A Concerning Provision in the Open Markets Act

The Chertoff Group’s Alan Wehler and Jon Tran write in Lawfare about the need to balance privacy and security. App store and mobile OS security reviews and protections are the only software supply chain security offerings available to the average end user. An obscure provision of the latest version of the Open Markets Act could undermine those protections.

Their article examines Section 3(a) of the revised Open Markets Act, highlighting its potential unintended consequences for user privacy and mobile device security. The provision restricts app stores and mobile operating system makers from limiting apps that share sensitive user data with third-party apps.

While the intention is to minimize exclusivity and prevent app stores from compelling developers to use preferred payment systems or restrict app distribution, the language contained in the draft bill opens the door to unauthorized data sharing and new security vulnerabilities. Specifically, it enables third-party apps to leverage permissions from other apps, potentially allowing malicious actors to execute attacks and bypass existing privacy protections on platforms like iOS and Android.

Wehler and Tran note that legislators can mitigate these risks by allowing device makers and app store operators to limit apps’ ability to misuse data or share device permissions without user consent. However, Section 3(a) remains ambiguous, failing to define critical terms such as “remote electronic services” and “punitive action.”

Our authors warn that the provision may effectively prevent app stores and mobile operating systems from taking punitive action against apps that exploit permissive data-sharing practices. This could result in apps sharing user data with third parties without consent, operating on devices without explicit installation or permission, and installing unvetted applications.

These loopholes present significant privacy and security threats, making it crucial for lawmakers to clarify the bill’s language and ensure robust safeguards are in place. While supporting innovation is important, the bill in its current form risks exposing users to new vulnerabilities unless these concerns are addressed.

Read the full article in Lawfare.

The Open App Markets Act (S.B. 2153) was introduced in the U.S. Senate in June 2025. It has not yet progressed to a committee markup or a full vote. This is a modified version of a bill that failed to pass in a previous session of Congress. 

Alan Wehler is a director in Geopolitical & Regulatory Risk and Jon Tran is a senior associate in Cybersecurity at The Chertoff Group.
