Apple vs the Law

It’s extremely complex. I’m not debating whether they should comply - they should. But it’s gonna cost them years of engineering effort, and maintenance far into the future. See, for example, BrowserEngineKit

https://developer.apple.com/documentation/browserenginekit

They needed to engineer, maintain, document and support a whole class of APIs so that third parties can create their own competitive browser engines (that offer JIT, etc) while still maintaining iOS sandbox security. There are going to be hundreds of frameworks, thousands of APIs, that will need to come to ensure compliance with the DMA

Or, they could just let their pocket computers run the software users download and install, like every single other computer ever made and sold, rather than special-case engineer padded cells for every use-case, application class, or bit of interoperability.

Somehow, Android manages to do it. Not only for browsers; all apps have JIT access without any entitlement/review needed.

It doesn't seem like the average Android user is worse-off because of that, security-wise.

And Android apps can be installed from apk files without any Google involvement whatsoever. All apks are self-signed anyway and signing identity only comes into play for updates, not initial installation. As in, when you first install an app, it doesn't matter who signed it, but installing an update over an existing app requires the new apk to be signed with the same certificate as the initial one. This is to protect the potentially sensitive data in app's private storage (under /data/data).

But iOS requires that everything be signed by Apple in one form or another. Even debug builds of your own apps you run on your own device from Xcode. IMO, it is absolutely unacceptable to market your devices as general-purpose ones, make the SDK public, but still be an intermediary in app distribution for no good reason whatsoever. I'm surprised the EU is so seemingly patient with Apple's clearly contemptuous conduct.

The average Android user is far worse off security-wise than the average iOS user, and it isn't even close.

How so? As of late, Android FCZC exploits pay out more than iOS ones do at the moment[1]. And anecdotally from what I hear from friends involved in security, Android is very well hardened at this point and is equal to iOS despite having a much wider surface area for attacks.

[1] https://opzero.ru/en/prices/

You mean those users that don't even know what an application is? And you mean that software that only has the users best interests in mind and is not spying on them, trying to scam or confuse them into buying unnecessary stuff?

I think Apple has done a great job of protecting non-technical people from a lot of the possible harms of malware. There's a lot of incentive for them to make sure security is handled right. I'm convinced going back to the 90s and giving every software developer full access to users phones would create a lot more problems than it would solve.

An iPhone isn’t a pocket computer. It needs to be really secure because someone gaining full access to it through a badly written browser would cost you your life savings if not your life for some.

How and why is that somehow fundamentally different from someone gaining complete access to your computer, which allows you to run anything freely? Both are your personal devices that store your sensitive personal information.

Maybe let's not optimize everything around people being tech-illiterate? We live in a society. You are expected to have some baseline knowledge to live in one. So let's instead educate people about that stuff instead of encouraging ignorance and punishing power users.

Would be nice if everything instantly became better with a bit of explanation, but I'm just a bit to cynical to trust that. Most people using tech need guard rails.

That’s a very good and valid question but did they sell the device with the premise that anyone can run any app they want or only the apps Apple approved can run?

We believe in the same thing, our devices should be free like speech. But the whole thing turned into a show because some rich software companies don’t want to pay Apple 30% while they have no problem with other platforms like gaming consoles.

Yes, guard rails are good. I'm not denying that. They are an important part of user education.

But only when they can be overridden. MacOS around 10 years ago is a good example. It came out of the box in a foolproof state — only apps from the app store or registered developers would run, and SIP is enabled. But if you know what you're doing, you could disable both those things without any loss of functionality.

Apple does market the iPhone as a general-purpose communication and computing device. Not an appliance like a game console. Most iPhone users don't know what making an app is like, how asinine the app store review process is, and what kinds of bonkers rules developers have to follow.

Apple initially did that to protect the ecosystem from malware and make sure all apps meet their quality standards. Also to make distribution easy for indie developers. All commendable goals. But as the iOS market share grew, this turned into a very convenient revenue source that they can't let go now.

You can see the problem by browsing old help forums and see how often people suggest 'disable SIP' as a solution to some problem instead of really fixing the problem. Also, the clueless user will -at best- just follow instructions and disable all kinds of security features making them more vulnerable to malware.

If someone is trying to help themselves by participating in forums and following instructions, that's already very much an above-average user. They'll be fine anyway. I'm talking more about the kinds of people who would download a .jpg.exe and run it. Or transfer their savings to a "safe account" because someone called them out of the blue and told them to do so. Or fall for scammy ads. You get the idea.

I'm more concerned about the 'good with computers' type people helping the average users. Those are the people who use google and forums and leave other peoples phone and/or computer in a less than optimal state which makes the .jpg.exe attack more likely to succeed.

