App fairness, security, and a healthier mobile ecosystem

At Approov, we spend every day thinking hard about mobile app security: both how you’ve built your app and what happens when it is running in the real world, on real devices, on real networks, under real attack.

That’s also why we’ve been involved for a long time in the broader movement for app fairness and real competition, including our ongoing work with the Coalition for App Fairness. For years, developers have been building extraordinary products while navigating a mobile ecosystem where a small number of gatekeepers can control distribution, discoverability, and commercial terms.

We believe apps, and the people building them, deserve better.

The UK CMA: What’s on the Table?

This month, the UK Competition and Markets Authority (CMA) published proposed commitments from Apple and Google intended to improve fairness and transparency in app store processes, and to formalise how developers can request greater iOS interoperability. The CMA is consulting on these proposals until 3 March 2026, with an intended start date of 1 April 2026.

Broadly, the CMA’s package is aimed at four areas:

  • App review: clearer reasons for decisions, more predictability, and stronger routes for appeal.
  • App ranking/discoverability: commitments to fairer handling of search and ranking.
  • Developer data: limits on unfair use of data collected during review or operations.
  • iOS interoperability: a clearer request process for access to OS features and capabilities.

The CMA also intends to monitor implementation and report publicly using measurable indicators (e.g., review times, rejection/appeal rates, complaints outcomes, and interoperability request outcomes). We welcome greater transparency and due process for the app stores. The call for measurement is a positive step, since what is measured has an opportunity to be acted upon.

But paperwork isn’t enough

There’s something bigger and more challenging in the app economy than the process of bringing a new app to market: power. Apple and Google’s app stores hold a disproportionate amount of it. One reason the app stores remain dominant is that “security” is often touted as a rationale for safe distribution.

A “fairer” gate is still a gate if it remains the only practical route to users. And even a more transparent system can fail developers if the platform can still deny access, especially by invoking broad “security” language, without providing meaningful evidence, actionable remediation paths, or proportionate alternatives.

The false sense of security

It’s easy to equate app store control with safety, and the app stores themselves bring this up continually. But unsafe apps are found on these stores with regularity, and a store review process is not a complete security model.

Many of the risks that harm users and businesses happen after installation and at runtime:

  • tampering and repackaging,
  • credential theft and account takeover,
  • automated abuse and bot-driven fraud,
  • API exploitation and data scraping,
  • manipulation of business logic and transactions.

These threats exist regardless of where an app is distributed. Treating “store-only” distribution as a security requirement creates a false sense of security and can discourage the kinds of technical protections that actually stop real attacks.

Developers should be free to distribute and market apps anywhere

We also believe something fundamental: app builders should be able to reach users through legitimate channels beyond a single app store.

A healthy ecosystem means developers can:

  • communicate directly with their customers,
  • offer their app through the channels that make sense for their product and audience,
  • choose business models that fit their economics,
  • and compete without being structurally forced into one gatekeeper’s commercial terms.

This matters across all industries and categories, from banking and marketplaces to mobility and connected cars, because the real world doesn’t come in one shape, and neither do the risks, regulations, and user needs.

What we’re focused on in this consultation

The CMA consultation has a limited scope. As it runs, our goal is to be constructive and clear about some of the limitations:

  • Security must not be a black-box veto. If security or privacy is used to block apps, features, or interoperability requests, decisions should be transparent, specific, and paired with a workable remediation path.
  • Reporting must be detailed enough to detect discrimination. Aggregate statistics can hide patterns. Metrics should be broken down in a way that reveals whether smaller developers, or apps competing with first-party services, face systematically different outcomes.
  • Interoperability needs outcomes, not just process. A request pathway only matters if it results in timely, reasoned decisions and doesn’t become a loop with no delivery.

We’ll continue to contribute to these discussions through CAF and alongside developers who are building the next generation of apps, because the choice between safety and competition is a false one.

Building a better mobile future

The app economy thrives when developers can innovate, users can choose, and security is real rather than assumed. App stores can provide a false sense of security, and gatekeeping app distribution through stores does not necessarily protect users. It is important to create the conditions for apps to be distributed and secured responsibly wherever they’re launched.