Apple Demotes Progressive Web Apps to Bookmarks for E.U. Users in iOS 17.4 ⇥ manton.org
James Moore, Open Web Advocacy:
We have been alerted that Apple has broken Web App (PWA) support in the EU via iOS 17.4 Beta. Sites installed to the homescreen failed to launch in their own top-level activities, opening in Safari instead. This demotes Web Apps from first-class citizens in the OS to mere shortcuts. Developers confirmed the bug did not occur outside the EU.
The iOS system has traditionally provided support for Home Screen web apps by building directly on WebKit and its security architecture. That integration means Home Screen web apps are managed to align with the security and privacy model for native apps on iOS, including isolation of storage and enforcement of system prompts to access privacy impacting capabilities on a per-site basis.
Without this type of isolation and enforcement, malicious web apps could read data from other web apps and recapture their permissions to gain access to a user’s camera, microphone or location without a user’s consent. Browsers also could install web apps on the system without a user’s awareness and consent. Addressing the complex security and privacy concerns associated with web apps using alternative browser engines would require building an entirely new integration architecture that does not currently exist in iOS and was not practical to undertake given the other demands of the DMA and the very low user adoption of Home Screen web apps. And so, to comply with the DMA’s requirements, we had to remove the Home Screen web apps feature in the EU.
Apple had two years or so to prepare for the DMA, but they “had to” to remove the feature entirely (and throw away user data) rather than give the third-party API parity with what Safari can do. I find the privacy argument totally unconvincing because the alternative they chose is to put all the sites in the same browser. If you’re concerned about buggy data isolation or permissions, isn’t this even worse?
Apple repeatedly talks about these “600 new APIs” as if it is a favor to developers, but it was Apple’s choice to handle it this way. For example, to comply with the DMA’s requirements on sideloading or marketplaces, Apple could’ve chosen a system similar to installing apps from TestFlight. This would require zero new APIs for developers, just as TestFlight itself has no new APIs when building a beta version of your app.
Apple created the new APIs — a significant number in MarketplaceKit alone — so that they would have control over distribution. By both reviewing marketplaces and requiring that marketplaces use new APIs to install apps, Apple can track app install numbers, allowing them to invoice developers the new €0.50 Core Technology Fee. The new APIs help Apple, not developers.
Apple has long promoted web apps as an open and free — as in speech — alternative to the more restrictive policies of the App Store. No matter why Apple made this decision, it is trading the inherently competitive web for third-party browser engines and app distribution for reasons that, as Reece explains, are difficult to believe.
To be clear, web apps will still work in the E.U. because, well, they are websites. But the gulf between them and native apps will be wider than it is elsewhere since none of the six hundred new APIs are for making Progressive Web Apps work with third-party browser engines.