Average Android users are not targeted by exploits.

> some rich software companies don’t want to pay Apple 30% while they have no problem with other platforms like gaming consoles

Why would you think they don't have a problem with the cut game console manufacturers take?

It's also different kinds of companies: Epic and Spotify have quite different concerns, for example.

Would you say that's primarily due to JIT, or maybe due to the budget for security patches for most Android devices being a tiny fraction of what Apple has?

You missed my point. My point is that if Apple wants to add this now, it's going to cost them engineering resources.

You think side loading on Android cost Google "nothing" to implement and maintain? No, it costs them engineering resources to support that feature. It's a good feature to support and it's beneficial to users. But it's not free, it doesn't magically insert itself into the Android codebase if they "comment out an `if` statement" as the GP suggested.

Also, Android is gradually adopting many iOS-like permissions and security models. We recently updated our Android apps related to reading and writing to the file system. Why is that? Because the free-for-all they shipped with was heavily abused by developers.

Google engineered and maintains the system that allows you to install APK files. This is my point. The fact that they have developed a security model around APK updates is exactly what I'm talking about.

If Apple wants to offer something similar, now, they are going to have a lot of work cut out for them.

You're not thinking this through, it's not a magic button Apple presses. They are going to have to develop a ton of frameworks just to get something like installable APKs.

Apple allows developers to use iCloud and Maps for free. Presumably because you distribute through the App Store. So if they allow for side-loading they're going to have to lock down and split their App Store "services" into a separate framework — hey, sounds familiar? Just like Google Play services.

Separating out all of Apple's authentication layers, paid and cloud services, and ensuring apps can be cleanly distributed without dependencies on those things it not a trivial engineering exercise.

I'm not trying to imply that Apple should not comply with the DMA. I believe they should. I also believe that it would be a seriously complicated thing to extract their App Store services from their developer APIs in such a way that people could develop against a baseline SDK sans Apple services.

That is an oversimplification of what I stated.

Apple has a significant engineering challenge to turn their current operating system into something that allows side-loading similar to what Google offers. It's not a matter of "commenting out an if statement"

The current developer SDKs Apple offers are strongly tied to their services, which cost them money to run. So first thing is, they have to decouple that so developers can implement applications using a baseline SDK that does not use Apple services (no iCloud, no Maps, no HealthKit and so on)

I think it would be great for users if they did do this. It would be akin to what Google does by shipping and updating Play Services separately from the base Android install

The reason I linked BrowserEngineKit is because if you want to do this properly, you have to build something like Apple has built with that framework (which was built to comply with these policies). Take for example, implementing your own JIT: because arm64e uses pointer authentication, the system uses PACs to ensure that pointers into executable code have not been tampered with. Apple now develops and supports a whole slew of APIs like `be_memory_inline_jit_restrict_rwx_to_rw_with_witness()` in order for developers to manage this themselves.

You saying "just let their pocket computers run software users download and install" is not like every single other computer ever made and sold. This is a gross oversimplification of the modern state of computing, both on mobile and on desktop. There are reasons you don't want random developers loading code into your OS kernel, and Windows and macOS both have protections for this (though the CrowdStrike crashes recently shows what happens when those protections are lax!)

If Apple gave the users root and let them run arbitrary software and just didn't sign certificates for their infrastructure (for push for example) this wouldn't be a problem. Supposedly they've already even developed a VTE for iOS. All they need to do is have a toggle under settings to disable signature checking and ship the VTE so people have an escape hatch and everyone would probably calm way down.

Sure, I'd be into that. But that would not comply with the DMA I think? As in, Apple still has a ton of work to do, engineering wise, if they are to make their platform available to all in the way specified by the DMA

For example, I don't think it would fly that they could say to the EU: users who want a third-party browser just have to enable root access and lose access to all Apple services and authentication

Ah I forgot Apple advertises managing SSO as a feature of iOS and not an external service like sane people would.

Well. I guess they'll have to choose between opening it up like every other company does or acknowledge that it's a separate pay for service then.

They do a lot of that kind of thing and my answer for all of it is the same: Open it up to everyone or acknowledge it's a pay-for cloud service that has nothing to do with the actual phone OS. If people have root they can (and will) develop their own services that won't need that which would comply with the DMA.

I want my phone to be free like speech and I want free commerce. But I also know that if people start ganging up on and start taking over other people’s property, not because they did anything illegal but because they just don’t like them anymore, things soon turn savor really fast.

The Original iPhone didn’t have any apps and Apple later created their own ecosystem with an end user agreement which supersedes the ads.

The digital market should be regulated for sure but what’s happening is a bunch of companies who are in the digital market (and not regulated themselves) exploiting the public sentiment and the regulatory processes.

