Apple Expands App Store Age Assurance and 18+ Download Restrictions
Apple introduced expanded age assurance capabilities for the App Store to support compliance with new or emerging regulations in multiple jurisdictions, including Brazil, Australia, Singapore, Utah, and Louisiana. As of Feb. 24, 2026, Apple began blocking downloads of 18+ rated apps in Brazil, Australia, and Singapore unless the user is confirmed to be an adult, using what Apple describes as “reasonable methods” for age confirmation. Apple also expanded the Declared Age Range API (iOS/iPadOS/macOS) and related platform components (including PermissionKit’s Significant Change API, a new StoreKit age-rating property type, and App Store Server Notifications) to provide developers with an age category plus signals about the assurance method and whether regulatory requirements apply; in Brazil, certain disclosures (e.g., loot boxes) can drive an app’s rating to 18+.
Broader policy debate continues around online age assurance in the U.S. and internationally, with jurisdictions adopting or considering stricter mandates and platforms preparing new verification requirements. Public skepticism remains elevated due to backlash against age-gating (including reported VPN usage spikes in response to the UK’s requirements) and concerns about data security following breaches at age-verification providers (e.g., Sumsub disclosing a previously undetected 2024 compromise). The policy environment is also being shaped by U.S. state laws and litigation, including the Supreme Court’s decision in Free Speech Coalition v. Paxton upholding Texas’s age verification law, while proponents argue that privacy-preserving age assurance approaches are becoming more technically mature and scalable.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
9 events from the most recent confirmed update back to the earliest known activity.
Louisiana rollout date set for age-category sharing on new Apple accounts
Apple said that for new Apple account holders in Louisiana, age categories can be shared with apps via its API starting July 1, 2026, when requested by developers.
Utah rollout date set for age-category sharing on new Apple accounts
Apple said that for new Apple account holders in Utah, age categories can be shared with apps via its API starting May 6, 2026, when requested by developers.
Apple begins age checks in the UK with latest iOS update
Apple started enforcing age checks in the UK through a new iOS update, extending its age-assurance measures to another market. This represents a new geographic rollout beyond the countries previously listed in Apple's February 2026 changes.
Apple expands beta age-assurance tools for developers
Apple introduced expanded age-assurance tooling in beta, including updates to the Declared Age Range API, StoreKit age-rating properties, PermissionKit, and App Store Server Notifications to help developers comply with new regulations.
Apple starts blocking some 18+ app downloads pending age assurance
Beginning February 24, 2026, Apple started blocking downloads of 18+ rated apps in Brazil, Australia, and Singapore unless the App Store can confirm the user is an adult using what it calls reasonable methods.
Federal court blocks Texas App Store Accountability Act
In December 2025, a federal court issued an injunction against Texas’s App Store Accountability Act, signaling that app-store-level parental-consent requirements may face distinct First Amendment challenges.
Sumsub discloses breach after a delay
Lawfare cites a delayed breach disclosure by age-verification vendor Sumsub as another example of the security and transparency problems surrounding age-assurance providers.
Discord exposes IDs in customer-service systems
The article references an incident in which Discord users’ identification documents were exposed in customer-service systems, underscoring privacy and data-handling risks tied to platform age verification.
AU10TIX suffers breach despite ISO 27001 certification
The Lawfare analysis cites a breach at age-verification vendor AU10TIX as an example of systemic security risk in the age-assurance industry, noting that the incident occurred despite the company holding ISO 27001 certification.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
4 references tracked. Mallory keeps watching after this page renders.
Millions of UK iPhone Users Will Need to Verify Their Age - Here’s Why
techrepublic.com
Open sourceApple begins age checks in the UK with latest iOS update - Ars Technica
arstechnica.com
Open sourceApple blocks 18+ app downloads in select markets - Help Net Security
helpnetsecurity.com
Open sourceToward a Federal Framework for Online Age Assurance | Lawfare
lawfaremedia.org
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Apple Security and Compliance Updates for Government and Child-Safety Requirements
Apple announced new *age-assurance* capabilities aimed at complying with expanding child-safety regulations, centered on an updated **Declare Age Range API** that returns an age bracket (e.g., under 13, 16–17) rather than a precise birthdate. In certain jurisdictions (including Australia, Brazil, and Singapore), Apple also plans to **block downloads of 18+ apps** until the user confirms they are an adult via an App Store-managed flow, alongside OS-level family settings intended to enforce age-appropriate restrictions without pushing sensitive identity collection to individual apps and websites. Separately, Apple’s **iOS 26** and **iPadOS 26** (with specific hardware) were reported as receiving **NATO Restricted** approval, enabling use for classified information up to the Restricted level under an “Indigo” configuration listed in NATO’s Information Assurance Product Catalogue. The approval was attributed to platform security features such as encryption, **Face ID**, and **Memory Integrity Enforcement**, with additional emphasis on Secure Enclave capabilities in newer chips; the evaluation reportedly involved Germany’s BSI. A third item provides general guidance on **CUI enclaves** and **NIST SP 800-171** controls for protecting Controlled Unclassified Information on mobile/remote-access workflows, but it does not describe the Apple/NATO certification or Apple’s age-verification tooling as a specific event.
