Apple will allow iOS app downloads directly from websites in the EU

Summary

Apple plans to allow some developers to distribute their iOS apps directly from websites in EU countries. However, developers must follow Apple's strict rules and meet notarization requirements to protect the integrity of the platform. Users must approve the developer in the settings of their iPhone and a system window will display information that the developer has submitted to Apple for review. Only major developers who meet specific criteria, including one million first annual installations in the EU, will be able to use this distribution method.

 

Quotes

Quote

"The ability for developers to bring their apps directly to iPhone users in the EU without having to go through the App Store or another third-party store will be useful for some willing to put up with the tight restrictions. There’s some obvious friction for end users, but with some third-party stores requiring fees, this allows iOS developers to avoid stores altogether if they’re willing to host their apps directly and abide by Apple’s rules and policies." - Tom Warren, The Verge.

 

My thoughts

The fact that this is limited to only big major developers is such a shame, since this means that the ability to distribute iOS apps via websites will not be available for 99% of all developers. Also, it's worth discussing if most users will even care to go through the hoops of approving developers from websites just to avoid the App Store. Once again, Apple has made the option of distributing and downloading from outside of the App Store such a painful process for both developers and consumers that I doubt that the DMA (Digital Markets Act) from the European Union will have much effect at all in the end.

 

Sources

https://www.theverge.com/2024/3/12/24098334/apple-ios-web-distribution-eu-app-store-changes 


16 minutes ago, creat0r said:

Apple's strict rules

I assume this is regarding security? One of the reasons I use iPhones is for security and not being able to download untrustworthy random apps on my phone


9 minutes ago, Blasty Blosty said:

I assume this is regarding security? One of the reasons I use iPhones is for security and not being able to download untrustworthy random apps on my phone

I mean, Samsung has Auto Blocker which blocks everything non authorized and official. If you want pure security you can enable it and it will refuse to allow any sideloading entirely. But you can also choose not to if you want to sideload. Why can't Apple just do that instead of being always so stupidly pedantic about "their ways"?


3 minutes ago, RejZoR said:

I mean, Samsung has Auto Blocker which blocks everything non authorized and official. If you want pure security you can enable it and it will refuse to allow any sideloading entirely. But you can also choose not to if you want to sideload. Why can't Apple just do that instead of being always so stupidly pedantic about "their ways"?

This will probably be the route they end up taking, both sides of the argument are happy

 

3 minutes ago, Senzelian said:

No, it's about money. It's always about money.

lol expected


Apple only want money out of this. It's the reason why they want people to stay in their store and it's the reason the 3rd parties have to pay fees. They put in all this effort for legislation and it is pretty much useless. 

I'm usually as lost as you are


The fact that Apple has to authorize developers at all means little has changed. The point isn't the literal app store, it's the control they have over the market.


1 hour ago, RejZoR said:

Why can't Apple just do that instead of being always so stupidly pedantic about "their ways"?

As noted, money.

 

It works out well for the willing Apple consumer (me and my extended family). I like 'em because they just work, I recommend them to tech-illiterate family members (the type who fall for the browser freezing "call MS support" scam ads) because they cannot fuck them up much by themselves. 


Another joke. Dev needs to meet criteria and still apple needs to approve what you want to download.

 

The whole point of avoiding app store is to avoid this bullshit. Make the user type "Yes I am aware this may be virus" and let them install anything.


2 hours ago, Ydfhlx said:

Another joke. Dev needs to meet criteria and still apple needs to approve what you want to download.

 

The whole point of avoiding app store is to avoid this bullshit. Make the user type "Yes I am aware this may be virus" and let them install anything.

Because of social engineering.

 

You know how many people are stupid enough to get phished for things like fortnite vbucks? Phishing sites are never detected by AV products until it's too late. The same will happen with apps, because it happens right now on other platforms.

 

Having apple "approve" things removes that window of opportunity. We know they don't check enough for submarine  code, which is how Epic got in trouble in the first place.


7 hours ago, creat0r said:

Only major developers who meet specific criteria, including one million first annual installations in the EU, will be able to use this distribution method.

