I think Apple made a serious miss-calculation there. If they’re being honest, and removed web apps because they are technically difficult to implement, they should have said something along the lines of “we are working on this and will disable it temporarily to avoid penalties”.
But I suspect it’s got nothing to do with that. Web apps can run native code with WASM and it would only be a matter of time before someone (google?) releases a “browser” that allows you to run native Android apps. Or worse, native iPhone apps… bypassing Apple’s Core Technology fee since it’s “just a webpage”.
It would be a massive vector for malware. Without many options for Apple to fix if the users isn’t using safari to access the PWA. One that many more people are likely to fall for as they exist outside of any marketplace, even third party ones.
Apple doesn’t want to say this, as it makes iOS sound bad and it’s users irresponsible.
When you allow an app functionality it can be exploited. Security comes through only allowing apps that are vetted and routinely monitored (apps stored and repositories do this). The only way around this is to extremely limit softwares access to the rest of the system, which impairs functionality. Even access to sensors can be exploited to spy on users and access passwords.
When Apple allows users in the EU to install different browsers PWA would have apple relinquish all control over vetting of how PWA can interact with the system. The new browser would now be responsible for this.
Apple won’t be able to control it, but they will be liable in reputation for the damage that happens. Their walled garden doesn’t only keep their users in, it keeps hostile actors out (for the most part). iPhone users expect this and may see it as a feature. The same way Linux users see their distros repository as a feature. Remove this security will devalue the device in the minds of many of their customers.
I think you’re confused on this topic, because Apple has to allow users to sideload full applications soon. This is a much bigger attack vector than PWAs, which are still sandboxed in the respective browser. PWAs need to find a browser exploit + an iOS exploit, whereas native apps only need an iOS exploit.
No, they don’t only need a browser exploit, because the browser itself is sandboxed too. Otherwise the danger exists for literally every webpage - no need to install a PWA to break out if you have a browser exploit! You understand that a PWA is just a website and nothing more, right?
You understand that a PWA is just a website and nothing more, right?
This is sort of reductive. Yes, and no. It’s more than just a link on your home screen. More than just a set of html pages saved locally. It downloads the entire javascript app, the manifest, the icons, all that stuff and packages it up. When you run one of these you’d have no indication that you’re in a website. There is no browser URL bar or any of that. Only the controls in the app. It’s not really “just a website and nothing more”. It’s a javascript program running on a phones javascript engine (which is currently webkit and locked down). An app in just about every sense of the word. https://app.starbucks.com is a great example. Even works offline once you save it.
This is sort of reductive. Yes, and no. It’s more than just a link on your home screen. More than just a set of html pages saved locally. It downloads the entire javascript app, the manifest, the icons, all that stuff and packages it up. When you run one of these you’d have no indication that you’re in a website. There is no browser URL bar or any of that. Only the controls in the app. It’s not really “just a website and nothing more”.
No, it really is just a website and nothing more. Just because the browser UI is different doesn’t mean it’s a different thing. All of the technology itself is available to all websites, which is what is relevant for PWAs being “a massive vector for malware”, as initially claimed.
It’s a javascript program running on a phones javascript engine (which is currently webkit and locked down).
Yes, just like with any other website that uses Javascript. And Apple will have to allow other Javascript engines - so what’s the difference with PWAs specifically?
An app in just about every sense of the word. https://app.starbucks.com is a great example. Even works offline once you save it.
Yes, and the same APIs are available to other websites. Look up service workers.
I think Apple made a serious miss-calculation there. If they’re being honest, and removed web apps because they are technically difficult to implement, they should have said something along the lines of “we are working on this and will disable it temporarily to avoid penalties”.
But I suspect it’s got nothing to do with that. Web apps can run native code with WASM and it would only be a matter of time before someone (google?) releases a “browser” that allows you to run native Android apps. Or worse, native iPhone apps… bypassing Apple’s Core Technology fee since it’s “just a webpage”.
It would be a massive vector for malware. Without many options for Apple to fix if the users isn’t using safari to access the PWA. One that many more people are likely to fall for as they exist outside of any marketplace, even third party ones.
Apple doesn’t want to say this, as it makes iOS sound bad and it’s users irresponsible.
PWAs doesn’t change that, though. The users will instead just visit the page through their web browser
How so? If they actually have a secure operating system, even a buggy/insecure browser wouldn’t allow malware to do anything bad.
When you allow an app functionality it can be exploited. Security comes through only allowing apps that are vetted and routinely monitored (apps stored and repositories do this). The only way around this is to extremely limit softwares access to the rest of the system, which impairs functionality. Even access to sensors can be exploited to spy on users and access passwords.
When Apple allows users in the EU to install different browsers PWA would have apple relinquish all control over vetting of how PWA can interact with the system. The new browser would now be responsible for this.
Apple won’t be able to control it, but they will be liable in reputation for the damage that happens. Their walled garden doesn’t only keep their users in, it keeps hostile actors out (for the most part). iPhone users expect this and may see it as a feature. The same way Linux users see their distros repository as a feature. Remove this security will devalue the device in the minds of many of their customers.
I think you’re confused on this topic, because Apple has to allow users to sideload full applications soon. This is a much bigger attack vector than PWAs, which are still sandboxed in the respective browser. PWAs need to find a browser exploit + an iOS exploit, whereas native apps only need an iOS exploit.
PWAs only need a browser exploit. If alternative browsers are allowed apple no longer controls this mechanism.
It’s also easier to slip a PWA by a user, making it confusing for uniformed users who would be targeted.
No, they don’t only need a browser exploit, because the browser itself is sandboxed too. Otherwise the danger exists for literally every webpage - no need to install a PWA to break out if you have a browser exploit! You understand that a PWA is just a website and nothing more, right?
This is sort of reductive. Yes, and no. It’s more than just a link on your home screen. More than just a set of html pages saved locally. It downloads the entire javascript app, the manifest, the icons, all that stuff and packages it up. When you run one of these you’d have no indication that you’re in a website. There is no browser URL bar or any of that. Only the controls in the app. It’s not really “just a website and nothing more”. It’s a javascript program running on a phones javascript engine (which is currently webkit and locked down). An app in just about every sense of the word. https://app.starbucks.com is a great example. Even works offline once you save it.
You just described a website…
No, it really is just a website and nothing more. Just because the browser UI is different doesn’t mean it’s a different thing. All of the technology itself is available to all websites, which is what is relevant for PWAs being “a massive vector for malware”, as initially claimed.
Yes, just like with any other website that uses Javascript. And Apple will have to allow other Javascript engines - so what’s the difference with PWAs specifically?
Yes, and the same APIs are available to other websites. Look up service workers.
All this theater makes it look like a lot of their security is dependent on App Store verification. I hope it isn’t.
It really sounds like it. And then idiots will say apple was right when exploit come out