People use their mobile devices - phones, tablets, and everything else - all day, every day (at least if you’re like me). I’m sending messages, looking at that cute picture of a friend’s kid, and old-school surfing the internet all day. 

My employer trusts my phone too, so I’m also checking email, reviewing documents, and setting meetings on the go. All of this is enabled by an ecosystem that encourages trust, bolstered by the security features that all the major platforms have built into their operating systems and app stores.

Of late, there have been lots of examples of well-intentioned proposals with security consequences - the latest is a bill in the U.S. Senate that would open the App Store ecosystems, enabling consumers to download apps from third-party app stores. That’s great - right up until my employer starts asking questions about how they can secure our information on the device, and whether they can restrict the kinds of apps and app stores that I use.

The bill is designed to “set fair, clear, and enforceable rules to promote competition and strengthen consumer protections within the app market.” The measure was first introduced in 2021 and passed out of the Senate Judiciary Committee 20 to 2 the following year. To be clear, we’re all for promoting competition and strengthening consumer protections - but it’s not clear that unfettered access to unvetted apps and app stores would promote competition. Instead, it might decimate the trust that enables the competitive mobile market we have today - and roll back BYOD policies from companies. 

The Open App Market Act (OAMA) would:

  • Protect sideloading, which enables consumers to download applications without having to use an official app store. Apple does not allow sideloading on its iPhones, whereas Google does for its Android devices - based on the different technical and policy architectures in place to secure their devices.
  • Open the market to third-party app stores and alternative payment systems.
  • Prevent app stores from disenfranchising certain developers, in addition to other provisions.

This mirrors provisions in the European Union’s Digital Markets Act (DMA). That law requires that companies defined as “gatekeepers” be subject to provisions around their app stores and their mobile OS interactions with third-party app stores and apps. The intention of the DMA is to make it easier for smaller European companies to compete with those that may have a more embedded position in the market. But, similarly, it doesn’t have provisions to protect the security measures that companies put in place around these kinds of interactions.

In the U.S., the idea is to open markets to smaller companies and developers. The app stores, for their part, are concerned about security and privacy. Platforms have lots of different kinds of vetting in place, but much of it is within their own app stores - where they have the most ability to impose consumer protection rules and evaluate the security characteristics of apps.

For corporate and enterprise systems, this trend toward unvetted apps should be a major concern. Many in both the public and private sectors choose to use Mobile Device Management (MDM) to ensure that only approved apps are installed on devices that also have access to sensitive data or apps, and these tools may in the future allow administrators to determine which app stores are allowed. These policies are critical to allow companies to trust these devices - without them, apps might steal your data, open up security vulnerabilities, or raise a myriad of other concerns.

Given the extent and complexity of the potential risks with third-party app stores, it’s unrealistic to expect end users to suddenly have the requisite awareness and understanding of mobile security and privacy. Approaches that rely on users protecting themselves - through layered security, configuring an optimal combination of settings for their accepted risk, and other methods - simply aren’t viable at scale.

End users are likely to assume that universally available app stores are safe. There are other approaches – but they will require protections like the ones that gatekeepers have already put in place in their own app stores.

In 2024, the Center for Cybersecurity Policy and Law took an in-depth look at the DMA and its potential consequences for mobile devices and app stores in the EU. That report can be found here.

Heather West