Spotify and others fail to mention that they were able to access billions of Apple customers without paying a single dime to Apple initially which is unheard of in business relationships.

I keep seeing that argument made but it doesn't make any sense.

Yes, Apple may deserve a cut when a user was acquired thanks to the app store alone. Like in that case when you're an indie developer and the app store putting your app listing in front of potential new users is genuinely helpful. However, to many developers, and especially large ones like Spotify that do their own marketing, the app store is a hindrance. It's an obstacle they need to clear. It provides no value to them.

Spotify is able to "access billions of Apple customers" because Spotify spends millions on ads and because statistically some people who would like to use Spotify on their phone happen to have an iPhone. Apple has no part in this at all. Simple as that.

> The Original iPhone didn’t have any apps and Apple later created their own ecosystem with an end user agreement which supersedes the ads.

The whole "user agreement" thing is one of the biggest problems, because it means Apple thinks you buying an iPhone doesn't inherently entitle you to the advertised functionality of it.

Which is, to out it mildly, highly misleading and potentially illegal. The "small print" shouldn't contradict the big picture. You can't pretend you're selling a device and then turn around and declare that those sales were only about raw hardware and not actual functionality. That's not how products work, and most importantly, not how consumer protection laws see it.

The reason why Apple is so adamant in this line of reasoning is clear once you factor in the App Store rationale. From that perspective, any time a third-party app runs on a user's device and calls iOS APIs in order to actually function, it's not part of what the user actually paid money for. Any execution of any software that uses those APIs is an additional transaction altogether, dealt with separately through the iOS EULA. In short, Apple's position is that any time iOS does anything, either by default or powering a third-party app, it's not actually part of the functionality that was paid for in full by the iPhone's owner, because the owner never paid for ANY functionality at all, only the hardware.

Sounds like they're better off then, since they're not getting targeted?

No, the threat to most users is losing their device, cloud backups, sensor permissions, and the like. The price of a remote zero click has nothing to do with whether your phone offers end to end encrypted cloud backups (which Android does not) or secure bioauth (remember when Android vendors shipped various insecure versions of face unlock before giving up on replicating Face ID?).

> Why would you think they don't have a problem with the cut game console manufacturers take?

Because they haven't sued them in the US nor lobbied the EC to label game console manufacturers as "gatekeepers".

This is the case with any kind of computer and the iPhone is not particularly secure, you're just locked out of yours.

Japan is also a very big player in the console market by the way. Anyway, I got sidetracked, nobody has to put their apps on Apple products. The premise Apple is making is that they're allowing access to billions of possible users in exchange for a certain percentage of the sale price.

The record labels are charging artists up to 50% for an album and nobody is even betting an eye about it or talking about regulation. That's why I find all this noise so artificial.

It's called EULA Roofie. I think Apple will eventually fade away and be replaced by another company that has a more free and open platform. My main concern throughout this discussion is how we're drifting from regulating the digital market place itself. Preventing things like EULA Roofies etc. where somebody can track your personal life and sell it to others to manipulate you.

According to the App Store policies, if I remember correctly, technically all the customers belong to Apple. Although, the developers are also correct to see it the other way around as well.

The ecosystem was built on the assumption that hardware would be sold with its own profit margin and software would have its own separate profit margin to sustain its own operations, tools, and libraries.

The DMA made the entire software branch unsustainable and everybody thinks that Apple earned enough and they should give the software for free. Well, it's their platform and they're entitled to profit from it as they're pleased. Even the European Commission admitted that as well, because saying otherwise is akin to confiscating their intellectual property. I wouldn't bet the house on it but I think Apple would give up the European market before the core technology fee.

I would like to explain it, if you're genuinely interested.

Apple designs and manufactures incredible hardware and software. The ecosystem they created is beautiful, secure, and intuitive to use. When it was first announced, many people started using it even before they allowed apps on it. Apple later launched the App Store and allowed 3rd party developers access to their platform in exchange for a percentage of the sale price.

And this is where most people trip, it's their platform, not an open ecosystem. Apple is granting Spotify access to billions of Apple's users in exchange for a cut of the sale price. It doesn't matter if one person bought a subscription or one million, the platform still belongs to Apple. And in exchange billions of Apple customers are likely to purchase a subscription from Spotify.

If a company builds a 50,000 people capacity football stadium, and I open a concession stand in there in exchange for a percentage of the sales, can I say I want to sell to all these people without paying my contractual obligations? Spotify is free to sell their subscriptions and install their applications wherever they like but that's not the contractual agreement they had with Apple.

Private ownership is essential to our economy, Apple created this platform and their own it. Forcibly taking it from them would give all the wrong signals to everyone else about what could happen to them next. Who knows, maybe someone says you voted for the wrong party.

