Despite being less than 25 years old, digital software marketplaces known as application stores, or app stores, have become some of the largest software sales platforms in the world. In 2021, first-time app installs grew to 143.6 billion with consumer in-app spending growing to $133 billion. These figures are only expected to continue to grow.
App stores act like a filter for software products by setting security, privacy, financial, and performance standards. Developers must adhere to these standards if they want to sell their software through an app store. This ensures compatibility with devices and protects consumers from malware or other intrusive software. App store owners typically charge a commission to developers who offer paid apps or in-app purchases through the store.
Recent litigation and the introduction of a federal bill, the Open App Markets Act (OAMA), demonstrate public concern regarding the power of app store marketplaces. Georgia, Hawaii, Illinois, Minnesota, and New York have seen bills similar to OAMA introduced at the state level.
The regulations proposed by OAMA, which won’t pass in this Congress but may be taken up again by the next Congress, are intended to apply exclusively to platforms with more than 50 million U.S.-based users and would require access to all app stores from covered platforms, referred to as “interoperability.” Therefore, OAMA would require covered platforms to provide access to third-party app stores, essentially meaning that users should be able to access any app store from a covered device. The bill also requires covered platforms to allow for “sideloading,” the practice of installing apps from places other than an official app store.
Federal legislation like OAMA (or whatever comes out of the next Congress) seems to intend to create a more open market with greater competition among app store marketplaces. Unfortunately, it would likely fail to do so while creating additional problems. The following are four considerations and concerns about the requirements that would come with the potential passage of OAMA and similar legislative proposals.
For the purposes of this piece, terms will be simplified. Within Apple systems, iOS is the operating system and Apple App Store is the app marketplace. Within Google systems, Android is the operating system and Google Play Store is the app marketplace. To simplify, wherever possible, these unique systems will simply be referred to as “Apple” or “Android” to identify two unique operating systems and app stores.
App store legislation could create major changes to data security and privacy practices. Every day, app stores handle a tremendous amount of web traffic. Apple’s App Store had more than 143 billion app downloads and processed over $85 billion in revenue in 2021. Google’s Play Store had more than 111 billion app downloads in 2021 while processing some $12 billion in revenue.
Because these platforms process app purchases, sensitive financial and personal identification data must be protected. Even for free apps, each download is connected to an individual’s name, email address, device ID, and IP address. Firms have taken different approaches to data protection, which offers consumers choices between different app store data security practices.
For example, Apple differs from Android in that it has created an “ecosystem” in which Apple controls all aspects of the product from device manufacturing to the operating system. At most, there are five different hardware configurations for the iPhone and they all use the same iOS operating system (unless the user elects not to update to more recent versions). Apple then manually verifies each app using a three-layered security system to prevent malware from entering devices through the app store, the most common route for hackers.
Apple has deliberately chosen a closed approach because, among other reasons, it believes that this approach is more secure. While there are multiple ways to measure security, the Nokia Annual Threat Intelligence Report studies how often harmful malware targets different devices and software. The 2020 report shows that devices running Android were infected with malware at 15 times the rate of iPhones.
This is likely due to the fact that Android is an open-source project, meaning that anyone can use and modify the system without any fees. As a result, there is greater diversity in both devices and software. There are at least 3,000 different hardware configurations and at least a dozen different versions of the Android OS. Android deploys a proprietary anti-malware system that reviews every app in its ecosystem to the tune of over 100 billion apps a day to prevent malware.
Consumers have choices between closed and open systems and can evaluate the strengths and weaknesses of each approach. Android has more hardware options at more prices and has over a million more apps in its store than Apple does. This suggests that an open-source approach provides greater choice in terms of price, devices, and the total number of apps. However, there appears to be a greater malware risk in running Android. Consumers can opt for Apple if they value more security but do not mind losing access to certain apps. But under OAMA, federal law would effectively make every device subject to the open-source nature of the Android project, thereby limiting consumer choice and perhaps increasing security risk.
OAMA would also require that covered platforms provide access to “OS interfaces, development information, and hardware and software features” to developers. App stores already provide necessary information for app development, often called a software development kit (SDK). Mandating developer access in this manner could be detrimental to certain business operations. Operating systems are extremely complex and disclosing major portions of code could give malicious actors the information they need to infect devices with malware. Technology companies are left with little regulatory clarity as to what information they can protect and what must be shared, thereby making app security more difficult to the detriment of consumers.
Another area of potential security and privacy violations involves payment systems. Current law maintains that platforms are entitled to set the publishing, purchasing, and payment processing terms of app access and in-app purchases. However, they must allow app developers to provide links to payment processing systems outside of the app store. App store legislation would force app stores to let publishers handle payment in the app with any payment system they desire.
Both Apple and Android allow users to add certain verified payment methods for secure checkout such as Apple Pay, Google Wallet, and PayPal. These services invest heavily in anti-malware software as part of their offering. Allowing developers to choose any payment method they like and integrate it into the app would introduce a security gap by adding software that has not been vetted.
