Apple says it can’t secure home-screen web apps with third-party browser engines.
Apple is removing the ability to install home screen web apps from iPhones and iPads in Europe when iOS 17.4 comes out, saying it’s too hard to keep offering the feature under the European Union’s new Digital Markets Act (DMA). Apple is required to comply with the law by March 6.
Apple said the change is necessitated by a requirement to let developers “use alternative browser engines—other than WebKit—for dedicated browser apps and apps providing in-app browsing experiences in the EU.” Apple explained its stance in a developer Q&A under the heading, “Why don’t users in the EU have access to Home Screen web apps?” It says:
Addressing the complex security and privacy concerns associated with web apps using alternative browser engines would require building an entirely new integration architecture that does not currently exist in iOS and was not practical to undertake given the other demands of the DMA and the very low user adoption of Home Screen web apps. And so, to comply with the DMA’s requirements, we had to remove the Home Screen web apps feature in the EU.
It will still be possible to add website bookmarks to iPhone and iPad home screens, but those bookmarks would take the user to the web browser instead of a separate web app. The change was recently rolled out to beta versions of iOS 17.4.
The Digital Markets Act targets “gatekeepers” of certain technologies such as operating systems, browsers, and search engines. It requires gatekeepers to let third parties interoperate with the gatekeepers’ own services, and prohibits them from favoring their own services at the expense of competitors. As 9to5Mac notes, allowing home screen web apps with Safari but not third-party browser engines might cause Apple to violate the rules.
Apple warns of “malicious web apps”
As Apple explains, iOS “has traditionally provided support for Home Screen web apps by building directly on WebKit and its security architecture. That integration means Home Screen web apps are managed to align with the security and privacy model for native apps on iOS, including isolation of storage and enforcement of system prompts to access privacy impacting capabilities on a per-site basis.”Advertisement
Apple said it won’t be able to guarantee this isolation once alternative browser engines are supported. “Without this type of isolation and enforcement, malicious web apps could read data from other web apps and recapture their permissions to gain access to a user’s camera, microphone or location without a user’s consent. Browsers also could install web apps on the system without a user’s awareness and consent,” Apple’s FAQ said.
Despite the change, Apple said that “EU users will be able to continue accessing websites directly from their Home Screen through a bookmark with minimal impact to their functionality.”
Apple previously announced that its DMA compliance will bring sideloading to Europe, allowing developers to offer iOS apps from stores other than Apple’s official App Store.
Browser choice, security requirements
One browser-related change will be immediately obvious to EU users once they install the new iOS version. “When users in the EU first open Safari on iOS 17.4, they’ll be prompted to choose their default browser and presented with a list of the main web browsers available in their market to select as their default browser,” Apple’s developer FAQ said.
Apple said it had to prepare carefully for the requirement to let developers use alternative browser engines because browser engines “are constantly exposed to untrusted and potentially malicious content and have visibility into sensitive user data,” making them “one of the most common attack vectors for malicious actors.”
Apple said it is requiring developers who use alternative browser engines to meet certain security standards:
To help keep users safe online, Apple will only authorize developers to implement alternative browser engines after meeting specific criteria and committing to a number of ongoing privacy and security requirements, including timely security updates to address emerging threats and vulnerabilities. Apple will provide authorized developers of dedicated browser apps access to security mitigations and capabilities to enable them to build secure browser engines, and access features like passkeys for secure user login, multiprocess system capabilities to improve security and stability, web content sandboxes that combat evolving security threats, and more.
Overall, Apple said its DMA preparations have involved “an enormous amount of engineering work to add new functionality and capabilities for developers and users in the European Union—including more than 600 new APIs and a wide range of developer tools.”