Last weekend I gave a talk at FOSDEM 2025 in Brussels titled: “A Free Software App Store for iOS: the App Fair Project’s perspective on the DMA”. The full description can be found at the FOSDEM overview.

Here is the video and a transcript of the talk. I was overwhelmed by the support I received at FOSDEM, and would especially like to thank the Free Software Foundation Europe (https://fsfe.org) for inviting me and hosting the Legal and Policy track there.

Transcript

So, welcome everyone.

For our next talk we have here Marc Prud'hommeaux, who is, I would say, the expert on app stores on iOS.

So I'm very happy that we have him here with us.

Handing over to you, Marc.

Thank you.

Thank you very much.

Thank you everyone for coming.

This is a talk on free software app stores for iOS and how that works with the DMA and how things are going to be moving forward with that.

My name is Marc Prud'hommeaux.

I'm the founder of the project.

I'm a software developer, really.

I'm a programmer.

I've been programming software for 25 or more years.

I've been developing apps since 2008 for both Android and the iPhone.

And I've developed dozens of apps for large companies, for myself, for independent organizations, for startups, all apps, great and small, really.

So I've gone through the process of both designing and building applications, as well as going through the distribution process, actually how to get that through the stores to the end users.

So I really know sort of all the levels of the process.

I will disclaim, since this is a legal track, I'm not a legal expert.

I'm not a lawyer.

I do not have any formal training in law, either American or European or anywhere else.

I do seem to have evolved into somewhat of a policy expert, not necessarily as an aspiration of mine, but just through osmosis of working with some of the aspects of the Digital Markets Act and advising various organizations around that.

The App Fair Project is an app store for free and open source software.

It aspires to make the software available for the iPhone and for Android.

I really first came up with the idea, it's been gestating ever since I started building apps and encountering how difficult it was to get it into the hands of end users.

But I really started to put together the pieces in 2020, and I founded the organization in 2022.

It is a 501(c)(3) nonprofit based in Massachusetts in the United States.

And we also have a branch based in France, App Fair France.

And the mission is to facilitate the creation and distribution of mobile software applications for the public good for everyone.

And that's really a core component of it.

We want to get applications into everyone's hand.

So in general, the sorts of apps that the App Fair aims to distribute will be digital public goods, will be generally useful things that people in their everyday life can get utility from.

And they don't need to be exotic.

They can be weather apps, they can be transit apps, timetables, they could be apps that help you pay for parking.

But they can be social media apps.

But in general, the apps that a broad swath of humanity will find useful and are sometimes underserved by commercial app application creators.

They're to be 100% free and open source software.

So everything that goes into the application, both the top level user interface, as well as all the components that the application uses, needs to be open source.

And it needs to cost zero money.

There needs to be no fees that the user has to pay or subscriptions.

But it also must not have any end user monetization goal whatsoever.

And this leads into the trustworthiness aspect of the project.

So the apps need to be universally accessible.

So on all devices, iPhones and Android, that essentially makes up 100% of all the mobile devices people use.

All languages, one of the goals of the project is to make it so someone can write an app who only speaks English, but have it translated into 50 languages so that a grandmother in Cambodia can use it.

Everyone is able to get the benefit of this labor.

And all abilities.

Wants to reach out to all levels of accessibility needs that people have, built on top of the accessibility technologies that these mobile devices have.

And then they need to be trustworthy.

So there's not going to be any end user monetization.

There's not going to be any built in advertising.

There's not going to be any tracking surveillance.

And no analytics or telemetry.

Basically, they aim to respect the privacy of the end user and ensure that any time the application is collecting data, it's because they actually need to collect the data for the functionality of the application.

For example, a weather application might ask for your location simply so it can tell you what the forecast is in your area, not so it can then ship off your location information to a third party data broker who then packages it up and sells it to some third party.

And the technical outline of how the project works is fairly straightforward.

If you're familiar with, say, the F-Droid project for Android, for Debian, for how they manage their app software repository, or for Homebrew for Mac OS, the idea is generally that you have application developers.

And these might be individuals.

They could be students.

They could be hobbyists.

They could be organizations, non-profit organizations, governmental organizations, schools, universities, or it could be commercial entities, as long as they have a goal of creating something that is not going to be monetizing the end user.

Anyone can create these things.

They form their own organizations.

They build the apps independently of the project.

And then they submit the source code of the application to the App Fair project itself.

And the App Fair project will be made up of a combination of automated mechanisms where you actually take the source code and you build the application and scan it for bad actions, for malware, things like that, make sure that it's truly all open source.

