ProtonVPN Security Updates Rejected Due to Previously Approved App Description
Andy Yen (Hacker News, MacRumors, 9to5Mac):
ProtonMail is not the only Proton app being used by activists and protesters in Myanmar. For the past month, the Myanmar military has forced the national telecom companies to regularly shut down the internet and block access to social media to prevent damaging evidence from getting out.
[…]
On the same day the UN recommended Proton apps, Apple suddenly rejected important updates to our ProtonVPN iOS app. These updates include security enhancements designed to further improve safeguards against account takeover attempts which could compromise privacy.
Apple says it blocked our security updates because our app description in the App Store, which we have used without issue for months, mentions ProtonVPN is a tool to “challenge governments… and bring online freedom to people around the world”. Given the current context, Apple’s actions could not be more insensitive.
Apple says that the description violates section 5.4 of the guidelines, but that section doesn’t say anything about how the app is presented:
Apps offering VPN services must utilize the NEVPNManager API and may only be offered by developers enrolled as an organization. You must make a clear declaration of what user data will be collected and how it will be used on an app screen prior to any user action to purchase or otherwise use the service. Apps offering VPN services may not sell, use, or disclose to third parties any data for any purpose, and must commit to this in their privacy policy. VPN apps must not violate local laws, and if you choose to make your VPN app available in a territory that requires a VPN license, you must provide your license information in the App Review Notes field. Parental control, content blocking, and security apps, among others, from approved providers may also use the NEVPNManager API. Apps that do not comply with this guideline will be removed from the App Store and you may be removed from the Apple Developer Program.
Apple does not allege that the app violates local laws. Furthermore, if there’s no legal issue, the app should be approved based on the August 2020 rule that updates aren’t delayed over guidelines violations.
Apple: We need an absolute monopoly on app distribution to protect security.
Apple: <blocks security updates because a developer speaks about human rights>
The future is more cases like HKMap.live & ProtonVPN. This is the real issue w/the @AppStore: Apple has chosen to put itself at the center of every international issue. If iOS had side-loading, they could say “you can still ship, it doesn’t have to be in our store.
[…]
Apple and Tim Cook can wax poetic about values during keynotes all they want, but the actions they take represent their true values. And the @AppStore creates a clear and undeniable binary demarcation of what they approve of and what they don’t.
Previously:
- Surprised
- ProtonMail Forced to Add IAP
- Apple’s Commitment to Human Rights
- Allowing Bug Fixes and Challenging the Guidelines
- HKmap Live Removed From the App Store
- HKmap Live Rejected From the App Store
Update (2021-04-16): John Gruber:
Nothing to do with Myanmar — this spat is entirely about the phrase “challenging governments”. Again, I think it’s a bit silly for Apple to have rejected the update to ProtonVPN over that phrase.
[…]
Seems to me that the ProtonVPN update should have been approved, and the dispute over the app description settled afterward. Is the phrase “challenging governments” a “legal issue”? It certainly isn’t a legal issue in most countries. So Proton has legitimate gripes here.
While I am willing to give Apple the benefit of the doubt and consider this an inconvenient coincidence, I would not be surprised if this were a deliberate move. After all, Apple has pulled VPN apps from the App Store before. For now, we can assume (as Gruber highlights) that this is yet another issue with Apple’s poorly executed app review process where its so-called rules are applied arbitrarily.
However, there is still reason to be concerned, because Apple does not have a laudable record when it comes to cooperating with authoritarian governments. Below is a brief history of events that I have been tracking so far.
See also: Hacker News.
Apple says it approved ProtonVPN’s latest App Store update on March 19 and says, correctly, that Proton published the update to users two days later, on March 21. ProtonVPN, another two days later, published a blog post correlating the rejection to Apple limiting free speech and human rights in Myanmar.
I don’t think this proves anything about Apple’s motivations because the situation in Myanmar was already developing, with the UN recommending the app, before Apple’s initial rejection.
4 Comments RSS · Twitter
Pages, installed on every Mac.
Stands for "Poisonous Apple, Friend to Authoritarian Governments of Every Stripe."
Apple behaving oh, so very honorably:
“The big show turned out to be a no show. The bill was killed in mid-air while on the agenda with a backroom deal. Apple has hired the governor’s former chief of staff, and word is that he brokered a deal to prevent this from even being heard,
More of the same:
https://www.macrumors.com/2021/03/25/apple-devs-not-limited-app-store-distribution/
Even if a user only owns iOS-based devices, distribution is far from limited to the Apple App Store because developers have multiple alternative channels to reach that user. The whole web is available to them, and iOS devices have unrestricted and uncontrolled access to it.
Just don't mention to the court all the things that can't be done via the web, and only via iOS APIs, and hope the court is too stupid or well bribed to notice.
The App Store, which exists to protect its customers from "scams" and "viruses", contains such gems as software made by a paramilitary corps that is accused of detaining, physically abusing or sterilizing up to 2 million Uyghurs.
One supposes Apple doesn't believe Uyghurs could be customers, since it obviously cares less about their worries about being ethnically cleansed, than it does about software developers using the wrong icon. Our policy of allowing corporations to self-police is clearly working out so very well for humanity. Oddworld/RuptureFarms wasn't supposed to be a manual.
[…] Most recently, there was a dispute with ProtonVPN (the company that also makes ProtonMail) over an update for its app in the App Store. Proton Technologies claimed that Apple was intentionally blocking the update amid the ongoing crackdown in Myanmar. I agree with Gruber that there is little direct evidence to support this exact claim. While I am willing to give Apple the benefit of the doubt and consider this an inconvenient coincidence, I would not be surprised if this were a deliberate move. After all, Apple has pulled VPN apps from the App Store before. For now, we can assume (as Gruber highlights) that this is yet another issue with Apple’s poorly executed app review process where its so-called rules are applied arbitrarily. […]