Archive for January 26, 2024

Friday, January 26, 2024

Sign in With Apple No Longer Required

Apple:

In line with Apple’s mission to protect user privacy, Apple is updating its App Store Review Guideline for using Sign in with Apple. Sign in with Apple makes it easy for users to sign in to apps and websites using their Apple ID and was built from the ground up with privacy and security in mind. Starting today, developers that offer third-party or social login services within their app will have the option to offer Sign in with Apple, or they will now be able to offer an equivalent privacy-focused login service instead.

Previously, if an app supported any third-party sign-in service it was required to also support Sign in With Apple. As with the rule changes for streaming gaming, Apple is not saying this change is due to the DMA, but it was announced at the same time as the DMA changes.

Previously:

Streaming Games in a Single App

Apple:

Available for developers’ apps around the world, Apple also announced new options for streaming games[…]

Apple (MacRumors):

Apple is introducing new options for how apps globally can deliver in-app experiences to users, including streaming games and mini-programs. Developers can now submit a single app with the capability to stream all of the games offered in their catalog.

Apps will also be able to provide enhanced discovery opportunities for streaming games, mini-apps, mini-games, chatbots, and plug-ins that are found within their apps.

[…]

The changes Apple is announcing reflect feedback from Apple’s developer community[…]

They are implying that this is not due to the DMA.

Benjamin Mayo:

Previously, Apple required developers submit a separate app for each game individually, a laborious and untenable affair.

Unlike most of the other changes introduced today which apply only in the European Union, the game streaming policy update applies globally.

Previously:

Update (2024-02-20): Juli Clover:

Microsoft does not plan to bring an Xbox Cloud Gaming app to iOS at this time because there’s no opportunity for monetization, Microsoft Gaming CEO Phil Spencer said in an interview with The Verge. When asked whether Apple’s recent app ecosystem changes in the European Union make “room” for Xbox Cloud Gaming on iOS, Spencer said that monetization was an issue, and that the Digital Markets Act forcing Apple’s updates does not “go far enough to open up competition.”

Previously:

DMA Compliance: Default App Controls and NFC

Apple:

Apple will introduce new default controls for users in Settings for:

  • App marketplace apps — Users will be able to manage their preferred default app marketplace through a new default setting for app marketplace apps. Platform features for finding and using apps like Spotlight are integrated with a user’s default app marketplace.
  • Contactless payment apps — Users will be able to manage their preferred default contactless payments app through a new default setting, and select any eligible app adopting the HCE Payments Entitlement as the default.

Apple:

Apple is also introducing a new choice screen that will surface when users first open Safari in iOS 17.4 or later. That screen will prompt EU users to choose a default browser from a list of options.

This change is a result of the DMA’s requirements, and means that EU users will be confronted with a list of default browsers before they have the opportunity to understand the options available to them. The screen also interrupts EU users’ experience the first time they open Safari intending to navigate to a webpage.

Emphasis added. Apple is not happy about this.

Previously:

Update (2024-01-26): Joe Rossignol:

Apple said iPhone users in the EU will be presented with a list of the 12 most popular web browsers from their country's local App Store at the time, and noted that the options will be shown in random order for every user.

Apple shared an alphabetical list of the browsers that will currently be shown in every EU country.

See also: John Voorhees (Hacker News).

Juli Clover:

Going forward, NFC payments will be available directly in apps without the need for Apple Pay or the Wallet app, paving the way for third-party payment services and banks to offer their own tap-to-pay solutions on Apple devices.

[…]

This access to NFC technology is limited to banking and wallet apps that are in the European Economic Area, which includes the 27 European Union countries plus Iceland, Liechtenstein, and Norway.

DMA Compliance: Alternative Browser Engines

Apple:

The coming changes to iOS in the EU include:

[…]

New frameworks and APIs for alternative browser engines — enabling developers to use browser engines, other than WebKit, for browser apps and apps with in-app browsing experiences.

Apple:

To use an alternative browser engine in your app, you’ll need to request the Web Browser Engine Entitlement (for browser apps that want to use alternative browser engines) or the Embedded Browser Engine Entitlement (for apps that provide in-app browsing experiences that want to use alternative browser engines).

Apple will provide authorized developers access to technologies within the system that enable critical functionality and help developers offer high-performance modern browser engines. These technologies include just-in-time compilation, multiprocess support, and more.

[…]

To help keep users safe online, Apple will only authorize developers to implement alternative browser engines after meeting specific criteria and who commit to a number of ongoing privacy and security requirements, including timely security updates to address emerging threats and vulnerabilities.

It sounds like this only applies to iPhone apps, they have to be EU-only, and they’re not allowed to be set as the default browser.

David Pierce (MacRumors):

Since the beginning of the App Store, Apple has allowed lots of browsers but only one browser engine: WebKit. WebKit is the technology that underpins Safari, but it’s far from the only engine on the market. Google’s Chrome is based on an engine called Blink, which is also part of the overall Chromium project that is used by most other browsers on the market. Edge, Brave, Arc, Opera, and many others all use Chromium and Blink. Mozilla’s Firefox runs on its own engine, called Gecko.

On iOS, though, all those browsers have been forced to run on WebKit instead, which means many features and extensions simply don’t work anymore.

Previously:

Update (2024-01-26): BrowserEngineKit:

Create a browser that renders content using an alternative browser engine.