And then it'll have a human component.

There'll be people who will review the applications.

Is this really the kind of application that we want?

There'll be maintainers who help provide feedback to the app creators when there needs to be changes to be made to work on, say, updated versions of the operating systems.

And translators.

And that's a big component.

The App Fair will contribute people who are experts in localizing the applications, each individual language that we support.

And then the App Fair packages, distributes it.

And then the App Fair client application will then be the sort of front-facing mechanism for both iPhone users and Android users to be able to browse, search, review, download, install, and update applications.

So that's more or less an outline of the process.

One of the advantages of using the App Fair project is that you don't need to sign up for anything.

There's no fees.

There's no registration.

You don't need to accept terms and conditions like you do to distribute an application on, say, the Play Store or the App Store.

You don't need a special account.

The App Fair project aims to provide automated distribution for you so that you don't need to go through the manual process for distributing on multiple app stores.

And we will help with translations, accessibility, compliance.

And the big thing is a trustworthiness seal of approval.

One of the problems with free software, or software that is ostensibly free, zero cost on mobile devices, is that you never really know what the motivation of the person who developed the software.

So there's a lot of distrust for, say, free weather applications, for any free application that might be looking at your contacts books and things like that.

There's a saying that if it's free, then you are the product.

That's not true with free and open source software, but the end users don't know about that.

And through the App Fair project, we'll have this seal of approval, this sort of guarantor of trustworthiness that there's no sinister, nefarious money gathering operations going on behind the scenes.

So how do you build an app store?

An app store is really just an app that installs and manages other applications.

It's not really conceptually all that complicated.

It's an app that installs apps.

How do you do it on Android?

On Android, it's very well established.

There's a lot of different app stores on Android.

I mentioned the F-Droid project.

There's Actoid, there's Obtanium.

A lot of companies have their own app stores.

There's Amazon, Samsung Galaxy Apps, T-Mobile.

And in China, every app store is a third-party app store.

It's a non-first-party Google Play app store, because Google Play services is not available in China.

And essentially, the technology behind it is well established.

It's been around since the beginning of Android.

You set a permission in your application's metadata, install packages.

You sign in and distribute your app store application.

They have a published API that you call that says, "Download this application package, validate it, install it, update it." And you don't really need to go through Google at all to do this.

You can just go home today, you can write an app store app, have it start distributing apps.

It's pretty straightforward.

But the iPhone side is an important side.

This is a talk about iOS, and one of the central components of providing universal access is providing access to all devices.

So that's really an essential part of the App Fair project's mission.

And you basically can't build an app store for the iPhone.

Historically, there was something called Cydia.

It's actually from 2008.

It predates the Apple App Store.

They used the ability to access private APIs if you jailbreak your iPhone, which is essentially hacking into your iPhone, bypassing some of the restrictions that are set in place, and then you can talk to private internal APIs.

They've been using that to build and distribute applications for a very long time.

But it's widely considered to be a fairly extreme measure to jailbreak your iPhone, and Apple is always closing the loopholes that enable people to do it every year.

So it's an ongoing cat and mouse game between the development community that brings these jailbreaks to the surface, and Apple is plugging the holes all the time.

It's not really a sustainable way to get a widespread adoption.

And then there are these tethered workarounds in order to do it.

If you sign up as a developer for the iPhone, then you have the ability to launch and run your own applications.

You need that in order to be able to develop and debug your own apps.

And so there are these various tethered workarounds like AltStore until recently, SideStore, TrollStore, that basically take advantage of that.

They say, OK, you can download an application from somewhere else.

You can sign it with your own developer certificate, and then you can install it.

But there are no published APIs like there are on Android for installing or updating applications.

And that's pretty much the roadblock to a project like this.

You can't really get past it.

That is, until the DMA, which is the topic of this conversation.

So in case people haven't heard of it, I imagine most of you have, the Digital Markets Act aims to create a level playing field.

It wants to make the digital market fairer and more responsible, more contestable.

And its history is that it was in 2020, it was proposed.

It got signed into law in 2022.

2023 was when their designation of gatekeepers took place.

And there are five gatekeepers.

The ones that are relevant to this topic are Google and Apple.

And then last year, a little under a year ago, was the deadline for compliance for the various rules that were laid out by the Digital Markets Act.

So the Digital Markets Act is a big act.

A lot of components.

Has eight major sectors.

The one that affects us, my project and this talk, is the last one here, the online intermediation services.

