iOS 17.4 Changes PWAs to Shortcuts in EU
Apple has argued for years that developers who don’t want to abide by its rules for native iOS apps can always write web apps.
It has done so in its platform guidelines, in congressional testimony, and in court. Web developers, for their part, maintain that Safari and its underlying WebKit engine still lack the technical capabilities to allow web apps to compete with native apps on iOS hardware. To this day, it’s argued, the fruit cart’s laggardly implementation of Push Notifications remains subpar.
The enforcement of Europe’s Digital Markets Act was expected to change that – to promote competition held back by gatekeepers. But Apple, in a policy change critics have called “malicious compliance,” appears to be putting web apps at an even greater disadvantage under the guise of compliance with European law.
We have been alerted that Apple has broken Web App (PWA) support in the EU via iOS 17.4 Beta. Sites installed to the homescreen failed to launch in their own top-level activities, opening in Safari instead. This demotes Web Apps from first-class citizens in the OS to mere shortcuts. Developers confirmed the bug did not occur outside the EU.
Now, when a user in Europe taps a web app icon, they will see a system message asking if they wish to open it in Safari or cancel. The message adds that the web app “will open in your default browser from now on.” When opened in Safari, the web app opens like a bookmark, with no dedicated windowing, notifications, or long-term local storage. Users have seen issues with existing web apps such as data loss, since the Safari version can no longer access local data, as well as broken notifications.
Previously:
Update (2024-02-14): Bruce Lawson (via Hacker News):
Presumably Apple doesn’t want PWAs to open in third-party browsers that have more powerful features than Safari, because those would directly compete with native apps in its own App Store. However, in the EU, it can’t privilege PWAs in Safari with its own private APIs any more. And so its solution, in its spirit of malicious compliance, seems to be “if we can’t have them, nobody can!”.
Update (2024-02-16): Apple (MacRumors, Hacker, News, 3, Slashdot):
Why don’t users in the EU have access to Home Screen web apps?
[…]
The iOS system has traditionally provided support for Home Screen web apps by building directly on WebKit and its security architecture. That integration means Home Screen web apps are managed to align with the security and privacy model for native apps on iOS, including isolation of storage and enforcement of system prompts to access privacy impacting capabilities on a per-site basis.
Without this type of isolation and enforcement, malicious web apps could read data from other web apps and recapture their permissions to gain access to a user’s camera, microphone or location without a user’s consent. Browsers also could install web apps on the system without a user’s awareness and consent. Addressing the complex security and privacy concerns associated with web apps using alternative browser engines would require building an entirely new integration architecture that does not currently exist in iOS and was not practical to undertake given the other demands of the DMA and the very low user adoption of Home Screen web apps. And so, to comply with the DMA’s requirements, we had to remove the Home Screen web apps feature in the EU.
Apple had two years or so to prepare for the DMA, but they “had to” to remove the feature entirely (and throw away user data) rather than give the third-party API parity with what Safari can do. I find the privacy argument totally unconvincing because the alternative they chose is to put all the sites in the same browser. If you’re concerned about buggy data isolation or permissions, isn’t this even worse?
There is no way to have a reliable web app that is bound to the default browser. It would mean every time you changed default browser, you would lose all your data.
Apple citing “low user adoption” of PWAs as a reason for the lack of support. [image]
It’s a complete coincidence that iOS killing PWAs in Europe means that PWA developers should move to the App Store if they want to be on the platform.
For anyone who was there when Steve Jobs declared web apps a ‘Sweet Solution’ when developers clamored for Apple to open up the iPhone’s OS to native apps, taking them away in the face of regulations that force Apple to open up to alternative browser engines carries a heavy dose of irony.
Apple made this change without notice to developers, despite Cupertino’s repeated insistence that web apps represent an alternative to native iOS apps for those unable or unwilling to abide by its platform restrictions.
[…]
Maximiliano Firtman, a web developer who works on PWAs, added, “The technical reasons behind the decision published in the document are childish and it contains many lies.”
The EU isn’t forcing Apple to make awful policy choices.
Was this statement from Apple written by a hallucinating AI? All mainstream web browsers have a strict security model for JavaScript. Cookies and local storage cannot be accessed across web apps. It’s even difficult or impossible to make certain web requests from JavaScript because of cross-site scripting and CORS limitations. The only way this could be circumvented is with a rogue web browser engine that did away with these standard constraints, but Apple already has this scenario covered because they approve every browser engine[…]
In fact, I actually have less and less interest in developing (or even supporting developing) for Apple platforms due to this kind of deliberate and maliciously arbitrary amputation of existing features.
Apple thought its bullshit Core Technology Fee was worth investing effort in, but not homescreen web apps 😛
“If Apple ever asked its engineers to make iOS worse in favor of making the company money, they would quit”
Turns out that was a lie. Who knew
I kind of think assuming that the EU is just going to go “oh noes, Apple has beated us!” is maybe, just maybe, underestimating quite how pissed off they’re going to be about Apple’s arsing about.
See also: the WebKit bug.
Update (2024-02-20): Open Web Advocacy (Hacker News):
This is emphatically not required by the EU’s Digital Markets Act (DMA). It’s a circumvention of both the spirit and the letter of the Act, and if the EU allows it, then the DMA will have failed in its aim to allow fair and effective browser and web app competition.
