The Open Markets Act’s Troubling New Provision

Published by The Lawfare Institute
On June 24, members of Congress reintroduced an updated version of the Open Markets Act, a bill first introduced in 2021 with the aim of promoting competition and consumer choice in the mobile app economy. A provision in the latest version of the bill creates significant privacy and security risks that warrant careful consideration alongside the legislation’s broader policy objectives.
The provision, under Section 3 (a) of the revised bill, restricts the ability of app stores and mobile operating system makers to limit apps from sharing potentially sensitive user data with third-party apps. This data sharing opens the door to the unauthorized sharing of users’ data, as well as the more dangerous prospect of a third-party app leveraging another app’s permissions to execute an attack on the user’s device. The security vulnerabilities that this provision unintentionally enables could create new opportunities for bad actors to bypass data and privacy protections currently in place in iOS and Android, while creating a new attack vector that could allow for the compromise of targeted mobile devices.
While the draft provision could have a significant impact if enacted as written, lawmakers can still help ensure that device makers and app store operators retain the ability to limit insecure apps from misusing user data or sharing device permissions without user consent.
Section 3 (a) of the Open Markets Act
The provision in question falls under Section 3 (a) of the Open Markets Act. This section of the bill is generally targeted at minimizing exclusivity-related provisions that might force an app to use an app store’s payment platform or require that the developer give the app store its most favorable terms and pricing. While much of the section is focused on prohibiting app stores and mobile operating system makers from compelling developers to use a store or operating system’s preferred payment system or limit distribution of an app on other platforms, Subsection (a) (3) (B) effectively reads:
(a) covered company shall not … take punitive action or otherwise impose less favorable terms and conditions against a developer … on the basis that an app provides access to other third-party apps or games through remote electronic services rather than through download from an app store.
The origins of this provision are unclear, and its wording is ambiguous given that the bill doesn’t define the terms “remote electronic services” or explain what constitutes punitive action. It is possible that this provision envisions enabling “super apps” that are comprehensive platforms such as Alipay, WeChat, or Tata Neu that provide multiple services within a single application.
In the U.S., companies such as Meta have expanded the functionality of their apps to include social media, messaging, and marketplace features, while Elon Musk has signaled that he plans to transform X into a super app, offering video content, financial services, and other capabilities. While supporting innovation in app functionality is a worthy goal, the current language leaves some important terms undefined and thus creates potential security vulnerabilities that warrant careful consideration.
Potential Risks
The provision appears to effectively prohibit covered app stores and mobile operating systems from taking any type of “punitive action” against apps that rely on the provision’s permissive language to share user data with third-party apps or to allow third-party apps to operate within their own app. The provision would allow an app to share user data with a third party without express user consent. It would also allow a third-party app to operate on a user’s device without the user having explicitly installed it or granted it permissions, and it would allow an app to install unvetted applications on a user’s device.
To illustrate the significant privacy and security threats this provision poses, contemplate the following examples of how a malicious actor could choose to exploit it.
Consider the theoretical example of App Z, ostensibly a messaging app. The developer of App Z has user permission for their app to access the device’s microphone, camera, data, and pictures, as well as the user’s current location and location history, as part of the app’s base messaging functionality. The developer of App Z then chooses to “provide access” to a third-party app via “remote electronic services,” effectively sharing the user permissions it has already obtained so that the third-party app gains access to the user’s location and data. In this scenario, the end user has never given the third-party app permission to obtain access to that information.
Next, consider how this access could be misused to execute a dangerous attack on a user. Say you are the user, and you’ve downloaded and granted App Z permissions to access all of this information. Now imagine a third-party app running via remote electronic services within App Z, actively tracking your location, accessing your camera and microphone, and hoovering up all your documents and photos. The app’s use of your microphone and camera, which is generally indicated on the screen of the device via small, color-coded icons, may not be suspicious, since you know App Z is a chat app that frequently accesses the camera and microphone as part of your standard use of the application.
