However, interoperability request form, located at https://developer.apple.com/support/ios-interoperability/ requires requester to comply with this term:

Your Apple Developer Program membership must be in good standing and have entered into the current terms of the Apple Developer Program License Agreement.

It directly violates article 6(7) of EU DMA, as participation in this program requires payments from $100 to $300 per year.

This is why this interoperability request is being sent to Apple via a known email address and to the EU DMA commission as well, so all parties will have full information on file. We do not intend to enter the Apple Developer Program or sign the Apple Developer Program License Agreement, as we are not Apple developers (we are just developers like anyone else) and Apple Services are not required for our marketplace to be functional.

We are an EU-based IT company, that develops an app store for devices that are running Apple-branded operating systems, requesting device and operating system manufacturer, Apple Inc, to provide an interoperability on operating system and hardware level for our app marketplace platform.

Our app marketplace platform located at https://appdb.to works completely independently from Apple Inc for over 10 years, and is not using Apple App Store services or Apple proprietary software.

Considering the nature of our marketplace, we treat ourselves as an independent competitor for Apple’s App Store on operating system level, as we provide a set of APIs https://rtfm.dbservices.to/#/services-and-features/overview and services that should be interoperable on the same level as Apple’s own app store.

As well as Apple, our top priorities are customer security and safety, so our platform is designed to keep our platform data, app data, customer data separate from any Apple’s platform or services data.

With all the difficulties which we dealt with, we would like to shed some light on the current situation, on existing vendor and platform lock-ins, limitations of a market, unfair competition and unprecedented surveillance that is used by Apple Inc in their operating system, so EU Digital Market Act commission (and the rest of the world) may take appropriate measures.

Theses

Apple Inc, while implementing EU Digital Market act, used the worst practices, in fact, technically changing nothing in the app distribution system. Apple Inc, with their published implementation, still is the origin of every app that will ever be distributed on Apple operating systems, still in control of the whole market and setting monetary and other requirements for independent businesses, e.g. section 2.1.A of Alternative Terms Addendum for Apps in the EU.

You must either:

o Provide Apple with a standby letter of credit from an A-rated (or equivalent by S&P, Fitch

or Moody’s) financial institution in the amount of EUR 1,000,000 according to the

instructions specified in the Apple Materials, and maintain that standby letter of credit as

long as Your Alternative App Marketplace (EU) is in operation; or

o Be a member of good standing in the Apple Developer Program for two (2) continuous

years or more, and have an Application that had more than one (1) million First Annual

Installs on iOS in the EU in the prior calendar year.

Apple Inc defines an alternative marketplace as (https://developer.apple.com/documentation/appdistribution/creating-an-alternative-app-marketplace/ ):

An alternative app marketplace is an iOS app from which someone can install other third-party apps. To create a marketplace, fill out a webform that outlines the qualifications. If approved, Apple enables a code-signing entitlement on your account to distribute your marketplace app on the web. Apple also provides you with a framework that facilitates the secure installation of apps that your marketplace distributes.

However, their own AppStore is not an App - it is a set of services, including accounts, backups, sync, purchases, subscriptions and much more. And it is not a store - it is an app renting platform, as, according to App Store EULA:

Apps made available through the App Store are licensed, not sold, to you…

Scope of License: Licensor grants to you a nontransferable license to use the Licensed Application on any Apple-branded products that you own or control and as permitted by the Usage Rules.

Which means that customers do not own the content that they purchased. Such content can be removed at any time by Apple’s sole decision, which puts customers in a disadvantageous position. There are lots of examples of not available software, e.g. game Infinity Blade, that is not available for people that purchased it a long time ago.

It also violates EU laws: https://ec.europa.eu/commission/presscorner/detail/en/CJE_12_94

Apple forces every new player of a market to use the same sales model, which is not fair.

Currently Apple perverts the definition of alternative marketplaces and forces its developers to use their set of APIs and services, breaking the chain of trust between independent marketplace owner, their customers, acting as man-in-the-middle. However, it is not necessary or required to use Apple-provided service APIs to build an alternative marketplace with its own set of services. Furthermore, by being man-in-the-middle and forcing “alternative marketplaces” to use Apple’s APIs and services, they also force independent businesses to pay so-called “Core Technology Fee” (4.1. Core Technology Fee section of Alternative Terms Addendum for Apps in the EU) and additional fees from every purchase that were made inside apps that weren’t developed by apple and should be distributed outside an app store.