If app stores are unable to review, approve, and deny app submissions based on payment system compliance, consumers could be subject to fraud and information theft. Even if an application developer acted in good faith in accepting these forms of alternative payment, malicious hackers could still steal consumer information by encouraging payment systems that are insecure.
Any changes to app store ecosystems should continue to allow companies to protect consumers from non-secure software. Platforms must be able to review apps that developers submit before publishing them, choose which specifications to release, and vertically integrate to offer in-house solutions.
App store legislation looking to protect consumer security and privacy should:
- Allow for both open and closed approaches to app store operations
- Allow platforms to review apps before publishing them and set the terms of publication
- Give platforms control over what hardware and software specifications they choose to publicly release
- Protect a platform’s ability to require secure payment methods for app purchases
App store legislation aims to promote competition by requiring access to all apps in covered app stores so that no apps can be blocked from customers, but it fails to account for existing competition to app stores that already offer consumers these choices. Rather than promote competition, app store legislation would burden app store operators relative to their competitors.
Progressive web apps (PWAs) have emerged as major competitors to native apps sold through app stores. Native apps take up hard drive storage on devices and need to be custom designed to work on the operating system for which they are intended. PWAs function like traditional websites in that they use their web-based structure to store necessary data, meaning that they are not downloaded to your phone. PWAs have surged in popularity because they are mostly device- and OS-agnostic, making them popular with developers who want to build a single app and make it available for any device.
PWAs, like any application on the internet, should only be used from trusted sources because of the greater security risks they carry. However, there has been no shortage of trusted software developers and companies bringing PWAs to the market. Popular services such as Tinder, Lyft, Facebook, and many more have invested in PWAs as an alternative to conventional apps. Even Epic Games’ popular game Fortnite, which was pulled from the iOS store while a legal dispute with Apple ensued, is playable on iOS through several cloud options. PWAs may never match native apps in terms of performance, but provide a solid alternative to users seeking to use apps not found in specific app stores.
Apple and Google app stores also face more direct competition from other popular app stores like the gaming marketplace Steam, Microsoft Store, and the Amazon App Store. These competitors seek to offer a functional device connected to the internet with a marketplace for applications, just like iOS and Android.
OAMA would also arbitrarily distinguish “general purpose computing devices” (GPCDs), such as computers, laptops, and smartphones, from apparent non-GPCDs, such as gaming consoles and smartwatches. Non-GPCDs would be exempt from app store legislation regulations, yet the bill provides no reasoning as to why such similar devices should be regulated so differently. Microsoft boasts that the graphics processing unit in the new Xbox Series X is equivalent in power while being faster than many desktop PCs. Usage statistics reflect these capabilities. Only 55% of the total time spent on the Xbox is spent gaming. Roughly 30% of all time spent on Xbox is on Netflix and YouTube while another 15% is spent on other non-gaming activities. Even though nearly half of all activities on the Xbox are spent using the device as a computer more than a gaming console, it would not be subject to app store legislation regulations.
In the smartwatch market, OAMA could favor hardware makers such as Garmin over the Apple Watch and Samsung Galaxy Watch. While Garmin offers apps such as Spotify through a third-party app store, OAMA would not classify it as a GPCD because it may lack an operating system sufficient to conduct general computing operations. Apple Watch, Galaxy Watch, and other GPCD smartwatches would be subject to more regulation only because they have a larger reach and more capabilities. Devices such as gaming consoles and smartwatches share enough capabilities with GPCDs that it makes little sense to create this distinction. The GPCD determination would not be able to keep up with the complex and rapid pace of technological innovation, and it may discourage future innovation and the development of more powerful smartwatches that could be subject to OAMA regulations as a GPCD.
While OAMA would seek to provide consumers with alternatives to Apple and Android, it fails to consider that consumers can already choose between app stores, PWAs, and other alternative software sources. These options may be gaining in popularity. In 2021, Apple saw downloads decrease year-over-year for the first time. In the long run, competition and negotiations between app stores and app developers will serve customers better than federal micromanagement of app store operations.
- Innovations like PWAs make “blocking” an app from a device difficult, providing consumers with options no matter their operating system or device
- App stores come in a variety of forms. Regulations should not target by size but instead focus on consumer harm, no matter how large the store
- Most modern devices share basic computing capabilities. Arbitrary distinctions codified in statute will serve neither consumers nor innovation
Self-Preferencing and Verification
OAMA would aim to prevent app store operators from “self-preferencing” their apps over competitors’ apps. To do so, it would prohibit ranking algorithms from considering ownership as a factor in where the app appears in search results. As a result, if a consumer searches for “maps” on an Android, Google Maps cannot be at the top of the list simply because the user is on Android’s Google Play Store. But the bill also states that application preferencing via advertising is allowed as long as the platforms disclose advertisements. Thus, it is unclear from the potential OAMA language whether app store operators can place their products at the top so long as they disclose that it is advertised.