In cases in which you are on a Wi-Fi network, the app could also use its Wi-Fi access to scan or laterally move into your home or work network, allowing an attacker to bypass some externally facing cybersecurity defenses.
In short, this could serve as a cybercriminal’s or nation-state actor’s dream platform for launching a variety of cyberattack or intelligence-gathering operations, giving an attacker direct access to sensitive device data and functions while also bypassing cybersecurity defenses.
These potential scenarios could have severe impacts on the privacy of individual users while posing threats to national security. Using the techniques described above, a threat actor could utilize the data they collect to engage in relatively standard scam activities, such as opening a credit card in their victim’s name or using the information for a variety of financial scams. The information could also be used for blackmail, particularly if the threat actors were able to obtain sensitive photos or videos.
Alternatively, a threat actor could add the data they collect to a larger dataset that can be used for scam activity, advertising, or the creation of a large-scale database to support espionage activities against the United States. In another set of scenarios, a threat actor could use their access to a device on a Wi-Fi network to bypass external defenses to then launch a larger cyber or ransomware attack.
These scenarios become more worrisome when one considers the possibility of a threat actor specifically targeting key corporate leaders or national security officials. Hostile nation-state actors, such as Russia and China, have leveraged a variety of software supply chain cyberattack methods to steal sensitive intellectual property, such as research on quantum technology, robotics, biotechnology, and artificial intelligence, as well as national security secrets contained on the devices used by senior government officials.
Software Supply Chain Security
Congress has considered versions of the Open Markets Act for the past several years. During that time, a variety of commentators—including our chairman, Michael Chertoff—have offered suggestions on how to address potential unintended impacts on cybersecurity. One of these suggestions concerns how the act should address sideloading—the installation of an app on your device from a third-party source, often the open internet, rather than from an official app store. Sideloading reduces mobile device security, particularly in the hands of the average, less security-conscious user. In his commentary, Chertoff argued in favor of baseline security standards for apps and app stores, including controls on sideloading as well as enhanced mobile device hygiene—that is, having built-in device security capabilities turned on, only installing applications from trusted publishers, using two-factor authentication for your accounts when it is available, etc. These, he argued, could help to secure the “app store supply chain,” a part of the broader software supply chain that has become an important part of preventing cyberattacks.
Indeed, software supply chain security is a vital part of broader efforts to protect consumers, businesses, and the federal government from increasingly sophisticated cyberattacks. The software supply chain has been an important focus of the U.S. government over the past decade. The first Trump administration, for example, issued Executive Order 13873 in 2019, which addresses potential threats from procuring information technology and services from foreign adversaries. Similarly, the Biden administration issued Executive Orders 14034 and 14028, which were designed to protect U.S. citizen data from foreign adversaries and enhance the country’s software supply chain security posture, respectively.
However, even with the efforts spurred by executive action over the past decade, continuing challenges exist in understanding the provenance of code operating on many systems used in both public and private sectors. For example, in July, a ProPublica report revealed that Microsoft was using Chinese engineers to maintain Department of Defense computer systems, a practice the company almost immediately discontinued.
Larger American companies, including companies across the Fortune 500 that we have worked with, have also been focused on the issue and increasingly require transparency from their software vendors on the provenance of their code. Some require mitigations when key code is developed in countries subject to specific regulatory oversight, such as those identified in Executive Orders 13873 and 14034. However, smaller companies, state governments, and nonprofit organizations face an even more daunting software security challenge as they lack visibility into the origins of the software code they rely on and have far fewer resources. For example, they may lack the buying power needed to compel software vendors to provide additional information on code provenance, dedicated information technology security staff for specific departments to oversee such efforts, or the internal expertise to review vendor-provided provenance data.
