That's not Facebook's fault its Apple's. iOS's UIWebView uses an older version of webkit and a much older version of there javascript engine. Apple doesn't want you building web apps they can't monetize.
I don't know if you're an iOS developer, but that's plain mis-information.
The reason native apps use a different flavour of WebKit to Safari is because the latter operates in a privileged security mode, whereas the former are all sandboxed. Mobile Safari uses a JIT compiler, but this introduces the possibility for remote code execution.
It's not that Apple 'doesn't want you building web apps they can't monetize' - it's that JIT compilation of JavaScript doesn't sit well with the current iOS security model.
People seem to easily forget that Mobile Web was originally the only way to get apps onto the iPhone. A number of Apple's own apps (the App Store, for example) are HTML based rather than ObjC based.
"It's not that Apple 'doesn't want you building web apps they can't monetize'"
That's simply not true.
1) A year ago Apple rejected one of our app updates because a webview inside the app had a payment form. (They told us that they do not allow any other payment option other than Apple in app purchases)
2) Yesterday they rejected yet another update for our app because it had a form where users could enter bonus codes.
Their explanation: We don't know if you are not selling those bonuscodes to your customers somewhere else on the web. (We don't, thats just bonus codes from promotion agreements with blogs/newspapers etc)
Of everything that irks me about the app store (and I say this as someone who uses almost exclusively Apple computers / mobile devices), this is pretty high up there. It makes it damn near impossible to run a successful marketplace businesses on iOS: if your business is based on skimming a percentage fee off the top of your user's transactions, Apple taking 30% is more often than not a dealbreaker.
That being said, that's not an issue of native apps vs. web apps. If you want your application distributed through the app store, anything payment-related (or even potentially payment-related) needs to go through Apple's payment services. Period. Apple would complain just as much if you had a native app that had your own payment form, and they'd be 100% fine if you built a pure webapp (i.e. not on the app store) that accepted non-Apple payment.
> because a webview inside the app had a payment form
You didn't get rejected because it was inside a webview. You got rejected because you were selling something outside of In-App Purchases. You know this.
That's insane, I just had the same 2) rejection and spent literally weeks thinking that I wasn't able to properly explain what the codes where for, because it didn't make any sense for them to reject that. But since you've had the same issue, i guess they really start to be seriously deranged.
That issue is not as simple as you make it out to be. Just in time compilation of Javascript requires an app to have permission to execute code that is generated as data on the fly. Applications with this permission are vulnerable to exploits.
The standard UIWebView available to applications doesn't include just-in-time compilation because 3rd party applications don't have this permission. This is the biggest reason why its Javascript engine is slower than the one built into Safari.
Apple doesn't want you building apps that open up exploit vectors into iOS.
If it really is an engineering challenge it needs to be fixed. We're going on 2 years of Mobile Safari having JIT and UIWebView not having it. They can simply make an exception for UIWebViews without making an exception for the rest of the app. I don't know their codebase and it might be really really hard to fix, but I hope it isn't something they've given up on. It cannot continue in perpetuity, as the web cannot continue to evolve if the makers of one of the most popular browsers have given up on speed improvements.
No they can't: part of a process cannot create executable memory while another part cannot. They'd have to move WebKit completely out of process: a huge task as it already does most text drawing.
An interesting alternative would be to enhance the current 'Save to Home Page' feature beyond specifying a manifest of resources and a home page icon. If this was fattened up to allow developers to make something that looked even more like an app but was running Safari (not a UIWebkitView inside a native app), you might have something interesting.
No, but web pages (including apps that are installed to the home screen and run full screen) run inside the MobileSafari process, which is much more carefully audited than your typical iOS app.
Audited how? Unless MobileSafari is itself tightly sandboxed, I don't see how auditing the code inside it is useful. Once you get malicious executable code inside MobileSafari, it can do whatever MobileSafari can do.
I doubt they're trying to audit behaviour, you can always write an app in Lua with an interpreter and they would have a hard time "auditing" the app statically.
The propblem is that if you allow executable memory you open aup a lot of exploit vectors. Now, that's true of Mobile Safari as well, but they trust their own team more than they trust you, and they have one app to watch instead of 100,000, and if an exploit os found they can push out a fix immediately, whereas 3rd party apps have a tortuous process for pushing out bug fixes.
Remember, it's part of their value proposition that apps from the app store appear to be relatively safe in comparison to the clusterfuck that is downloading random desktop apps, especially on Windows.
Can you give an example of an exploit that would do harm from within a UIWebView but would not do harm from within Mobile Safari? Not questioning you, I'm genuinely interested.
Given the current architecture, if UIWebkitView within an application can execute data, then the entire application can execute data.
So you could have a buffer overrun anywhere in the app. For example, if they are silly, you could go to the preferences for Facebook and enter a very, very, very long user name, overrun the name buffer, and have executable code.
That's not an exploit of UIWebkitView, it's an exploit of giving the application the permission it needs to have UIWebkitView use a JIT compiler for JS.
This seems like a silly argument. You can release a free app in the iOS app store with a UIWebView or as a native app. It seems like Apple is optimizing for safety (a sandboxed version of the web view) and encouraging app performance. I don't see any monetization strategy at the heart of this (since Apple's cut of a free app is still 0).
> Apple doesn't want you building web apps they can't monetize.
This doesn't even make sense. You have it backwards.
If you run a web app in Safari, or save it as a web app in the home screen, it's going to run full-speed. If you wrap it in a UIWebView and sell it in the App Store (hello monetization) it's going to be slower.
And that is somehow a valid justification for writing an inadequate "native" app? Why would you choose to do it this way then if the platform you are targeting is 1) important and 2) doesn't have good support for whatever technology you are using?!?!
This is equivalent to being hired by a bank to re-write an entire enterprise timesheet app and then I decide on using Websockets and WebGL. Of course I will blame the fact that the app doesn't work on any of the internal bank computers because "they run crappy IE8 and nobody should be running it anyway". Nevermind that 50% of the bank's computers have those constraints.
Sometimes, you have to face reality and write the best application that you can considering the current constraints that you presently have.
If UIWebView is the cause, how come the Android Facebook app is also really slow? And to be honest, even surfing to mobile.facebook.com in Mobile Safari the app was really slow.
You know it takes talent to write a statement that is so completely wrong.
Others have addressed the JS point but Apple originally wanted developers to only build web apps and it took a lot of convincing to get them to change their mind. Also Apple has a lot of free apps. So this idea that Apple is somehow obsessed with monetizing apps is simply not true.
Not really... if you write an app that's native, then in-app purchases are controlled by Apple and they get a 30% cut of those sales. If you build an app using UIWebView then you could by pass those in-app purchases and get 100% of the sale.
1) A year ago Apple rejected one of our app updates because a webview inside the app had a payment form. (They told us that they do not allow any other payment option other than Apple in app purchases)
2) Yesterday they rejected yet another update for our app because it had a form where users could enter bonus codes.
