In the upcoming iOS 17.4 update, Apple is introducing significant changes to its App Store policies for apps distributed in the European Union. The new policy brings multiple changes, one of them being alternative app marketplaces (which are effectively third-party app stores). These changes have both technical and financial implications for developers, but do they bring news to the digital forensic crowd? Let’s have a look into what Apple’s new policy brings and how it may impact forensic experts.

Apple has announced updates to iOS, Safari, and the App Store, affecting the developers operating within the European Union (EU). The changes were required to adhere to the EU’s new Digital Markets Act (DMA). The new rules bring changes into the app distribution process on iOS, as well as opening the iOS ecosystem to third-party payment processing, third-party Web browser engines, and more. These changes only affect developers whose apps are available and distributed within the EU. Developers who wish to maintain the status quo do not need to take any action, and can continue distributing their apps exclusively on the App Store if they choose so.

While the forthcoming iOS update will allow distributing apps through alternative app marketplaces, it is unlikely that the changes will affect mobile forensics due to stringent requirements for third-party marketplace operators as well as Apple’s notarization requirements for apps distributed through such marketplaces.

Summary of technical changes

Third-party app stores (alternative app marketplaces): iOS 17.4 will allow users to install alternative app marketplaces, marking a departure from Apple’s previous closed ecosystem.

Verification of alternative app marketplace operators: Operators of alternative app marketplaces will undergo scrutiny from Apple to ensure compliance with guidelines and regulations. It is highly unlikely that any forensic vendor would be able to maintain an third-party app store for the purpose of installing extraction agents, and it is also unlikely that any authorized third-party marketplace would accept the extraction agent for distribution.

Notarization requirement for third-party distribution: Developers intending to distribute their apps through third-party marketplaces must still obtain notarization from Apple, which involves automated and manual checks for viruses and other security threats. Notably, the low-level extraction agent is precisely the app that would be rejected according to these rules as the agent implements undocumented exploits for escalating privilege level and escaping sandbox.

Encryption and signing of notarized apps: Notarized apps will be encrypted and signed by Apple to enable their distribution through alternative app marketplaces.

Binary compliance checks: For apps installed through alternative app marketplaces, iOS will conduct checks to ensure the downloaded binaries comply with security standards. If a threat is detected within a binary, it will be prevented from launching and its notarization will be revoked, preventing its execution and further distribution.

How these changes affect mobile forensics

Theoretically, an alternative app marketplace could be used to install the extraction agent onto the phone for the purpose of low-level extraction (currently, the extraction agent must be sideloaded, a process that can be described as cumbersome at best). The extraction agent is an iOS app that attempts to obtain extended (usually root) privileges and escape the device’s sandbox. This in turn enables access to the data in all the folders, and allows experts accessing all the files on the device, as well as the keychain.

There are multiple roadblocks barring the extraction agent from using this avenue. Privilege escalation is based on chains of exploits which Apple fairly views as a security threat. As a result, no alternative app store operator will likely accept such an app. Even if they would, Apple’s notarization requirements will never be met, and even if they would, the final iOS binary check would prevent the agent from launching, all while revoking its notarization.

Financial implications

While financial implications of the new Apple policy do not directly affect mobile forensics, it was still interesting to see how these changes affect revenues.

No commission for third-party distribution: Apple waives its commissions on sales of digital goods for apps distributed through third-party marketplaces. Commissions will only be charged for apps distributed through Apple’s own App Store.

Third-party payments: There is now an option for third-party payments that is structured in a similar way to the US (see Changes to U.S. iOS App Store Policies Allow External Purchase Links). While third-party payment options are introduced, Apple’s commissions still apply, but only if the app is distributed through the App Store. This marks an important departure from the U.S. policy.

Apple’s classic commission model: Currently, Apple’s taxes developers by charging commissions of up to 30%. Developers who don’t wish any changes may continue operating with this business model.

Reduced commission: For those developers opting to distribute their apps through App Store and/or third-party stores, Apple offers a new business model with reduced commissions of 10% or 17% for digital goods and services. According to the company, “iOS apps on the App Store will pay a reduced commission of either 10% (for the vast majority of developers, and for subscriptions after their first year) or 17% on transactions for digital goods and services, regardless of payment processing system selected”. Notably, even these reduced commissions only apply to sales through Apple’s own App Store, but keep reading…

Core Technology Fee (CTF): Developers opting for the new business model with reduced commissions and the ability to distribute through alternative marketplaces will have to pay if their apps exceed 1 million installs a year. For apps surpassing one million installations annually, Apple imposes a fee of 50 cents per first annual install per year over a 1 million threshold. Apparently, the Core Technology Fee only applies to developers who opt for lowered commission rates and the ability to distribute through alternative marketplaces. Developers have the option to bypass that fee by sticking with Apple’s current terms, though this would mean they lose the opportunity to distribute their iOS apps through alternative marketplaces and miss the lowered commission rates.

We’d like to quote Macrumors’ Juli Clover, who gives an excellent breakdown of the available options:

• Current App Store Agreement – Developers pay Apple a 15 to 30 percent commission. Under one million in revenue is a 15 percent commission through the ‌App Store‌ Small Business Program, over $1 million results in a 30 percent commission. Subscriptions require a 30 percent commission for the first year, and a 15 percent commission for the second year and beyond.
• New terms, App Store distribution – Commission drops to 17 percent from 30 percent, and 10 percent from 15 percent. There is an additional fee of 3 percent for using Apple’s payment system, so the commission would be between 13 and 20 percent for a developer that opts for the new rules and uses in-app purchases. The 3 percent fee does not apply for developers who use alternative payment systems. Developers must also pay €0.50 per app install per user each year after 1 million app installs.
• New terms, alternative app store distribution – No commission, but developers must pay €0.50 per app install per user annually after 1 million app installs.

Conclusion

With the introduction of changes announced for the upcoming iOS 17.4, Apple has taken a step towards opening up its ecosystem, albeit exclusively within the EU. While these changes hold the potential to greatly influence the industry, particularly in terms of app distribution and payment processing, their impact on mobile forensics is expected to be minimal. This is primarily due to stringent review policies, local iOS security checks, and notarization requirements, which serve to maintain the security of the platform while barring apps such as the extraction agent from using the new distribution avenue.