As far as I can tell this basically means that all apps must be approved by Apple to follow their “platform policies for security and privacy” even if publishing on a third party app store. They will also disable updating apps from third party app stores if you stay outside the EU for too long (even if you are a citizen of an EU country, with an Apple account set to the EU region).
The idea that preventing app updates is in line with their claims of protecting security is utterly absurd. “Never attibute to malice what can be explained with stupidity,” but Apple isn’t stupid.
I’m generally ok with them requiring basic security and privacy protections through the notarization.
yes but I want the option to judge software myself. If I want software that has been looked over by Apple I can go to the Apple Appstore. If I want something that doesn’t fit their requirements I want the option to go somewhere else.
They can ask users if they want that, I’m sure many of their users do. What they shouldn’t do is force people to accept their version of “security and privacy”.
They don’t force anyone; plenty of non-Apple devices out there to choose from.
It gets a bit more complicated than that when it comes to antitrust law.
Apple has less than 30% mobile maket share in the EU, antitrust laws usually kick in above 66%, and very rarely above 50%.
There are other laws being worked on to combat shrinkflation, and others to curb all the tricks of removing features after the sale, but they’re not here yet, and it remains to be seen whether they’d apply.
I don’t think that’s how to look at it. There’s clearly something less than optimal about having these huge gatekeepers (as I believe is the term used) and the EU is trying to limit their power.
Signing doesn’t provide security of privacy protections. It just means you paid apple a fee.
As long as the signatures exist purely for security reasons and do not require following any other requirements, like payments or ethical guidelines (i.e. “no porn”, “no emulators”), maybe.
However, Apple seems to use notarization to enforce their rules regarding apps sold on third party stores (charging 50 cents per first install). I can’t really recall notarization stopping any malware in the past. Even their own App Store has hosted malware and fake crypto apps for ages without being taken down.
It’s hard to take Apple’s word for any of this because of how they’re behaving. If they had just complied with EU laws instead of trying to find workarounds and loopholes every step along the way, I could probably trust the concept of notarization. In this case, I don’t trust them at all.
I would prefer a system like Android, but with a better implementation. On Android, every app is signed the same way apps are signed, with a certificate that can belong to a certificate chain. Apps can only be updated if they’re signed by the same developer, but that’s about it in terms of validation these days. I theory, Google could make it so that you can trust specific certificates (say, Google Play’s certificate, or F-Droid’s certificate, or the certificate of a specific developer) or show a security prompt in all other cases. Any developer can generate certificates for free, and apps can theoretically be signed by multiple certificates (though I’m not sure about the practical implementation here). If certificate authorities would set up their signature in the form of store->dev account->dev, stores could retract trust in case of malware automatically.
This approach would add the option to notarize with Apple to avoid annoying security warnings, or for someone else to set up an alternative notarization service. Unfortunately, Google abandoned all practical decentralisation of their certificate system and I don’t think Apple’s notarization will ever be independent of Apple’s servers. Apple does have certificates (“profiles”) but they’re a “0 trust or maximum trust” kind of deal that also affects other security systems, like browser traffic.