
This is just more malicious compliance by Apple. Indie developers are completely locked out of web distribution, and it applies only to developers who are already paying the Apple tax.

> To be eligible for Web Distribution, you must:

> Be a member of good standing in the Apple Developer Program for two continuous years or more, and have an app that had more than one million first annual installs on iOS in the EU in the prior calendar year.

> Developers will pay a CTF of €0.50 for each first annual install over one million in the past 12 months.

https://developer.apple.com/support/web-distribution-eu/




> and have an app that had more than one million first annual installs on iOS in the EU in the prior calendar year.

In other words the option is still a joke not worth using. "Yes, you can distribute independently... as long as you've already been popular on the iOS App Store in the past year".


It's a half-assed bribe to try and keep big developers on their side. "Alright, alright, we'll let you keep some money - just stop crying to the regulators already!"


I really hope the EU regulators won't let this slide.


Which part? I don't think the EU can rule that Apple can't charge publishers to be on iOS. This isn't malicious compliance, sans the size requirement it's exactly what they asked for.

This keeps happening where people keep hitching "I don't want to pay Apple" to every wagon except a law that requires Apple to make access to iOS free.

"Allow other payment processors": Okay you still pay 27%

"Allow other stores": Okay you still pay a commission, a different one.

"Allow installing from websites": Okay you still pay a commission, you just have to write us a check.


Even if they were allowed to ask for a fee, they would not be allowed to set conditions that they can subjectively rule on. Particularly the "in good standing with Apple" is a blatant violation since it effectively lets them block anyone they want for any reason, which is in violation of the very basic "shall allow and technically enable" language of the DMA.


> I don't think the EU can rule that Apple can't charge publishers to be on iOS.

Oh I think the EU can rule whatever they want on their domestic market. Apple can try to find all the holes they want, the Commission is probably just taking notes of those holes to fix them in the DMA 1.1

I really think Apple (and Meta, fwiw) is making a huge mistake if they think they are in a position to negotiate anything. DMA is here to fix competition issues on the European market and if the goal isn't reached, there will be enough iterations until achievement.

It's not a fight against Apple, it's about preserving the core of what is the EU: the European Single Market. The European Single Market was created after WWII with the goal to enforce peace on the European continent. The Single Market IS the European Union. There is no way they'll let Apple get around this. The only thing Apple doesn't understand is that the EU is traditionally really slow to act so they had an entire decade (and more) to think that locking access to the market in the EU was fine.


> if the goal isn't reached, there will be enough iterations until achievement.

I wish I was as optimistic as you. GDPR was already supposed to be such an improvement. I have no doubt that Apple's current dance won't work. But I don't think any European company will actually benefit from DMA. (I'd say the ones who will really benefit from it are Epic Games and Google, maybe Mozilla a bit)

That being said, I'm very happy the EU implemented the DMA.


GDPR is an improvement though.


Yeah that's why I'm expecting another change. When they tried banning Epic the EU said no, and Apple was forced to move to this point. I expect/hope that the EU comes back with a further "clarification" on Apple's contention that they can gate this to 1,000,000 downloads.

It is funny to see American companies scream "that's not fair" when faced with a functional government.


This is somewhat a naive interpretation. Yes, the EU can enforce certain regulations, ban Apple, etc, but not without repercussions. We live in a global trade environment. It really comes down to whether the US administration would find the EU's actions unreasonable and whether there would be economic repercussions in turn.

A trade war is the last thing the EU wants, especially when they are completely and utterly dependent on the US for technology and protection, so it's very unlikely that the EU will get all extreme on Apple or other US tech companies.

It will push as hard as it can but we will not see a protracted ban. The EU understands that it can only push so hard before it starts a trade war and harms itself out of spite.


They'll not ban anyone, the DMA allows fines up to 20% of the international revenue. I think there is enough room to enforce rules without banning anyone.


Sufficiently high fines are no different from a ban. The DMA will never actually fine at 20% because companies would be forced to leave, triggering the above scenario.


Just the size requirement makes it useless, why would anybody bother with a web distribution if they already have 1 million (!) installs on the appstore where they already have all their customers?


The front runners for doing this would probably be Google and Meta. Large companies that publish several ad-supported apps. Sidestepping the App Store would let them revert Apple’s privacy protections for tracking.

However, I believe another statute of Apple’s implementation is that developers must pick. App Store or Self Distribution— an app cannot be both


If you really have to pay a fee per install, ad-supported apps are probably the worst candidates to go standalone in my opinion. Those don't get much money per user.


The fee is ~50 cents per user.


It’s per install including updates. All apps from Meta and Google update almost weekly. That’s 100s of millions of dollars a year in CTF that they won’t have to pay if they stay in the store.


I don't see how they would. Aren't many of the anti tracking features implemented at the OS level?


Trivially easy. Create an app that generates a random number and stores it in the app's local storage. Send that with any interaction to whatever service you're providing. Hiding this feat in plain sight isn't that hard.

