
Japan’s New Smartphone Act - Why It Matters For Mobile Security


The Japanese Regulation in Context

On June 12, 2024, the Japanese Government passed into law the Act on Promotion of Competition for Specified Smartphone Software (SSCPA), or simply the Smartphone Act.

This new law will require Apple, Google and other companies to open “application sideloading” and “third-party payment” in the Japanese market. At the moment, Google already allows sideloading of apps on its Android system, so the company may only have to deal with the third-party payment requirement in Japan. Apple, of course, does not permit sideloaded applications.

Those of you who are paying attention will have a certain feeling of deja vu, since this was one of the intentions of the EU Digital Markets Act (DMA), which came into force this year. Apple responded to the requirements with a convoluted set of changes which kept fees for developers in place and triggered the EU to initiate action against Apple for breach of the DMA. Apple maintains that allowing users to sideload apps puts iPhones at risk because Apple's built-in security no longer works.

This won't settle down anytime soon! It is part of a larger trend - there have been court cases by Spotify and Epic Games, the US DOJ action against Apple, and new legislation in process in a number of different countries.

History of Japanese Mobile Regulation

Japan has been actively developing its approach to regulating digital markets, with several key initiatives and laws in place or in development.

The Japan Fair Trade Commission (JFTC) amended its Merger Review Guidelines in 2019 to better address digital market concerns, including considerations of network effects in mergers.

The Act on Improving Transparency and Fairness of Digital Platforms (TFDPA) entered into force in February 2021. This law imposes a code of conduct on certain platform operators, initially applying to app stores and online marketplaces, and later expanded to include digital advertising services in July 2022.

The new law, the Act on Promotion of Competition for Specified Smartphone Software (SSCPA), also known as the Smartphone Act, was passed in June 2024. This law focuses specifically on mobile operating systems, targeting major players like Google and Apple.

Japan is also developing a broader "Digital Antitrust Law" inspired by the EU DMA. This new regulatory framework is expected to be presented during 2024, and likely to be similar in style to the EU's Digital Markets Act (DMA).

Comparing Japan's SSCPA and the EU DMA

The Japan SSCPA shares some similarities with the EU's DMA but also has notable differences.

Like the DMA, the SSCPA aims to promote fair and free competition in digital markets.

However, the SSCPA is more focused on specific issues related to smartphone software and mobile ecosystems, rather than being a broad regulation for all digital platforms. As we mentioned, broader regulation is in the pipeline in Japan.

In fact, the SSCPA duplicates some of the items in Article 6 of the DMA, which is the part that covers mobile ecosystems. Specifically, the SSCPA:

  • Prohibits limitations relating to third-party app stores and default settings ingrained into the operating system.
  • Prohibits unfair treatment of individual app providers.
  • Mandates interoperability with functions on the operating system.
  • Prohibits the tying of payment processing services or preventing end users from accessing alternative providers.
  • Prohibits tying of a browser engine to the operating system.
  • Requires the disclosure of conditions for data acquisition.

The SSCPA does allow for more flexibility in enforcement compared to the DMA. For example, it includes provisions for "justifiable reasons" that may exempt certain behaviors, whereas the DMA takes a more rigid approach.

Enforcement of the SSCPA will be handled by the JFTC, Japan's competition authority.

How Will This Evolve?

In terms of status, Japan's digital antitrust framework is still evolving. While the TFDPA and SSCPA are already in place, additional regulations are being developed. The Japanese government, through the Digital Market Competition Headquarters (DMCH), is conducting ongoing consultations and studies to refine its approach to digital market regulation. Overall, Japan's approach to digital antitrust regulation shares some common goals with the EU's DMA, such as promoting fairness and competition in digital markets. However, Japan has opted for a more targeted and flexible approach, focusing on specific sectors like mobile ecosystems and allowing for more nuanced enforcement.

Similar regulation is being enacted in the United Kingdom (the Digital Markets, Competition and Consumers Act became law on May 24, 2024). Countries as diverse as South Korea, Brazil, India, Mexico and Australia are all pursuing similar legislation. This is part of a larger trend to hold tech giants accountable. Court cases have been pursued by Spotify and Epic Games, and the US DOJ initiated its antitrust action against Apple this year.

Rather than precipitating a security crisis, the DMA’s encouragement of sideloading might actually start a revolution in mobile app security. With increasing concern over AI-enabled threats, there is a pressing need for more advanced, versatile security solutions that transcend platform boundaries and aren’t shackled by Apple or Google’s approval processes. But with more developer freedom comes more developer responsibility. 

Security Aspects

The SSCPA (Smartphone Software Competition Promotion Act) does not include any provisions focused on security, and seems to be aimed at competitive issues and fairness in mobile ecosystems rather than security concerns.

There are serious security implications, however. A key element of Apple's argument against allowing the use of alternative app stores is that security will be reduced. Apple's proprietary security mechanisms will not work, and alternative mechanisms must be used.

The fact is, even with Apple and Google’s formal review processes, malicious apps still get through. Users are exploited through insecure apps, malware and spyware, including apps that bypass privacy policies by collecting and transmitting user data without proper consent. Fraudulent apps mimicking legitimate ones can also get approved, misleading users into downloading apps that may compromise security and/or privacy. In addition, many apps have improperly secured APIs that can expose sensitive data, allowing unauthorized access or data breaches.

Conclusion

A better approach is required in this evolving landscape: mobile app developers must consider alternative solutions outside the confines of the official App Store's walled garden and stop relying on platform manufacturers' security solutions (ones that are tied to Apple, Google and Huawei). So it's actually time to “think different” in order to secure your apps!

Approov Mobile App Protection protects all apps and their APIs, no matter how they end up on your device: it works consistently for apps which come from an official store such as Apple App Store, Google Play or Huawei Gallery, or if they are sideloaded. 

Approov ensures that all mobile API traffic does indeed come from a genuine and untampered mobile app, running in a safe environment. Doing this blocks all emulators, scripts, bots and modified or repackaged mobile apps from abusing an API. Approov supports all apps running on Android, iOS, WatchOS and HarmonyOS, providing comprehensive and powerful security with easy and consistent management across all supported platforms.

Schedule a demo with Approov - we are the experts in mobile app and API Security.

 

George McGregor

- VP Marketing, Approov
George is based in the Bay Area and has an extensive background in cyber-security, cloud services and communications software. Before joining Approov he held leadership positions in Imperva, Citrix, Juniper Networks and HP.