Another scenario is that the app organically rises to the top of search, but without full algorithmic transparency, it may be impossible to avoid self-preferencing charges. In response, firms may choose to intentionally lower their placement in search. But doing so could lead to artificially suppressed application downloads, which could cause consumer deception and unrealized economic gains. A similar law banning self-preferencing in Europe has shown that this has degraded consumers’ experience. A 2013 report from the Federal Trade Commission concluded that rather than using self-preferencing for excluding competitors, the changes Google made to its search engine were to “improve the quality of its search results and that any negative impact on actual or potential competitors was incidental.”
Since self-preferencing is so common, it suggests that consumers find some kind of value in it. When customers search Google, they may expect to see Google Maps first because they are searching using Google. If they search Amazon, they may expect to see Amazon’s white-label products in the same way that Walmart promotes its private-label brands. However, this practice does not prevent customers from simply scrolling another inch or two to another mapping service or walking past the private label rack to choose another product. Self-preferencing is not a method for excluding competition, but rather a way for companies to provide cheaper and customer-friendly solutions for common adjacent products, something that consumers often value.
App store legislation would also require app store platforms to provide end users with “the technical means to verify the authenticity and origin of third-party apps or app stores.” Ironically, this is what app store operators already do for consumers when an app is submitted to the store, which is often a technically difficult undertaking. For certain apps that intentionally obscure personal or identifiable information, such as Web3 and cryptographic technologies, it may be impossible for firms to verify the origin or authenticity.
This could stifle innovation and lead more innovative privacy app developers to forgo submissions to app stores. Under OAMA, firms could be forced to spend a large amount of time trying to track down a developer’s location or identity, diverting resources to a task that may be impossible. It is ultimately unclear what is meant by providing the “technical means” and this could open up platforms to litigation if they do not provide enough technical information and capabilities to consumers.
- Banning “self-preferencing” will likely create regulatory confusion and result in negative outcomes for consumers
- Self-preferencing is widely practiced in the rest of the economy, from grocery stores to car dealerships, and is recognized by consumers
- Most consumers cannot technically verify apps. This is a service that app stores already provide to consumers as part of normal business operations
Future passage of OAMA would signal a view of the app distribution models of Apple and Android as terms dictated by smartphone behemoths to leverage power in vertical markets and extract the profits of third-party app developers. But decades of competition by smartphones (alongside competition from laptop and desktop computers) suggest the native app distribution channels observed today emerged as value propositions offered by Apple and Android to consumers.
Before the 2008 origins of the app store, there were no formal software filtering services for mobile or desktop and consumers were forced to rely on third parties or word of mouth to determine if websites were safe. This resulted in major viruses taking down nearly 10% of the internet and causing billions of dollars in damage. Cyberthreats have evolved into malware, phishing, and other techniques in order to get around the tight security of app stores, but such security still provides a valuable bulwark against malware.
Over the years since app stores debuted, there have evolved a variety of approaches to app store operations which give consumers choices in terms of price and security. The closed nature of Apple is part of an overall strategy and value proposition for consumers that is fundamental to the Apple brand. Apple consumers often cite the ease, security, and user-friendliness of this closed approach as reasons for selecting the products, and these features are central to Apple’s iconic brand.
But, relative to Apple, Android is a more open ecosystem that still exercises some central control over versions of the operating system licensed to multiple hardware manufacturers. The result is more flexibility in cost, usage, and software, often cited by Android users as a better balance of features and flexibility than that offered by Apple. Once again, this model mirrors long-standing and ongoing competition in the market for laptop and desktop consumers.
Web apps provide users with ease of use, security, and flexibility on both iOS and Android. Unofficial but widely available products such as “jailbroken” phones are also available. Continued innovation and consumers’ ability to switch or use multiple devices and channels for apps provide a degree of competitive pressure and market discipline on both Apple and Android devices, including their channels for distributing native apps.
Neither ecosystem is static, and continued innovation and competition between the two ecosystems shape the way they distribute native apps. Both Apple and Android ecosystems have adapted to, and sometimes fueled, further changes such as in-app purchases, whose central role in gaming was likely not foreseen in the early years of touchscreen smartphones.
It would be incorrect to assume that app store legislation would result in greater third-party native app competition while leaving Apple and Android’s security features and user experiences unchanged. Apple and Android’s ecosystems would likely find other ways to maintain their market-tested approaches, albeit less efficiently, at higher costs, and possibly with higher prices to end-consumers. These unintended consequences would reduce, and potentially eclipse, any potential benefits from increased openness in the market for native third-party smartphone apps.
- App stores are an innovation that protects consumers from malicious software
- Consumers have a choice in the market between open systems and closed systems, each with accompanying strengths and weaknesses
App stores serve a valuable function to consumers by vetting software applications before they gain access to consumer devices and information. Before this, users were at much greater risk of contracting viruses on their computers and phones. While the service has been mostly offered by a handful of firms, there is nothing inherent about the app store service itself which would preclude other competitors from entering the market. Each app store has a unique approach to its offerings which gives consumers choice about what kind of app store they want to use, typically involving a tradeoff between openness and security.
Using policy to force all major app stores onto devices could reduce consumer choice while creating major issues for security. Until there is significant and demonstrable consumer harm, not just a perceived lack of consumer choice, policymakers should continue to let app stores innovate and evolve without policy intended to force them into certain practices.