In other words, the Google Play Store and the Apple App Store.

All of these are important.

This is the one that is relevant to us.

And so the online intermediation services has a bunch of requirements.

And generally reading through the articles, the important ones are that they need to allow third-party app stores and side loading.

Side loading is the term that has evolved to mean direct installation of applications straight to your device.

Fair and non-discriminatory access to these services.

No preferential treatment.

They basically can't favor their own services over the services of third parties.

You need to have a lot of interoperability requirements.

Terms and conditions need to be transparent.

And they can't have any anti-steering.

They can't force you to steer people towards their own gatekeeper services and away from competitive services that might be available.

So here's what I thought would happen when the designation was made before the compliance plan came out.

Is essentially that they would do what Android does.

Add the ability to self-sign your own applications.

And the technology exists for this already.

It is a popular misconception that you can't side load on the iPhone.

That's not true.

You just need to have a special enterprise certificate, which Apple only hands out to a select few large corporations that pay a lot of money.

But once you have this certificate, you can develop your application and you can sign it with the certificate and you can email it to your staff.

Or you can put it on a website to upload.

You can distribute it however you want.

And for all intents and purposes, it is side loading.

However, you need the certificate.

If someone gets their hands on a certificate and starts signing apps and just giving them away for free to anyone, which happens actually quite a lot, Apple closes that loophole and they put the kibosh in your certificate, they rescind it, and then all the applications are not allowed.

So it's possible and it's very straightforward.

And then the second thing they'd need to do is actually publish apps to our APIs.

Because the first step allows you to side load things directly.

The second step is what you need to actually build an App Store app, an app that distributes and maintains other applications.

And there are published APIs in Android.

There's something called Package Installer that lets you call functions like install package, uninstall package.

And there exists on Apple as well in this mobile installation framework.

It's what Cydia winds up using.

And they've got functions, mobile application, install, uninstall.

You can figure out what these functions do.

But these are currently private.

So basically, make this so anyone can get it.

Make this so you can make an App Store app.

And that's all you need to do.

That would be fully compliant, make everyone happy, make my life easier.

So here's what actually did happen.

So in order to go through this, you basically have to do all of these things.

The non-fancy stars are the ones that are pre-existing requirements to build and ship an application for the Apple App Store.

The fancy stars are the new things, the new steps you need to do.

So you always need to sign up with Apple, accept their terms and conditions, which are frequently changing.

And you get zero notice when they're about to change.

And if you don't immediately adhere to them, you can no longer issue updates to your applications.

And then await approval.

Hope that they approve your account.

You need to pay an annual fee, $99 US.

You can get an exemption from that if you're a nonprofit or educational institution.

New step is you need to agree to an alternative EU terms addendum, which is quite long and involved and has a lot to say about how you can monetize your apps differently.

Then again, you need to build and upload it to their portal, the App Store Connect portal.

And once you've done that, you need to request a distribution token from an alternative app marketplace.

So say the App Fair is an alternative app marketplace.

You want to distribute an app through me.

What you do is I give you a token, passcode basically.

You build your app, upload it to Apple, and then upload that token to Apple.

And they take those two things and say, OK, this app, if we approve it, is going to wind up being able to be distributed through the App Fair, through me.

You go through app review.

It's what they call notarization, but it's really just a subset of app review.

It's a combination of automated scans and human involvement.

That could take an hour, could take a month.

Once it passes, you get a token for the particular version of the application that was approved.

You hand that back to the alternative app marketplace.

They're able to download your signed and approved application, and then finally they can distribute it.

And then lastly, you have to pay their somewhat notorious core technology fee, which is $0.50 for every download of your application, beyond the first million in a year.

And that's only for monetized applications.

But it is definitely a hindrance to anyone who thinks I'm going to make this hit app that billions of people use.

You're going to be hit with a massive bill.

So this is the process that they consider compliance that is the facts on the ground right now.

The actual app review subset, the notarization guidelines, contain a lot of guidelines around the sort of content that you can have in your application.

It's not just around security.

I won't go through all of these, but there are some fairly ones that should give pause to someone who thinks that this is a sort of clear and objective standard for third parties.

One of them being something like this, where they say if you market your app in a misleading way, your app will be removed, it will be blocked from being installed, and you might have your developer account terminated, meaning you can never make an app again.

What is the definition of misleading?

Is there any adjudication mechanism for this?

Is there any appeal?

No, there's not.

It's just whatever they consider to be misleading.

