Apple cannot simply invoke DMA (50) as a free pass. For its arguments to align with the intent of the legislation, here's a roadmap of what they need to do to justify their security-based restrictions on iOS:
Apple must be transparent about the exact security issues posed by alternative browser engines with concrete instances (not merely speculative risks). They need to prove that these are unique to iOS, given the successful use of unrestricted browser engines on macOS (and every other OS).
Before opting for the extreme step of removing functionality, Apple needs to offer documentation of all the methods for managing and mitigating specific threats that were considered and subsequently ruled out as infeasible (sandboxing, enhanced APIs, etc.). This emphasizes that their actions are indeed the last resort and not merely a way to suppress competition.
The company needs to demonstrate how they would proactively work with browser engine developers to establish strong security controls and threat monitoring on par with or exceeding their current practices for native-only experiences. This shifts the focus to building a safe environment rather than merely limiting the scope of capabilities.
Apple must guarantee that if and when these security challenges are met, it will progressively expand support for unrestricted use of web standards for third-party browser engines. This creates the long-term perspective the DMA is designed to protect and gives confidence to developers investing in advanced web app solutions.
Without taking action in these key areas, Apple's reliance on this DMA portion won't hold up to regulatory scrutiny. They cannot cite generic security dangers and then fall back on "practicality" arguments without robust, evidence-backed reasoning.