End consumers have even less understanding of the potential software supply chain threats they face on their devices. For example, the average consumer most likely doesn’t know when an app was developed in a foreign country, and might have difficulty understanding what permissions they are giving to an app or what the implications of sharing their data may be. When they go to use an app, many will simply click through any disclosures and warnings that are generated without reading them. This means that, for most users, the only real software supply chain security protections they have are those put in place by app store providers and mobile operating system makers.
Potential Solutions
As lawmakers consider legislation impacting mobile app security, they should consider several actions they can take to protect end users from potential cybersecurity and privacy threats like those outlined above.
Protect Essential Device and App Security Controls
Of course, versions of the attack scenarios outlined above already exist in some form in today’s app store environments, particularly in China. Both Apple and Google have policies and controls that minimize, if not eliminate, the possibility that a user installs malicious apps on their device that then steal their data, track their movements, or serve as a base of attack on their workplace’s network. Both app stores and mobile operating systems, for example, require users to give explicit permission for an app to access particular device capabilities (such as location data or photos), and both conduct code reviews. Apple already has controls in place to prevent sideloading (with exceptions in the European Union due to the implementation of the Digital Markets Act), while Google plans to put in place further restrictions on the sideloading of unverified Android apps by early next year. While these controls are not always perfect and the occasional malicious app manages to make it into these app stores, they protect users from some of the most egregious app-based threats. Similarly, both have controls in place that suspend or force the uninstallation of an app that is sharing data without permission or is found to contain malware.
At present, these constitute the bulk of mobile device and app security protections available to many end users. The average end user generally lacks the resources needed to make informed decisions about what apps are safe to install on their devices. One of the greatest security advantages of modern app stores is the additional level of security assurance they offer relative to simply installing an application from the open web. While not perfect, the protections offered by these app stores are what end users depend on to protect themselves from the types of software supply chain attacks described in the above two scenarios.
As such, lawmakers should consider the following points:
First, companies should receive explicit protection for these types of critical security measures. This includes actions taken by operating system makers and app stores to suspend or restrict apps found to have disclosed user data without appropriate permissions, the permissions structures used to help ensure users understand what data they are allowing an app to access, and security warning screens that educate users about what risks may be posed by installing certain apps.
Second, lawmakers should institute transparency requirements for apps engaged in third-party sharing and mandate clear user notification and consent. At present, these requirements can vary from state to state and can be extremely limited in what they require apps to disclose. Often the app store or operating system transparency and consent requirements are stronger than those imposed by state and U.S. lawmakers.
And third, app stores should be required to have a base level of security review and monitoring of apps, including human review. While automated review processes have improved over time, app reviews conducted by humans can help to ensure that the permissions used by an app reflect the claims it makes in its advertising and in app store listings. This can help to ensure that apps are doing what they say they are doing and are not doing things they are not supposed to do.
Device Security Collaboration
Lawmakers should also consider how Congress and the executive branch can better collaborate with mobile device and app security experts, industry, and other stakeholders to ensure that app and device security guidelines are appropriately developed and implemented. As discussed, commentators have already identified measures that would help prevent unintended cybersecurity and privacy impacts. They could also collaborate on educating users about the security dangers associated with installing an application that has not been independently reviewed for potential malware or on the potential risks associated with allowing an app to share sensitive data with third parties.
Congress should also consider examining the impacts that similar pieces of legislation have on mobile device and app security in other jurisdictions, most notably the European Union, where the Digital Markets Act has already altered how some users obtain applications and secure their devices. Should Congress choose to pursue legislation in the mobile device and app space, it could establish regular reviews to better understand the impact legislation has on the security and privacy of end users.
While it is important to foster innovation and competition in the mobile device and app space, the current version of the Open Markets Act has unintended security consequences for everyday users. Congress should work collaboratively with cybersecurity experts, app store operators, mobile operating system makers, and app developers to ensure that this bill and others addressing mobile device security do not have unintended privacy and cybersecurity impacts. By addressing these concerns proactively, Congress can achieve its competition goals while maintaining the trust and security that consumers need in an increasingly digital world.