "coincidence": these are the companies you don't want to allow to create alternative stores to, because they have their own payments methods: how long would it take Amazon, Google or Microsoft (the only one without a payment service, AFAIK) to run their brand new "Google/Amazon Store for iOS"? Probably they have it already half baked there waiting to be released.
Now, they will have to either accept to use the App Store "way" (the current way, so all good) or pay huge fees for their own apps. Will they do it? Is it worth it? I am very curious!
Alternative, smaller stores for smaller apps, instead, will be there and should be OK, as long as the apps don't exceed 1 million installs in a year (which is a lot, I guess).
EDIT: I missed Meta Pay, apparently another payment method from one of the companies with the most downloaded apps. Yeah, it seems really that Apple doesn't want other stores from big companies.
The moment any app on "f-droid for iOS" does something that Apple disapproves of, they can revoke its notarization and banish its developer from their walled garden.
> In order to establish adequate financial means to guarantee support for developers and customers, marketplace developers must provide Apple a stand-by letter of credit from an A-rated (or equivalent by S&P, Fitch, or Moody’s) financial Institution of €1,000,000 prior to receiving the entitlement. It will need to be auto-renewed on a yearly basis.
Source: https://developer.apple.com/support/alternative-app-marketpl...
It doesn't seem like the fee waiver removes this requirement.
And it seems like the cost for a standby letter of credit is roughly 1-10% of its value per year? So effectively it costs €10,000 to €100,000 per year just to have an alternate marketplace, separate from the core technology fee....
This is just a farce at this point.
The centre of that Venn diagram is developers for apps on iOS's F-Droid-like, and I think that's a very small subset indeed - especially considering the paperwork required to become a non-profit.
Maybe the store itself will put in the work, but do you honestly believe every dev with an app on F-Droid will put up with the requirement to register as a non-profit?
What about the payment methods? Are these also exempted?
This is just my very preliminary reading of the terms though, I might be wrong and the two might actually be coupled!
However, this is due to the fact that no average company typically has the time/money/interest to run an app store as their side project, except for the big players, which in many cases happen to be the same people producing high volume apps and having payment method capabilities. You could claim that Telegram or Zoom have no app store and they would never plan to do so, and you'd probably be right, but the BIG or very BIG ones (MS, Google, Amazon and Meta) one way or another already have their own app stores. They even mention that "less than 1% of the developers would be affected by the Core Technology Fee". You want to really keep these guys on your app store, because imagine if you didn't find Office, Zoom, Gmail, YouTube on the official App Store. That'd be really weird - it reminds me of the Microsoft Store (on some old Windows Phone I had the pleasure to set up...) that didn't have some important apps.
To answer the other question - they could be running an app store...:
Why would Google or Valve run a store for lower-volume apps?
Please note that they mention "less than 1% of the developers", not "less than 1% of the apps hosted". It means: google, facebook, ms, epic games, etc. Those are the guys that you will probably never have on the alternative app store (because of the huge fees that they might have to pay).
EDIT: In 2022 there were about 34 million registered developers [0]. 1% is 340'000. This is where the big money is.
[0]: https://appleinsider.com/articles/22/06/06/apple-now-has-ove...
Epic has had an Android store in the roadmap since the beginning of the EGS. They still seem years out but I imagine this news will accelerate development for that.
They definitely want to "demotivate" big players from running the show. If they do, they'll have to pay huge fees, so it's a big win for Apple.
I don't think any company with a huge market share should be able to do so, so I hope Apple will have to open up at least to the degree Android has done.
Also, what is this Core Technology Fee for all apps? Maybe Apple has been losing money on the App Store infrastructure so they want to make it up? Or is this just a bid to try and keep as much control as possible? Seems that Apple wants to go into this kicking and screaming...
As someone in cybersecurity, I understand the need for secure apps, but I think Apple has been going about it in the wrong way.
"so many" shady websites
Sounds like we’re getting a fat paycheck from Apple via the EU in the meanwhile then.
> The gatekeeper shall not be prevented from taking, to the extent that they are strictly necessary and proportionate, measures to ensure that third-party software applications or software application stores do not endanger the integrity of the hardware or operating system provided by the gatekeeper, provided that such measures are duly justified by the gatekeeper. Furthermore, the gatekeeper shall not be prevented from applying, to the extent that they are strictly necessary and proportionate, measures and settings other than default settings, enabling end users to effectively protect security in relation to third-party software applications or software application stores, provided that such measures and settings other than default settings are duly justified by the gatekeeper.
In that sense, the old system is OK as well, no?
Apple did threaten to cut off Epic's ability to notarize Unreal Engine[0], until ordered not to by the court[1].
[0]: https://www.macrumors.com/2020/08/17/apple-terminate-epic-de...
[1]: https://www.theverge.com/2020/10/9/21492334/epic-fortnite-ap...
Do you think they would notarize a PornHub app?
We’ll see how that goes.
[0] https://archive.is/Hk39s
Note that none of this is about what your app does for the user. Apple's notarization system — as Gatekeeper on macOS, or as part of Enterprise MDM iOS app deployment — has never suppressed or censored any app due to its nature. It's only about what it's doing that it's not supposed to be doing "according to what's on the tin." Apple is doing the same thing through notarization that the FDA does to foods and drugs: holding companies to their claims of their products being fit-for-purpose and non-adulterated.
(And although this is currently entirely a thing Apple is simply trusted to do in good faith, there's nothing stopping the EU from mandating that Apple's notarization going forward, consist of exactly these kind of technical checks and no more. I think that'd be a great idea, personally.)
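The checks the two comments above describe (the quarantine flag that the right-click "Open" route clears, and notarization as code signing plus a revocable ticket) can be inspected directly on a Mac. The script below is an added example and not code from the thread or from Apple; it uses the real macOS tools (`xattr`, `codesign`, `xcrun stapler`, `spctl`), which only exist on macOS, while the quarantine-value parser assumes the layout `flags;hex-unix-time;agent;uuid` and runs anywhere. The sample value fed to it is constructed.

```shell
#!/bin/sh
# Added example, not from the original thread. Inspects what Gatekeeper
# evaluates for a downloaded .app: the com.apple.quarantine attribute,
# the code signature, the stapled notarization ticket, and the final
# spctl policy verdict.

# Split a com.apple.quarantine value into its four fields.
# Assumed layout: "flags;hex-unix-time;agent;uuid", e.g.
# "0083;65000000;Safari;<uuid>". The time field is hex seconds since
# the epoch; we convert it to decimal for readability.
parse_quarantine() {
    value="$1"
    flags=$(printf '%s' "$value" | cut -d';' -f1)
    hextime=$(printf '%s' "$value" | cut -d';' -f2)
    agent=$(printf '%s' "$value" | cut -d';' -f3)
    uuid=$(printf '%s' "$value" | cut -d';' -f4)
    secs=$((0x$hextime))
    printf 'flags=%s time=%s agent=%s uuid=%s\n' "$flags" "$secs" "$agent" "$uuid"
}

# Run the real Gatekeeper-related checks against a bundle (macOS only).
# Returns 0 only when the signature verifies, a notarization ticket is
# stapled, and spctl would allow execution. Each tool prints its own
# detail (signing authority, ticket status, policy source).
gatekeeper_status() {
    app="$1"
    if q=$(xattr -p com.apple.quarantine "$app" 2>/dev/null); then
        parse_quarantine "$q"
    else
        echo "no quarantine attribute (not downloaded, or already cleared)"
    fi
    # Signature must be intact across the whole bundle; -dvv shows the
    # "Authority=" chain, i.e. which Developer ID cert Apple could revoke.
    codesign --verify --deep --strict --verbose=2 "$app" || return 1
    codesign -dvv "$app" 2>&1 | grep '^Authority='
    # Stapled ticket proves the binary went through notarization.
    xcrun stapler validate "$app" || return 1
    # Final policy decision, as the Finder would make it.
    spctl --assess --type execute --verbose=4 "$app" || return 1
}

# Usage: ./gatekeeper_status.sh /Applications/Some.app
if [ $# -gt 0 ]; then
    gatekeeper_status "$1"
fi
```

Removing the attribute with `xattr -d com.apple.quarantine Some.app` is what makes the warning prompt go away, which is why the right-click "Open" route exists as a user-visible equivalent; note that it bypasses the prompt, not the signature check, so a later certificate revocation still blocks the app.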
Kicking and screaming. I mean, yes, that is "complying". But it is ridiculous. And, am I getting this right, just gonna create a bunch of "[browser name] EU Edition" apps, which is just gonna be wonderful. Users can look forward to having something like Chrome (International) and Chrome EU (limited EU edition) be installed side by side, I guess. Can we look forward to "[browser name] [country name] edition" per each country that'd fancy to have itself some regulation similar to that? That'd be so many browsers! Dozens, hundreds! What an optimal solution.
Beautiful.
You can have 100 million installs in the US and it wouldn’t affect what you owe Apple.
You can have 100 million installs in the EU on iPad; again, it doesn't affect what you owe Apple.
Thus they would see APP and APP (EU Edition).