Currently there are two things preventing a developer from doing this:

1. you're supposed to be honest and not do that.

2. you could be caught during review by a bot or a human.

Nothing at the OS level to prevent this.


But all that does is let one app track your usage in that app. To do tracking outside of that, you'd need other apps to get access to another app's local storage. Which you need the OS to give you permission to do.

We have toggles for preventing cell data usage, they could trivially do the same for wifi usage, or accessing other apps' local storage.


I think computing devices need to have some kind of zero trust sandbox available for installation (kinda like a VM) where any API and system calls that an app uses are spoofed. iOS has done this for files and photos (recently), but some is still all or nothing, like contacts. At least camera and microphone access show an indicator when they're in use.


Sure you can create a sandbox that can cater for some app and keep it completely isolated. And yes, whereas previously any app could basically see and do anything, now there are limits at the OS level.

But an app that shows the latest cat video needs connectivity and the server serving that cat video now tracks when you were watching it.


And no one, not even Apple, complains about that kind of tracking nor attempts to stop it.


This is a ridiculous example

Yes, but there’s no way to stop that kind of tracking since those apps require you to sign in.

The current App Store already has this kind of tracking.


> Nothing at the OS level to prevent this

This is incredibly common practice and AFAIK not even discouraged by Apple.

The app sandbox constrains the local storage data to the app which created the unique identifier. There is no third-party tracking opportunity here.


Are there any apps from Google/Meta where you _don't_ need to authenticate?


The only Google application (besides Play store and all the stuff that's more or less part of the system) I use is Google Maps and it doesn't require being logged in.


The Youtube app works without logging in (on Android).


That's the point of these ridiculous rules


DMA requires free access to the platform


Citation needed


56: The gatekeepers should, therefore, be required to ensure, free of charge, effective interoperability with, and access for the purposes of interoperability to, the same operating system, hardware or software features that are available or used in the provision of its own complementary and supporting services and hardware


That's not what that means, that's saying Apple can't give themselves special private APIs to do things other apps can't or charge to access them.

Which is funny because you can drive a shipping container through the loophole which is OS components can have special privileges and the boundary between apps and OS for 1st party software is fuzzy.


As an example,

Using 'Tile' trackers, iOS pops a message up every so often saying 'Tile' has been accessing the Location API from iOS.

But Apple introduced a competing product, 'AirTags', and this doesn't have the same (annoying) regular popup.

Does this mean that Apple's Product will no longer be allowed to use a special Location API bypassing the security/barriers their competitors have?

I understand the need for security, but Apple has no incentive to remove friction from the process when it negatively impacts their competitors and doesn't impact them at all.


That’s strange considering I get those location access popups for the Apple Weather app on my iphone.


The only reason you do is to negate negative commentary or performance around battery usage, and the increased drain of always allowed location.


It seems RAW they could go a few directions:

1. They make AirTags follow the same rules as every other app.

2. They introduce a new toggle that users can grant to Tile that gives them the same abilities as AirTags.

3. They introduce a new entitlement that can be granted to developers who apply for that give them the access that AirTags has.

They've taken #3 for both alternative stores and web downloads so I imagine they would take it here.


If that ends up meaning that competitors can make Bluetooth headphones with the functionalities of AirPods, I'm all for it!


4. They make 'Find My' available to competitors


It's basically saying the same thing. One thing other apps can't do on iOS is... installing packages on the system. This is only a thing that the App Store app can do. So Apple has to open up to third parties the possibility to install packages on the device, exactly how on Android any third party can install apps on the device.

By the way, this will impact Android too, since there are permissions that are limited only to Google applications such as the Google Play Services, that (interpreting this rule) now shall be opened to any apps that require them.


Yes. The App "App Store" has special APIs that allow other apps to be installed on the phone that do not experience this charge.


That's a pretty tortured reading of the DMA. Yes, Apple has to allow more than just the App Store to install iOS applications, but nowhere does it stipulate that Apple can't collect fees from apps installed through alternative stores.

This is the tension, people really really want "ability to install apps" or "ability to install from web" to mean "install without Apple being allowed to collect fees" but that's not what the law says.


I think the original reading is pretty damn correct. It says apps should be able to access the platform "free of charge". Maybe I'm wrong but it seems to me that the reading that limits this to special API access is the tortured reading.

Besides, even Apple's reading is not what Apple is doing either. They're saying that ANY API access that is possible should be done free of charge. Ok. That INCLUDES app installation of course. It does not specify WHO doesn't get charged, which Apple then takes to mean those alternative app stores don't get charged, but the app owners do? Now THAT is tortured reading. Obviously that means NOBODY gets charged. Not the alternative app store, not the application being installed. Apple is not complying with their own reading either.

It seems to me pretty clear. Either interpretation, apps should be able to run on ios free of charge.


Y'all really need to read the whole act. The quote that stated this doesn't even come from (56).