So if you have a new app or are a new company to iOS but still globally large you can't choose this method without first getting 1 million installs? Seems like unnecessary hoop jumping. Different requirements or more flexibility would make much more practical sense, which wasn't going to happen.


To be fair, one of the reasons you recommend iPhone to ageing relatives is that it's quite hard to screw up. If they could start downloading apps from links in malicious messages & emails, it would undermine iPhone as the 'safe' option. 

 

Yes, Apple are restricting it for revenue reasons, not customer friendly ones. But all big companies, and most small ones, put profit ahead of customers interests. That's capitalism.

 

 


1 hour ago, Monkey Dust said:

To be fair, one of the reasons you recommend iPhone to ageing relatives is that it's quite hard to screw up. If they could start downloading apps from links in malicious messages & emails, it would undermine iPhone as the 'safe' option. 

How about they put the option to allow sideloading, but disable it by default and bury it deep inside the settings?
Heck, they can even add a requirement to solve 10 captchas in order to toggle sideloading on... that should keep elderly relatives from accidentally enabling it. 😄

 

3 hours ago, Kisai said:

Having apple "approve" things removes that window of opportunity. We know they don't check enough for submarine  code, which is how Epic got in trouble in the first place.

Your 2nd sentence invalidates the 1st one.

 

Also, if you meant the window being "phishing" (impersonating another app)
[image attachment]
Followed by:
https://techcrunch.com/2023/06/07/apple-updates-its-app-store-rules-to-crackdown-on-clones/
They sure are doing a great job of stopping such apps from entering their walled garden. 😄

 

Edited by Biohazard777


6 hours ago, Monkey Dust said:

To be fair, one of the reasons you recommend iPhone to ageing relatives is that it's quite hard to screw up. If they could start downloading apps from links in malicious messages & emails, it would undermine iPhone as the 'safe' option. 

 

Yes, Apple are restricting it for revenue reasons, not customer friendly ones. But all big companies, and most small ones, put profit ahead of customers interests. That's capitalism.

 

 

If you turn on Auto Blocker on Samsung, I very much doubt any non techy person would be able to find its setting and disable it, even though it doesn't even have a lock option for the setting.


Would this work under a VPN?


9 hours ago, Monkey Dust said:

To be fair, one of the reasons you recommend iPhone to ageing relatives is that it's quite hard to screw up. If they could start downloading apps from links in malicious messages & emails, it would undermine iPhone as the 'safe' option. 

so where is this problem on android?

 

If Apple devices can only be secured by the requirement of downloading apps through the approved app store, then it's not actually secure at all.


17 hours ago, Blasty Blosty said:

I assume this is regarding security? One of the reasons I use iPhones is for security and not being able to download untrustworthy random apps on my phone

Partially, but given recent developments their rules seem to be "we must like you personally and you must not in any way prevent us from making money". Despite the propaganda their security checks have never been very good, even within the app store... if you obfuscate your hidden API calls your app will just breeze through the filter with apple being none the wiser.

11 hours ago, Kisai said:

Because of social engineering.

 

You know how many people are stupid enough to get phished for things like fortnite vbucks? Phishing sites are never detected by AV products until it's too late. The same will happen with apps, because it happens right now on other platforms.

 

Having apple "approve" things removes that window of opportunity. We know they don't check enough for submarine  code, which is how Epic got in trouble in the first place.

Or they could just make this opt-out with a big ol' warning that disabling the restrictions exposes you to risk. As you mentioned, idiots will get phished and scammed anyway through regular old websites.

 

Or, they could have a collective verification system that doesn't entirely depend on Apple's interested opinion, and their mediocre security checks, determine whether an app should be allowed.

10 hours ago, Monkey Dust said:

Yes, Apple are restricting it for revenue reasons, not customer friendly ones. But all big companies, and most small ones, put profit ahead of customers interests. That's capitalism.

Except here it's also an abuse of monopoly power. As an app developer you can either play ball with them and accept any condition they impose or lose what, a third of your potential market? That's mob level behavior.


32 minutes ago, Sauron said:

Except here it's also an abuse of monopoly power. As an app developer you can either play ball with them and accept any condition they impose or lose what, a third of your potential market? That's mob level behavior.