It’s telling that this is the feature that Apple refused to share. And it makes sense: the idea that users could install safe and secure apps that Apple can’t tax, block or control is terrifying to them.
The legal obligation to allow third-party browsers onto iOS removes their ability to set a ceiling on web app functionality via their control of Safari and the WKWebView. Suddenly Web Apps would be a viable competitor. It is particularly galling for them to cite low adoption when they have had their thumb on the scale suppressing them for over a decade.
[…]
Apple also makes tenuous, bordering on laughable, claims regarding web app security. In addition to unwarranted and unjustifiable attempts to project their own model onto competing browsers, Apple makes claims that ignore the history of web applications and browsers in providing strong privacy and security separation. Apple offers no evidence to back these assertions, and ignores the long track record of superior security of PWAs on other OSes.
The company has had years to prepare for this. If it got blindsided, that’s a management failure. If it’s being petulant, that’s a management failure. If it can’t devote the resources to make this work, that’s a management failure. And if this is an attempt to enforce using native APIs and the App Store rather than PWAs… well, that too is a management failure.
I don’t understand what Apple’s end game is with this and the rest of their “compliance” with the DMA. It seems foolish to expect regulators in the EU to turn a blind eye to Apple’s changes, which are obviously outside of the spirit the DMA’s intentions.
Tim Sweeney (Sarah Perez, Hacker News):
I suspect Apple’s real reason for killing PWAs is the realization that competing web browsers could do a vastly better job of supporting PWAs - unlike Safari’s intentionally crippled web functionality - and turn PWAs into legit, untaxed competitors to native apps.
Apple has long promoted web apps as an open and free — as in speech — alternative to the more restrictive policies of the App Store. No matter why Apple made this decision, it is trading the inherently competitive web for third-party browser engines and app distribution for reasons that, as Reece explains, are difficult to believe.
Jeremy Keith (via Hacker News):
Now Apple need to provide parity on iOS, at least for users in the EU. Again, Apple are decribing this coming scenario as an absolute security nightmare. But again, the conditions they’re describing are what already exist on macOS.
All Apple is being asked to do is offer than the same level of choice on mobile that everyone already enjoys on their computers. Rather than comply reasonably, Apple have found a way to throw their toys out of the pram.
[…]
This is a huge regression that only serves to harm and confuse users.
[…]
Presumably Apple is hoping that users will direct their anger at the EU commission instead. They’re doing their best to claim that they’re being forced to make this change. That’s completely untrue.
Update (2024-03-01): Hartley Charlton:
Following intense criticism, Apple today walked back its plan to disable Home Screen web apps in the European Union starting with iOS 17.4.
Apple (Hacker News):
Previously, Apple announced plans to remove the Home Screen web apps capability in the EU as part of our efforts to comply with the DMA. The need to remove the capability was informed by the complex security and privacy concerns associated with web apps to support alternative browser engines that would require building a new integration architecture that does not currently exist in iOS.
We have received requests to continue to offer support for Home Screen web apps in iOS, therefore we will continue to offer the existing Home Screen web apps capability in the EU. This support means Home Screen web apps continue to be built directly on WebKit and its security architecture, and align with the security and privacy model for native apps on iOS.
Developers and users who may have been impacted by the removal of Home Screen web apps in the beta release of iOS in the EU can expect the return of the existing functionality for Home Screen web apps with the availability of iOS 17.4 in early March.
Poor grammar and no clarification about what the DMA requires here, but this is good news.
Update (2024-03-05): Nick Heer:
Apple is framing this as a decision it made because it is just so dang nice — “[w]e have received requests to continue to offer support for Home Screen web apps in iOS, therefore we will continue to offer the existing Home Screen web apps capability”. If this is true, that means its earlier statement must have been wrong — there was no legal rationale for web app regressions, only a preference.
[…]
A version of this entire debacle which is fair to Apple is that it misunderstood its obligations, and would never have degraded PWAs in the E.U. if not for its too-careful interpretation of the law. But it does not get to take credit for undoing its mistake.
7 Comments RSS · Twitter · Mastodon
@Kevin Whose idea was it for BrowserEngineKit not to support PWAs?
I am wading into waters that I am not intimately familiar with (only what I've read), but wouldn't it be up to each browser vendor using BrowserEngineKit to support PWAs?
It's trivial to open a pwa as a pwa running on the browser engine it was initialized in without annoying popups and demotions.
I know because that's how it's been on Android for years.
This is Apple, yet again, showing their true selves.
@Kevin I’ve only skimmed the API, but I didn’t see a way for third-party browsers to do this. But, anyway, Safari does support PWAs as separate apps, and I see nothing in the DMA saying that this has to be dropped—especially if Safari is the default browser. If anything, I would think the spirit of the Act is that all browsers should be able to do this.
Is the point here that Apple will not allow a short cut on their Home Screen that executes arbitrary code on launch inside of a web engine they do not control
Is this a security risk? Does this pave a path for a new kind of app runtime Apple can’t control
@Julian No. It’s not a security risk because the Web engine has to use their framework and is sandboxed and aggressively isolated into separate processes. And they are already allowing a shortcut on the home screen for this engine. They’re just making the user experience worse and throwing away user data.
Yes, it's definitely "malicious compliance" to lay the groundwork for the user to open PWAs in their chosen default browser (another EU requirement) instead of a full-screen Safari window.
People don't even try thinking rationally anymore as long as they have somebody to attack.