---

Digital marketplace, not just Apple or gatekeepers or whatever, must be regulated from the first principles. A couple of rich software companies cozying up to regulators and trying to force changes that will increase only their profit margins is not the way to do it in my humble opinion.

Well, if I have a state actor after me then I have bigger problems already.

Security is relative concept. For most people being able to browse internet, add/remove apps, and be sure that they will not break things goes a long way.

Yeah, who knows if the EU would see it that way. They may require Apple to provide first-party APIs that are equivalent in power to what they offer developers who submit via the App Store. Either way, my post was pointing out that it is non-trivial engineering effort to do this, and I think that's still the case.

Hell, just releasing my own personal code as open source — auditing it, decoupling libraries, removing internal stuff, it's a huge multi-week effort for me to do. For any company with as much code as Apple, it's pretty daunting

> . Apple is granting Spotify access

No. Those users control themselves. They are not Apples users. They own their own device and they are free to do whatever they want with the hardware that they own.

> the platform still belongs to Apple

No actually. The device is owned by the user.

> billions of Apple customers

They aren't Apples. They own their own device.

> e but that's not the contractual agreement they had with Apple.

Or instead of that, they can completely ignore apple's copntract, and force Apple by law to allow them access to this market. If apple doesn't like it, then they can leave the EU entirely, or accept 10s of billions of dollars in fines.

> Forcibly taking it

Its not Apples. The device belongs to the user.

> must be regulated from the first principles.

Ok, and what about the first principle of "A user owns there own device and should be free to pay Apple exactly 0 dollars for the ability to install spotify on the device that they own".

Thank you for writing it all out for me :D

You must be thinking this is all wrong. I completely understand and agree with your sentiment, but we're talking about what the contract says.

I'm not allowed to install any software I want on my car's computer, the platform belongs to them. They don't provide the tools, libraries, the know-how, or even sue the people who share it online. And similarly, according to Apple's EULA the devices cannot run any app that is not approved by Apple and they can even revoke their approval or even disable the phone.

Those were the license conditions the hardware sold under, which sounds very user hostile. Regardless, nobody has to buy their products, they chose to buy it because the benefits it provided surpassed the limitations. When Spotify created their developer account they knew what the limitations were as well. This isn't an open platform. One can sue Toyota to get access to install Spotify to Corollas and get another 500 million customers, but that also wouldn't work either.

The only thing that can stop Apple is people not buying their products and developers not making apps therefore reducing the value of their ecosystem. Only then they will by themselves would open the ecosystem, which they should've done 5 years ago.

Regarding the EU forcibly taking stuff over. Well, if push comes to shove, do you think the US would allow a 3 trillion dollar American company to be bullied, go after European companies or would they react in a really unpredictable way?

Apple devices are successful because they provide a great value. They didn't just sell the hardware like Nokia did, they kept delivering software updates and spend billions of dollars sustaining the ecosystem. The limitations were put to improve user experience, for example they didn't allow apps to run continuously in the background so that users can have all day battery life. The high level of control they have allowed them to provide greater value than other ecosystems which brought more users and so on. This requires continuous work to keep it running and they're entitled to be paid for their work.

And again, nobody has to buy their products, you can buy other products and install whatever software you want on those, and do whatever you want there. Android has a bigger marketshare and some people still use Nokia or Blackberry.

---

A digital marketplace consists of everyone that participates in the digital economy not just Apple. All the websites, service providers, apps, hardware manufacturers, users, companies, and their interactions.

You keep comparing appliances to general-purpose devices. You also act like the "accept to continue" legalese actually matters to anyone but the legal department that wrote it. Please stop.

When someone buys a car, they usually don't expect to run third-party software on it. They use it to get to places. They expect to use the built-in entertainment system to listen to music and maybe use CarPlay or Android Auto, and that's it.

When someone buys a smartphone, they expect to be able to install apps on it. That's the smartphone thing, that's what sets it apart from dumbphones. Third-party apps are what sells smartphones.

> Apple devices are successful because they provide a great value.

Uh sorry??? It may have been true 10 years ago, but an iPhone costs around $1000 now. That's outrageously expensive for what it is. You can say that about midrange Android phones, but definitely not about iPhones. You pay this much and still don't get to actually own the damn thing.

> for example they didn't allow apps to run continuously in the background so that users can have all day battery life

How is that related to the app store? Android does that as well. An app only gets to run in the background if it starts a "foreground service" which shows a persistent notification.

Sandboxing apps and enforcing their behavior does not require limiting what the user can do with their own device.

> This requires continuous work to keep it running

It absolutely does not. If iOS stopped getting updated 5 years ago, no one would've noticed. It's been a finished, feature-complete product for a long time.