The thing is unless forced a publicly traded company in a position with 1/3 of the market you're always going to get this unless you either have a shareholder vote that highlights this is not the wishes of the shareholders or you have legislation that makes the shareholders choice between operating in the market or not.

Cutting off the company's largest revenue growth vector without direction from the shareholders is not something any CEO is going to do unless forced by external (legal) messes. The CEO is responsible for the investments of shareholders of the company not the small companies it crushes.


36 minutes ago, Sauron said:

Or, they could have a collective verification system that doesn't entirely depend on Apple's interested opinion, and their mediocre security checks, determine whether an app should be allowed.

Scanning for known malware signatures is not example `opinion` based. And the law explicitly lets the platform owners do this, even lets them retroactively revoke applicant certificates if later on it is found to be infected.

 

 

38 minutes ago, Sauron said:

"we must like you personally and you must not in any way prevent us from making money"

"Good standing" is not about if Apple like you, under the EU laws that does not matter. But what does matter is if you are known to be a spam producer or to be re-publishing pirated software... What you can't just do is spin up a quick and dirty account and then go and pirate all the popular games with cracks that give people insight gems (once they give you their CC number) and publish these on your website.

 

40 minutes ago, Sauron said:

if you obfuscate your hidden API calls your app will just breeze through the filter with apple being none the wiser.

Notarisation does not check for the use of private APIs (that is a separate check), what it checks for is signatures of known malware. And it does detect this.

Using private APIs is not a security risk, it is a stability risk, as these private APIs will be changed without notice and your app will break. The sandbox wraps your application process, this includes all dylibs it loads including all the private APIs within them.


15 hours ago, Ydfhlx said:

Another joke. Dev needs to meet criteria and still apple needs to approve what you want to download.

 

The whole point of avoiding app store is to avoid this bullshit. Make the user type "Yes I am aware this may be virus" and let them install anything.

So the approval needed is 2 fold. (and well within the DMA rules)

1) The app passes a malware scan...
2) The app's description matches at least somewhat to what it is. (this description that is checked by a human is also shown to the user when they install the app by the OS)
3) The HW entitlements the app uses are justified and have clear reasons when prompting the user for access. E.g. a game wanting to install a root certificate and set up a VPN whenever you open it might struggle.

But the review does not look at the app content, e.g. you can have a porn app, a gambling app etc. Apps that are directly clearly illegal activity (if you wanted to create an app for buying class A drugs and it was clearly not a joke app but a real service) Apple would not only be required to block it but would also likely be required to report you to the police. In addition clear blatant piracy where you take an existing app, do a small modification to the binary and re-sign it as yours will be detected and blocked.

 

The avoiding the App Store is avoiding all the other rules, stuff about content like porn etc, and all the constraints of the pricing model... for example the pricing model Floatplane use on the web would not be possible/easy to do on iOS (Floatplane would need to issue an app update every time they added a streamer to let users have multiple separate subscriptions active at once, and it would get very difficult to manage as the platform grows).


11 hours ago, Biohazard777 said:

How about they put the option to allow sideloading, but disable it by default and bury it deep inside the settings?
Heck, they can even add a requirement to solve 10 captchas in order to toggle sideloading on... that should keep elderly relatives from accidentally enabling it. 😄

No, cause a determined scammer will tell you how to do it. You don't want it as a first leaf option in an options menu, but you do want it buried under a "expert developer options" menu that includes things like USB accessories authorization and certification revocations. Putting a message in here "not to change functionality here unless you are developing software or hardware for the iPhone, Apple is not responsible for damage to your device from changing these options."

 

 

11 hours ago, Biohazard777 said:

Your 2nd sentence invalidates the 1st one.

No it doesn't. Much of the malware domains last less than 24 hours. Getting your app approved takes longer than 1 day, last I checked it could take like a week.