> (56) Gatekeepers can also have a dual role as developers of operating systems and device manufacturers, including any technical functionality that such a device may have. For example, a gatekeeper that is a manufacturer of a device can restrict access to some of the functionalities in that device, such as near-field-communication technology, secure elements and processors, authentication mechanisms and the software used to operate those technologies, which can be required for the effective provision of a service provided together with, or in support of, the core platform service by the gatekeeper as well as by any potential third-party undertaking providing such service.

> (57) If dual roles are used in a manner that prevents alternative service and hardware providers from having access under equal conditions to the same operating system, hardware or software features that are available or used by the gatekeeper in the provision of its own complementary or supporting services or hardware, this could significantly undermine innovation by such alternative providers, as well as choice for end users. The gatekeepers should, therefore, be required to ensure, free of charge, effective interoperability with, and access for the purposes of interoperability to, the same operating system, hardware or software features that are available or used in the provision of its own complementary and supporting services and hardware. Such access can equally be required by software applications related to the relevant services provided together with, or in support of, the core platform service in order to effectively develop and provide functionalities interoperable with those provided by gatekeepers. The aim of the obligations is to allow competing third parties to interconnect through interfaces or similar solutions to the respective features as effectively as the gatekeeper’s own services or hardware.

They are explicitly talking about gatekeepers that are both app maker and OS maker giving their own apps access to parts of the OS that other apps can't access. You as a 3rd party are able to deeply integrate into iOS with your own apps to the same level as 1st party apps. It does not say that anyone must be allowed to access the platform free of charge. Plus this is the preamble to the actual act, you can write whatever you want in there (and legislators frequently do to use it as a pulpit) none of this is the actual law.

For the relevant bit it's article 6 paragraph 7.


I read that as: if Apple wants to allow installation of programs ("apps") on iOS, it must allow, free of charge, others to do the same. Free of charge to everyone. Free of charge to alternative app stores, free of charge to developers, free of charge to Apple customers, ... free of charge to anyone. As I said, I'm no lawyer, but that is definitely a valid interpretation to me.

What exactly is unreasonable about that reading?


"free of charge" is pretty clear, but IANAL.


Using that loophole would be an Article 13 violation


Wow, cool. So how do I get distribution on Mercedes (HQ: Germany) or Renault (HQ: France)'s infotainment systems to install any apps I want on cars?

What? These European companies are exempt? Crazyyy


Petition your representatives to designate those as gatekeepers of a core platform service. But first look up the definitions of those, and the criteria for gatekeeper designation, in the DMA.


This has nothing to do with the companies being European. DMA doesn't apply to infotainment systems.


Ahh yes, the "all lightbulbs regardless of their manufacture are required to have at least <this> energy efficiency" style regulation where <this> is set "neutrally" at the efficiency of LED bulbs.

Read article 3 paragraphs 1 and 2 and tell me this wasn't written to target like five US tech companies in total.


I have read it. It defines how much money the company needs to be making in the EU and how many users they need to have. Sure, it's targeting big companies.

The LED example you gave is actually a great one: I don't think the regulator cares if you're using LED or not. The intention is to reduce the usage of lightbulbs that aren't as energy efficient as modern technology allows them to be. If you can make an incandescent lightbulb that is as efficient, good for you. No one has targeted incandescent light.

Same here. Yes, companies this size are almost only American (and Chinese). That doesn't mean that American companies were the target.


US, with its severe underregulation of oligopolies, allows companies to grow that big. Why do you then complain that they are the ones targeted by laws in countries which are sane enough to understand the need to regulate such things?

Apple is welcome to vacate the EU if it finds it all too onerous.


>DMA doesn't apply to infotainment systems.

Gee, I wonder why. Maybe you should re-examine this statement:

>This has nothing to do with the companies being European.


If you're going to mindlessly accuse the EU commission of favoritism you should look through the mountain of cases that prove otherwise.

https://competition-policy.ec.europa.eu/antitrust-and-cartel...


Since when do you have to pay to use an ABI or link against system libraries? Shipping your own apps to your own customers doesn't entitle Apple to a payment.


Is that a legal opinion, or a this is how the world should work opinion?


Yes, it's a legal one. Under the DMA:

The gatekeepers should, therefore, be required to ensure, free of charge, effective interoperability with, and access for the purposes of interoperability to, the same operating system, hardware or software features that are available or used in the provision of its own complementary and supporting services and hardware


The DMA absolutely allows charging money for access to a regulated platform. The Core Technology Fee is the only thing Apple is charging that can even remotely seem like it may be prohibited. We'll see how that goes:

> Pricing or other general access conditions should be considered unfair if they lead to an imbalance of rights and obligations imposed on business users or confer an advantage on the gatekeeper which is disproportionate to the service provided by the gatekeeper to business users or lead to a disadvantage for business users in providing the same or similar services as the gatekeeper. The following benchmarks can serve as a yardstick to determine the fairness of general access conditions: prices charged or conditions imposed for the same or similar services by other providers of software application stores; prices charged or conditions imposed by the provider of the software application store for different related or similar services or to different types of end users; prices charged or conditions imposed by the provider of the software application store for the same service in different geographic regions; prices charged or conditions imposed by the provider of the software application store for the same service the gatekeeper provides to itself.


