For years, mobile security has been built around a simple principle: tight control. The operating system decides what an app can do, what data it can access, and what parts of the hardware are entirely off-limits. While not perfect, this model has been essential to making your phone one of the most secure devices you use every day.
That balance is now shifting. The EU’s Digital Markets Act (DMA) aims to foster competition by forcing major mobile platform providers to open up essential functions to third-party developers. While the economic goal is understandable, the cybersecurity implications are significant and deeply concerning.
A recent report by the Cybersecurity Policy and Law Center echoes what we at TecnetOne have long warned: opening closed ecosystems without carefully engineered safeguards can undermine protections that users have come to rely on.
Your phone doesn’t behave like a traditional PC. iOS and Android both strictly limit access to:
This isolation isn’t accidental—it’s what stops rogue apps from spying on your conversations, capturing your passwords, or tampering with the OS without your knowledge.
The DMA changes this by mandating wide interoperability with internal system features. The problem? Many of these features were never meant to be exposed.
One of the report’s biggest concerns is the creation of new attack surfaces. Each time an internal function is exposed, it creates a new doorway that attackers may try to force open.
Cybersecurity history shows that the most damaging attacks often stem from minor design decisions—not massive coding failures. The report highlights cases where advanced spyware exploited undocumented system interfaces to gain nearly full device control.
If a single internal component flaw can be devastating today, expanding external access increases that risk exponentially.
Another key concern is data integrity. To achieve interoperability, third-party developers may request broad access that sounds reasonable on paper.
But "reasonable" doesn’t always mean secure.
The report references real cases—like the abuse of Android’s accessibility features—which enabled malicious apps to:
If DMA requirements weaken existing permission systems, we risk repeating these past mistakes at a much larger scale.
This isn’t just about data leaks—it’s also about system stability.
Modern phones depend on tightly controlled code paths. Allowing third parties deeper access to the system introduces:
The report cites a 2024 case in which a faulty security update crashed computers worldwide. Phones were spared because of their closed architecture.
But will that still be true once the DMA forces deeper internal access?
The report also raises concerns about the digital supply chain. Mobile platforms have spent years protecting:
If DMA obligations introduce unverified third-party components into these layers, the risk becomes structural, not incidental.
To make matters more complex, Android and iOS implement security very differently. A one-size-fits-all rule could force changes that weaken tried-and-true protections on either platform.
Your phone relies on hardware-backed authentication to secure sensitive actions—like payments, corporate access, and digital identities.
The report asks a critical question:
What happens if third parties need tokens or credentials to interact with protected functions?
Any weakening at this level is catastrophic. Authentication underpins the entire trust model. If it fails, everything else collapses.
From a technical standpoint, interoperability isn't free. Each new API or interface means:
The report notes that DMA deadlines often don’t align with technical reality. Rushing these changes can lead to unstable and insecure implementations—the opposite of what security demands.
Worse yet, DMA rules may conflict with other EU cybersecurity and privacy laws, creating a confusing landscape where companies must both open access and protect data, sometimes with contradictory requirements.
The report doesn’t just criticize—it suggests a more secure path forward:
Interoperability is no longer just a political issue—it’s a practical security challenge. It will reshape how mobile devices are designed, used, and protected.
If you handle sensitive data, manage corporate devices, or develop mobile apps, this affects you directly. Planning can’t wait for full DMA enforcement.
At TecnetOne, we believe the real challenge isn’t choosing between competition and security—it’s designing interoperability without sacrificing user protection.
The window to get this right is still open, but it is closing fast.
Because in cybersecurity, every new door needs a lock—and someone to make sure it actually works.