 

 

11 hours ago, Biohazard777 said:

Also, if you meant the window being "phishing" (impersonating another app)
[image attachment]
Followed by:
https://techcrunch.com/2023/06/07/apple-updates-its-app-store-rules-to-crackdown-on-clones/
They sure are doing a great job of stopping such apps from entering their walled garden. 😄

 

No, that's a different problem, where the app is legitimate, but it's just wrapping a webview over another product, and we've seen this kind of software product counterfeiting before with most GPL software in some shape. Every "THING TO MP4" application and website is simply wrapping FFMPEG. If it does the thing it says it does, even if the software is violating a license, it's not Apple, Google, Microsoft, Steam, etc's problem. That problem is between the software developer and the GPL software. Someone has to go reverse engineer it to find out if it contains code from the GPL software, or has wrapped it as an external program and is simply not following the license to include source code.

 

 

And that is what emulators fall under. They are a program that requires unlicensed copies of other software to operate.

 


1 hour ago, hishnash said:

So the approval needed is 2 fold. (and well within the DMA rules)

1) The app passes a malware scan...
2) The app's description matches at least somewhat to what it is. (this description that is checked by a human is also shown to the user when they install the app by the OS)
3) The HW entitlements the app uses are justified and have clear reasons when prompting the user for access. E.g. a game wanting to install a root certificate and set up a VPN whenever you open it might struggle.

But the review does not look at the app content, e.g. you can have a porn app, a gambling app etc. Apps that are directly clearly illegal activity (if you wanted to create an app for buying class A drugs and it was clearly not a joke app but a real service) Apple would not only be required to block it but would also likely be required to report you to the police. In addition clear blatant piracy where you take an existing app, do a small modification to the binary and re-sign it as yours will be detected and blocked.

 

The avoiding the App Store is avoiding all the other rules, stuff about content like porn etc, and all the constraints of the pricing model... for example the pricing model Floatplane use on the web would not be possible/easy to do on iOS (Floatplane would need to issue an app update every time they added a streamer to let users have multiple separate subscriptions active at once, and it would get very difficult to manage as the platform grows).

The issue is I don't trust Apple at all. They recently terminated Epic's dev account because of mean tweets lmao.

 

As a sidenote, there are porn apps in app store already: reddit.


3 hours ago, hishnash said:

The thing is unless forced a publicly traded company in a position with 1/3 of the market you're always going to get this unless you either have a shareholder vote that highlights this is not the wishes of the shareholders or you have legislation that makes the shareholders choice between operating in the market or not.

Which is why I want them to be forced.

3 hours ago, hishnash said:

Scanning for known malware signatures is not example `opinion` based.

That's not their criterion, and their scans as mentioned do not work very well.

3 hours ago, hishnash said:

"Good standing" is not about if Apple like you, under the EU laws that does not matter. But what does matter is if you are known to be a spam producer or to be re-publishing pirated software... What you can't just do is spin up a quick and dirty account and then go and pirate all the popular games with cracks that give people insight gems (once they give you their CC number) and publish these on your website.

Yes, that's how the law should work. Instead Apple blacklists developers based on whether they abide by their own, non legally mandated, terms of service.

3 hours ago, hishnash said:

Using private APIs is not a security risk, it is a stability risk, as these private APIs will be changed without notice and your app will break. The sandbox wraps your application process, this includes all dylibs it loads including all the private APIs within them.

It's absolutely a security risk because those APIs give you access to operating system functions that a non-root app should not have, at least not without explicit user consent. This has been used in the past to bypass iOS' privacy guards and sandboxing, for example. Not to mention this means that any obfuscated code, even malicious code, will not be detected.


7 hours ago, Ydfhlx said:

The issue is I don't trust Apple at all. They recently terminated Epic's dev account because of mean tweets lmao.

 

As seen with Epic a simple email to the EU can correct these things. The law around what Apple can do (once the EU ask them why they did something) is very very limited. They can ban you if you are breaking the law, or harming people through breaking the law but otherwise they can't do anything. So it's not a big deal, you don't need to hire a legal team and sue Apple for this either.

As to Reddit and being a porn app, yes there is porn there but that is just like a web browser etc, when you first open the app the first thing you see (by default) is not porn. You need to actively look for it within the app that is very different to say PornHub making an app as the only content of the app would be porn.
