Since the article doesn't actually repeat what Apple has said, here's what Apple says:
== Begin quote ==
The iOS system has traditionally provided support for Home Screen web apps by building directly on WebKit and its security architecture. That integration means Home Screen web apps are managed to align with the security and privacy model for native apps on iOS, including isolation of storage and enforcement of system prompts to access privacy impacting capabilities on a per-site basis.
Without this type of isolation and enforcement, malicious web apps could read data from other web apps and recapture their permissions to gain access to a user’s camera, microphone or location without a user’s consent. Browsers also could install web apps on the system without a user’s awareness and consent. Addressing the complex security and privacy concerns associated with web apps using alternative browser engines would require building an entirely new integration architecture that does not currently exist in iOS and was not practical to undertake given the other demands of the DMA and the very low user adoption of Home Screen web apps. And so, to comply with the DMA’s requirements, we had to remove the Home Screen web apps feature in the EU.
EU users will be able to continue accessing websites directly from their Home Screen through a bookmark with minimal impact to their functionality. We expect this change to affect a small number of users. Still, we regret any impact this change — that was made as part of the work to comply with the DMA — may have on developers of Home Screen web apps and our users.
== End quote ==
The “low usage” comment is going to be more ammo against Apple, unfortunately. The whole reason they are low usage on PWAs is because of a lack of investment from Apple and a lack of parity, yet for the longest time Apple has played both sides by saying PWAs are a viable alternative to the App Store, all while channeling people to the App Store for actual app downloads and not providing similar marketing or anything for PWAs.
Thanks for posting that. I'm no iOS expert but it actually sounds like a pretty reasonable explanation. It's at least good to hear Apple's side here, and more knowledgeable commenters here can weigh in as to whether it really does seem genuine.
"EU users will be able to continue accessing websites directly from their Home Screen through a bookmark with minimal impact to their functionality. "
Does this "minimal impact to their functionality" mean the app will lose its local data after 7 days of not using the app, like it is for normal websites? That is a pretty heavy impact.
What an absolute crock of shit. Someone at Apple must be feeling really, really pathetic lately. Why can't they just get over themselves and actually deliver a useful product instead of trying to achieve cult status?
Apple's argument was the iOS was a robustly secure platform AND the app store made it even more secure. The reality of the situation looks more like the app store was a bandaid over a maybe-not-as-robustly-secure-as-we-hoped platform.
I think the DMA is not the best legislation. Some parts don't require regulation whereas missing parts definitively require regulation. For example, I cannot publish my app in the app store. I don't need an alternative market. I'd like to have an anti-discrimination law for app publishers (side note, I'm not trying to publish a porn app, just a small productivity app for a limited audience).
In a previous comment [1], I considered abandoning Apple. With this official statement, I'll actually switch to Android. I'll welcome the F-Droid store very much.
Apple, I've been your customer since 2006. I started with the iPod. During this time I had a significant fraction of your lineup. I'm not affected by your changes but I'm using some PWAs. With this erratic behavior, I'm afraid you kill features that I'm using.
I'm a little confused. So that long list of requirements is useless for PWAs?
Some people will actually believe this. I'm utterly disgusted by Apple and their arrogance regarding the DMA, and the way they've managed all of this. My perception of them has completely changed. However, they seem very obedient when China asks them to censor apps or, for example, limit AirDrop when there's a protest going on.
Feels like the same kind of malicious compliance with the rest of their DMA changes:
1. WebKit has access to special OS-level APIs that allow it to install and power web apps.
2. The DMA requires support for alternative browser engines with the same abilities as WebKit.
3. It is reasonable to assume this requirement extends to PWAs.
4. By taking away WebKit's ability to power PWAs, all browser engines are now on a level playing field.
_Could_ they have done it differently? Maybe, maybe not: software development always takes longer than you think, and throwing more engineers at a problem doesn't always make it go faster. Do I think they saw another chance to be petulant and took it? Yes.
So yeah, I'm disappointed, but no more here than with the rest of Apple's DMA response.
> Addressing the complex security and privacy concerns associated with web apps using alternative browser engines would require building an entirely new integration architecture
Translation from Apple talk to real talk: allowing competing browser engines will undermine our grip on the market through lock-in to the engine we fully control. We don't want to lose power. As control freaks, we'll do all we can to sabotage it.
>low usage
This is hilarious. As a developer, if PWAs work properly I'm much more interested in writing them, testing them on iOS and marketing them to iOS users. If the feature is uncertain, or outright broken like now, of course no sane, business-sense-driven dev will spend the time to build a PWA app specifically for iOS.
Oh wow. I'd assumed, in earlier discussions about this, that Apple'd just keep forcing Safari-only for PWA installation and use.
Does the rule not allow that? If so... yeah, as a user deep in their ecosystem and once-developer for the platform, hard agree on this. Whatever their other motivations (and Apple are masters at arranging things so that their interests happen to coincide with legitimate concerns about UX) the user-facing issues expressed are worth worrying about.
Apple cannot simply invoke DMA (50) as a free pass. For its arguments to align with the intent of the legislation, here's a roadmap of what they need to do to justify their security-based restrictions on iOS:
Apple must be transparent about the exact security issues posed by alternative browser engines with concrete instances (not merely speculative risks). They need to prove that these are unique to iOS, given the successful use of unrestricted browser engines on macOS (and every other OS).
Before opting for the extreme step of removing functionality, Apple needs to offer documentation of all the methods for managing and mitigating specific threats that were considered and subsequently ruled out as infeasible (sandboxing, enhanced APIs, etc.). This emphasizes that their actions are indeed the last resort and not merely a way to suppress competition.
The company needs to demonstrate how they would proactively work with browser engine developers to establish strong security controls and threat monitoring on par with or exceeding their current practices for native-only experiences. This shifts the focus to building a safe environment rather than merely limiting the scope of capabilities.
Apple must guarantee that if and when these security challenges are met, it will progressively expand support for unrestricted use of web standards for third-party browser engines. This creates the long-term perspective the DMA is designed to protect and gives confidence to developers investing in advanced web app solutions.
Without taking action in these key areas, Apple's reliance on this DMA portion won't hold up to regulatory scrutiny. They cannot cite generic security dangers then fall back on "practicality" arguments without robust, evidence-backed reasoning.
This would be a lot easier to believe if they allowed you to stop apps from accessing the internet. As they don't, I simply don't buy any argument they make from a privacy or security perspective.
My hat's off to Apple PR on this one: they came up with some spin for why they were adding a malicious component to how they are complying with the DMA.
They're likely not lying when they say that it's more difficult to maintain their security standards while at the same time allowing any browser engine to run PWAs. But this is a problem they absolutely could solve, and a company with Apple's size and skill absolutely has the resources to make this work. But they've chosen not to.
Another option would be to actually engage with EU regulators on the issue, and see if they could carve out an exception -- temporary or otherwise -- to allow them to require PWAs to run under their existing WebKit-based framework, regardless of the default browser. But they've again chosen not to do that.
PWA adoption is likely as low as Apple claims. I think they're toeing a line here: because Home Screen Apps are a bit of a niche feature, they can break it without pissing off too many users, but also give a subtle middle finger to the EU. "Poor Apple users, Apple just has to disable a feature some people like because of the evil, overreaching EU and its burdensome DMA!"
This is a shame in that I personally think we all should be relying less on mostly-closed-source, proprietary apps for everything. While the web platform is a bit of a mess, it actually does (or could) offer the same functionality that native apps do, especially if Apple and Google had worked on that sort of thing over the past 15+ years rather than pushing native apps so hard. We'd be in a much better place if that were the case: consider the savings in time and money if every company out there could just write a single PWA and not have to build two completely separate apps for iOS and Android. (Yes, I know there'd be some extra people dedicated to fixing issues caused by minor but significant-enough differences between the platforms, but it'd still be a ton less work than two apps for two different platforms.)
Also consider how much easier it would be for other smartphone platforms to break into the space, if all existing apps (as PWAs in my imaginary smartphone-utopia) would run on their platforms without much work. A big reason I will likely never adopt an alternative smartphone platform is because none of the apps I rely on day-to-day exist on them. Even though I'd absolutely love to ditch Android, I don't consider iOS any more palatable.
Anyway, that ship sailed a long time ago. I'm still bitter about it, though.
Ultimately this won't matter much. The number of people using PWAs on iOS is probably a rounding error. Restrict that to only people in the EU and it's even smaller. But Apple still gets in a jab at the EU over this, and most affected users will likely side with Apple on this one.
> malicious web apps could read data from other web apps and recapture their permissions to gain access to a user’s camera, microphone or location without a user’s consent.
How is this even possible? It's shocking that these APIs even exist for any browser to use.
They simply could ask browser vendors to follow strict rules that they can check themselves. This is not like they would have to verify dozens of browsers every day. Only a few per month, tops.
It makes sense. This is one of the many reasons why I’m not in favor of the government demanding things of Apple, it’s not like people don’t have another platform to choose from.
As the governments demand more and more, I predict we will see several monkey paw moments.
so, tldr: Apple tries to bullshit the EU again. EU commission - get them.
They say themselves it would be possible to be compliant with the DMA without removing what is obviously competition they don't like. But they try to take the road which - just by chance, obviously, the security is the real reason - helps them to keep more people away from competition. I don't buy it.
>Without this type of isolation and enforcement, malicious web apps could read data from other web apps and recapture their permissions to gain access to a user’s camera, microphone or location without a user’s consent
Sounds like Apple is saying WebKit is insecure and to not use Safari or iOS webviews because if they can't be trusted to run a PWA then they can't be trusted for anything ;3
Said it before and it seems clearer every day, that we're in an era reminiscent of the 1920s with big mobs fighting it out. One of the old games back in town is protection rackets [0], digital forms of ransacking, vandalism, threats and "tax" collecting are all the rage dontchyknow.
Everyone's got their "security" to give you. But it ain't your security, and it ain't compatible with no one else's.
Nice app store you got here. Shame if anything might 'appen to it!
I don’t think Apple’s pettiness is gonna work in their favor.
I am not in the EU but my next iPhone is almost certainly not gonna be an iPhone despite me having used a non iPhone for about 6 months in the last 15 years.
Their throwing their customers under the bus just to throw a tantrum in the EU does not bode well for how they would treat their customers in other situations.
In combination with the 'Core Technology Fee' that financially cripples any developer that tries to release a popular app outside the official app store, this is pathetic behavior. Hopefully the EU smacks them down for this temper tantrum at being forced to adhere to the DMA. They are trying to flex their market power and should be reminded they operate within a system of laws that doesn't bend for anyone, regardless of their size.
As a European dev I want Apple to fail super hard and implode. They used to be so cool and make slick hardware for their niche but now I'm happy to use worse hardware as long as they disappear from the face of the earth.
Very questionable argumentation. This can be seen from two different angles:
1. A PWA is a native wrapper for a web application, not a browser. It is supposed to be limited to the app website. The DMA does not tell Apple that every app with an embedded WebView should offer users the possibility to switch the engine. Why should PWAs be treated differently here? I’d rather clarify this with regulators first, before harming end users.
2. There are no browser engines currently supporting PWAs on Apple mobile devices. Apple has enough resources and time to figure out how to sandbox PWAs on other engines together with the first browser vendor that decides to offer such support and commit engineering resources to this project. In the meantime the current solution could stay simply because it does not hinder any competition.
I’m not a legal expert, so maybe I miss something here. But Apple's statement does not look convincing to me.
I’m primed to be upset with Apple these days, but this doesn’t seem like an unreasonable position. The EU is forcing them to do a bunch of work to support alternate browser engines, this in turn creates a bunch of additional work if Apple wants to fully support PWAs, and PWAs aren’t really in Apple’s financial interest to begin with, so f-it. They're not going to spend resources to add support for PWAs in the EU. It's easier to just disable them and call it a day.
It's a rational choice. Apple isn’t a charity, so why would they spend resources on extra work that they didn’t want to do in the first place, given that work is not required for legal compliance? The security spin is clearly nonsense, but other than that I can't really fault Apple for their position on this, even if I wish it were different.
Bad move from Apple. It's time to boycott iOS and move to FOSS alternatives, such as: AOSP, Ubuntu Touch, GNOME Mobile, KDE Plasma, Sailfish OS. Personally I am using both UBports and Sailfish OS and I appreciate the privacy they provide.
As a possible workaround to fullscreen PWAs in iOS in the EU, I propose a convention to append some hash to the Web App Manifest start_url, e.g. #__pwa__, then set the default iOS web browser to e.g. Firefox, then add the PWA to the home screen from it with this special hash. When a user clicks on a PWA icon in the home screen, it would open in the default browser (e.g. Firefox), the browser then checks if the newly opened tab is opened from an external source and its URL ends with #__pwa__ and if so, then hides the UI, providing a fullscreen viewport for the opened PWA.
So, here's Apple's concern, which is valid: every website (PWA) should have isolated storage (cookies etc), and independent access to system resources (webcam etc) confirmed by the user on a per-site basis. I think we can all agree that's how things should be.
Previously, Safari handled these requirements because it's a modern browser (isolated storage has been a cornerstone of browser security for a long time), and had special privileges in iOS to configure per-site user permissions, whereas normal apps only had app-wide permissions.
Luckily, Chrome already has isolated per-site storage because it's also a modern browser. If it didn't, the world would probably explode.
That leaves per-site permissions as the only real problem. I'm sure the Chrome-on-iOS team would do whatever it takes to make this a good user experience, but let's assume for the sake of argument that this would actually be a burden for Apple to support.
How does disabling PWA functionality change the security situation whatsoever? Users preferring Chrome would just load the sites in Chrome as a bookmark, which has no meaningful difference from a "security" perspective. Users strictly using Safari obviously have a strictly-worse experience. Who does this help? What is made more secure by disabling this?
That's why I almost wouldn't buy a new Apple product anymore, with their draconian Chinese model (Apple as the big parent), and instead I crack Apple's product to assert my freedom (I do use Hackintosh, by the way).
The only exception is an iPad Pro (M1) because there isn't good competition in the market. Over time I'm starting to think about replacing it with an Android tablet, but I've yet to find one with a decent pen and memory.
Alas, to quote Benjamin Franklin, "Those who would give up essential Liberty, to purchase a little temporary Safety, deserve neither Liberty nor Safety". You gave up your liberty to be colonized by Apple, and now you get neither Liberty nor Safety in the future eventually.
Why can’t Apple continue to provide the normal way progressive web apps function when Safari is selected (that work like they do outside of the EU) and provide this other system for alternative browser makers?
I don’t believe they are trying to abide by the spirit of the EU law and are trying their best to behave extremely poorly towards it in how they are complying, choosing the most user hostile interpretations possible. I hope the EU issues the maximum fine.
When companies and the state collide, and the state is serious about the issue, the companies lose. Always. I know they want to win and the CEO's ego - I can imagine Cook in his office - is hurt, so "Ok, then you don't get PWAs!", and for some time companies get away with it (especially startups operating in a grey area until they get enough customers), but in the end, the state wins. Because it can put people in jail and the company can't.
So many laypeople that I know don’t even use bookmarks.
I’m a Linux geek with macOS and Windows in the house and I’ve never used a PWA.
I just can’t get excited over this one.. technical, political.. Apple is doing what I’d expect from a company being told how to build and change their product.
And since I don’t want to live in a Dell world running Windows paired to an Android phone of any kind, I personally am inclined to give them a pass on their obstinance. There’s very little in the tech world that runs as cleanly as iOS on an iPhone.
(And yes I’d love to run Linux on my mobile desktop but it’s all really terrible and not even close to a whisper of a starter. And I’ve tried them all.)
Not an Apple apologizer, just ranking them against the performance and quality of the alternatives.
It’s disappointing to see that Apple’s spin job is apparently working (based on some of the comments here). While it sounds superficially plausible, it’s actually quite deceitful.
For example, the argument that one web app could steal the permissions of another web app is predicated on the assumption that a non-Apple browser engine will fail to sandbox the apps. But *the exact same* threat vector will exist for non-Home Screen web apps accessed through third party browsers. That’s because ordinary websites ALSO have the ability to request access to microphones and cameras, and it will be up to the developers of the browser engines to ensure that these permissions are properly sandboxed. Apple won’t be able to eliminate this risk without breaking vast numbers of sites that people use every day.
In truth, a PWA is no different from a website. It’s built using the same technologies and APIs. The main difference is that it can run in full-screen mode like an app, and it has its local storage cleared less often. These are nice extras that benefit users who choose to “install” such apps, and they carry no special security risks.
The good news is that DMA contains private right of action. Might as well start drafting the responsive court filings already, March 8th is just around the corner.
I’m a bit of a hobby coder, and I have enjoyed writing small, home cooked apps (https://www.robinsloan.com/notes/home-cooked-app/) and publishing them as PWAs that my friends and family can enjoy. I can’t justify an annual 99 USD for an Apple developer licence, and my family have a mix of iPhones and Androids.
This step makes it much less possible for me to do this kind of “home cooked” development, and it makes me sad.
I think Apple would do well to offer a solution for folks like me, maybe a significant discount (or free?) developer accounts for folks with apps with fewer than 50 users or no App Store access, etc.
[+] [-] LeoPanthera|2 years ago|reply
Source: https://developer.apple.com/support/dma-and-apps-in-the-eu/#...
[+] [-] benguild|2 years ago|reply
[+] [-] zer00eyz|2 years ago|reply
30-some million lines of code in Chromium browsers.
That's bigger than the Linux kernel.
The HN crowd might not LIKE Apple's response but they have a very defensible position.
Edit: It's not like we haven't seen this play out on the desktop recently: https://www.theverge.com/24054329/microsoft-edge-automatic-c...
[+] [-] sigmar|2 years ago|reply
>Browsers also could install web apps on the system without a user’s awareness and consent.
Couldn't this be entirely solved with an OS permission-like prompt "are you sure you want [progressive web app name] added to home screen?"
[+] [-] crazygringo|2 years ago|reply
[+] [-] jensensbutton|2 years ago|reply
[+] [-] lukan|2 years ago|reply
[+] [-] beeboobaa|2 years ago|reply
[+] [-] WWLink|2 years ago|reply
[+] [-] glenjamin|2 years ago|reply
Couldn’t they allow you to open PWAs in Safari, or fall back to opening a URL in another browser?
Is there some part of the DMA which demands full feature parity?
[+] [-] mo_42|2 years ago|reply
[1] https://news.ycombinator.com/item?id=39299007#39299469
[+] [-] carlosrg|2 years ago|reply
[+] [-] oddevan|2 years ago|reply
[+] [-] shmerl|2 years ago|reply
[+] [-] Roark66|2 years ago|reply
[+] [-] vundercind|2 years ago|reply
[+] [-] szasamasa|2 years ago|reply
[+] [-] breather|2 years ago|reply
[+] [-] kelnos|2 years ago|reply
[+] [-] secondcoming|2 years ago|reply
How is this even possible? It's shocking that these APIs even exist for any browser to use.
[+] [-] stephc_int13|2 years ago|reply
They simply could ask browser vendors to follow strict rules that they can check themselves. It's not like they would have to verify dozens of browsers every day. Only a few per month, tops.
[+] [-] rmbyrro|2 years ago|reply
The "community note" of HN.
[+] [-] al_borland|2 years ago|reply
As the governments demand more and more, I predict we will see several monkey paw moments.
[+] [-] sgift|2 years ago|reply
They say themselves it would be possible to be compliant with the DMA without removing what is obviously competition they don't like. But they try to take the road which - just by chance, obviously, the security is the real reason - helps them to keep more people away from competition. I don't buy it.
[+] [-] sccxy|2 years ago|reply
[+] [-] agust|2 years ago|reply
[deleted]
[+] [-] wnevets|2 years ago|reply
[deleted]
[+] [-] fennecbutt|2 years ago|reply
Sounds like Apple is saying WebKit is insecure and to not use Safari or iOS webviews because if they can't be trusted to run a PWA then they can't be trusted for anything ;3
[+] [-] nonrandomstring|2 years ago|reply
Everyone's got their "security" to give you. But it ain't your security, and it ain't compatible with noone else's.
Nice app store you got here. Shame if anything might 'appen to it!
[0] https://en.wikipedia.org/wiki/Protection_racket
[+] [-] joshxyz|2 years ago|reply
History often rhymes, and it really rhymes on this one.
[+] [-] dclowd9901|2 years ago|reply
[+] [-] nonethewiser|2 years ago|reply
[deleted]
[+] [-] addicted|2 years ago|reply
I am not in the EU but my next iPhone is almost certainly not gonna be an iPhone despite me having used a non-iPhone for about 6 months in the last 15 years.
Their throwing their customers under the bus just to throw a tantrum in the EU does not bode well for how they would treat their customers in other situations.
[+] [-] deminature|2 years ago|reply
[+] [-] johanneskanybal|2 years ago|reply
[+] [-] ivan_gammel|2 years ago|reply
1. PWA is a native wrapper for a web application, not a browser. It is supposed to be limited to the app website. DMA does not tell Apple that every app with embedded WebView should offer users the possibility to switch the engine. Why should PWA be treated differently here? I’d rather clarify this with regulators first, before harming end users.
2. There are no browser engines currently supporting PWA on Apple mobile devices. Apple has enough resources and time to figure out how to sandbox PWAs on other engines together with the first browser vendor that decides to offer such support and commit engineering resources to this project. In the meantime the current solution could stay simply because it does not hinder any competition.
I’m not a legal expert, so maybe I'm missing something here. But Apple's statement does not look convincing to me.
[+] [-] w4|2 years ago|reply
It's a rational choice. Apple isn’t a charity, so why would they spend resources on extra work that they didn’t want to do in the first place, given that work is not required for legal compliance? The security spin is clearly nonsense, but other than that I can't really fault Apple for their position on this, even if I wish it were different.
[+] [-] niutech|2 years ago|reply
As a possible workaround to fullscreen PWAs in iOS in the EU, I propose a convention to append some hash to the Web App Manifest start_url, e.g. #__pwa__, then set the default iOS web browser to e.g. Firefox, then add the PWA to the home screen from it with this special hash. When a user clicks on a PWA icon in the home screen, it would open in the default browser (e.g. Firefox), the browser then checks if the newly opened tab is opened from an external source and its URL ends with #__pwa__ and if so, then hides the UI, providing a fullscreen viewport for the opened PWA.
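The convention proposed in the comment above, sketched as an added example (not niutech's code and not any browser's implementation). The function names, the launch-source values and the record of installed start URLs are assumptions made here; the record is added so that the `#__pwa__` marker on its own does not remove the address bar.

```javascript
// Added illustration of the proposed "#__pwa__" convention; all names are hypothetical.
const PWA_MARKER = "#__pwa__";

// Start URLs the user explicitly added to the home screen from this browser.
// Keeping this record is an assumption added here, not part of the proposal.
class InstalledApps {
  constructor() {
    this.byOrigin = new Map(); // origin -> path + query of the start_url
  }
  add(startUrl) {
    const u = new URL(startUrl);
    // Only HTTPS start URLs carrying the marker are recorded.
    if (u.protocol !== "https:" || u.hash !== PWA_MARKER) return false;
    this.byOrigin.set(u.origin, u.pathname + u.search);
    return true;
  }
  matches(u) {
    return this.byOrigin.get(u.origin) === u.pathname + u.search;
  }
}

// Decide how a newly opened tab is presented.
// launchSource: "external" (home screen icon or another app) or "in-page".
function presentationFor(rawUrl, launchSource, installed) {
  let u;
  try {
    u = new URL(rawUrl);
  } catch {
    return "browser-ui"; // unparsable input never hides the UI
  }
  if (launchSource !== "external") return "browser-ui";
  // Stricter than "ends with": the fragment must be exactly the marker.
  if (u.hash !== PWA_MARKER) return "browser-ui";
  // The marker alone is not enough; the URL must match an installed start_url.
  if (!installed.matches(u)) return "browser-ui";
  return "fullscreen";
}

// Constructed sample launches (example domains only).
function demo() {
  const installed = new InstalledApps();
  installed.add("https://app.example.com/inbox#__pwa__");
  return [
    ["https://app.example.com/inbox#__pwa__", "external"],
    ["https://app.example.com/inbox#__pwa__", "in-page"],
    ["https://other.example.org/login#__pwa__", "external"],
    ["https://app.example.com/inbox", "external"],
  ].map(([url, source]) => presentationFor(url, source, installed));
}
```

Only the first constructed launch is presented fullscreen; the in-page navigation, the origin that was never installed and the URL without the marker all keep the normal browser UI.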
[+] [-] hardcopy|2 years ago|reply
https://lemmy.world/post/12001569
(I develop https://github.com/aeharding/voyager)
[+] [-] bloppe|2 years ago|reply
Previously, Safari handled these requirements because it's a modern browser (isolated storage has been a cornerstone of browser security for a long time), and had special privileges in iOS to configure per-site user permissions, whereas normal apps only had app-wide permissions.
Luckily, Chrome already has isolated per-site storage because it's also a modern browser. If it didn't, the world would probably explode.
That leaves per-site permissions as the only real problem. I'm sure the Chrome-on-iOS team would do whatever it takes to make this a good user experience, but let's assume for the sake of argument that this would actually be a burden for Apple to support.
How does disabling PWA functionality change the security situation whatsoever? Users preferring Chrome would just load the sites in Chrome as a bookmark, which has no meaningful difference from a "security" perspective. Users strictly using Safari obviously have a strictly-worse experience. Who does this help? What is made more secure by disabling this?
[+] [-] gargs|2 years ago|reply
[+] [-] stevefan1999|2 years ago|reply
The only exception is an iPad Pro (M1) because there isn't good competition in the market. Over time I've started to think about replacing it with an Android tablet but I have yet to find one with a decent pen and memory.
Alas, to quote Benjamin Franklin, "Those who would give up essential Liberty, to purchase a little temporary Safety, deserve neither Liberty nor Safety". You gave up your liberty to be colonized by Apple, and now you get neither Liberty nor Safety in the future eventually.
[+] [-] andy_ppp|2 years ago|reply
I don’t believe they are trying to abide by the spirit of the EU law and are trying their best to behave extremely poorly towards it in how they are complying, choosing the most user hostile interpretations possible. I hope the EU issue the maximum fine.
[+] [-] KingOfCoders|2 years ago|reply
[+] [-] givemeethekeys|2 years ago|reply
[+] [-] browningstreet|2 years ago|reply
I’m a Linux geek with macOS and Windows in the house and I’ve never used a PWA.
I just can’t get excited over this one.. technical, political.. Apple is doing what I’d expect from a company being told how to build and change their product.
And since I don’t want to live in a Dell world running Windows paired to an Android phone of any kind, I personally am inclined to give them a pass on their obstinance. There’s very little in the tech world that runs as cleanly as iOS on an iPhone.
(And yes I’d love to run Linux on my mobile desktop but it’s all really terrible and not even close to a whisper of a starter. And I’ve tried them all.)
Not an Apple apologizer, just ranking them against the performance and quality of the alternatives.
[+] [-] anon373839|2 years ago|reply
For example, the argument that one web app could steal the permissions of another web app is predicated on the assumption that a non-Apple browser engine will fail to sandbox the apps. But *the exact same* threat vector will exist for non-Home Screen web apps accessed through third party browsers. That’s because ordinary websites ALSO have the ability to request access to microphones and cameras, and it will be up to the developers of the browser engines to ensure that these permissions are properly sandboxed. Apple won’t be able to eliminate this risk without breaking vast numbers of sites that people use every day.
In truth, a PWA is no different from a website. It’s built using the same technologies and APIs. The main difference is that it can run in full-screen mode like an app, and it has its local storage cleared less often. These are nice extras that benefit users who choose to “install” such apps, and they carry no special security risks.
[+] [-] 5evOX5hTZ9mYa9E|2 years ago|reply
[+] [-] d1sxeyes|2 years ago|reply
This step makes it much less possible for me to do this kind of “home cooked” development, and it makes me sad.
I think Apple would do well to offer a solution for folks like me, maybe significantly discounted (or free?) developer accounts for folks with apps with fewer than 50 users or no App Store access, etc.
But I guess they don’t really care, which is sad.
[+] [-] Alifatisk|2 years ago|reply