So these are the sorts of things that we find really deeply problematic with the app review subset that you have to go through.

You can look at all of these guidelines, both the full app review guidelines and the notarization subset app store review guidelines.

There's a nice little picker where you can toggle between the two modes.

So that's in order to create an app.

What does our alternative app marketplace distributor need to do?

In other words, what does the app fair need to do?

They have to, again, register with Apple, agree to terms and conditions.

You need to request a marketplace entitlement, and that has various rules, one of which is that you need to have a base in the European Union, which is why we started the App Fair France.

You need to provide a one million euro annually renewable business letter of credit.

And then you need to actually build the app store app, and then submit that through app review.

In order to actually process the applications that you receive and distribute, you basically need to set up a server that accepts the handoff of the application that Apple passes off to you after the developer signs and uploads it.

And then once you do that, you host the application, and then you can have your application talk to the server and redistribute these things.

So what are the barriers to having a free software app marketplace?

Obviously I mentioned the one million euro letter of credit for marketplace entitlement.

That's a big ask.

The inability to inspect the encrypted app delivery.

So Apple applies DRM to every application.

You can't opt out of it.

And there's a few issues with this.

You can't obviously scan it for malware.

You can't really use reproducible builds in order to verify that the actual source code matches the app that was installed.

The DRM itself, that really runs afoul of free software licenses like the GPL.

So if you want to be able to use the GPL, it would need to have exceptions added to it, which introduce problems with compatibility with other GPL software.

And then Apple themselves have a requirement that you need to have scanning in place in order to be allowed to distribute these apps.

What is completely impossible to do, or at least illegal to do, because they themselves are encrypting the app and you can't decrypt it.

There's analytics that they do.

They track whether you install or uninstall apps.

And it's partly so that they can build up the numbers to know whether you qualify for the core technology fee that you owe.

App review.

As I mentioned, these can take an hour.

They can take a month.

There's really no telling.

There's no service level agreement.

And so if you need an urgent patch to one of your applications for, say, security, you're out of luck.

And the last one is they have a remote kill switch.

They can actually delete your app from your device if you want.

So our view is that the only way forward, really, to comply with both the spirit and the letter of the Digital Markets Act is that you really need to throw all this away.

You need to be able to have direct side loading.

Developers need to, without going through Apple at all, be able to generate their sign-in certificates.

They need to be able to build and distribute these things without any special entitlements.

Marketplaces need to be able to grant entitlements to developers for security-sensitive permissions.

And the app installations need to just be opened up and documented so that you can just do these things directly.

In other words, it needs to become just like Android is right now.

A quick note on security.

There's a lot of outs in the DMA about security, a lot of exemptions that are applied.

And for this reason, Apple is really-- their arguments are heavily hinging on security.

They have an interesting paper, "Building a Trusted Ecosystem for Millions of Apps with Threat Analysis." You can read it on their website.

But there's a lot of discussion in there about why side loading is considered dangerous, why you should never be allowed to do it.

I've always found those fairly hollow because if you go to the page for Apple Music on Android, they have an Android Apple Music APK that you can just download and install.

And they guide you step by step through all the steps that you need to do, including one that says, "Note that you may need to change your Android security settings to complete this installation." So, I've always found those very hollow, but that's really the angle that they're pushing in order to be able to skirt around some of the limitations or requirements that they have.

And I'll note a broader point about security is that security is not just about individual devices.

It's about the insecurity of a monoculture.

If you have one single centralized source, no matter who they are, no matter where they are, you have these issues where you can't understand their decision-making process.

It invites pressure.

A few notorious examples are the removal of the HK Maps Live from Hong Kong in 2019, the removal of Alexei Navalny's smart voting application in 2021 by the behest of the Russian authorities.

And then just last year, WhatsApp, Telegram, Signal, and Threads all just got yanked from the App Store in China.

These were unreviewable, these were unappealable, these were decisions that were made by central authority.

And Apple themselves should be concerned by this because they have invited themselves to be a center of pressure for these things.

If they opened up these App Store APIs and made it so I can just download these things directly, then that would eliminate a lot of the pressure on them.

So the next steps for the App Fair, we're working towards building up a community of volunteers and contributors.

We're looking to raise funds for the standard business level of credit requirement.

And then for the time being, we're probably going to continue to distribute applications through existing channels.

So apologies for going over time, but I want to thank you all for coming.

I'm afraid I don't have time for questions.

I'll be around though in case you have any questions.

And here is my contact information.

[applause]