> The Core Technology Fee is the only thing Apple is charging that can even remotely seem like it may be prohibited

The CTF is the exact topic of discussion in the context I provided the clause


The CTF is a platform access fee, and not a fee for interoperating with system ABIs/services/APIs. That's the distinction, and why it isn't automatically illegal. It would only be illegal if it gives Apple's App Store an unfair competitive advantage.

And as you can see from the text of the DMA, in order to declare the CTF illegal, the EC has to conduct a fair, impartial, fact-based investigation that considers Apple's viewpoint. Then they produce a preliminary report which Apple is allowed to rebut. After that they can issue a final ruling, and Apple is allowed to appeal that to the court of justice. Even if the CTF is found to be illegal after all of that, Apple gets 6+ months to make changes unless the EC can prove that they were working in bad faith.


> The CTF is a platform access fee, and not a fee for interoperating with system ABIs/services/APIs.

Since Apple already charges $99/yr for a dev account, for which the Xcode price is included, and the CTF applies even when not using the App Store... what are they charging for if not API access in the form of the dev's user's devices? That's the only thing that's left


The CTF applies when not using the App Store, because the equivalent of the CTF is baked into Apple's 30%. People asked for unbundling, and this is what Apple came up with.

Those who are surprised that you have to pay for access to an ABI have obviously never had to pay for their compilers from their software vendors (the price for the HP-UX garbage compiler was eye wateringly high).


> Those who are surprised that you have to pay for access to an ABI have obviously never had to pay for their compilers from their software vendors (the price for the HP-UX garbage compiler was eye wateringly high).

But that doesn't seem to be the case, as Apple hasn't monetized Xcode and the iOS SDK libraries differently since the DMA came up.

Apple can charge for the SDK and all that it entails, but they can't charge for apps getting to run on users' iOS copies, as that's not something IP law contemplates.

What happens when a fully FOSS iOS dev environment comes out, like the way you can compile Windows binaries on Linux right now? What would Apple be charging for then?


> What would Apple be charging for then?

The CTF offsets Apple's costs in developing and maintaining the "core technology": the OS and the frameworks that the developer uses in their application.


Those costs are paid by the users when they buy their devices.


Dev kits for consoles are even more insanely controlled and costed.


GCC works on HP-UX, so I don't know what this is trying to prove. They can charge for Xcode whatever they want, but what does that have to do with installing apps.


Back when I was working with HP-UX, GCC worked if you wanted something completely independent and didn't need to link against system libraries. For the companies I worked for when using AIX, that wasn't an option.

At least on AIX and other UNIXes, the system compiler and GCC worked together. HP-UX was a special kind of hell.

A sibling reply pointed out that developer kits and distribution deals for consoles (which are general purpose computers, regardless of how they are presented, as much as modern smartphones are) are extremely expensive (and there are no alternatives for distribution).

The point that I am making is that the idea that you can develop and distribute for free on any platform is a relatively new one.


It is not new on microcomputers, though, and those have essentially defined the expectations for consumer devices going forward. That is why it was such a big deal back when Apple first introduced the app store with all the restrictions - that was new, even compared to other mobile devices in the market (even feature phones had J2ME by then).

But regardless, it seems like a good idea in general, and proven to work, so why shouldn't we want more of it? I don't see the problem with applying the same logic to game consoles etc - that racket also needs to go down.


Exactly. Not to mention, the HP-UX business model famously flopped in the face of Linux, BSD and Free Software. It's almost the perfect example of how Open software distribution provided a better experience than the alternatives.

The CTF is its own refutation. A competitive market should not need to kiss anyone's ring in order to function.


> The CTF is a platform access fee, and not a fee for interoperating with system ABIs/services/APIs

So the distinction is that they're charging devs to be allowed to run their app on iOS period, rather than charging for access to a particular set of APIs (which would be illegal)?

Because if so, there's a hole in that argument. Right now I can run any web app I want on my iPhone and the developer need pay no platform access fee. However, that app is blocked by Apple from accessing many native APIs, despite it running on my hardware. And to access those APIs it would need to pay Apple a fee...

So in conclusion, Apple should charge every website operator a per-user annual fee for using Apple's platform.


Web apps are forced to use WebKit, and the EC is fine with it. Because apparently web apps are not a core platform regulated by the DMA.


Why do you say the EC is fine with it? I bet you can't produce any statement from the EC even marginally supporting it. All you know is that Apple proposed something blatantly illegal, and then backed down from that plan.

It's impossible for the EC to have given Apple any kind of guarantees about it being fine to restrict PWAs to just Safari. That's just not how the process works.


Well, is there a legal basis for Apple charging this fee? I'm licensed to use Xcode presently, which means I can legally produce iOS binaries without paying them. I'm legally allowed to distribute those binaries because I own the rights to them, the apps being original works (and not derived works).