[…]

If you use an alternative browser engine in your app, you must design your secure browser infrastructure to separate different components into extensions that your browser manages. Design a limited inter-process communication (IPC) protocol that coordinates work across the extensions. Separating your alternative browser engine into distinct extensions limits the impact of security vulnerabilities in any one process.

Via Steve Troughton-Smith:

Holy moly that’s a lot of APIs and granular architecture specifics. If you dig into the setup instructions, it has everything from splitting tasks across multiple XPC processes to mandating arm64e to a whole collection of new entitlements. You don’t just ‘build a web browser’. This almost feels like an AppleInternal Safari spec with a ‘your implementation goes here’. I love it

Update (2024-01-30): Juli Clover (Hacker News):

While support for alternative browser engines sounds like a win for browser companies, Mozilla spokesperson Damiano DeMonte told The Verge that Firefox is "extremely disappointed" with the way Apple is implementing the feature because it does not extend to the iPad.

Firefox uses the Gecko engine and could swap to that on the iPhone, but it would need to continue using WebKit on the iPad.

And outside the EU.

James Moore (via Hacker News):

This news is tempered by the fact that Apple’s proposed solution to comply with the DMA rules to allow browser competition has not been well received.

Others in the industry we have spoken to described Apple’s compliance plan as it relates to browsers as “unworkable”, “a massive problem for us” and “doing everything they can to make the DMA fail”.

[…]

Apple claims repeatedly, if you don’t like their app store, don’t use it. You can use the web and web apps to reach your customers.

They say this, while at the same time preventing this from happening by not providing the tools needed in their own browser and blocking other browsers from providing them.

Previously:

Update (2024-02-14): See also: Hacker News.

Previously:

DMA Compliance: Interoperability Requests

Apple:

Today, developers can ask questions or share feedback or suggestions to Apple in a variety of ways — such as developer support, the Apple Developer Forums, and Feedback Assistant. To reflect the DMA’s changes, Apple has created an additional dedicated process for developers to request additional interoperability with iOS and iPhone features.

Apple will introduce a new request form for developers to request additional interoperability with hardware and software features built into iPhone and iOS. Apple will evaluate requests on a case-by-case basis and design a solution if one can be supported, and let the developer know if one cannot.

I don’t have much hope for this given the brokenness of the current processes for bug reporting, security bounties, entitlement requests, and guidelines challenges. And it only applies to the EU. They do promise to provide updates every 90 days.

Apple (MacRumors):

Get started with requesting effective interoperability with iOS by submitting the request form.

[…]

Based on Apple’s initial assessment of the appropriateness of your request and whether it falls within Article 6(7) of the DMA, Apple will start working on designing a solution for effective interoperability with the requested feature. Apple considers multiple factors when designing effective interoperability solutions. The integrity of iOS will always be among the important considerations for Apple.

What happens if there’s disagreement about whether a request would affect the integrity of iOS?

Previously:

DMA Compliance: App Analytics and User Data Portability

Apple:

Apple will expand the analytics available for developers’ apps both in the EU and around the world to help developers get even more insight into their businesses and their apps’ performance. Over 50 new reports will be available through the App Store Connect API to help developers analyze their app performance and find opportunities for improvement with more metrics[…]

[…]

Apple’s Data & Privacy site will be enhanced to provide users with additional App Store data categories and provide users the ability to consent to exporting this data to authorized alternative app marketplace developers. To help ensure that the intended uses of this sensitive user data meet user expectations, marketplace developers are responsible for meeting minimum eligibility requirements before they may access the Account Data Transfer API for requesting this data within their interfaces.

Previously:

DMA Compliance: Alternative Payments

Apple:

  • Payment Service Providers (PSPs) — where developers use an alternative payment processor that lets users complete transactions within their app.

  • Linking out to purchase — where developers direct users to complete a transaction for digital goods and services on their external webpage. The presentation of the link out to purchase may communicate information for EU users about promotions, discounts, and other deals.

To use these new payment options in an app, developers will need to use the StoreKit External Purchase Entitlement, the StoreKit External Purchase Link Entitlement, or both. Developers are not required to submit a separate binary to use alternative payment processing.

Due to the App Store’s tight integration with In-App Purchase, and to reduce confusion for users, developers may not offer both In-App Purchase and alternative PSPs and/or link out to purchase to users in their App Store app on the same storefront.

Unlike app marketplaces, this applies to all of Apple’s platforms (but only in the EU).

Apple:

When using an alternative payment processor within your app, it will display a system disclosure sheet to customers explaining that purchases are made through a source other than Apple.

[…]

When linking out to your webpage from within your app, Apple will display a system disclosure sheet to customers that explains to the user each time that they’ll be leaving the app and going to an external webpage through a source other than Apple.

[…]

If you support either alternative payment processing or link out to your webpage, you’re responsible for paying a commission to Apple on the sale of digital goods and services in the EU. iOS apps on the App Store will pay a reduced commission of either 10% (for developers participating in the App Store Small Business Program and for subscriptions after their first year) or 17% on transactions for digital goods and services, regardless of payment processing system selected; while for iPadOS, macOS, tvOS, and watchOS you’ll get a 3% discount on the commission you owe to Apple.

[…]

Please note that Apple has audit rights pursuant to the Alternative Terms Addendum for Apps in the EU.

See also: Benjamin Mayo.

Previously:

Update (2024-01-26): Kosta Eleftheriou:

Why doesn’t Apple show this warning for apps like Amazon, Uber, or AirBnB?