Appdb does not use Apple any Apple platform services of their App Store or App distribution. Our customers currently are being forced by Apple to use Apple Development membership in order to install apps to their own devices.

Appdb and apps that are distributed via appdb are designed to be separated from Apple Services and apps that are distributed via Apple AppStore and user data of such apps.

Each app that is installed via appdb has its own storage for data, and appdb can manage only apps that are installed via it.

Appdb works via publicly available Mobile Device Management APIs since their foundation in OS X in the early 2010s. However, sometime between 2010 and 2024 Apple Inc has locked these APIs usage (but not protocol or APIs itself) via their “MDM vendor approval process”, forcing companies to pass Apple-defined criteria (like having more than 50 employees), limiting competition and controlling the market in this area.

Following our commitment to build a secure, safe and truly independent app store, we are making these interoperability requests on operating system level (iOS, iPadOS), as Apple is considered as a gatekeeper by EU DMA Commission; describing the current Apple model, how it is implemented, how Apple controls it, how it violates EU DMA and a suggestion for real implementation of such interoperability.

It is mandatory to separate operating system APIs and primitives (e.g. URLRequest in iOS SDK) and Services APIs (e.g. SKPayment) that are bundled together inside the iOS SDK.

Currently Apple ensures everyone that it is one unbreakable package, but this is not fair, as Operating System APIs can work without any Apple Service involved, while Services APIs require communication with Apple servers and can not work without them.

Interoperability requests

Software signing

Current design

Apple is a gatekeeper for software distribution on iOS (even with current EU DMA “compliance” - origin of any installable app is still Apple). Developers themselves can not create installable applications without being forced by Apple to use their Services and pay $100-$300 for it.

Current Apple-designed software distribution is breaking the trust chain between developer and end customer. It requires the user and the developer to create an account in Apple systems. Apple takes over an app and signs every app with just one certificate, that is used for All apps that are available on Apple App store. This approach reduces actual security, as every malware that has passed Apple human review will stay on the device forever once installed, as they can not revoke one certificate that is used for all the apps. There were various precedents of malware inside the Apple app store, so relying only on human verification and lock-in is actually “security through obscurity” which is designed to force users and developers to register Apple IDs and use Apple services, as no alternatives are provided. We believe that every person should be able to install and build applications without usage of Apple services. It is not required when using appdb, so technically it is possible, but at the moment Apple is a gatekeeper for this.

In every other operating system, software can be installed without creating additional online service accounts or logging in to vendor-supplied services. Software trust chain is visible and trusted from end customer to a developer, e.g. windows installation dialog, where developer is being displayed:

In Ubuntu, signing is done via GPG keys,

On Android it is done via certificates as well:

All of these digital signatures are coming from developers and operating systems are installing unmodified versions of applications, establishing a trust chain between developer and end customer. Updates of an app can only be installed if signed with the same certificate or/and key.

We believe that the model of software signing that is used in Windows is the best, as it allows developers to use hardware keys and HSMs (even FIPS-compatible) to securely sign their software, plus each certificate can be easily revoked by the developer itself or certificate authority.

Verification (additionally, extended verification) of developers is done independently by trusted CAs.

We have released software that allows developers to sign applications for Apple-branded operating systems with usage of FIPS-compatible HSMs, ensuring best-in-industry security and safety: https://github.com/appdb-official/appdb-build-tools

If developer wants to distribute an app without Apple in the middle and any modifications and resigning it’s own work, Apple issues such certificates to developers or user, but they can be used to sign apps and deployed only on a limited number of devices, forcing developers to use Apple app store to distribute an app; and providing no alternatives, using their control over iOS to limit independent competition and lock developers inside their service platform.

Additionally, Apple can (Paragraph 10 of Apple Developer Agreement)

Apple may terminate or suspend you as a registered Apple Developer at any

time in Apple’s sole discretion.

And there were multiple blatant agreement terminations for developers like us (just for unpleasant questions), or Epic Games (for 3rd party payments inside an app), Kaskpersky (for developing a parental control app that was replaced by Apple’s own implementation). After termination, there is no alternative provided by Apple, so their monopoly power is used to restrict access of an independent developer to a market.

Request

We request Apple to allow apps that were signed with code-signing certificates from globally recognised trusted CAs to be installed on iOS and do not force users to create or use apple ids to install apps.

Proposed solution

Modify trust verification algorithm of Apple-branded operating systems in order to allow software that is signed with code-signing certificate from globally recognised trust authority to run.