What, specifically, is the core technology fee for other than dissuading competition? It's not for using Xcode (I already have that now), and it's not for redistributing Apple software (iOS binaries aren't that). What technology specifically? Is it a software license? Is it for a patent license? Is it payment for a service? What is it?


Have you actually read the licensing terms you agreed to for Xcode and Apple SDKs?

> Except as otherwise expressly set forth in Section 2.2.B., You may not distribute any Applications developed using the Apple SDKs (excluding the macOS SDK) absent entering into a separate written agreement with Apple.


> I don't think the EU can rule that Apple can't charge publishers to be on iOS

Why not? Maybe they can't rule that Apple must make the App Store free for developers, but they can rule that the App Store can't be the only way to install apps.


> App Store can't be the only way to install apps.

Yes, hence alternative app stores. But that isn't the same thing as saying Apple can't take a cut from other App Stores, and surprise, they are.


> But that isn't the same thing as saying Apple can't take a cut from other App Stores, and surprise, they are.

Yes, it is. For Apple to be able to take a cut from other app stores, they need to have full control over said stores, so effectively it's just their App Store under a different name. Hopefully this won't fly under DMA.


> For Apple to be able to take a cut from other app stores, they need to have full control over said stores

No, they just need a legally binding agreement.


> 4. The gatekeeper shall allow and technically enable the installation and effective use of third-party software applications or software application stores using, or interoperating with, its operating system and allow those software applications or software application stores to be accessed by means other than the relevant core platform services of that gatekeeper.

> 7. The gatekeeper shall allow providers of services and providers of hardware, free of charge, effective interoperability with, and access for the purposes of interoperability to, the same hardware and software features accessed or controlled via the operating system…

More about DMA here: https://forums.macrumors.com/threads/apples-dma-malicious-co...


Yes, people keep quoting these sections but it doesn't say what folks want it to say.

4. Gatekeeper must allow people to install applications from outside the App Store. That has no relationship at all to whether Apple is allowed to require a contractual relationship with iOS developers that stipulates payment under certain conditions -- installs, IAPs, number of developers, number of users, etc.

7. Gatekeeper can't give themselves special APIs that allow them to do things other apps can't or charge extra for those special privileged APIs. Apple can nonetheless still charge developers to access iOS. But from there Apple can't give themselves an advantage by saying that only Apple apps can access Bluetooth.


I think the intent is clear. If apple is allowed to charge, they could charge 1000 USD per install and the whole law would be moot.


Here's something to blow your brain: perhaps the English version is incorrectly translated. With Ireland now the only Anglophone country in the EU, I would trust the French and German versions of the text to have far more clear intent.


English is still the lingua franca of the EU. I'd trust the English version.


Usually all translations of EU law are canonical.

All officially translated versions of the EUPL are too.


I'm not saying they don't have force of law. I'm saying the EU did not write them as strongly as the other versions, making them harder to understand and potentially steering the law in a different direction.

I'm reading the French version, and I find it clear that Apple is not following the DMA with its fee it cannot charge itself.


It’s intentional. Replace EU with Apple and law with AppStore rules and you’ll see the parallels.

> I'm saying the EU did not write them as strongly as the other versions, making them harder to understand and potentially steering the law in a different direction.


I suppose the next stage of malicious compliance will be to allow absolutely everyone to publish apps everywhere, but with some technical warning that is designed to be ignored.


That would be great! I'd love to just be able to make an app and let iPhone users get it, without Apple having any business in it.


I would love that. I have recently tried downloading a few apps for different reasons and every single one is locked away, for any useful features, behind in-app purchases. I remember the days back when the iPhone first came out: you could find apps and there was no such thing as purchasing features. It dawned on me that my iPhone is a pretty shitty platform, unlike my PC where I can download many free open source projects made by passionate people who like to share. I haven’t owned an Android in years but I am seriously contemplating getting a Google Pixel phone as they still have unlocked bootloaders. Our phones are capable of so much more but have been dumbed down so Apple can let developers sell us features through apps while taking a 30% fee along the way.


> I have recently tried downloading a few apps for different reasons and every single one is locked away, for any useful features, behind in-app purchases.

And you think those developers, once freed from the Apple App Store, will release their apps for free on the web???


Probably not them, but other developers for whom Apple's bullshit (like the 99$/year fee) is too much of a barrier of entry would be happy to share their work for free.


Well, if the iPhone was not locked down and one could install open source freeware, yes. There are apps for almost anything you can imagine for free on a PC. Look at OpenOffice for example. Free, where the MS version is quite costly. People are passionate about sharing things. Yes, there is paid software that is great and I think it should be allowed as well, but they should also have to keep innovating and offer something to entice customers, like real human support for example. But open source freeware also has a place, but it is being blocked for “security”, which too is alright, but at the end of the day we have these phones which are very powerful mini computers and if I want to risk my security I should be allowed to install anything I want. This is why I was into jailbreaking back in the day. I bought an iPhone and the guy at the cell store sold me 1000 video messages with my plan. I was surprised to learn there was not even a way to take videos on the iPhone back then (people think this is bullshit but it is the truth: the iPhone only had a camera back then, no video). When I searched how to take videos I learned about Cycorder, available on Cydia. Then I learned about jailbreak and took the chance and did it. Then I was able to take videos. Although Apple slowly closed the gap, a jailbroken phone was far more superior for years. My current iPhone is jailbreakable but I have been out of the scene a long time so not sure I want to mess around. I think it might break my banking app, not positive, but haven’t the time to figure it all out.


