May 14, 2025

    Impact of DMA and Epic Games v. Apple Ruling on iOS Security

    More than two years ago, we anticipated that the Digital Markets Act (DMA) would be a game-changer for iOS mobile development. With the goal of leveling the digital playing field, the DMA promised iOS developers more freedom to reach their target customers. However, maintaining mobile app security in a more open environment brought new challenges.

    Fast forward to today, and the journey toward openness is still unfolding. The European Commission has formally found Apple in breach of key DMA provisions, and the Apple vs. Epic Games ruling in the U.S. further accelerates the shift toward a more open iOS ecosystem.

    With these developments, one takeaway is clear: additional mobile app security on iOS is no longer optional; it’s essential.

    Digital Markets Act: With freedom comes more responsibility

    The DMA’s key requirement is straightforward: developers must be allowed to inform users about alternative options outside of Apple’s App Store and guide them toward those offers, free of charge. This mandate has already catalyzed the launch of third-party app stores. For example, Epic Games now has its own alternative store focused on its titles. Aptoide manages a generalist app store supporting broader app categories, and more are available.

    These platforms promise greater distribution opportunities; however, this expanded reach also increases the attack surface. Apple’s long-standing argument has always been that its walled garden is a safe and secure environment for its users. In the new, more open environment, the burden to defend iOS application security shifts even more to developers and publishers.

    Apple vs. Epic Games: A legal landmark for app monetization

    In a decisive moment, Judge Yvonne Gonzalez Rogers ruled that Apple willfully violated a 2021 court order by continuing to restrict developers from directing users to external payment options.

    This ruling not only paves the way for developers to integrate external payment providers like Stripe and PayPal, but it also aligns with the DMA’s spirit of a more level playing field. Companies like Spotify and Epic Games have praised the decision as a victory for transparency and innovation, and the latter is planning to restore its flagship game, Fortnite, to the Apple App Store. While Apple has already appealed the decision, app developers aren’t standing by passively. Many are already updating their apps to enable third-party payments. For example, a recent update of the Kindle app on iOS now allows customers to purchase books directly within the app. Similarly, Patreon is planning an app update to allow its content creators to accept payments outside Apple’s App Store. By offering that, Patreon’s content creators will avoid the Apple fee typically associated with in-app payment transactions.

    Allowing external payments and third-party app stores introduces new challenges to iOS app security that developers must be prepared to address.

    What’s at stake: Emerging iOS mobile app security risks

    As the ecosystem decentralizes, these mobile app security threats are becoming more prominent:

    1. Weaker app store vetting

    Unlike Apple’s App Store, alternative platforms may not enforce rigorous security or quality assurance checks. This creates a greater chance for undetected iOS mobile app vulnerabilities, such as hardcoded credentials, misconfigured permissions, or exposed APIs. If a known vulnerability is publicly disclosed, the fallout can result in negative media coverage, customer churn, and revenue loss. Worse still, users will often blame the app itself, regardless of the store it was downloaded from, eroding brand trust and loyalty.

    2. Proliferation of cloned or tampered apps

    Open ecosystems are more susceptible to app cloning, where attackers create modified versions such as “Instagram++”, “WhatsApp++” or “Spotify premium free” that offer unauthorized features to users. Such clones:

    • Violate app publishers’ IP
    • Undermine app UX
    • Generate revenue losses

    Malicious clones can be weaponized to steal personally identifiable information (PII), commit fraud, or damage brand reputation.

    3. API exploitation via third-party payment flows

    With Apple being required to allow developers to direct users to external payment platforms, backend APIs tied to transactions have become high-value targets. Threat actors can intercept or spoof requests if proper authentication and app attestation mechanisms aren’t in place, putting mobile app payment flows and customer data at risk.

    How to strengthen iOS app security

    To stay secure and competitive in this evolving landscape, iOS app developers need to embrace multi-layered mobile app security strategies to achieve the highest level of protection. Here’s how:

    1. Code obfuscation and anti-tampering

    Even though iOS apps are compiled to native binaries, they can still be reverse-engineered. Reverse engineering is often the first step attackers take to understand the app they intend to target. By using code obfuscation, app developers make analysis more difficult, slowing down potential attacks or making them too costly to carry out.

    2. Continuous security testing

    Security isn’t a one-time activity. iOS developers should adopt a DevSecOps mindset, which involves integrating security practices into every stage of the development pipeline, from design and development to testing, deployment, and maintenance. It means incorporating automated security tools like static application security testing (SAST) and dynamic application security testing (DAST) into the mobile app CI/CD pipeline. These tools help flag insecure coding practices, outdated third-party libraries, or misconfigurations before they become exploitable. Combined with penetration testing before major releases, these tools can surface complex vulnerabilities and provide additional insights to harden the app against real-world attack techniques.

    3. API protection & app attestation

    APIs are among the most frequently targeted components in mobile app architectures. Poorly secured or exposed APIs can be exploited by attackers to impersonate legitimate apps, intercept sensitive user data, or manipulate backend business logic, often without needing to compromise the iOS app itself.

    To mitigate these risks, it is critical to implement iOS app attestation. App attestation helps confirm that requests to your backend originate from genuine, unmodified instances of your app running on authentic iOS devices. This prevents rogue clients, repackaged apps, or automated scripts from impersonating the app and abusing your APIs.
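    Backend-side verification of attestation-backed requests, as an added example and not Guardsquare’s code: it models the shape of an Apple App Attest assertion in a constructed, simplified layout, where the server issues a one-time challenge, the app signs the request with its attested P-256 key and an increasing sign counter, and the backend rejects replays, tampered bodies, forged clients and stale counters. It assumes the initial attestation (certificate-chain check of the app’s key) has already been completed, so only the per-request assertion check is shown.

```go
package main
import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
)
// Assertion uses a constructed, simplified App Attest-style layout: AuthData is a 4-byte big-endian sign
// counter, ClientData is the 32-byte server challenge followed by the request body, Signature is DER ECDSA over AuthData || SHA-256(ClientData).
type Assertion struct{ AuthData, ClientData, Signature []byte }
type AppKey struct{ Pub *ecdsa.PublicKey; Counter uint32; challenges map[string]bool } // backend record per attested app instance
func GenerateAppKey() (*ecdsa.PrivateKey, error) { return ecdsa.GenerateKey(elliptic.P256(), rand.Reader) } // per-app key bound at attestation
func NewAppKey(pub *ecdsa.PublicKey) *AppKey { return &AppKey{Pub: pub, challenges: map[string]bool{}} }
// IssueChallenge hands the app a fresh nonce it must sign into its next request.
func (k *AppKey) IssueChallenge() []byte {
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil { panic(err) }
	k.challenges[string(c)] = true
	return c
}
func digest(authData, clientData []byte) []byte {
	h := sha256.Sum256(clientData)
	d := sha256.Sum256(append(append([]byte{}, authData...), h[:]...))
	return d[:]
}
// Verify rejects malformed input, unissued or reused challenges, bad signatures and stale counters.
func (k *AppKey) Verify(a Assertion) error {
	if len(a.AuthData) != 4 || len(a.ClientData) < 32 || !k.challenges[string(a.ClientData[:32])] {
		return errors.New("malformed assertion, or challenge not issued or already used")
	}
	delete(k.challenges, string(a.ClientData[:32])) // one-time use: a captured request cannot be replayed
	if !ecdsa.VerifyASN1(k.Pub, digest(a.AuthData, a.ClientData), a.Signature) {
		return errors.New("signature invalid: tampered body or forged client")
	}
	if n := binary.BigEndian.Uint32(a.AuthData); n > k.Counter {
		k.Counter = n
		return nil
	}
	return errors.New("sign counter did not increase")
}
// SignAssertion stands in for the app side so the flow can run end to end offline.
func SignAssertion(priv *ecdsa.PrivateKey, counter uint32, challenge, body []byte) (Assertion, error) {
	auth := make([]byte, 4)
	binary.BigEndian.PutUint32(auth, counter)
	cd := append(append([]byte{}, challenge...), body...)
	sig, err := ecdsa.SignASN1(rand.Reader, priv, digest(auth, cd))
	return Assertion{auth, cd, sig}, err
}
```

Because the challenge is consumed before the signature is checked, even a genuine request captured in transit cannot be submitted twice, and a script that lacks the attested private key cannot produce a valid signature at all.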

    A call to action for iOS developers

    The global direction is clear: courts in the US and regulators in the EU are pushing Apple toward a more open iOS ecosystem. As we have seen with GDPR, what starts in the EU often sets the stage for global change, and the same may hold true for the DMA.

    To succeed in this new era, iOS app developers should partner with security teams to ensure their code is fully protected. That means adopting multi-layered defenses that protect the iOS app itself and safeguard its APIs.

    The opportunity is greater than ever, but so is the risk. With strong mobile app security, developers can embrace the new openness of the iOS app ecosystem driven by DMA and the Epic Games vs Apple ruling without compromising on mobile app protection.


    Discover how Guardsquare provides industry-leading protection for mobile apps.
