Mobile devices serve as wallets, medical portals, and workplace IDs. A single vulnerability in the operating system can expose financial information, health data, or corporate credentials. When rules that aim to promote competition inadvertently weaken these defenses, the effects are felt not only by platform providers but by every user.
This paper examines the implications of the DMA's hardware and software interoperability provisions for mobile operating systems, identifies the key risks, and makes recommendations to avoid weakening the mobile ecosystem. Article 6(7) of the DMA requires designated "gatekeepers" to provide developers and businesses with free and effective interoperability with mobile hardware and software, including features controlled by the operating system (OS). While intended to promote competition, the mandate requires operating systems to expose internal functions in ways that disrupt existing security protections: it widens the attack surface, threatens data integrity and confidentiality, increases system instability, creates weaknesses in authentication and authorization, and erodes user privacy.
User trust has been a cornerstone of mobile adoption. The security and privacy assurances provided by integrated mobile operating systems have enabled widespread adoption of sensitive services such as mobile payments, health applications, and enterprise productivity tools. If interoperability mandates erode that trust, consumers may become reluctant to adopt new services or may disable interoperability features altogether. Instead of promoting competition and innovation, poorly implemented interoperability could stifle uptake of alternative services. Preserving user trust should be seen as an integral part of achieving the DMA’s pro-competition objectives.
Secure mobile operating systems already offer sophisticated interoperability capabilities, so security and openness are not inherently in tension. But measures to achieve a level playing field and competition in the digital market must not undermine security by compromising existing system design. And if users come to distrust their mobile devices, the mobile market as a whole will suffer.
DMA interoperability is difficult to implement because modern mobile operating systems are deliberately designed to control and limit access to the core functions of the operating system.
A central objective of the DMA is to enhance competition and contestability — the ability of rivals to challenge dominant firms by lowering switching costs and reducing lock-in. The Commission designates gatekeepers as platforms that function as important gateways to end users and hold entrenched or durable positions. To date, the European Commission has named 23 core platform services from seven companies: Alphabet, Amazon, Apple, Booking, ByteDance, Meta, and Microsoft.
The DMA does include a security clause allowing gatekeepers to adopt "strictly necessary and proportionate" measures to preserve the integrity of their services. But this qualifier offers limited practical protection, because whether a safeguard is necessary and proportionate is a judgment call, and policymakers can deem a given safeguard excessive or unjustified. The incentives cut both ways: device manufacturers or operating system developers can invoke security risks that are unlikely to materialize, and gatekeepers can use the security opt-out to resist changes that are in fact safe, while firms requesting interoperability can dismiss risks that are real. Either way, the result is a potential erosion of the trust that users place in mobile platforms.
Competition concerns are valid and should be addressed, but competition and contestability can surely be improved without giving up the advances that mobile devices have brought to our collective cybersecurity.
The integrated mobile model stands in deliberate contrast to traditional desktop systems such as Microsoft Windows or Linux, where early architectural decisions in favor of open interoperability with third-party hardware and software fostered innovation. That same openness also created persistent weaknesses: malware proliferation, driver conflicts, and fragmented updates.
Mobile operating systems were designed and refined to avoid those weaknesses by emphasizing integration and restricting access to core functions. Modern mobile operating systems rely on layered or "tiered" security, much like a series of airport checkpoints. Both Apple's iOS and Google's Android use tiered access permissions. Apps and services must pass through multiple verification gates, such as sandboxing, permission prompts, and OS-level authentication, before they can interact with sensitive hardware or data. Each layer catches what another might miss, creating predictable and controlled pathways. The operating system retains privileged control over core functions such as software updates and hardware interactions, while third-party apps run with limited privileges and must request permission to reach protected resources.
This permission system limits opportunities for exploitation, but it also limits, by design, what untrusted applications or developers can access. The Apple App Store and Google Play Store additionally vet apps for malware or risky functionality before distribution, although review is a screening step rather than a guarantee.
Similar limitations and controls are in place throughout the device and operating system, though less visible to the user. This provides defense-in-depth — multiple layers of protection, such as hardware-based security, encryption, permission controls, and secure boot processes. Even if one control fails, others remain in place to prevent compromise.
Interoperability mandates that disrupt this integration, including Article 6(7), unavoidably create significant tensions with the design of mobile operating systems. The history of computing is full of examples where efforts to make systems more open or compatible also made them more vulnerable. Part two of this series discusses the key risks and technical challenges that illustrate these tensions.
This report originally appeared as a short series of articles on CEPA.org.