This reminds me of my tragicomic experience trying to install a calculator on my work iPad.

First one I tried had ads.

Second one required making an account.

Third one had some features reserved for the paid version (e.g. factorial).

Then more adware and other crap.

After 20 minutes I gave up and used pen and paper.


Same with PDF reader. A simple one that just let you read and annotate is something I guess no one is asking for. Everything has a premium plan that is a subscription.


This kind of UX is why I ended up installing a bunch of the official GeoGebra apps on an iPad in the past. Although, almost any calculation you'd want to do on a calculator can be done inside of Spotlight search.


You just explained why web apps are nerfed on Safari.


What's malicious about that? That the warning is designed to be ignored? If they deleted the warning, would that be much different?


I suspect the GP is being sarcastic.


The same reason it’s frowned upon to install random apps from the internet onto your PC. It’s a disaster waiting to happen.


It's not frowned upon, it's the normal way of doing anything non-trivial in Windows land. You don't get something from a repo, you go to the Foobinator Tools website to download BarApp Pro


Windows is frowned upon.

Laptop sales decline every year. People are giving up the idea of keyboards and big screens to avoid Windows laptops. Copying and monetizing the open source repo idea is the smartest thing smartphone manufacturers did.


I thought Windows had winget or something now?


Sounds like their sandbox and permissions system is lacking then.

Hmm somehow I can go to any website in a browser and be just fine hmmmm


I've directly installed hundreds of apps on my PC. No disasters have happened.


“I’ve driven many miles and never crashed. Why do I need to pay for seatbelts?”

These are population level decisions which require you to think about mainstream use. For example, you probably have been safe because you know what to look for. This is not true of the general public and there are millions of people who _thought_ they were making a safe choice and only realized later that the polite person in the call center was not actually trying to help them, etc.


The implication that restricting user freedom to the degree that Apple does is as vital as the seatbelt in your car is hilarious to me. A better analogy would be "how come my Apple car can only drive on Apple-owned toll roads but every other car can drive wherever it wants?"


“Why are people buying safer cars than the brand I am emotionally attached to?”

Read through what’s actually happening:

https://developer.apple.com/support/web-distribution-eu/

> Apps offered through Web Distribution must meet Notarization requirements to protect platform integrity, like all iOS apps, and can only be installed from a website domain that the developer has registered in App Store Connect.

If you can’t see a safety benefit, go look at the Windows or Chrome extension malware industry and the billions of dollars it costs people every year. You don’t have to like Apple or agree with everything they’re doing to understand that there is a real problem here.


https://news.ycombinator.com/item?id=39685272

The problem exists in the Apple app store. So why behave as if it is an issue unique to windows and android?

The apple situation makes it worse, people now expect the app store to be a safe place to download from and perhaps do less due diligence because they assume apple are doing the heavy lifting, mainly because Apple keep telling us they are doing the heavy lifting to protect us.


Right; but the whole point of a browser extension is that it interferes with how other webpages work. But iOS apps can’t do that. They’re more like webpages themselves - sandboxed and run as isolated processes. In the absence of browser bugs, it should be safe to click any web link. Websites can impersonate one another. But my device stays secure.

iOS apps already work like that. Why does Apple have so little trust in their own security model?


I have no emotional attachment to any brand, and I suspect that you are projecting your own attachment by saying so. I simply want tools that take orders rather than give them. I want a system that gives me so much freedom that it will let me sudo rm rf myself. That is important to me on a pragmatic level (not an emotional one) because it is useful enough to me that it is non-negotiable.

The usual line after this is "then just don't use Apple," and you'll be happy to learn that I don't and probably never will regardless of what changes they make. I am just baffled by the comments in here defending their behavior. Why subject yourself to this? Of all the brands to get attached to, why the one that makes it so obvious that they're milking you for every dollar they can get? If that answer is that you genuinely can't avoid getting malware unless you are physically prevented from doing so preemptively, then so be it, but I don't get it otherwise.


> “I’ve driven many miles and never crashed. Why do I need to pay for seatbelts?”

Bad analogy. A better analogy is: I’ve driven many miles and never crashed. Why do I still need Toyota's permission to drive?

I'm absolutely in favor of "seatbelts" for computers, but that means sandboxing, not censorship or rent seeking. It also means you can remove the "seatbelt" when you need to.


