Since the article doesn't actually repeat what Apple has said, here's what Apple says:
== Begin quote ==
The iOS system has traditionally provided support for Home Screen web apps by building directly on WebKit and its security architecture. That integration means Home Screen web apps are managed to align with the security and privacy model for native apps on iOS, including isolation of storage and enforcement of system prompts to access privacy impacting capabilities on a per-site basis.
Without this type of isolation and enforcement, malicious web apps could read data from other web apps and recapture their permissions to gain access to a user’s camera, microphone or location without a user’s consent. Browsers also could install web apps on the system without a user’s awareness and consent. Addressing the complex security and privacy concerns associated with web apps using alternative browser engines would require building an entirely new integration architecture that does not currently exist in iOS and was not practical to undertake given the other demands of the DMA and the very low user adoption of Home Screen web apps. And so, to comply with the DMA’s requirements, we had to remove the Home Screen web apps feature in the EU.
EU users will be able to continue accessing websites directly from their Home Screen through a bookmark with minimal impact to their functionality. We expect this change to affect a small number of users. Still, we regret any impact this change — that was made as part of the work to comply with the DMA — may have on developers of Home Screen web apps and our users.
== End quote ==
Source: https://developer.apple.com/support/dma-and-apps-in-the-eu/#...
Without this type of isolation and enforcement, malicious... camera, microphone or location ... Browsers ...
30 some million lines of code in chromium browsers.
That's bigger than the Linux kernel.
The HN crowd might not LIKE Apple's response but they have a very defensible position.
Edit: It's not like we haven't seen this play out on the desktop recently: https://www.theverge.com/24054329/microsoft-edge-automatic-c...
Why should we trust Apple for security in that context? Apple also provides all those functionalities via their proprietary API, which is not even audit-able. If Apple really believes in that argument, they should disable their own API as well.
You have to trust someone if you're using a computing device connected to the Internet. The point of being in Apple ecosystem is that you trust Apple, and then (supposedly) you can not trust anyone else. To many that's a very strong proposition.
This seems to be over-generalization? Users are using Apple devices because those are good products, not because they want to delegate every single trust problem to the Apple ecosystem. That might be a great proposition for people like you, but there is a significant number of people who consider it a compromise rather than a value.
I suspect that from Apple's perspective, it is definitively not a significant number.
For Apple, ownership of the "trust problem" is an intrinsic part of "making good products".
Yes, this might be true. And the majority of elected officials in EU fundamentally disagrees with that statement.
Well, EU can and will force, fine, or ban US companies as they see fit but there is not some fundamental correctness to their viewpoint
Any fundamental correctness of their viewpoint is by virtue of them representing more people (EU citizens) than Apple's CEO represents (himself and, I guess, the Apple corporation, if you count that). On moral issues, the fundamentally "correct" viewpoint (if there is one) is, by definition, the one that more people say is the fundamentally "correct" viewpoint.
What you should be comparing is the percentage of the market the EU represents in the total market available to Apple. EU politicians are accountable to their population. Apple’s CEO is accountable to every Apple customer. The EU does not now, nor has it ever, constituted a majority of Apple revenue.
I don't believe the concept of a market has any fundamental place in morality, and my morality isn't limited to any particular "market".
Indeed, who Apple is or isn't able to sell to doesn't affect what people think is moral or immoral.
As for Apple's CEO representing Apple's customers: Are you sure? We didn't elect him. We just bought stuff made by an organization he currently runs.
So you think government can prove morality, but markets cannot? If you don't think government is a marketplace where the currency is political capital, then you have a naive view of how governments work. Also, I don't believe the EU is a direct democracy, so the representative morality is lossy. Have you never disagreed with a decision made by a politician you voted for?
I'm saying that customers decide whether or not to buy from Apple based on whether they resonate with them from a moral standpoint, at least as part of their decision to purchase their products. And I said Apple's CEO is accountable to their customers, not that they represent them. Yes, they're also accountable to shareholders, as your sibling comment points out. But if the company screws up enough to elicit a popular boycott, you can bet the reason shareholders will be exercising that accountability is due to the actions of the customer base.
Yes, a democratic government represents the people, and thus their moral stance. A market sells stuff. There's really no relationship between the two nouns. No reason to compare them. You might as well ask, "So the people can decide what's moral, but a jar of pickles can't?" Yes, that's correct. A jar of pickles is technically a market, so this analogy applies particularly well.
> I'm saying that customers decide whether or not to buy from Apple based on whether they resonate with them from a moral standpoint
I fully believe that you might do that yourself. There's no evidence everyone else does, or even that a majority do. Especially since most people aren't informed of working conditions involved in manufacturing Apple products (or indeed, many others' products).
It's just not believable that everyone thinks that buying a product = agreeing with every single moral stance made by the person currently running the company. And what if he changed his mind tomorrow? Would he offer a full refund to everybody who asked for one?
> And I said Apple's CEO is accountable to their customers, not that they represent them.
He's not accountable to them, only to the board*, but we're discussing representation - that is, speaking on behalf of a people, according to those people, not you or I or the speaker individually. If you mentioned accountability while we were on the topic of representation, and I returned us to the topic of representation, you're welcome :)
[*]: Your example illustrates this: a complex chain of accountability from CEO to Corporation and BoD to Corporation and Corporation to shareholders is required for any action to happen. Being accountable to customers means customers can decide to fire him _directly_.
I'd argue that's not the case. CEOs are accountable to shareholders, not its customers. And before you say it's the same thing, there are a lot of publicly traded companies who get away with unlawful actions that directly affect its customers for a long, long time without their bottom line being affected.
China represents twice as many people as the EU. This is not an enticing argument. Can you at least qualify this with democratic representation?
Which free and democratic election did Xi win?
None, which is what the comment was complaining about.
Thank you for your comment. In the spirit of interpreting it in the most charitable way possible, I assume that when you say "China", you mean the Chinese government. The answer is that Chinese government doesn't necessarily represent people living in China. As you say, it is not democratic. That leaves us with few indicators of representation.
It has control over the people living in China, true, but I do not think controlling a person, being able to put them in jail if they don't obey you, is the same thing as representing them.
Governments in other countries have come to a different view, and it's for Apple to determine how worth it is for them to conform to the view come to by the representatives of the EU citizens versus catering to markets with other regulatory regimes.
Yeah, as I’ve said before: the root problem here is that the EU wants to outlaw Apple’s business model.
People don’t think of it that way, they tell themselves all the reasons why that’s a good thing, but that’s ultimately what it is - a legislative solution to end the “android vs iOS” debate for all time.
The argument is walled gardens shouldn’t exist, so the solution is to either legislate requirements that Apple destroy the walls, or that they exit the market. That is a statement that most Android advocates would agree with.
And the EU will largely just keep ratcheting up the legislation until that happens. Driving Apple out is the point - walled gardens are (in the EU sense) unacceptable and the option for a walled-garden business model needs to be removed from the market.
Apple is (correctly) perceiving this and pulling out of the market, first by dropping the affected features, and I’m sure there will be a “next compliance requirement” before many years too.
I feel like this is a win for consumers - I'd much rather there remain more OS competition on mobile devices[1] but if Apple wants to pursue a business model that excludes large portions of the world from their customer base that's their decision. I don't believe there exists any maliciousness from the EU towards Apple - they do, after all, benefit greatly from corporation tax revenues from Apple and iPhones are still quite popular in the EU. I think at the end of the day there's just a difference in the social expectation of privacy and freedom between the EU and NA. Apple, being primarily steeped in NA's expectations for freedom, hasn't built an ecosystem that is compatible with the EU's higher expectations.
1. Still hoping to see something amazing RIM!
I don't see how you can call EU having any expectation of freedom when commenting about a law which forces a company to comply to regulation.
This actively reduces freedom, the freedom of running your business. You just don't care about it.
If you don't like walled gardens you can just not use them (I certainly never bought anything Apple for this very reason), there's no need to infringe on the freedom of everyone else who wants to use walled gardens.
The EU is in general becoming increasingly less free, thanks to barely elected bureaucrats who line up their pockets with sponsors money.
I think this is a great example of what I had mentioned as social differences of freedom between the EU and NA - in NA the freedom of businesses is often well protected up until it causes actual harm to human beings[1] - in the EU the freedom of human beings tend to be given priority of those of companies. It's important to remember that there are a lot of freedoms in this world and they often conflict in major ways. A quote that I love is "Your right to swing your arms ends just where the other man's nose begins". Freedoms are extremely easy to guarantee if they're non-conflicting but that's rarely the case. In this case the EU is siding with the freedoms of the customers rather than the freedom of the corporation - whether that makes the society less or more free overall is a matter of opinion.
1. I'd point to a great example from one of our current justices in this regard: https://www.theguardian.com/law/2017/mar/23/neil-gorsuch-sup...
That dissent sent him to the top of the Heritage Foundation SC shortlist for being a corporate kowtowing stooge.
Companies don't have freedom. People do. Companies are a collection of people that have a responsibility to the people who allow them to operate by charters. In our current age, I'd say that justice in this regard isn't operating as it should, because our governments are allowing selfish individuals within companies to do illegal stuff that goes against the original intent of charters. Individuals that would normally be held accountable for their actions are now being protected from being prosecuted for harms they commit while being part of a business.
Companies are designed and allowed, by charters, to operate within the scope of what's good for society. If it harms the public good then it needs to be reined in. I have no illusions that companies have the same standing and rights as living beings do. They are lifeless entities meant to be subject to the will of people.
That's not just an EU problem though. It seems to be well established (and perhaps worse?) in many places.
In the same way Right to Repair, Minimum Wage, and Discriminatory hiring affects the freedom of running a business, sure. Unfortunately, rules are written in blood and this is happening because other businesses at this point abused the point of labor or customer satisfaction and needed to get dinged for it.
In this case, blame Microsoft, I guess. Heck, even Google. We already know the result of a closed system abusing its platform and large share to make its product worse. I'm glad we're actually jumping into this before it's too late (like we usually do).
No-one's forcing Apple customers to go outside the walled garden. They can still source their apps from only the Apple App Store.
That'd be "corporate freedom" rather than "end user freedom" yeah?
That's my impression of what the NA model of freedom seems to mean these days.
Apple is free to switch to a less fascistic business model.
Because of course elected officials without any expertise, representing a very small minority of humanity, are the best arbiters of reality.
Non experts have to rule on expert subjects all the time - sometimes this goes hilariously wrong (like the internet being a series of tubes) but usually what happens is that the non-expert relies on the testimony of experts to make their judgement.
Politicians aren't expected to be experts due to the immense breadth of subjects they need to consider - they're expected to consult experts. Whether an individual politician is an expert[1] is pretty irrelevant.
All of these statements are about our general expectations of politicians - whether you think politicians adhere to that point or have comments on specific politicians is beside the scope of my comment. As a less controversial example it might be good to instead consider how judges operate who are expected to provide well reasoned judgements on subjects they know nothing about.
1. Sometimes those former expert politicians are the worst of all since they _think_ they know the way things are and won't listen to actual experts but they've been out of the industry so long that they've lost their familiarity with the subject.
That didn't go hilariously wrong, though - the internet is a series of tubes. Not physically (copper cables aren't tubes) but he obviously wasn't talking about specific stuff but broad-strokes analogy (his exact line was "It's not a big truck. It's a series of tubes."), and his description was basically accurate.
Unlike trillion-dollar corporations?
Users trust Apple because Apple is ultimately accountable for security breaches on iOS devices. If a 3rd party app causes a data breach it does not matter if the breach was made possible by compliance with regulations like the DMA, Apple will still take the blame.
As a long time user of Windows which historically had an incomparably large amount of security incidents, I can assure you that Apple won't get blamed that much for 3rd party data breach unless it involves Apple's own service and user data.
Since you’re a commenter on HN I’m going to assume you’re a tech person. I’m not talking about tech people, who through their discussions try to find the correct person/company to blame for issues.
I’m talking about the general public. If a story about a data breach in a 3rd party app — affecting iOS users — hits the news cycle, Apple will take the blame and their brand reputation and sales will be impacted. It doesn’t matter whose fault it really is, Apple is the face of the iPhone and through their walled garden they have accepted final responsibility for everything that occurs on iOS.
I don't see how this matters to the GP's argument. Windows was a virus hotbed for decades and that does not appear to have affected its reputation in a meaningful way.
That’s because Windows’ reputation was already mud. Microsoft made their business on corporate users anyway. Apple is a consumer brand. A data breach on iOS is like nudity in a Disney movie: utterly brand-destroying.
Windows was both. If you were buying a computer in the early 2000s, it was almost certainly a Windows PC.
That was because Microsoft abused their monopoly in operating systems at the time to force OEMs to use their OS on all their computers in order to maintain the industry discounts on OEM licensing.
Also because there weren’t really any credible alternatives
Right, but Apple built their brand on being the alternative to Windows for people who didn’t want to deal with security issues, viruses, crashes, bundled junkware, etc.
You can draw a direct line between Apple’s original marketing pitch (easy to use, simple, secure, appliance-style computing) and the iOS walled garden. Just as you can with Disney and their family-oriented brand. It’s not a compelling argument to say that other film studios have nudity in their films when Disney is the brand at issue.
Windows doesn’t have a reputation. It’s the default. Nobody actually likes using windows you just have to. Do you really think there are people out there asking for advertisements in their start menu?
To this day, I prefer windows, and I have to switch between Mac and windows all day every day.
What was the last 3rd party breach Apple took the blame for?
Fappening. Apple took all of the blame and then we got mandatory MFA. The logic works even if it’s the user’s own fault for getting scammed.
I as an Apple user will blame Apple for design choices that lead to 3rd party breaches of my data and privacy.
For general populace good also include secure by default.
"every single trust problem to the Apple ecosystem." is rather technical point that very few people would even understand meaning of it.
How significant compared to the iPhone user base?
I'd rather trust a public (not-for-profit) institution that actually had a real incentive to protect user security. Instead we get for-profit companies that have a vested interest (conflict of interest) to do security the way it thinks it should be done. In my experience, that usually is bad for the people that are using the platform because there is no real surety that security is being done for the sake of the users.
Apple has no interest in working with public institutions that have a close relationship with the people they serve. That's a big red flag in my book. You can't trust a company that serves content and hardware and at the same time trust them with security. It's too many eggs in one basket, too easy of a target for rogue entities (NSA) even if they have good motives.
Which public institutions do you find have real concern for their users? In which country?
https://eff.org, https://fsfe.org, https://edri.org.
And to a degree, that’s why developers tend to hate Apple. They paint us as a pack of crims trying to steal from unsuspecting Apple users.
Have you seen the world around you for the past 20 years or so? I'd say this characterises developers (well, companies they work for at least) quite well, don't you think?
I think you are conflating the relationship between consumers/developers and the corporation (that you work for?).
I don't hate Apple, but rather realise that its bottom line and fiduciary duty to its shareholders is stronger than what is best for us (consumers/developers).
I do not trust the corporate marketing one bit (and honestly, why should I?).
This behaviour of Apple just further supports that view. As a company, it seems to believe that it is somehow above following the rules meant to benefit consumers/developers, which goes against what the company has been marketing itself with since the 80's.
So let's stop the 'Leave Apple alone (and us that work there)' crying, and just acknowledge what the whole thing revolves around.
Why can’t I choose to trust Apple for iOS and another developer for other functionality that runs on iOS?
We do this all the time. I don’t uniquely depend on Microsoft for stuff that runs on Windows. Same for stuff that runs on macOS. And on Linux I’m not even sure who I’m trusting from the ground up other than a huge and disparate collection of people.
So what makes iOS so unique that it can’t run PWAs, which is little more than adding some chrome and a handful of APIs to already pre-existing browser capabilities.
What an F’ing joke. And the bigger joke are the Apple fans who are going out of their way to defend Apple sticking it up their nether parts.
It’s not unique to Apple. It’s an inherent problem to securing Turing machines.
If you are not an Apple user nor an Apple fan, why do you care so much about Apple and its users?
But that's what the EU is willing to reform. Apple isn't an EU company, hell it may even not contribute much to the tax base, there's less reason to trust them in exchange for gatekeeping against EU companies trying to generate tax revenue on their platform.
Trusting Apple is nice in the US where it's probably a net contributor to the country's development. Elsewhere, not so.
There are two kinds of trust, I may trust Apple to not intentionally steal data. But I may trust Signal to create a more inherently secure messenger, or I may trust Google to create technically a more secure browser.
What Apple and some users here are saying that users don't have intelligence to judge it and so will have to trust only Apple.
Well, while the argument is entirely bogus as "PWAs are unsafe" implies that loading web pages in that browser itself is unsafe and thus stopping PWAs but not loading pages is pointless, you do have to have full trust in Apple for security of your device as they are the sole provider for the core platform providing most of the security primitives used.
That just doesn't exclude trusting others as well.
Except that's exactly what Apple is saying. Their engine -- and their brand depends on it -- offers users assurances arbitrary engines do not offer. Apple says PWAs are safe because Safari is safe, while not-Safari PWAs are not-safe.
And, if not safe, Apple is at least accountable.
Google's brand, for instance, does not depend on it: https://www.engadget.com/the-morning-after-google-will-settl...
Well, that link definitely plays in Apple's favour :)
You misunderstand. If a foreign browser engine was to be made available for PWAs, it would be because the user installed the browser and browsed the web with it. In other words, if loading a web page in this browser was unsafe - which is what a PWA is - the user would already be compromised. PWA or bookmark does not matter.
PWAs do not change the risk profile. PWAs only get a few extra APIs, but nothing major. Location, microphone, webcam, bluetooth, usb, etc. are all standard web APIs available to web pages, not PWA specific.
The argument that PWA specifically has a special risk profile is null and void. The only sensible reasoning is that Apple is strongly against opening their platform at all (their way of implementing compliance is borderline malicious), and maybe want to weasel their way out of any effort they can avoid (allowing users to install new types of apps is zero work, changing which app opens a link by default is near-zero, while allowing users to replace the engine for PWAs require a bit more integration).
It doesn’t matter - they are going to support third party browsers anyway.
They are just afraid the browsers will host PWAs better than Safari does, making them a more viable alternative to the App Store.
Apple’s inability to protect its “brand” while doing what nearly every other platform owner in the world does routinely does not justify monopolistic and anti competitive behavior.
Since when was loading web pages ever considered safe, at least by those who actually breathe computer?
It's frankly alarming how much trust we (must) give to Arbitrary, Remotely Executed Code(tm), especially given how many attack vectors are remote code executions.
Never, but the world wide web is the one force of nature even Jobs couldn't fight back against. I'm sure he tried, too. So like most "too popular" stuff, it was given an exception that no other type of app would ever dream of.
Well, that's a different argument altogether. Whether you consider browsing the web in any browser safe or not, the fact that PWAs do not change the risk profile of loading such pages remain true.
We don't entirely trust Apple. We just trust them more than other vendors.
This is a false dichotomy. Completely trusting any single entity who doesn't really care about you (and only cares about extracting money from you) is riskier than trusting FLOSS, which is being constantly verified by independent actors.
That is not really how it works though. Look at the amount of limping, poorly implemented FLOSS software there is out there where the maintainers show no interest at all or there is no funding to support it. Look at the whole OpenSSL mess a while back.
I honestly prefer to pay a vendor who will (a) complete a product until it's usable (b) be motivated to maintain it because they are paid and (c) be motivated to maintain it because they are scared of the bad PR of not maintaining it.
Apple OSes are insecure by design to aid surveillance (sneak.berlin)
43 points by vitplister 4 months ago | 32 comments
https://news.ycombinator.com/item?id=37875370
Apple fined $8.5M for illegally collecting iPhone owners' data for ads (gizmodo.com)
334 points by nixcraft on Jan 8, 2023 | 134 comments
https://news.ycombinator.com/item?id=34299433
Apple's Cooperation with Authoritarian Governments (jessesquires.com)
468 points by ig0r0 on March 31, 2021 | 291 comments
https://news.ycombinator.com/item?id=26644216
Apple reportedly dropped plan for encrypting backups after FBI complained (2020) (theverge.com)
425 points by samename on Jan 14, 2021 | 137 comments
https://news.ycombinator.com/item?id=25777207
Who is "we"?
Probably the folk upvoting my comment.
Apple’s business model excludes clickjacking, stealing personal information, stealing passwords, commissions from redirects, commissions from gambling site redirects. Those in that business use browser plugins to get inside your security boundary, so your argument may be over my head or baby bath water thing.
Using an Apple device requires trust in Apple even if you run a 3rd party operating system let alone a 3rd party application on their OS.
I don't trust anyone, but historically they seem on par with the big guys like Microsoft and Google. At some point you accept someone's security model or you roll your own system I guess and hope you're better than the security teams at these companies?
It really doesn't make sense. By that logic, I shouldn't be allowed to load web pages because it's impossible to secure a browser. PWAs only need a few extra integration privileges like badge and window control; the rest is just the web as usual.
What you link is a case of one app (edge) reading the data of another app (chrome), which is entirely unrelated to PWAs.
Indeed, and 'whatever browser engine you picked here' is responsible for correctly implementing these additional security features.
That's the argument; if you write an app that lets you run other apps inside it how do we make sure your app does security correctly?
When you look at it from that perspective, you can see that unless at an OS level you provide additional 'meta-security' features that allow apps that run in other apps to have fine-grained access control that is managed by the OS, it's pretty much "security? Well, whatever...".
Right? I mean, whether you agree or not, it's a pretty reasonable position to take and it entirely makes sense.
So, Apple? Since Apple has also required browsers for years to use their own Safari backend, this isn't even an issue of "oh well it doesn't work on Firefox".
Sounds like they cornered themselves there.
Apple’s hand has been forced to implement changes that didn’t fit their vision and roadmap.
I imagine that if you’re on HN you are close to developers or are a developer yourself.
And if so, I imagine that you have already had an important customer (to whom you cannot say “no”) completely change your plans and architecture with a new feature request while setting an aggressive deadline (i.e., you don’t have time to implement everything and must make choices).
Now replace you with “Apple” and “important customer” with EU.
Sure. I sure do wish the demands were actually consumer centric, and not "force all these advertising tracking into your site, tank performance, and grab a bunch of unneeded user data".
And of course, if I maliciously complied and "oops the tracking only gets 1% of user data", I would simply be fired instead of getting another strongly worded letter leading to meetings re-defining what "grab a bunch of unneeded user data" is.
You are confusing the “important customer” with “other customers”.
EU is the “important customer”, the users of PWA are “other customers”.
Using your example, you would implement tracking for that important customer (and comply 100% to the requirements as Apple did) but because of this additional bloat, the website would load 2 times slower.
After a discussion with your colleagues, you would realize that:
- Most users won’t care about the slow loading (including the important customer)
- Re-architecting the website to keep the same level of performance while adding the necessary tracking required by the important customer would delay shipping the tracking by 1 year, past the 2 months deadline required by the important customer.
Back to your desk, you start implementing the tracking that will incur a 2x slower load time.
I'd love to one day work for a place where I can dismiss monetization as "the other customer". But alas, my career hasn't been that friendly.
Given how the topic is:
I fail to see how the EU is the "important customer" here. And not the powers that be in Apple telling me to maliciously comply.
The EU said "allow other app stores to exist" and my theoretical manager at Apple is saying "okay, PWAs can exist but they don't have to run well. Add in unnecessary security (because the NA version doesn't have it) that disables functionality". I don't even see how it has to do with complying with the EU, unless it's some long term OS lock down for future app stores.
Tell me how the EU here is the one telling me to slow down my OS/browser?
That is simply just nonsense.
They had 1,5 years from the time of being identified as gatekeepers to work on this.
The DMA was voted on by the EU parliament and then the council in July 2022, Apple was identified as a gatekeeper in September 2022, the law became legally implemented in November 2022, with gatekeepers required to comply with it by March 6th 2024.
I do not buy for a second that the richest tech company on the planet, that owns, designs and manufactures the whole tech stack their product uses was unable to respond in due time to the legally required changes and so 'just had to go this route due to time constraints'.
The simple answer is that it’s not worth it to them.
They don’t see money with PWA at this point in time and therefore decided that breaking support was not a big deal.
It obviously outrages everyone on HN, but HN is not your average customer of Apple.
Oh I don't care one iota about PWA's on iOS.
However the parent argument was a weak one, and so had to be answered with facts.
But browsers already have these security features that isolate websites from each other? How come a PWA, which is essentially just placing a website shortcut on the home screen and hiding the browser UI, affects the browser's existing security features?
It doesn’t, of course. Apple’s real concern is that if Chrome is allowed to host standalone PWAs, it can also remove some of the unnecessary pain points that Apple’s Safari maliciously injected to kneecap PWAs in the first place. For example, Chrome could make it easy for users to install a PWA. Chrome could support more web standards. Etc. This would create a true alternative to the App Store, with no Apple tax, and of course Apple isn’t going to let that happen without kicking and screaming.
Yes because PWAs are so popular on Android
They’re not as necessary on Android because Android has alternative App distribution methods.
Right. Because downloading from alternate app stores or from the web is really easier than creating a PWA and is easier for discoverability.
But that is a new retort when I ask that same question most of the time. Often it’s because of mean old Apple that PWAs aren’t more popular on Android.
But since now that there will be alternate means of distribution in the EU, you should be okay with no PWAs in the EU?
I thought the whole point of PWAs was that they could access user files directly, which they wouldn't be able to as a webpage inside a browser's sandbox? If that's not the case it's just a bookmark.
I don't think that's the only solution. A simple alternative is to declare that "apps that run in other apps don't get to do anything at all."
I.e. in this case, in response to a EU requirement to support alternative browser engines, Apple could — rather than disabling PWA integration altogether — drop all additional privileges that PWAs have that regular webpages don't.
Make installed PWAs in the EU market into just "webpages, but with a home-screen icon, a separate task-manager card, and no address bar." Which is 99% of the reason anyone installs a PWA anyway. No camera/microphone, no extra storage, etc. Not for Chrome PWAs, not for Safari PWAs; not for any PWAs (on these devices.) They're just webpages presented differently. No "meta-security" required!
Then everyone will just bitch PWAs can't do anything.
But only in the EU, and only on iOS. They'd still get enhanced capabilities elsewhere. (On iOS on any other continent; on Android anywhere; on ChromiumOS anywhere, or just Chrome on desktop anywhere; etc.)
And the nice thing about PWAs, is that there's no way for a PWA to know or care that it's being run "installed", and change its expectations/requirements — as there's just no web API for that. Instead, a PWA must just attempt to talk to each of these permission-gated APIs it wants to use, and find that it's now being [prompted for and] given access to them, rather than silently refused them.
So, unlike tightening the security model around regular native apps, tightening the security sandbox around PWAs shouldn't actually fundamentally break them — they should be designed to gracefully degrade when refused these capabilities. Presuming these PWAs were already ordinary fully-functional web-apps, which have just been progressively enhanced with these features when and where available, they'll just act like they do "on the web" — which should still deliver on the app's use-case. That's what the "Progressive" in "Progressive Web Apps" is supposed to mean!
Of course, some PWAs 1. will have been designed from the ground up as PWAs, and 2. will have a purpose/use-case that's very specific to the use of these high-integrity web APIs, such that they're completely useless without these PWA-only permissions. A video-chat PWA, for example, won't do much without access to your camera + microphone. There's no point to using these webapps as webapps — and often they don't even let you do so (i.e. they attempt to access the specific API they need on launch; if they succeed, they render the app UI; if they fail, they render a prompt to install the PWA.)
I don't know if you'd really call these PWAs, since there's nothing progressive about them — there almost needs to be a different term for these apps that need the high-trust APIs to do anything-at-all. For the sake of discussion, I'll refer to these as "Elevated Web Apps" (EWAs), since they require elevated permissions to be useful.
It's only these Elevated Web Apps that would benefit from having what the GP called "meta-security": the ability to interact with the OS security on a per-webapp basis, through e.g. an Android-like install-time gate where the app presents a capabilities manifest (displayed to the user as a set of permissions it wants) and the user makes a decision of whether to accept that.
And, if Apple simply neutered PWAs rather than removing them, it's only these Elevated Web Apps that people would "miss out on."
As cool as PWAs are as a technology, these Elevated Web Apps are a true minority of them — maybe 1% or so.
And — at least as far as I know — almost all Elevated Web apps only exist for one of two reasons:
1. to serve use-cases that users with access to native apps from an app store, just have no reason to care about. (Specifically, they were developed to allow users to accomplish native-app-equivalent things on OSes that don't support any kind of native apps — like FirefoxOS nee KaiOS, or early ChromiumOS.)
2. to benefit the developer at the user's expense, by forcing the user to give the developer permissions that allow the developer to spy on the user more effectively, before the app will work — but where the app doesn't actually do anything with these permissions to serve the use-case. (I've seen a few scammy Chinese dating sites demand to be installed as a PWA for this reason.)
In other words: on iOS, at least, you probably won't miss them! (Especially with the third-party App Store ruling also in place in the EU! Things like emulators don't need to be relegated to "WASM running in a PWA" any more; in the EU, they can just be third-party-store apps!)
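The graceful-degradation pattern the comment above describes, as an added example that is not part of the thread: the app attempts a permission-gated API (`navigator.mediaDevices.getUserMedia`), treats a refusal as a normal outcome, and falls back to the feature set that works as a plain web page. The function names, the text-chat fallback and the fake navigator objects are assumptions constructed for illustration.

```javascript
// Added example, not code from the thread. Function names are hypothetical and
// the fake navigator objects below are constructed stand-ins for window.navigator.

// Map the DOMException names getUserMedia() rejects with to a coarse reason.
function classifyDenial(err) {
  switch (err && err.name) {
    case 'NotAllowedError':  // the user or the platform refused the request
    case 'SecurityError':    // blocked by policy or an insecure context
      return 'denied';
    case 'NotFoundError':    // no camera or microphone on this device
      return 'unavailable';
    case 'NotReadableError': // device exists but is in use or failing
      return 'busy';
    default:
      return 'error';
  }
}

// Attempt the permission-gated API. Never throws: a refusal is a normal result.
async function probeMedia(nav) {
  const md = nav && nav.mediaDevices;
  if (!md || typeof md.getUserMedia !== 'function') {
    return { granted: false, reason: 'unsupported', stream: null };
  }
  try {
    const stream = await md.getUserMedia({ video: true, audio: true });
    return { granted: true, reason: 'granted', stream };
  } catch (err) {
    return { granted: false, reason: classifyDenial(err), stream: null };
  }
}

// Pick the UI from the probe result: the enhanced feature when granted,
// otherwise the baseline that works without any elevated capability.
function planFeatures(probe) {
  if (probe.granted) return { mode: 'video-call', notice: null };
  const notices = {
    denied: 'Camera and microphone access was refused; continuing with text chat.',
    unavailable: 'No camera or microphone found; continuing with text chat.',
    busy: 'Camera or microphone is in use elsewhere; continuing with text chat.',
    unsupported: 'This browser has no media capture API; continuing with text chat.',
  };
  const fallback = 'Video is unavailable; continuing with text chat.';
  return { mode: 'text-chat', notice: notices[probe.reason] || fallback };
}

// Entry point: in a browser this would be called as startApp(navigator).
async function startApp(nav) {
  const probe = await probeMedia(nav);
  return planFeatures(probe);
}

// Constructed navigator: 'grant' resolves with a dummy stream, any other value
// is used as the name of the rejection error.
function fakeNavigator(outcome) {
  return {
    mediaDevices: {
      getUserMedia: async () => {
        if (outcome === 'grant') return { id: 'constructed-stream' };
        const err = new Error('constructed rejection');
        err.name = outcome;
        throw err;
      },
    },
  };
}

// Demo over three constructed environments: granted, refused, no API at all.
Promise.all([
  startApp(fakeNavigator('grant')),
  startApp(fakeNavigator('NotAllowedError')),
  startApp({}),
]).then((plans) => plans.forEach((p) => console.log(p.mode, p.notice || '')));
```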
The Peapod grocery delivery app was already just single webview to their website. Worked fine.
This would run afoul of the DMA, unless they make Safari PWA also less capable.
That’s what I meant/said — they’d neuter the PWA framework itself, which would mean that any PWA (including Safari PWAs) would just become “regular webpages but standalone.”
I don't see how this refutes GP's point. Yes, it's a big challenge but when they are allowing other browsers, the challenge is met already. The "install to home screen" feature adds but very minute extra features.
I guess the issue is that PWA is more deeply integrated… so instead of having this integration within the OS using their WKWebView component, they need to make it a user choice which browser component is used. This component then has to be installable through the App Store. This then also means an ‘app’ is hosted by another ‘app’, and to do this properly that host app needs too many permissions.
My understanding is that Apple can provide security guarantees only for their own browser, because it's tightly integrated with the rest of their stack.
Nah, it's secure because the OS is secure. No difference between an app itself and an app running "other apps".
It's all just code sandboxed by the OS. Apple is just being pathetic because they couldn't force legislators to do their bidding.
Yes, and Apple now (against their will) allows me to select this browser myself to browse the web with.
Whether I use this to load a webpage normally or as a PWA does not change the risk I was exposed to. PWAs just let a web application ask the browser to run "fullscreen" without browser chrome, to set its badge and colors, to register as a handler for certain URL types, and to open the share panel. All actions already taken regularly by said browser.
Even if we assume Apple's statement that other browsers are insecure is correct, there is no value in blocking PWAs and requiring me to instead use bookmarks: I am still loading said application in said browser that implements and uses all this functionality itself. To the OS, a PWA is nothing more than a type of bookmark for a browser.
So, no - this is not reasonable and their argument makes no sense. If it was true that Safari was actually safer, then Apple should instead spend energy sharing how so that other apps can be equally safe - it would be incredibly irresponsible for the platform owner to keep security as secret sauce - rather than handicapping other apps.
In one sense, sure.
But in another sense Edge taking Chrome's tabs means Microsoft is getting insight into Google's data. A lot of Apple's defenses seem really targeted at reducing the ability of Microsoft, Google, and Meta to extract value from Apple's users. Apple sees the union of all the app data, but their competitors can't put together that picture. So in that sense, Edge eating Chrome data may be the sort of thing they're looking to prevent.
After all, Apple users are the product. They even pay for the privilege!
They are a cash flow generating financial product, like a bond ETF. Apple packages users, resell them to the highest bidder, and interest is collected as return on investment from the payments users make.
Ofc, like a bond, a user pays for a reason: he gets something out of the facility provided by Apple, in kind.
Apple users are not products. That would be Google/chrome/android users
In my experience even "a few extras privileges" can take many months to implement, especially for a company as large as Apple.
The EU gave them six months after being designated as a gatekeeper. The regulation already entered into force an additional ten months earlier, so Apple arguably could have already prepared for their likely designation.
The real issue, however, is that Apple is not saying “we need more time to implement the APIs”, which the EU would very likely concede, but “we don’t think it’s worth it for us”.
But the plain browser already can request camera permissions, in a bad security situation a site that didn't request it still receives it from the browser's system level request.
This is just Apple wanting to avoid people being able to develop a platform on top of their platform without paying a tax.
That’s not the point though because WebKit is already secured by Apple but if you have multiple Blink-related apps like Microsoft Edge or Brave or Firefox, Apple will have to audit those too and be on the hook if something breaks, and then Apple will have to take the blame over a security oversight they aren’t responsible for.
That assumes that Apple would be blamed for Edge/Brave/Firefox's security oversight.
If you add a PWA (with Safari) a year ago to your Home Screen and then change your browser to Firefox, and that PWA breaks out and steals some other application data...
Will you blame the software maker that you used to install the icon on the screen? or the one that is seemingly unrelated to the icon on your Home Screen?
Why silently change the underlying browser engine of an existing PWA without the user's knowledge?
That sounds like a bad UX. At least make the existing PWA stay with Safari and provide the ability to switch the underlying engine for each PWA afterwards if migrating is possible.
As I understand the legislation, Apple has three choices for how to comply with the law.
They can either allow third party browsers the elevated system access that Safari currently has in order to be able to access the data for multiple PWAs ... which compromises Apple's security standards, but puts Safari and other browser engines on the same footing.
Or, Apple can remove the additional security permissions that Safari uses in order to access the data of multiple PWAs so that Safari and other web browsers are on the same footing again.
Or, Apple can invest significant time and resources into creating a new sandbox for browser engines (including Safari) such that a PWA running in the browser engine will not be able to escape and access the elevated permissions of the browser engine or the data of other PWAs through a flaw in the browser engine.
Given the amount of effort that the third option would take, the low adoption of PWAs from most users within the European market, and the not going to compromise on the first option - the second option of removing security permissions from Safari (and other browser engines) to run PWAs is the only option to comply with the law in Europe.
That’s a fable. Apple have a good history in security design. There is absolutely no way Safari has some "system access" that another app can’t have. Safari is probably just as sandboxed by the OS as every other app or else that would be an incredibly stupid decision.
If Apple wanted to implement PWAs correctly, they’d just run whatever engine + the web page in the same solid OS sandbox and there wouldn’t be any more security issue than with any App Store App.
Any iOS dev knows that it’s impossible for any app to gain any useful access without being granted the permission by the OS. The point is Apple is stuck being forced to hide that the security model of iOS is based on this (working well) sandboxing because it goes against their narrative that all the security comes from App Store policies (which they technically can’t enforce because all they’ve got to review is binary code).
It's not the Sandbox between Safari and Bank of America app - it's the sandbox within Safari between the Bank of America PWA and Some Game PWA at issue.
Does Safari, as the browser engine running PWAs have access to the data of multiple PWAs?
If so, and Apple has good security - that's not a problem.
However, if Safari does have that access to multiple PWAs local data, and a different browser engine is used and also needs access to multiple PWAs data stores in order to be able to run them, what can Apple do to ensure that one PWA can't break out of its sandbox within the (as an example) Firefox PWA runner and access the data for another PWA?
If Apple cannot ensure that all browser engines have the rigorous design and/or history of security design and promptness of rolling out fixes when 0 days are discovered ... should Apple grant the additional security access for a 3rd party browser engine to be able to access the data of multiple PWAs?
If Apple should not grant that access because the other browser engines may not be as secure, then Apple (according to the law) must not grant its browser engine any favored position within the system.
The way to fill that requirement is to either figure out how to create additional sandboxes within 3rd party code so that PWAs running within Firefox cannot break out of their sandbox to access other PWAs ... or remove the ability for Safari to run PWAs altogether.
And you pointed out yourself ... "If Apple wanted to implement PWAs correctly," - they apparently didn't implement PWAs correctly and are using sandboxing within Safari rather than sandboxing the PWAs and Safari combination at the OS level.
Should Apple invest the time to fix Safari and PWAs and 3rd party browser engines? Or given the low adoption of PWAs, is it less work and better security, and only a marginal loss of functionality to remove PWAs from Safari?
I would probably blame the "the software maker" for silently switching the engine used by previously installed PWAs. Why do that?
You think this uneducated me would know that this was a PWA and no app and also remember that it was installed by Safari, an app I apparently don't own anymore at this stage...?
Why wouldn't Safari remove all its PWA icons when I uninstall it, considering that it anyway cannot transfer the data to another browser...?
They would absolutely be blamed by users for it.
Like when it happens on MacOS ? Oh wait…
Yes, people blame Apple for it when it happens on a macOS.
Have you ever worked an IT support desk?
Why wouldn't they be? Especially considering their existing reputation in consumers' minds for security and reliability?
Because they own and maintain the operating system, not the vulnerable software?
I understand that they've built this image of being a grand infinite protector for all their users within the walls of their garden, but they've had plenty of security issues within their own software, and plenty of cases where application developers have sidestepped their rules.
This relationship of trust with Apple is cultish at best. To say that I can trust Apple but not Mozilla? What are we smoking here?
Because it never ever happened on any other platform including MacOS.
So extending this logic to other platforms: if Chrome has a security bug on Windows... you believe people will blame Microsoft? And you think that would be valid justification for Microsoft pushing a "security update" that uninstalls all competing browsers and replaces them with Edge?
If you made a "Microsoft Windows Desktop Citibank App" from Edge, and then install Chrome, and the Uber app now uses Chrome, and a bug in Chrome lets someone steal your Citibank info, yes, the user probably would blame Microsoft as it was Windows software which made the Desktop app for Citibank.
And yes, if Windows had this feature and then Europe demanded it work like I described, Microsoft would be acting reasonably if it disabled the Desktop App feature in Europe.
Apple doesn't disable competing browsers, it just doesn't allow different web engines to underlie the browsers. You can argue with that but it isn't the same as "uninstalling all competing browsers".
Browsers can still do that. It's more that PWAs look like entirely separate apps which the user would expect to be sandboxed. While a tab in a browser is clearly part of the browser app.
This is not a meaningful distinction. Users ALSO expect ordinary websites’ data to be sandboxed. Users trust that pornhub.com won’t be allowed to read data entered into irs.gov.
Likely, most are worried about the other direction.
There is also a brand rep issue. If there is a Chrome bug that leaks data, it will be seen as a Google issue. If PWAs have the same problem, it will be seen as an Apple security issue. One that they have no ability to fix.
If I gave camera permissions to the zoom website on my browser, it is way worse if a random malicious email link gets them too on a different domain than if a permission spreads across PWAs I hand installed. This is Apple shaking people down.
Android handles this just fine. These are the world's largest corporations we're talking about, not some mom and pop shop that will be crushed under the heel of overzealous regulation.
So Android allows alternative rendering engines besides Chrome for PWA? If you install Firefox it uses Gecko but still has native app look feel? I honestly don't know but would be surprised if they did.
Installing a PWA on Firefox for Android adds the icon to the homescreen with a tiny Firefox icon at the bottom. The look and feel is Android, there's no obvious bits that would look either Firefox or Chrome.
https://web.dev/learn/pwa/tools-and-debug#using_physical_dev... at "Firefox Remote Debugging" says there's a way to debug Firefox for Android PWAs.
So I'm fairly sure the PWA is running using Firefox for Android.
I also never accepted the terms and conditions for Chrome on this phone.
The look and feel of the app itself is a CSS issue. There are web app frameworks that specifically offer themes matching style guides provided by Apple and Google. Framework7 is an example: the demo app on the home page is styled using iOS UI elements, and there is an option for more Android style designs as well.
https://framework7.io/
I wouldn’t say that demo is very convincing…
Yes: https://developer.mozilla.org/en-US/docs/Web/Progressive_web...
I tested just now in Firefox with an app from https://appsco.pe and it does indeed work!
I can do the same with the Android version of Brave.
That depends on your definition. Making an app _feel_ native is a matter of implementation. But the opposite is also true: A native app is free to feel non-native if the app creator makes it that way.
The app does show as a distinct entry in the app switcher, but still has a Firefox icon when I tested it just now.
I tested just now in Firefox with an app from https://appsco.pe and it just...opened a browser tab with the website.
So I understand a PWA is just a website but isn't the whole point to have a dedicated window/card for it?
I don't know what your setup is, but it did work for me, creating an app that shows as its own icon on the homescreen, without FF chrome, with a separate app-switcher entry. Using a S24 Ultra with whatever the current OneUI is.
I think Android already allowed that 7+ years ago: https://hacks.mozilla.org/2017/10/progressive-web-apps-firef...
Ok so I guess Android has some sort of API for allowing an app to install additional icons on the desktop with specific parameters like a shortcut and it shows the icon with a little icon representing the parent app, makes sense.
So if you install a PWA from Firefox it runs in Firefox and from Chrome it runs in Chrome similar to desktops. Looking at it this way I could see Apple doing something similar with less effort than trying to standardize a web view API and have PWA use the "system default browser".
"On Android, Firefox, Chrome, Edge, Opera, and Samsung Internet Browser all support installing PWAs."
https://developer.mozilla.org/en-US/docs/Web/Progressive_web...
Android "handles it" if you want to call shrugging it off "handling it," by making different security tradeoffs that do not emphasize security as much as Apple does.
Android zero days are worth as much as iPhone ones.
First, we should not be content to crush mom and pop shops with regulations.
Second, it’s entirely dependent on the regulation whether it crushes (or even just hurts) a behemoth.
Suddenly the user respecting innovators are all out of ideas!
As an end user who has been fucked over by the other side (MS/Google/crappy app vendors), I am behind their decision.
If I was not I can choose to leave.
I know this is a divisive comment. Please see my further extrapolation in a child comment.
How does removing web apps help anything? To me it seems like part of a ploy to create backlash against this law by removing features
It's a move against the third party browser engines which have been the bane of my existence from a security perspective on other platforms. For example, the about box in an Android app bundled a whole different browser engine which circumvented device policy entirely and allowed data to be exfiltrated. This app change was delivered in an update by clueless or lazy developers. This is not possible on iOS due to the platform restrictions.
In this case they have to change the integration and sandbox model to allow the security policy to remain intact for people who want and need it. That breaks a few things but it stops the integration from being used for exfiltration among other things.
Note that they're not completely breaking it, just ensuring that the security model stays intact when browser engines have to coexist on the same device. That means sacrificing some convenience for security.
If this prevention is by OS security, then your complaint is about the OS.
If it is by store guards, then your complaint is about the store.
So sorry, but I don't see how your complaint is properly about the browser engines.
I know it is not en vogue to be charitable towards tech companies, but it seems fair to assume that some teams are making a good faith effort to follow the law, and may be forced to accept imperfect design tradeoffs. Like they say, it affects a relatively small number of users, there is a sufficient workaround, and the technical fix would require major investment.
Not everything is a conspiracy.
Equally fair to conclude that one team here is not.
If chrome is really the problem, then chrome is already the problem and nothing about PWAs can change that.
And if PWAs from chrome are the problem, then it would also be possible to not allow chrome PWA's but still allow webkit PWA's.
I don’t buy it. Apple build iOS and I’m sure they will sandbox alt browsers as they do with every other 3rd party app on the phone.
It makes absolutely no sense. Apple could have pointed out to the EU that there are major and not - in the given time - fixable security issues with allowing other browsers on the home screen. PWA runtime platform could be seen as imho. other market than general web browsers. PWA serve niche markets (and corporate in-house) and this move may hurt the long tail in the EU but also globally.
Lol, no. They were fine for years but are not throwing a hissy fit. It's all utter nonsense. Third party apps are subject to the same security guarantees the system has been operating on for years.
But a legislator forced their hand so now they gotta cry about it.
You and Apple both are ignoring the fact that these permission APIs exist even if the website isn’t being displayed in standalone/full screen mode. The modern web is built on them, and third-party browser engines WILL provide access to these APIs in Europe.
Why can the camera be accessed through third-party browser engines so long as it's in a browser window?
If the browser engine can't be trusted to segregate camera access through a PWA then why is it trusted to segregate it in-app?
The “low usage” comment is going to be more ammo against Apple unfortunately. The whole reason they are low usage on PWAs is because of a lack of investment from Apple and a lack of parity, yet for the longest time Apple has played both sides by saying PWAs are a viable alternative to the App Store, all while channeling people to App Store for actual app downloads and not providing similar marketing or anything for PWAs
Are you sure this isn't a tech industry viewpoint? I don't know anyone who knows what the difference between an app and a PWA is. I don't think I've seen anyone outside of the tech industry with a PWA active.
In context 99% of the users I meet don't even know what USB-C is.
I think PWAs are an outright failure and a technical solution looking for a problem. I don’t even know where to find one.
For one thing, if Apple is complying with the EU’s alternative App Store and browser engine mandate, they’re even less useful than before. Why do I as a user want a PWA when I could have a native app?
I mean, the problem is the same one introduced since the two big mobile platforms were established: "I want to publish to iOS/Android as a native app without needing to have two separate builds to manage". PWAs make that pitch to those who already have websites to triple dip. It never has to promise to be as good as a native app, just "good enough".
Does it live up to that? YMMV. It's probably fine for very simple apps, probably comes apart at the seams for anything trying to look modern or have fancier functionality.
I've built large, complex and beautiful healthcare apps as a PWA.
The only two things I've ever missed from native functionality are:
- background geolocation
- push notifications on ios
The second one was fixed recently.
In contrast, from what I've seen 90+ percent of apps I see in the app stores would be better as a web page / PWA.
But the real question is where most of your users live.
I’d take a decent wager that most of your users are most familiar with apps and would prefer installing full apps.
Doesn’t matter that most apps would be better suited to being a web page or PWA if that’s not where the users are. That’s kind of like saying that PCs are better at gaming than consoles. Yes, that’s true, but that’s not where the majority of users are.
I mean, PWAs aren't made with the goal to maximize User UX. It's a cost saving measure like any other solution that isn't making 2 dedicated native apps for iOS/Android. It won't get as much traffic as a native app, but it's almost "free" to deploy.
To use the gaming console example, it's not unlike using an emulator to launch your game on PC (if you could somehow monetize an emulated rom). It's not the ideal experience, but it requires very little extra work.
I find PWAs to have a vastly superior UX. I can trust that they are running in the strongest sandbox my device has to offer. I don’t have to download anything, and I don’t have to update anything. I don’t have to remember any account passwords to install anything, and my ad blockers and password managers just work inside them. I don’t have to worry about arbitrary content policies of Apple or Google, the app can just show me whatever it wants.
Well, they "live" on their phone. I would just put a button on my website to install the app, users would find that easily.
The "two big mobile platforms" were not established by an irreversible act of God. Before the current time of two platforms, there was a time of (mostly-)one platform i.e. the Web, and that platform had quite a few nice features.
One of the small conveniences is indeed that you didn't need to develop the same thing twice, which made the barrier to entry much lower. The functionality that you were exposing to users did not need to pass a review at one of two US tech giant companies, which could reject publishing it for any or no sensible reason at all. You were not forced to pay 30% of your revenue to the gatekeepers of the platform. You were not banned from inviting users to buy your product in any way that works for them, even if it meant sending you checks over carrier pigeons. There were no _chokepoints_ that a single company could squeeze to further its own interests (after the collapse of IE).
PWAs on Android can be installed directly from a website…it’s awesome, less friction and less scammy than the Play Store.
On iOS you need to use the Share > Add to Home Screen which normies have no clue about. You’ll find out if the site supports PWA features AFTER you add it to your Home Screen. This of course is done entirely on purpose to make them harder to find and less appealing than the revenue generating App Store.
For me, I use iPhone entirely because Pixel doesn’t support CardDAV and CalDAV out of the box…if I can’t use PWAs on my phone then I’m going back to Android cause I can solve the email problem easier than I can solve the productivity tools not being available via PWAs.
Google should in theory have the same play store revenue motivation to hide PWAs, right? Granted, they also want people to stay on the web to continue using Google.com, so I guess those are two competing priorities.
That to me is a bit of an indicator that Apple just doesn’t believe in the merits of the technology. I think they might be asking the same question in asking: what problem is this solving?
Every platform with a web browser has a better way to run applications, which is to just run an application. A web site that is masquerading as an installed application is basically just a less capable application.
As a side note, I’m also not really sure how an app store can be considered scammier than the entire web. The web is a Wild West with far fewer “rules” than the Play Store.
Google have an interest in moving people away from desktop applications because they don’t have a desktop OS (not counting Chromebook).
We run 3 SaaS apps. One is strictly native, and the other two are strictly web. Writing for 4 platforms on the native app is an extremely expensive exercise and then we are also subject to the insanity that is the App Store. Long story here, everything from App Store review times on mission critical software to the fact that their billing mechanism simply doesn’t work for B2B SaaS… and by the way, we get zero traffic from the App Store as that’s simply not where our customers are looking for the solution we provide. Fortunately, the bulk of our customers start on desktop where we self distribute (code signing on Windows and notarization on Mac) with EV SSL on marketing sites. Why is the App Store scammy over the open web… search for any number of popular apps and look at how many have been cloned. Sure, you can do this on the web with paid ads and enough SEO effort but it’s much harder.
To this day, Apple continue to allow keyword stuffing, advertising on trademarked names, and blatant copyright infringement in app descriptions, and even I (fairly tech savvy) accidentally purchased a clone of Poly Bridge for my kid because they’ll list the clone above the real one on an exact term search. What was Apple’s response when I said I purchased the wrong app? Tough cookies!
This is the same reason I hate shopping on Amazon. I simply prefer to have a direct relationship with the companies I buy things from, and from what I can tell, our customers prefer to have a direct relationship with us.
But back to why PWAs are awesome… simply put, iteration time. We can publish dozens of improvements every day and roll back instantly when an issue arises. We simply can’t do that with native as long as Apple / Google act as gatekeepers. When we allow proper sideloading without the scare tactics and dirty tricks, we’ll take the time to build native again.
You've described some advantages to you as a developer. For the average user, apps that change all the time and effectively make them a tester aren't such a no brainer!
Kind of, it's just that the approach Google takes is a lot more palatable than Apple's. As someone who has written a PWA (albeit one that almost entirely relies on SSR), Google's PWA approach is definitely better than Apple, but there's some marked issues.
For one, the actual PWA packaging process gets shunted off to a Google server; I think you can make a "thin client" APK from a manifest using a tool they wrote some time ago[0] (Twitter Lite is one of these), but I've not really looked into it. It's not quite the extension to Chrome you'd really want it to be; if you use a non-Chrome browser on Android, it means you can't really ditch the Chrome dependency if you want to use a PWA. (Further not really helped by the fact that Google is basically the only PWA implementer on Android, since Firefox does not consider PWAs a priority whatsoever.) Similarly, Google's servers need to be able to read out the manifest declaration, which makes them unfeasible for intranet software unless you want to punch a temporary hole and expose it to the internet for a bit.
The other kinda annoying thing Google does is really aggressive degradation between PWA and homescreen shortcut. If the manifest isn't entirely up to snuff in terms of what's listed, there's no attempt at trying to resolve the issue, it just instantly degrades to a homescreen shortcut. A basic example of this is the requirement to use a service worker (even if the service worker's entire job is to do nothing); it's not really stated in the manifest spec that it's required, but if you don't have one, the PWA straight up refuses to install as a PWA.
Google's strength with the Play Store really mostly comes from their bundling advantage; Play Services and the attached Store and Google Apps are required for OEMs to add to their devices (might change with the DMA?). That's the kinda odd reality that makes Apple's desire for control seem so extreme - we know what an open platform looks like on Android. It works pretty well for the most part and the incumbent's advantage for a store is large enough that almost every app developer submits to the Play Store regardless.
[0]: It's called Bubblewrap - https://github.com/GoogleChromeLabs/bubblewrap
Google in theory has a financial motivation to make their competitor Apple look like the bad actor.
In some regards yes. In practical regards they're a threat to app store margins (on all app stores, not just Apple), so there's no incentive to truly support them other than developers being loud about it.
Because Apple has crippled the ability for you to use them, so developers can't really spend time working on them. Chicken and egg problem.
They're not really, they're twisting and turning as much as possible to look like complying but make the desired outcomes even more difficult to achieve.
Isn’t all regulation about activities, not outcomes?
If a regulator enforces a ban on dihydrogen monoxide in a misguided attempt to reduce global warming, should companies comply with the regulation or the presumed intent?
The EU is demonstrating the folly of legislating tech product design at this level of detail.
Heh! Also known as hydroxyl acid. It’s the major component of acid rain.
;)
It came out in the Epic trial that 90% of App Store revenue comes from in app purchases of pay to win games. They are not going to all of a sudden move to PWAs and on top of that, they already use cross platform engines.
You think that a technology that allows mobile apps to be developed and distributed in a way that’s secure, free and open, and platform-independent is a solution in search of a problem? Honestly?
Yes, just like every other cross platform GUI has been a dumpster fire since Java Swing all the way up to Electron.
It allows us from our webapp to easily allow a user to, e.g., pin a section of the app onto the homescreen (e.g. import photos into this folder)... really nice.
Fair call on your first point about PWA knowledge level in users. Regarding your users' knowledge of what USB-C is: are you sure your user group are not potatoes? Most people I know, including the teenage daughters and their friends, all know what USB-C is these days.
One of them was going to buy a new phone because it took a long time to charge. This was because she had a crap charger and crap cable. I am unsure if they are potatoes or not but I suspect they might be :)
I don't necessarily think it applies in your example, but I've heard some very silly reasons given by people as their reason for upgrading.
I think a lot of the time people give an excuse, or perhaps even a justification to themselves, when they really just want the excitement of a new phone. I often catch myself inventing reasons why I should replace my perfectly fine phone.
No it was 6 months old and she doesn't care about it or phones. She thought it was broken. I charged it with my powerbank, an Anker PD one, and she ordered a proper charger off Amazon. I gave her my spare USB-C cable. It was seen as a potential financial inconvenience having to do anything about it as well.
Literally many people do not care enough to understand it. It's just a modern necessity, a tool.
This is my wife. She purchased a bunch of USB-A to USB-C cables off Amazon and wonders why her laptop runs out of power while plugged in - it's because the laptop needs 25-30 watts and those cables can only put out 5 watts because they're limited by the USB-A port.
USB-C PD is such a dumpster fire of a standard. Even with supposedly high end cables like Anker you often can't charge a MacBook Pro faster than it can drain its own battery under load. We can't expect normal people to understand why there are a dozen different cable types that all have the same tip but charge at vastly different rates...
The charging speed of USB-C cables (C on both ends) is pretty much just the slow ones and the fast ones, and "slow" is 60 watts.
No.
Yes.
Every conforming cable supports 3 amps and 20 volts.
If you think something's incorrect with that, be specific. But the spec is pretty clear.
The exact details of the faster cables are murky because there's old and new versions of that section of the spec, but very few devices use enough power to care about that.
The problem is all the non-conforming cables that people have, that look exactly the same as conforming cables.
Except they were responding to a comment criticizing USB-C PD as a standard. Non-standard cables are irrelevant to that discussion.
Is the part of the GP comment I was responding to. The connectors form part of the standard. There’s no way to identify a standards-conforming cable from a non-standards-conforming cable by looking at it. They all look the same.
This applies to any kind of cable. How can you tell that a HDMI cable isn't empty inside, missing all its wires? It looks the same!
In this particular context, a "non-conforming" cable would cause troubles by starting fire or dropping voltage below usable range, not by limiting charging current. The only sane thing to do with such cables is to throw them away.
Really, we're talking about physically broken cables here. As long as there's electrical connection, there's no other way for a cable to not work at 3A/60W with USB PD. Its cable requirements only start when you want to go higher than that - and 60W is plenty of power already.
No. PD is optional in the standard.
No, all compliant USB-C cables support 60W minimum (3A @ 20V). That is the minimum baseline for all USB-C cables.
Higher power levels beyond 60W are optional. The newest PD spec goes up to 240W (5A @ 48V).
Optional in what way?
Having power wires isn't optional. The ohm limits aren't optional. And they can handle 20 volts by virtue of using normal insulation.
The 60 watt limit is for completely passive cables that don't implement anything PD-specific.
There are no USB cables that are limited to 5W, and standard non-PD USB-A ports can give you up to 15W.
The only case where you may need a different (non-passive, "e-marked") cable is when going above 60W (3A).
That's true of all things that don't respect standards, not a PD issue. If you buy a wheel and it's not up to spec it'll crack. If you buy a power cable and it has a type-c on one end and a 110/220v plug on the other, that's not going to work well either.
Buy stuff that's up to spec, and it'll be fine.
It is a bit curious that you immediately jump to PD being a dumpster fire instead of the much more immediate "Apple is a dumpster fire and incompatible just to be obnoxious".
I recently discovered that I can use my iPad and MacBook charging brick to test PD of a USB cable. If it’s low wattage, the charging brick will not provide any power to the iPad. High wattage and it will.
It can be only the charger or the cable. It usually happens when using the charger of an old phone for a new one or when buying a new cable, maybe because the one coming with the phone is too short and doesn't go from the plug to the table. Both chargers and cables usually list their compatible phones.
The more important context is the legal one, not what laypeople think.
Apple is presenting PWAs as viable alternatives to the app store in a legal context: https://www.accc.gov.au/system/files/Apple%20Pty%20Limited%2...
But now they’ve allowed alternative app stores so why are PWAs still required?
Because they have already been heavily invested in and are cross platform. Sure, Apple has already been fucking over PWAs by refusing to implement certain web standards, but they still promoted them and they are heavily used in certain industries.
Companies can quite happily hold two opposing viewpoints when it suits them. Apple's products usually have some kind of pleasing consistency but that doesn't mean their corporate dealings have to be.
In a similar vein, a startup will be very happy to talk about how valuable it is, except when it comes to talking to tax authorities, whereupon suddenly their shares are borderline worthless.
No. It is not! The law is for the people, for the „laymen“, not for lawyers.
The only PWA that I think gets any use on i(Pad)OS is that for the Financial Times.
It’s just iOS and macOS.
I thought that was gone but you’re right, app.ft.com still works and can be installed as a full screen PWA. But the main site, ft.com, isn’t a PWA (or at least, it doesn’t install as a full screen web app). I had assumed they had shut down the PWA, because I haven’t seen any promotion/mention of it for years (and I use ft.com a lot) so I don’t know how regular people would find out about it these days.
You’re right but a lot of that has to do with discoverability and the lack thereof on iOS. On Android you can show an install prompt via the browser or even package your PWA to be distributed via the Play Store. On iOS you have to do a strange incantation of “sharing” a web page to your Home Screen via a submenu. It’s utterly unintuitive so it’s not too surprising that most don’t.
I think it's pretty feasible for a web app (assuming the user trusts it) to prompt a user and explain how to add it to homescreen from iOS Safari. I can imagine, and think I've seen in the past, a nice-enough UI flow to get people to install a PWA. After explaining the benefits, you have an "Add to Home Screen" CTA button. When the user taps that, if it's iOS Safari, you pop up a modal that visually explains the two steps required, which are (1) tapping the button at the bottom of the screen, and (2) tapping the "Add to Home Screen" menu item. (OK they need to do one final tap on 'Add' to confirm the title, but most users who've got this far would manage that on their own.)
I agree that's not as good as a native install prompt but I don't think it's a strange incantation/utterly unintuitive. I know that icon originally meant 'share' but these days it means a wider range of things - basically "take this thing somewhere else".
It’s definitely possible, I’ve done it myself in the past (it’s still very annoying owing to the different position of button on iPhone vs iPad) and the analytics show some users get it. But as compared to “find us in the App Store” it’s night and day.
It’s also a very inconsistent experience: some sites have set themselves up as fully featured PWAs, others have made no efforts at all. Both get the same button.
OH (frequently):
- hey I need to top up, do you have a phone charger?
- yup, which kind?
- not "an Apple"
- oh, so USB?
- yeah the "standard" one, not the "new usb"
That said, I'm surprised many do know about the literal "usb-c" term. Micro USB A though flies over their head, it's "small usb" or "standard usb" every time.
Of note: EU here, and while they by and large don't know about the EU standardising stuff they did notice the effect. I've seen a few refer to USB-C as "universal one" (largely coz it works the same for both phones and laptops)
With my friends it's either "USB-C" or the "round USB". Maybe it's already too old to be referred to as the "new USB". The old one is definitely the "old USB" or the "not round USB".
So what's a Home Screen Web App in this context? Is it adding a bookmark to the home screen (you open it, and it opens in the regular full iOS Safari), or something else?
Going on a slight tangent: I do get many clients inquiring about PWA because "they don't need to pay 30% per purchase". This is anecdotal, of course... they wouldn't be able to tell you what it is, but all they care about is that they save 30%. So there is definitely "interest" in PWAs.
Correct on it being a tech industry viewpoint— people think "apps come from the App Store" and therefore anything else that's clunky requires a fair amount of education and payoff for users to adopt.
It's off balance, and it shows now that the tech has to be removed since it wasn't actually at parity despite it being an argument for it unfortunately.
The worst part? This has been the case for 15 years. It's not like there wasn't enough time to fix it. That's plenty of time to hire and develop solutions, yet now look at the reasons for it being taken away.
So are PWAs really popular on Android?
I think the advocate retort is that lack of support on iOS makes them a nonstarter for developers on all platforms. I think this argument is more of an excuse.
Right, Android has something like 70% global market share. PWAs aren’t popular because they don’t really benefit developers/businesses. They also don’t offer any advantages in user experience over a native app. Apart from the economics, there’s no developer friction advantage since you can use something like React Native and deploy anywhere.
The kind of deep user information you can gather by installing a full blown app compared to a more sandboxed web app is worth way more than the 30% royalty cut.
There is great value in building one product instead of three.
What kind of information is that?
Great value to whom? The only value I've ever heard of that made any sense at all was "saves me money and lets me change things and publish them faster" and that (as other commenters have said) is a developer / manager value, not a user value.
Developer value is totally user value. The developer "changes things and publish them faster" for the customer, it's not a hobby.
It's tempting to think so, but IME users download apps to get things done more than they want to "ooh" and "aah" over an app's UI changes and I've been an app developer since 2009. It's all too easy to push out someone's pet feature (or something to buff up someone's resume for their next job) and if it's a speed-focused company it's a coin flip whether there is someone acting as the gatekeeper to keep that kind of nonsense out.
70% of market share isn't the important part, it's what the share of potential revenue is. And it's well known that iOS has more revenue per user.
I can’t believe Apple is holding back my vision for a resurgence of COBOL apps. If only Apple would support native COBOL apps, surely Android would follow and the world would see peace and prosperity forever. /s
This is a trite argument that hasn’t been true ever since Jen Simmons joined Apple in 2020 and changed the course of Safari significantly to the point that PWAs not only are viable, they have been given feature parity with native apps on many fronts.
Simultaneously, the argument completely bypasses the fact that install rates of PWAs are abysmal on any platform. Whether it be iOS, Android or Windows.
Contrary to what PWA developers, industry organizations and other stakeholders proselytize, PWAs aren’t the second coming and the next best thing since sliced bread. At least not when it comes to install rates.
Edit:
Don’t get me wrong, I’m sure they’re great as “websites”.
Lord knows people who sell PWAs[0] love to brag about bounce rates and conversion rates and what not. But there’s a reason why you can find barely anything about install rates other than some vague statistics about individual unnamed PWAs[1] or PWA sellers[2] talking about obviously bogus 10x and 3-5x install rates, and it’s not because the PWA crowd is too shy to brag.
0: https://www.pwastats.com/
1: https://developer.chrome.com/blog/pwa-install-features
2: https://mobsted.com/pwa_vs_native_mobile_apps_install_rates_...
That's kind of the point, PWAs don't have parity on any platform, but Apple's platforms are the only ones where it is being positioned as a legitimate alternative; Android has "sideloading", Windows has REGULAR loading. It doesn't matter who joined Apple when and did what, PWAs on iPhone are not like native apps, it's not even really close. It's good that this pathetic line of argument wasn't much of a deterrence for the EU.
What people want isn't PWAs, they just want the kind of capabilities that computers have had for decades, including many of Apple's current computers for sale today. To be able to install an application and run it.
That’s not true, nor what I posited. PWAs have almost all the native features, if not all, depending on the platform. Plenty of “pro-PWA” people go out of their way to demonstrate this[0].
I’m talking about install rates and usage by end users in a way similar to using a native app.
Whether you agree on parity or not, you seem to concede that PWAs aren’t wildly adopted the way native apps are.
As such, it makes sense that Apple wouldn’t want to waste engineering resources on it by rewriting the underlying architecture, which is the topic at hand.
That in and of itself ends the debate.
You then go on, OT, about whether Apple should or shouldn’t position websites and PWAs as legitimate alternatives.
Saying:
Specifically, Apple states[1]:
An alternative isn’t, as you seem to imply, an identical option; instead, it is simply understood to mean a different choice, usually a choice different from what is usual.
One might say, "In the absence of a better alternative, we’ll have to proceed with our original plan.” This use in and of itself implies that one option is better than another, thus not identical.
Whether something is “legitimate” or, more specifically, a “legitimate alternative” entirely depends on the person making the consideration and the value judgment they make based on their needs and wants.
I might consider soda a “legitimate alternative” to coffee because I’m just looking for a beverage, whereas a different person might not deem it a legitimate alternative. After all, they are solely interested in a warm beverage.
With that in mind, I consider web pages, particularly PWAs, a legitimate alternative to native apps because most native functions are available to PWAs on iOS. You might not because your need might be one of the few things PWAs can’t provide.
That doesn’t make it a bad-faith argument on Apple’s part; they never claimed that PWAs are an identical option to native apps via their App Store. They offered up an alternative that can provide some, if not most, of what a native app can provide.
You continue with your OT by presenting a false equivalence
It’s a false equivalence because neither Google nor OEMs present sideloading as a legitimate alternative; it simply exists, but it’s not promoted as an alternative option.
Google specifically likes to write copious amounts of words in blog posts[1] and whatnot, talking about how great PWAs are while wearing their Chrome hat. Meanwhile, the PWA experience on Android is marginally better than that on iOS, provided you use Google’s browser. Where is your indignation for that? They’re promoting PWAs harder than Apple will ever do.
For that matter, Microsoft also doesn’t call “regular loading” a legitimate alternative, so again, your equivalence makes no sense.
Of course it does; if you don’t go OT, that is. Whether Safari is or isn’t suitable for PWAs is essential to assess if PWAs are used in meaningful quantities.
If someone posits that Safari doesn’t properly support PWAs when that isn’t true, like GP did, then it’s important to point that out and provide context on when that changed.
It doesn’t matter to you because you’re having an entirely separate discussion.
Yes, they are.
As stated above, they’re not identical, but they are similar to, or if you prefer, “like” native apps.
This is a value judgment because it requires that you and I agree on the definition of “close.” I argue that they’re pretty close because they can do about 90% of what native apps can do.
Let’s keep it classy and within HN guidelines.
Hence, the low install rate of PWAs and why it’s not weird that Apple didn’t decide to spend engineering resources on rewriting the underlying architecture for PWA installs.
Again, that, in and of itself, ends the debate.
I’m not sure what you base this on.
From here, it looks like you’re projecting your own wants onto the average iPhone user base at large. Do you have anything that expands on how many iPhone users share your vision?
The commercial success of iPhones suggests that not many seem to care for this.
I suppose alternatively, you could argue that the fact that Android dominates globally indicates there is a demand for this in the smartphone market[2]. Still, the obvious question then becomes why those iPhone users wouldn’t just join in Android’s dominance and switch over, particularly those who feel so strongly about this that they’d spend their time online lamenting its absence.
0: https://whatpwacando.today
1: https://developer.apple.com/app-store/review/guidelines/#int...
2: This is simplified, of course; one feature wouldn’t be the sole driver of Android’s dominance
I'm not going to go point by point on this one, but I do have some remarks. I am not "projecting", I own multiple Apple devices, therefore, I am very well within my right to talk about what I want as an owner of Apple hardware and on behalf of likeminded users, even if people on Hacker News don't like that fact as is evident from time to time. Wanting "sideloading" aka regular loading is not wildly off topic, it's literally MORE on topic than PWA vs native app parity, which is really not relevant to the EU DMA compliance issues at hand. And on that note, of course PWAs do not have parity with native applications. They're quite a lot slower, for starters. Is anyone shocked? No... it's not weird that it is much slower when you are going through WebKit instead of native APIs like Metal, in WebAssembly and JavaScript instead of C and Swift. That's disregarding the fact that both policy-wise and in what APIs are available, clearly PWAs have significantly more limited access to integrate with their host platforms, which again, is hardly surprising for glorified bookmarks.
web apps are websites with standalone
the name "install" is bad and the wording is NOT a web standard, NOTHING is installed
the question is web capabilities
one core capability is caching and offline via service workers
no need for "install" for this
"installing" a web app does not even need anything anymore, not even offline or service workers... it is ONLY switch to standalone and get a launch button or be integrated into app launchers on OS
behind "install" is a bad and immature web app manifest api, it is a draft... the wording install must go
it is one of MANY possible web capabilities for a web domain to be able run standalone and get a button
apple cannot ban this since a shortcut to chrome cannot be deemed unsafe, where then CHROME decides to run standalone or not
the real problem is NOT that safari kills standalone
they try to kill a lot of web capability, like service workers, and NOT JUST FOR SAFARI
I mean this will not stand, you CAN stay apple-level-safe (whether it is more or less than other platforms) by CHOOSING safari
it is an obvious CHOICE to be granted to trust google, mozilla or microsoft and their web security model to stay safe with THEM on the web
no argument why this should not be allowed if other native apps are allowed
and come on, even mac os is safe with service workers in chromium
I recommend that everyone interested in this topic read some of the comments from PWA developers at: https://bugs.webkit.org/show_bug.cgi?id=268643
Apple’s decision is going to kill businesses and break apps used by hundreds of thousands of people in Europe, many of whom are healthcare workers delivering patient care.
Patient care apps as PWAs? Yikes.
Patient care apps as native blobs for selected platforms? Yikes.
What's unusual with it? I even do my online banking exclusively via web browser.
What's the concern here?
From Apple’s PoV, PWAs don’t earn them any money, aren’t forced through review by Apple, and decrease lock-in. There is no incentive for Apple to support PWAs.
So it is now their fiduciary duty to enshitify the web? Nice system
Enshitify ChromeOS actually.
That cringe neologism refers to shifting from making money by delivering value to users to making money by exploiting the user base.
How do they know low usage if there is no download from Apple?
Because they know what’s on your Home Screen if you enable usage analytics?
Most likely telemetry in iOS itself. iOS knows when users pin web pages to the home screen, and iOS knows each time a user taps on and opens those pinned web pages.
It's functionality to add an arbitrary webpage. What exactly are you expecting them to "provide"?
So why is there also low usage on Android?
I don’t know if this is ironic given that Apple originally didn’t want to support native apps and gave in due to developer demand.
Apple both did and didn’t want web apps
Seems like an OS problem. They should fix that.
Or they could just not.
What's the benefit for you as a user to side with Apple on things like this?
Looking at these things as sides is a mistake. Instead of just being tribal, it's better to look at positions on their merits.
I've been asking these people for the merits of Apple's decisions for years, and all I ever get in response is "Apple knows best, I don't need these features."
That seems like a perfectly reasonable argument on the merits. What user actually needs web apps? What's the market for apps whose developers can't stomach a $99 developer fee and/or with functionality not allowable by app review?
Well shit, what user needs an app store to begin with? It was never about need, it was about what they could convince users to put up with.
Why do you think an app store isn't something people want, rather than something they put up with? What about the pre-app store world made it the one preferred by consumers in your mind?
Because it seems to be that way on MacOS. On Mac, the App Store is absolutely useless and exclusively something people do not want. It does not distribute the software users want, it charges them extra fees, and limits the type of app you distribute.
Judging by every single professional Mac user I've met, circumventing the App Store is a functional necessity for some. Most of them absolutely "put up with" the limitations and issues of MacOS.
The freedom? The cheaper software? The stronger OS security models and lack of social-manipulation-as-a-security-feature?
If the post-App Store world is so great, people will keep living in it even when alternative stores exist. I suspect that most users will not give a rat's ass about convenience if there's a 30% cheaper subscription elsewhere.
I hope you realize the irony that this is just your personal view on what is reasonable and what is or isn't a merit. I don't see the point in bullying someone who is simply expressing an opinion - which happens to be anti-Apple - and one which makes a lot of sense to me.
How do you do this when any value a "merit" could have is based in this dichotomy of vendor/user?
It's not based on that, as far as I can see. Saying "browsers are extremely complex from a security perspective and we will only allow the one we made on to our platform" is in service of making a better product.
You might say that that's not true, and browsers are easy to secure, but that would be arguing the point on its merits. Not on the tribalist lens you're seeing this situation through.
Apple has a decade+ track record of making devices that I really like. (At several points I’ve compared solutions across the market).
Instead of siding with Apple, why would I side with anonymous and random internet commentators who have never made devices I want to buy?
It is definitely odd to outsource your moral principles based on which mega corp you opened your wallet to.
Morals? You think you’re some kind of righteous crusader?
I’m talking about toys and gadgets. The ability to view memes.
If that's your use case, then great!
My iPhone connects me to my government, my bank, my school, my family on the other side of the world, my portfolio, and perhaps most importantly; critical safety services (local avalanche forecasts in my case).
You can be damn well sure I'll be passionate about how it's controlled, and what capabilities the manufacturer is derailing in the interest of record profits.
(For clarity - I'm not the person you responded to, but this is HN so I thought I'd chime in on why some people are so passionate about this so called "toy")
You opened your wallet to the same megacorp. The only difference is you're sitting on your high horse for some reason.
I don't care about PWAs and would generally prefer companies not have the option so they can't try to push me into one. Anything that makes that less-viable is good for me.
I wish Apple'd held a hard line on the "no apps that should be a web site" rule(s) for similar reasons. Alas, they did not.
I agree. My experience with PWAs is they are usually a downgrade from a Safari bookmark... they are created to benefit the provider, not the user, by taking away browser abilities from me (back, forward, copy url, etc).
Pretty simple: I like the way Apple does most things. I'm rarely disappointed by the culmination of all of their decisions. I'm frequently disappointed with how other companies do things therefore I don't want their disease to spread to things I'm perfectly content with.
I couldn’t put my feelings into words but this sums it up fairly well. Apple, for all their flaws, typically creates an outstanding product from a security, privacy, and general end-user perspective.
At the end of the day, Apple has earned my trust to make choices that maybe aren’t the most “open” choices, because usually they end up being the best experience for me as an end consumer.
Please drop the tribalistic vitriol and be an adult about this. The statement is “or they could not”. It’s factual. It’s what Apple did. It’s not a religious stance.
The question was "What's the benefit for you as a user to side with Apple on things like this?". There's no vitriol there. Jumping to the defense of a trillion dollar corporation seems religious or at least tribalistic to me.
And lest I be dismissed as a hater, I currently own five Apple computers, an iPhone I've upgraded every year since they came out, an iPad, a watch, and a virtu^wspatial computing heads^wdevice. But that's because of the transactional value they provide, not because I believe Apple loves me and has my best interests at heart. They love my money and that's where it ends.
I use several PWAs and I will be very disappointed if this is the stick Apple uses to close the window on this short period of time where we had a reasonably interoperable standard for making "apps" using web technologies. I can run Elk in a browser, but it's suboptimal.
He's not necessarily siding with Apple. He's pointing out they don't have to do that.
The sides in this debate are: Apple, Chrome advocates (with a little bit of separation), and the EU. It's not that perplexing to choose the first.
There are lots of things that Apple could do to benefit me that aren’t reasonable.
Advocating for security and user privacy protection.
A seat at Steve Jobs' table in the lunch cafeteria in he...aven?
The fact that Apple controls the entire stack means that they can provide better guarantees for security and experience and also make optimisations that are difficult or impossible when integrating 3rd party software.
There's little benefit to the user for many of Apple's design decisions; that seems like an odd way to predict their behavior.
boots taste good and these kids are too young to recall why any of this matters.
They could develop APIs to support alternate browser engines but could not allow them to install sandboxed web apps on the system? Like all other OSes do, including macOS?
How surprising.
Are not some of the changes in the EU so that people won’t have to rely on Apple’s APIs?
The whole point is that doing so would privilege safari over other browsers, which is illegal.
Of course they could. They looked at the cost of rewriting the entire integration and framework for running PWAs and said, "eh, nah."
They'll have to allow some kind of app installation API to allow for alternative app stores. If Google implements some kind of WebAPK technology on iOS, they may just be able to launch a Google Play for iOS to work around these PWAs as a workaround, and Safari will be down a feature.
I have the feeling Apple is betting on Google not caring enough about the PWA platform to try to compete. Maybe they're right, but if they're not, they're only making the browser wars worse for themselves.
My guess is it's easier for developers to throw their website into Cordova than to start paying Apple a Core Technology Fee and convince users to download an alternative app marketplace to support what is effectively a differently packaged Cordova app.
I don't think it's about Google, I think they assume consumers won't care, and they're probably right.
Spend money to lose money, not a great investment in their eyes.
TLDR: We did not want to give other browsers too powerful apis to compete with Safari & App Store.
From the (admittedly little) I know about how iOS handles security and the speed at which they responded this sounds like a pretty credible explanation to me. What makes you think it isn't?
Because that's literally what it says when you really read into it? They acknowledge that 1) Safari already has all the integrations required to support PWA securely and that 2) they can't be bothered to provide the same APIs for third party browsers because it's not "practical".
They built their PWA support in an anticompetitive manner assuming App Store & WebKit would be a monopoly forever, and now as a result the baby is going out with the bathwater.
This is why I purchase iOS devices - ultimately their closed garden provides a smaller attack surface, clearly evidenced by the comparative (to Android) cost of exploits on the black market.
I cannot see this as anticompetitive. If you want open, you have that choice in Android.
I'm sorry to say the EU regulators disagree with you on that.
We noticed! I’m not thrilled about the decision.
If Apple doesn’t support PWAs then PWAs stop being a viable method of app deployment - killing the platform outright. That’s anticompetitive.
Only if you give a damn about PWAs. Evidenced by the fact I have none on my phone, and don't feel the need for any either, I'm fine with them being out.
"Hey PWA, don't let the door hit you on the backside, on your way out".
The browser is just about the most vulnerable attack surface on any computer. Using it as a general-purpose application host is nuts, IMHO.
This is exactly my feeling too. I don't want the platform to open up more. I left Android because I wanted to make fewer decisions about my device, and to just think about it less in general.
Also, Safari is a non-Chromium-based (though still related) browser which developers are forced to support because it's the only thing allowed on iPhones. Most users aren't going to install Firefox on their iPhone, they're going to install Chrome, which is just going to make Chromium's market dominance worse.
I know it's used as an intensifier, but this feels like a particularly bad place to use "literally" that way.
Not really sure how to respond to this. An airliner already has all the controls required for being piloted. Why am I not allowed to pilot my next commercial flight?
But my more serious point:
Why are you glossing over "practical" there and putting it in sarcastic quotes?
This sounds like a huge change in the security model given how tightly Safari is integrated with the rest of iOS. Heavily restricting permissions and sometimes functionality to prevent security threats is very consistent with what I've seen from Apple in the past (and is one of the reasons I prefer them).
Even if they intended to open this stuff up, I can't imagine this is a change which wouldn't require massive changes to iOS and a long review and testing process.
They built their PWA support for the architecture they've had since the iPhone's release. Why should they have wasted time building affordances for a world in which they were forced to support other browsers?
What kind of ridiculous "argument" is this? Am I putting hundreds of other people at risk by installing Firefox on my iPhone? The fact remains that the EU in fact does intend to put you in front of the airliner's controls. You can of course choose to turn on autopilot and keep using Safari.
Guess what, "tight integration" of Internet Explorer into Windows for whatever technical reasons was not a favorable argument for Microsoft in front of the European Commission either. Lack of foresight to design open systems is not an excuse in front of the law.
Certainly it’s an extreme example, but yes, giving people the ability to install other browsers and app stores is increasing their risk. This ruling makes it possible for some companies to decide to only allow their app to be installed through an alternate app store, which won’t necessarily restrict malicious code in the same way.
But it is increasing _their_ risk. That's the massive difference from your example. Installing other browsers and app stores is increasing _your_ risk
Flying a plane badly risks the lives of your passengers, the lives of people on other planes, and people in the nearby area.
Doing whatever you want with your phone doesn't risk other people's phones.
They built their PWA support with assumptions about how the application, OS, and WebKit were going to run. That's like saying, "Oh, Microsoft didn't build an API layer into Windows to support running X11 apps side by side with Win32 apps, so they were being monopolistic." No, you have limited engineering time and you make engineering tradeoffs. You don't need to design an interface layer and API and hooks between system components if your design doesn't call for it or doesn't need it.
They built it in such a way that it was sustainable and sensible for the time it was made (iOS 2.0). That's a really long time ago in the software world. More than a dozen versions of the OS have been built on top of this. Saying "they should have just figured it out back then" is completely ignoring the reality of what was offered by the OS and the mobile space entirely at the time.
Now laws have been passed that say "you must provide alternatives." OK. They can choose to spend an ungodly amount of time refactoring the OS to undo 16 revisions of the OS of assumptions for zero benefit for the company, or they can say "Sorry we can't comply with that for your market."
It sucks. But it's a result of reasonable business decisions and their evolutions from a significantly different era.
No, it's saying that they shouldn't have designed an operating system with no support for other browsers (unlike lesser known alternatives such as "Apple Mac OS X") in the first place and that you shouldn't have any sympathy when such an anticompetitive technical design and behavior blows up in their face.
Support for installing progressive web apps was added in iOS 11 [1], released in 2017. This is decade(s) after Microsoft was dragged to court in the US and EU for similar behavior with Internet Explorer. Of course being the authoritarian company they are, Apple would rather dig their heels until the bitter end instead of just doing the right thing.
Sorry, but the rest of the mobile space did figure it out at the same time. All of the things being debated in this thread simply just work on any Android phone and Google Chrome or Mozilla Firefox in a secure manner. I'm so tired of this reality distortion field.
[1] https://developer.apple.com/library/archive/releasenotes/Gen...
Have to agree (disclaimer, haven't been an iPhone user since the 4). Suddenly allowing all browsers to have those kinds of native permissions, even with massive testing, sounds like a security nightmare. You're introducing an entire extra dimension for security holes, given how much trust people place in their phones.
This doesn't sound at all the same as allowing other engines for use inside browsers, based on both Apple's defense and the take-downs on them.
Browsers support PWAs on the desktop platforms without there being a security nightmare, and while I'm sure there are some permissions that could be a problem, things like the camera and microphone are managed on the desktop without issue.
Is there some flaw in iOS that makes it harder to secure than the desktop?
They know that giving too powerful APIs to other browsers will kill their marketshare and competitors will build a better product in a free environment.
iOS was never conceived of as something which would run arbitrary code that could access system-level data (the siloed data). So basically the situation exists by design, and in order to achieve security when enabling PWAs from other browser engines, they'd have to add another layer of security that currently doesn't exist (since they never had to trust anyone's code but their own).
So... yes, there is apparently a lack of security there, but that's because the layer in question was never intended to be anything but proprietary until this ruling.
I think this is an extremely cynical interpretation.
I think any other interpretation is extremely naive.
Could you explain why?
Naive people accept at face value PR speak. Unwilling to look past that and look for other ulterior motives, even less charitable ones, would pretty much be textbook naivety to me.
I didn’t ask because I think someone should take a company’s word at face value.
I asked because the thing this company said in this particular instance aligned with what I’d heard from other (independent) parties and I wanted to know why this person seemed so sure about that being wrong.
Naive people also forget the best lies have some truth woven in.
I don't think believing why the most valuable company in the world with the highest and thickest walls around its garden, and a track record of not playing nice with others, is doing this, requires much explanation except that they want to kill the possibility of anyone bypassing the toll gate to the said garden.
Apple could support PWAs and enforce the same Core Technology Fee they do on them as they do for 3p distributed apps, so this argument makes no sense.
Apple has no way of enforcing any kind of platform fee for PWAs since the developer does not need to interact with Apple at all. This financial conflict of interest is why the availability of the full PWA feature set is desirable to developers and undesirable to Apple.
Because accidentally this move will make more money for Apple. (Follow the money.)
tbh, I thought the summary in TechCrunch was much easier to read and concise.
Couldn't this be entirely solved with an OS permission-like prompt "are you sure you want [progressive web app name] added to home screen?"
You don't want random processes firing off permissions prompts, you want them to remain meaningful to users on a platform else they'll get prompt fatigue. Think of all the prompts users see and just press 'ok' to.
Heard. But we're going to entirely eliminate all PWAs because there might be an additional prompt added? Seems excessive/specious to me.
It's not one additional prompt, it's a class of prompts that could be exploited over and over again. A single site could trigger hundreds by sites popping up in the background each which trigger it, and then the user's home screen is full of fake PWAs with names like 'save money' 'in debt?' 'casino cash bucks' etc. Next you're developing mitigations, spam cleanup, etc. We've gone through this kind of thing before.
If that's a real potential problem, why doesn't this already happen on Android?
Why would this be exploited on the relatively small marketshare platform that is iOS, when in all those years this has not been a problem on the dominant platform?
Because it's not a real problem.
You mean like this? https://www.tomsguide.com/news/hackers-are-using-a-new-trick...
This stuff is part of the reason people commit to the Apple ecosystem despite its shortcomings.
While Android dominates globally, iOS has nearly 60% market share in the US and some other countries.
I don't think that's right, I think Apple dominates the US because they're genius at marketing and design. You don't have to build something more secure, you just have to convince people you did.
I'm not especially aware of this particular thing, but sending an SMS with a link to a web page that asks to install a PWA seems to me like it would work on any platform that allows PWAs, irrespective of whether PWAs are restricted to one rendering engine or not, and totally unrelated to the exploit outlined in the post I was responding to (about a somewhat unclear process to me, that would open sites in the background, sending prompts to the user and somehow automatically installing many different PWAs this way).
What we are talking about is specifically targeted at the EU where iOS represents about 30% of users, and doesn't apply to the US. So it's unlikely that scammers would just hold off from exploiting Android and wait for the EU to force iOS to allow different browsers, and only then exploit this class of vulnerability.
The user would get rid of the app/browser that is doing this, no? The same way they would have to for any malicious app that persistently requests a special permission?
I'm guessing you've never had to clean up a relative's Windows machine. I wish I could say the same.
Yeah ideally. Given there are nearly 1.5 billion active iPhones tho, a lot (100s of millions) of users aren't going to understand the relationship between the prompts and the browser and/or know (/know how) to uninstall the browser and/or have desire to do it at the moment they experience the problem, especially if the browser has other qualities they like. Many more would just blame it on themselves, ignore the problem, etc. These users may make up a plurality or majority of iOS users, and have a totally different experience from a technical user working on a desktop OS (HN crowd).
Are you sure we can't have additional plugin toolbars for Safari? Maybe have one or two that tell us that we can get paid to surf the Web, and a couple of others that definitely don't show popups?
"Yes, allow install (this time)" / "No, don't allow install (this time)" / "No, and never prompt me again"?
iOS has been doing something very similar and it's arguably worked pretty well.
I guess that's why they say that "would require building an entirely new integration architecture that does not currently exist in iOS and was not practical to undertake given the other demands of the DMA and the very low user adoption of Home Screen web apps"
Personally, I'm not concerned with the costs of an EU mandate on Apple for interoperability but that could just be me.
You've not been asked to be concerned. Apple is saying what their reasoning is, and you can believe it or not, but you don't have to feel pity for them.
Apple is just playing PR games trying to get their cult followers to rage against the DMA which Apple hates having to follow. So yes, people are being asked.
Well, this is just 'we don't want to do it because our market projections steer us in a different direction, but we really don't have any solid arguments so here is some blah our marketing & legal came up with'.
3 trillion company can implement this without breaking a sweat properly if they cared, what are they trying to say here - 'we are incompetent'? Not buying that for a second, we know they can deliver.
More like "that pesky EU is forcing us to behave like a normal company and we don't like that. Let's punish the users in hopes they'll revolt"
So, as an abusive stepparent, you run the "Spy on Me" PWA on your stepdaughter's phone, and click the permission dialog, and she's none the wiser. Do you think that's great?
Apple does not.
If you're an abusive step-parent with access to your daughter's phone, you can already install "Spy on Me" software in the form of regular apps, a PWA changes nothing here.
True, but in the regular app case apple gets its cut.
You can already do that with apps
Sounds like the type of dialogue message I got sick of in Android
Thanks for posting that. I'm no iOS expert but it actually sounds like a pretty reasonable explanation. It's at least good to hear Apple's side here, and more knowledgeable commenters here can weigh in as to whether it really does seem genuine.
Sure it's reasonable ... because of course all these browsers don't have a security model and just allow web apps to do whatever they want.
This is essentially saying no-one can build a secure browser.
I know at least Firefox has per-site permissions for location, webcam, and microphone access. Is it a correct interpretation that Safari on iOS does not have this feature?
Their argument was they want the system (iOS) to enforce those permissions, not browsers on behalf of apps they've added.
Ideally there should be both browser-level and OS-level controls. Reduces the chances of things slipping through the cracks and it limits the blast radius in case a browser vendor can’t get a hole patched up quickly for some reason.
Safari has those features.
Nobody can build a secure browser.
Truer words have not been spoken! Maybe only second to nobody can build a secure baseband.
Security is well achievable, absolute security is not. Somehow almost everyone seems to grasp that intuitively, but a subset of IT keeps pretending they're the same thing.
I don't think they're saying that. I read their statement more like "someone might build an insecure browser", which isn't that invalid a concern I think. I'd like Apple to be a bit more daring and just open up those APIs too, but I kind of get their incentives point the other way. Apart from some landmark design decisions, Apple is an extremely conservative company, and stalling on an issue like this is just what such an org would do.
But they already give the "insecure browser" access to display web pages, access the camera etc. They just don't want "runs best on chrome" PWAs eating their app store cake.
Nobody but Apple has experience building a secure browser. [1]
[1] On iOS.
No, it’s saying they’re being forced to support at least one insecure browser which would affect the security of an obscure feature so they’re removing the feature.
It's a massive blow for PWAs. There are a lot of corporate apps that are PWAs as the app stores do not really support "private" distribution of apps (other than via MDM-based solutions which don't work for use cases where you don't control the users' devices). Furthermore, by forcing the apps to load in a browser tab (rather than as a full screen home screen app) it breaks the support for push notifications. In my opinion this is malicious compliance.
So much this. I am the author of a barcode scanning library for JavaScript, my customers are mainly SMBs running in-house apps, and they love frigging PWAs.
- No App Store review
- Full control of distribution channel
- Instant deployment from CI/CD
- Single codebase
- Easy to source developers, even in-house
- No administrative burden from having to maintain accounts at Apple/Google.
Adding to home screen is important for non-technical end-users to recognize it as an "app" and not a "website".
How is this even possible? It's shocking that these APIs even exist for any browser to use.
I assume you mean the "read data from other web apps" part. That'd be because there's (presumably) not a system-level way to launch a third-party browser in "web app mode", with all data siloed off per-PWA. Thus the only way they could currently make web apps work would be to launch the third-party browser and trust that it silos everything adequately itself internally.
Apple could add a bunch of new APIs to support this case for third-party browsers. Presumably there's something equivalent that's being done for said web apps currently in Safari. But they're not wrong to say that there's not an existing system in place that said third-party browsers are already written to use. (And, you know, they're clearly not invested in trying to make this law succeed.)
The bunch of new APIs might just be a containerized copy of the user's browser? Seems very easy.
I think there's a lot of edge cases, and just spinning up an entire new data container for iOS Chrome and launching a web app inside it would probably make Chrome very confused. (It wouldn't know to hide its normal tab/browser UI, to not nag the user about logging into their google account, etc.)
Like I said, Apple could totally make APIs so that Chrome could know it was being launched in a container with data isolation and should behave as a web app. Google could then adopt those APIs, with the alacrity that it's famous for showing with new iOS system APIs. But the behavior Apple is implementing here is probably how any default-browser that hadn't yet opted into those new APIs would have to behave.
(To be clear: I think Apple is being petty here by not having those APIs announced. But "we're going to regress everything to bookmarks" is probably more DMA-compliant than "things are better when you use Safari, and we promise we'll extend that to other browsers someday".)
Bookmarks are superior to PWAs, anything that reduces the spread of PWAs is a good thing in my opinion.
Currently Safari on Mac copies over login cookies and data directly relevant to the site and nothing else when installing an app as a PWA.
This strikes me as the way to go, there’s no good reason for anything else to be copied and it reduces the amount of data that integrated privacy-compromising ad and analytics services can readily glean from users.
https://www.theverge.com/24054329/microsoft-edge-automatic-c...
Ask MS, they already did it.
This is completely irrelevant to the discussion, there is no sandboxing on PC.
iOS and Windows’ security models are not remotely comparable. I can’t imagine that you’d be making such intellectually lazy comparisons if it wasn’t in the context of some perceived holy war.
I didn't read the article, but to me it sounds like Safari's security mechanisms need more work.
Safari is fine.
Other browsers would have to be trusted, Apple doesn’t have a mechanism to ensure that they do what they’re supposed to.
So until they have time to add one (remember they already had to create all the API‘s for third-party browsers to use), they’re not allowed to give Safari preferential treatment. So they had to remove the feature.
What an absolute crock of shit. Someone at Apple must be feeling really, really pathetic lately. Why can't they just get over themselves and actually deliver a useful product instead of trying to achieve cult status?
I dislike how Apple is evolving as an evil corporate, but they seem to have a real security and privacy concern on this issue.
I completely understand that companies will defend their own business interests. But the extent to which Apple has been leaning on spurious security arguments in order to do that is really starting to damage their reputation and in fact the security of their platforms.
Clearly, they're just making a point here, hurting developers and users just to spite a regulator.
What they are signalling to me as a developer is that mobile devices are just not a reliable platform. Better do as much as possible on the server.
I usually do not like these moves from Apple. For example, I strongly dislike all the new guidelines they added to comply with the introduction of alternative payment systems.
However, I'm on their side in this case. I run a business. If having a feature comply with some regulation meant implementing a whole infrastructure I don't have to serve a minority of customers, I would also abandon the feature.
Apple isn't just any business though. They are a multi-trillion platform company. I expect them to prioritise backward compatibility over spiting regulators and over itemised profitability considerations.
They could have implemented this feature securely but they chose to use the opportunity to make a point instead.
Evil does indeed lead to real security and privacy concerns.
That's always how they spin their FUD. They already have an app sandbox in place for all of their apps. Sideloaded, PWA, or not.
Just like they had when asked to support alternative browser engines, but the DMA formally mandates it, so they did comply and allowed them.
All other OSes support web app installation from any browser, including macOS. This is a lot more secure than installing any native app.
This is just Apple spreading FUD as an excuse to keep preventing web apps from competing with native apps.
I've been thinking about this and I think Apple has two motivations.
1. The DMA is striking at the heart of their revenue model by targeting the app store. Tim Cook testified before Congress and said that Apple would be "giving up our total return" on their intellectual property if they did not monetize the app store aggressively. So my read is that this move is intended to prevent a shift to PWAs as a way to get around the new policies.
2. Legislation like the DMA, if successful, could spread to other countries, much in the same way the link tax spread from Australia to Canada. I think Apple has an explicit goal to make this legislation as painful as possible, for both the legislators and the citizens, so that other countries do not attempt to pass similar laws.
There was a time between 2007 and 2011 where I bought Apple computers and was a big fan. These days, despite the very cool new processors Apple has released, it's very hard for me to see them as anything other than antagonistic. What a fall from grace.
The technical justifications are bullshit.
They simply could ask browser vendors to follow strict rules, that they can check themselves. This is not like they would have to verify dozens of browsers every day. Only a few per month, tops.
They are not saying it is impossible, only that they have not done it. How long do you think it will take to spin up such a review and certification program? How much will it cost, and how many sales will they lose because of the lack of this feature in the EU?
There will already be a review and certification program for third party browsers that want the required entitlements (https://developer.apple.com/support/alternative-browser-engi...), so why don't you ask Apple?
Because I read their statement, which makes it pretty clear that there are additional security considerations beyond what is needed for a browser application.
Browsers need to run javascript to be competitive browsers. It would be practically impossible to check even simple "strict rules".
I have never used PWAs, so could you elaborate what you mean with ‘work properly’? What happens now that is not ideal?
Now that push notifications and long-term localstorage are disabled, a PWA can't compete. Not being able to send notifications to your user is a huge drawback for many types of apps, and limiting localstorage means that offline capabilities are limited, so PWAs will require increased access to a network as compared to native apps.
"EU users will be able to continue accessing websites directly from their Home Screen through a bookmark with minimal impact to their functionality. "
Does this "minimal impact to their functionality" mean, the app will lose its local data after 7 days of not using the app, like it is for normal websites? That is a pretty heavy impact.
It means Apple is lying, again.
My hat's off to Apple PR on this one: they came up with some spin for why they were adding a malicious component to how they are complying with the DMA.
They're likely not lying when they say that it's more difficult to maintain their security standards while at the same time allowing any browser engine to run PWAs. But this is a problem they absolutely could solve, and a company with Apple's size and skill absolutely has the resources to make this work. But they've chosen not to.
Another option would be to actually engage with EU regulators on the issue, and see if they could carve out an exception -- temporary or otherwise -- to allow them to require PWAs to run under their existing WebKit-based framework, regardless of the default browser. But they've again chosen not to do that.
PWA adoption is likely as low as Apple claims. I think they're toeing a line here: because Home Screen Apps are a bit of a niche feature, they can break it without pissing off too many users, but also give a subtle middle finger to the EU. "Poor Apple users, Apple just has to disable a feature some people like because of the evil, overreaching EU and its burdensome DMA!"
This is a shame in that I personally think we all should be relying less on mostly-closed-source, proprietary apps for everything. While the web platform is a bit of a mess, it actually does (or could) offer the same functionality that native apps do, especially if Apple and Google had worked on that sort of thing over the past 15+ years rather than pushing native apps so hard. We'd be in a much better place if that were the case: consider the savings in time and money if every company out there could just write a single PWA and not have to build two completely separate apps for iOS and Android. (Yes, I know there'd be some extra people dedicated to fixing issues caused by minor but significant-enough differences between the platforms, but it'd still be a ton less work than two apps for two different platforms.)
Also consider how much easier it would be for other smartphone platforms to break into the space, if all existing apps (as PWAs in my imaginary smartphone-utopia) would run on their platforms without much work. A big reason I will likely never adopt an alternative smartphone platform is because none of the apps I rely on day-to-day exist on them. Even though I'd absolutely love to ditch Android, but don't consider iOS any more palatable.
Anyway, that ship sailed a long time ago. I'm still bitter about it, though.
Ultimately this won't matter much. The number of people using PWAs on iOS is probably a rounding error. Restrict that to only people in the EU and it's even smaller. But Apple still gets in a jab at the EU over this, and most affected users will likely side with Apple on this one.
I beg people making these claims to look outside their web bubble for at least a nanosecond.
Google couldn't care less about "as good as native". If they did, this project wouldn't have been started by devs from Microsoft (of all companies) in 2020: https://open-ui.org
Yes, you should be building native apps for each platform unless your "app" is a barely functioning text-only page.
Am I missing something?
Couldn’t they allow you to open PWAs in Safari, or fall back to opening a URL in another browser?
Is there some part of the DMA which demands full feature parity?
Very likely the EU wouldn't like them prioritizing their own browser for a feature
Oh wow. I'd assumed, in earlier discussions about this, that Apple'd just keep forcing Safari-only for PWA installation and use.
Does the rule not allow that? If so... yeah, as a user deep in their ecosystem and once-developer for the platform, hard agree on this. Whatever their other motivations (and Apple are masters at arranging things so that their interests happen to coincide with legitimate concerns about UX) the user-facing issues expressed are worth worrying about.
> Addressing the complex security and privacy concerns associated with web apps using alternative browser engines would require building an entirely new integration architecture
Translation from Apple talk to real talk: allowing competing browser engines will undermine our grip on the market through lock-in to the engine we fully control. We don't want to lose power. As control freaks, we'll do all we can to sabotage it.
so, tldr: Apple tries to bullshit the EU again. EU commission - get them.
They say themselves it would be possible to be compliant with the DMA without removing what is obviously competition they don't like. But they try to take the road which - just by chance, obviously, the security is the real reason - helps them to keep more people away from competition. I don't buy it.
That's very informative, thank you.
The "community note" of HN.
Feels like the same kind of malicious compliance with the rest of their DMA changes:
1. WebKit has access to special OS-level APIs that allow it to install and power web apps.
2. The DMA requires support for alternative browser engines with the same abilities as WebKit.
3. It is reasonable to assume this requirement extends to PWAs.
4. By taking away WebKit's ability to power PWAs, all browser engines are now on a level playing field.
_Could_ they have done it differently? Maybe, maybe not: software development always takes longer than you think, and throwing more engineers at a problem doesn't always make it go faster. Do I think they saw another chance to be petulant and took it? Yes.
So yeah, I'm disappointed, but no more here than with the rest of Apple's DMA response.
I think the DMA is not the best legislation. Some parts don't require regulation whereas missing parts definitively require regulation. For example, I cannot publish my app in the app store. I don't need an alternative market. I'd like to have an anti-discrimination law for app publishers (side note, I'm not trying to publish a porn app, just a small productivity app for a limited audience).
In a previous comment [1], I considered abandoning Apple. With this official statement, I'll actually switch to Android. I'll welcome the F-Droid store very much.
Apple, I've been your customer since 2006. I started with the iPod. During this time I had a significant fraction of your lineup. I'm not affected by your changes but I'm using some PWAs. With this erratic behavior, I'm afraid you kill features that I'm using.
[1] https://news.ycombinator.com/item?id=39299007#39299469
Sounds like Apple is saying WebKit is insecure and to not use Safari or iOS webviews because if they can't be trusted to run a PWA then they can't be trusted for anything ;3
Didn't Apple make a comprehensive list of requirements for alternative web browsers and web browser engines so they are secure and don't compromise the user's security? (https://developer.apple.com/support/alternative-browser-engi...)
I'm a little confused. So that long list of requirements is useless for PWAs?
Some people will actually believe this. I'm utterly disgusted by Apple and their arrogance regarding the DMA, and the way they've managed all of this. My perception of them has completely changed. However, they seem very obedient when China asks them to censor apps or, for example, limit AirDrop when there's a protest going on.
This would be a lot easier to believe if they allowed you to stop apps from accessing the internet. As they don't, I simply don't buy any argument they make from a privacy or security perspective.
It makes sense. This is one of the many reasons why I’m not in favor of the government demanding things of Apple, it’s not like people don’t have another platform to choose from.
As the governments demand more and more, I predict we will see several monkey paw moments.
Apple's argument was that iOS was a robustly secure platform AND the app store made it even more secure. The reality of the situation looks more like the app store was a bandaid over a maybe-not-as-robustly-secure-as-we-hoped platform.