Mar 21, 2026
California Digital Age Assurance Act Mandates OS-Level Age Signaling via API
California’s **Digital Age Assurance Act (AB 1043)** establishes a statewide requirement for *operating system providers* to collect a user’s age information during OS account setup and expose an age-range signal to application developers through a “reasonably consistent” real-time API when an app is downloaded or launched. The law’s definition of OS provider is broad enough to include major commercial platforms (**Windows, macOS, Android, iOS**) as well as **Linux distributions** and **Valve’s SteamOS**, and it specifies four age brackets: *under 13*, *13 to under 16*, *16 to under 18*, and *18+*. Developers who request and receive the signal are treated as having “actual knowledge” of the user’s age range, shifting compliance and content-suitability liability toward app providers; enforcement is assigned to the California Attorney General with penalties up to **$2,500 per affected child** for negligent violations and **$7,500** for intentional violations. Separate reporting highlights broader **age/identity verification** pressure across consumer platforms, including Discord’s planned move to require age verification in 2026, which has triggered privacy concerns about submitting government IDs or face scans and renewed scrutiny following a prior breach that exposed IDs for roughly **70,000 users**. Other items in the set are not about AB 1043 or OS-level age signaling and instead cover general security roundups, interviews, conference write-ups, exam prep material, and unrelated policy or industry commentary; they do not add substantiated details about the California OS age-verification mandate or its implementation requirements.
Mar 21, 2026
Widespread Privacy Risks from Mobile App Data Practices and Regulatory Age Verification Requirements
A recent large-scale analysis of 50,000 mobile applications has revealed that over 77% of these apps leak personally identifiable information due to insecure data handling and insufficient privacy controls. The study found that many iOS applications fail to include required privacy manifests, while Android apps often circumvent explicit data-safety disclosures, creating significant blind spots in user privacy protections. These vulnerabilities are particularly concerning given the central role mobile devices play in daily communications and financial transactions, making users susceptible to tracking, profiling, and data theft. The research underscores the systemic nature of privacy risks in the mobile app ecosystem, with both platforms exhibiting gaps in transparency and compliance. In parallel, regulatory efforts to protect minors online are introducing new privacy challenges, as exemplified by Texas's SB 2420 law, which mandates age assurance for app store users and developers. Apple has voiced strong concerns that such laws require the collection and storage of sensitive personal information, such as government IDs, even for benign app downloads, thereby increasing the risk of data breaches. Starting January 1, 2026, Apple will require new account holders to confirm they are over 18, and minors will need parental consent for app downloads and purchases, further expanding the amount of sensitive data collected. Apple argues that these requirements should be limited to apps where age verification is truly necessary, warning that blanket mandates could have unintended privacy consequences. The complexity is heightened by the patchwork of state-level laws, with similar regulations set to take effect in Utah and Louisiana, compelling developers to adapt to varying compliance standards. The risks of such data collection are not theoretical; a recent breach at a third-party provider for Discord, which handled age verification, resulted in the exposure of sensitive government ID images. This incident illustrates the tangible dangers of accumulating large repositories of personal data for regulatory compliance. The convergence of insecure app data practices and regulatory-driven data collection amplifies the threat landscape for mobile users. Both industry and regulators face the challenge of balancing user safety, especially for minors, with the imperative to minimize unnecessary data exposure. The findings highlight the urgent need for stronger privacy-by-design principles in app development and more nuanced regulatory approaches that do not inadvertently increase user risk. As mobile platforms continue to evolve, ongoing vigilance and collaboration between stakeholders will be essential to safeguard user privacy. The situation calls for immediate action from app developers, platform providers, and policymakers to address these multifaceted privacy threats. Users are advised to remain cautious about the permissions they grant and the information they share with mobile applications. The broader industry must prioritize transparency, user control, and robust security measures to restore trust in the mobile app ecosystem.
Mar 21, 2026