I used seatbelts because every car safety measure you can think of has had someone complaining about having to pay a cost for something they’re too good a driver to need. Having apps notarized to enforce some basic legal & safety standards seems similar: it definitely costs more than zero, it definitely is a restriction on absolute freedom, but it helps prevent things which are statistically certain to keep happening otherwise.


That's a very weak argument in favor of Apple, and I respectfully disagree. Just another variation of the 'think about the children' meme without much substance, repeated in every single Apple discussion ad nauseam.

Look, you lock your phone as much as you like, your device, your choices (here we are already very far from the Apple mindset). Why the obsessive need to push this on literally everybody and not even giving the choice? Maybe you have some serious impulse control issues, but most of us don't.

It can even be part of purchase process - choose ultra secure more locked down model, or on-your-risk more free.

But we all know all this is just about 1 singular thing - revenue via customer/market capture. Oracle stuff indeed.


> Look, you lock your phone as much as you like, your device, your choices (here we are already very far from apple mindset)

It keeps software and service vendors from going around security and privacy protections. Folks don’t always have a choice of what they have to install, so “just don’t install their stuff if you don’t like it” isn’t sufficient to achieve the same results, even if we ignore the inherent difference in UX between “100% of the software for this goes through the App Store” and “some software is not on the App Store”.

Doesn’t mean you have to agree that path is better, of course, but it’s also definitely not so easily dismissed as ridiculous.


Software and service vendors can't "go around security and privacy protections", they can do exactly what the operating system and Apple allow them to do (short of actual bugs and vulnerabilities which would exist regardless of distribution method).

Either those protections are technological, baked into the OS, and therefore apply equally to all installation sources, or they don't exist. There's no in between.


There’s in fact an in-between, which is humans enforcing rules. It’s what’s in place now. It does have an actual effect, it’s not like it’s imaginary or doesn’t do anything. Some of the rules aren’t practically enforceable by software alone, at least so far (things like “don’t try to fingerprint the user or device in unauthorized ways”).


Those rules are even less enforceable by human reviewers because they don't employ people to reverse engineer your app, never mind any subsequent updates.


Your contention is that the review process entirely fails at enforcing privacy and security rules that cannot be achieved entirely through automation, or fails at such a high rate that it may as well be entire?

That doesn’t reflect my experience submitting apps, nor as a user of Apple devices. It’s certainly imperfect, but it achieves a lot more than if they simply stopped doing it.

[edit] and in fact, some of the automated checks wouldn’t be practical to run on a user’s device—are those also totally ineffective?


Look at the history on the PC and Mac desktop side. Ever see someone who had Firefox or VLC, only the binary they got was loaded up with things not shipped by the real developer? Notarization prevents that shady phisher from talking your dad into installing “a critical security update!!!” from their own server and then either having it immediately get access to his stuff or walking him through logging into his password manager, etc.


I'm not against notarization as long as it's free (akin to Let's Encrypt) and strictly used for combating outright malicious software like you described, and not as a way to keep competitors off the platform, rent seek, or ban apps for "philosophical" reasons (like NSFW content).

They're intentionally conflating these objectives to give themselves an excuse for maintaining their stranglehold on users and developers alike. They need to give up some ground if their security concerns are to be taken seriously.

I'm sure all the smart people in Cupertino (and elsewhere) can figure out some really great solutions for protecting users in an honest manner, if only their leadership didn't instruct them otherwise.


Analogies don’t really work in arguments, it always just devolves into an argument about the analogy. They are useful in other contexts (like teaching, where it might be necessary to simplify something).

Overuse of analogies is one of the worst things the internet has done to discussion in general.


> Having apps notarized to enforce some basic legal & safety standards seems similar.

Which things, exactly?


Consider how well malware and adware has done where the authors can impersonate legitimate developers (remember when people got faux-Firefox as the first Google hit?) or can run distribution campaigns from shady web hosts for years? Notarization and domain limits mean Apple can block malware almost instantly and the developers have to burn a real company identity on each attack campaign.


https://news.ycombinator.com/item?id=39685272

Not exactly blocking immediately are they.


https://news.ycombinator.com/item?id=39685272

Making a safe choice by downloading an app from the app store where Apple reviews all apps for user safety and security.


Some people need to be protected from themselves though. I don't receive support requests anymore from my grandparents since they switched from a Windows-based computer to a ChromeOS system. It suits their needs while being locked down, and it limits the amount of damage that can be done.


Isn't ChromeOS secure because of sandboxing, not because of curation? And isn't the situation similar with iOS? I wouldn't really expect Apple's curators (or automated analysis) to reliably detect malware, but I expect the OS to limit what kind of damage can be done.


> I don't receive support requests anymore from my grandparents...

And yet the ChromeOS platform still supports putting hardware into developer mode.

Apple's policy is about protecting profits.


Mobile OSes are not the same as Windows or even Mac.


With typical usage they contain more sensitive data and people are less aware of what happens in them than PCs.

And mobile phones are perfect spying devices too. So the security question is more delicate


Well, not really. Usually people have all their personal data on their PC, rather than mobile phone.

Maybe this is changing for young people, but on my parents' hard drive (for example) there is 30+ years of all sorts of personal data, documents of every kind, emails, documents, etc. Not counting all the passwords and access saved in the browser itself.

If we talk about businesses, public administrations, hospitals basically everything is inside computers, including very sensitive data.


The location data from your PC, for example, is not nearly as sensitive as a phone.


Yeah, their main differentiator is that they’re locked down.


They're locked down through technological measures such as sandboxing, which is designed to resist against malicious guests regardless of their origin and distribution method.


and are most people's 2FA device


You mean like Android does?


I'm developing an open source app (Flutter). I have already started it in a simulator (KVM). I just don't want to jump through all the hoops and pay to be able to publish the app somewhere for iOS users.


Nah, I bet they'll let people install apps from anywhere, but for those apps they'll purposefully crack open the app sandbox to truly allow anything & everything, then when malware/scams hit Apple will be like "see, we told you it was a bad idea."

Predicting it now.


What a joke. No such restrictions on macOS or Android. It is completely useless and doesn't solve anything.


If indie developers were to qualify, anyone would qualify and security incidents would inevitably increase. That's what Apple is trying to prevent. Keep the attack surface small.

Apple's philosophy is similar to the justice philosophy of nations like Singapore. Freedom in exchange for security. Some people like the trade off and some don't. And if there is anything that we know for sure is that when it comes to tech, freedom is the last of people's priorities.


something something "those who give up freedom for security deserve neither" something something

The problem with the "freedom-for-security" tradeoff is that there is nothing to keep the security provider - a government or private corporation - from continuing to provide security once you've surrendered freedom. Apple was very good at combating scams and fraud on the App Store when the iPhone was new. The problem is, that's expensive, which is why Apple decided to charge 30% in the first place. Once competitors stopped trying to release mobile operating systems and users had been accustomed to "just download App Store stuff it's safe", Apple moved away from investing in App Store security. We can see this with how many outright scams wind up on the store today.

Singapore is a similar situation. The security a government is supposed to provide is protection against, say, organized criminals, but government and organized crime have the same structure, function, and incentives as one another. A government that takes away your freedom may be able to protect against organized crime, but that also lets them do exactly the same things organized crime might do. The only security this provides is security of Singapore's tax revenue and political control from appropriation by competing violence-users.

Same thing with Apple. They aren't securing you, they're securing themselves in power, with your security trickling down from their handcuffs.


My comment was from the point of view of the security provider. The security provider receives your freedom and gives you security. Of course, from the point of view of the freedom holder, there are no guarantees that the security provider will fulfill the promise in the sense that you expect (i.e. that they won't violate it themselves) but you can generally expect that they will at the very least reduce the number of individuals threatening your security from private individuals plus the state to just the state.

Your full and complete security can never be guaranteed unless you hand over your full and complete freedom. Sure, today there are many scams in the App Store but today there are also way more mobile users than there were in the early days and phones have gone from digital toys to holders of digital personal life.

If you want to see what a world where you keep most of your freedom looks like, try using the Google App Store with an average phone (see: phone with no security updates since 2021) and see how many scams you get. Guaranteed way more than Apple. Like an order of magnitude more.

Let me give you another analogy. You are a villager in a corrupt country besieged by out of control armed gangs taking control of areas of the country. Areas such as yours. You've got a corrupt country making your life hell and gangs making your life hell. Now you have a choice to move to another country where there is corruption but no gangs. That other country is Apple, Singapore and basically any South American country that got its gangs under control. There are millions of people that literally want to get an Apple, get into Singapore and get into this kind of SA country. Sure, a world where higher powers don't abuse their power is nice but that world does not exist in our reality. You choose the lesser evil. That's what Apple is doing here.


No, they want more money. They are hesitant to give up a big cash cow.


It doesn't have to be an exclusive choice for Apple: more money and more security for Apple. Many HN folks (many of them using plenty of Apple products) probably won't like it but the reality is that we all vote with our wallet and with our time.


We can also vote with our actual votes and outlaw behaviours we don't like.


It's an interesting situation.

We're all free not to buy Apple products if we don't like how they lock them down. There are several alternatives, Android being the most obvious. And yet, iPhones still sell well.

There are also minimum standards of behavior that we require of every participant in society, including regulations on the behavior of products.

The DMA's identification of "gatekeepers" makes a distinction between the requirements on products with smaller vs larger market shares. More successful products are now held to a higher standard, if you like.

This isn't unprecedented: progressive taxation, labor laws, etc -- there are many situations where this happens.

It's not like Apple has a monopoly on phones, but they're significant enough that the EU wants them to behave in a certain (different) way. Both the DMA and Apple's responses to it seem a bit clunky (so far). I expect it'll take some time for an equilibrium to emerge.

I think it's also notable that Apple now has (at least) three major different versions of its software/infrastructure: EU, China, and rest-of-world. I fear that's a trend that will only continue.



