Apple has decided to remove Progressive web apps from iOS in EU. If you have a business in the EU or serve EU users via Web App/PWA, we must hear from you in the next 48 hours!
I’m using Android but I can give you a few personal examples on why I still prefer mobile websites to apps.
The place where I take weather has a shitty app full of ads and always sending notifications. They don’t have PWA offered on their site but just going through a browser instead of the app is significantly better.
YouTube’s app is also full of ads. So I use the mobile website in Firefox with uBlock Origin.
Again with awful apps full of ads. Twitter is also much more tolerable through the mobile website. There’s no autoplay on FF and again, ads blocked.
I still use IRC and my client is web based, so that I can see pictures and videos in my chats. The web based IRC client (The Lounge) offers PWA and it’s very nice to have the thing in a “clean” browser.
Again, I don’t use Apple for reasons like this, but Firefox is already pretty bad with PWA and having those possibilities mangled or removed wouldn’t be acceptable to me.
Maybe you don’t use a browser on mobile and just do everything through terrible apps. Maybe most people do the same. But if you don’t use it, why do you care if those using it want to retain the possibility to do so?
I personally don’t watch TV so nobody watches TV anymore, right?
Interesting. I do visit a few websites regularly but I guess I’ve always just kept the tabs open in Safari and called it a day. (And Safari just stays in permanent Privacy mode so that as much tracking data is flushed as possible each time I close a tab.)
For YouTube, I’ve found NewPipe (and probably others) offers a much better experience than YouTube in the web.
The real reason I want PWAs to be a thing is because I don’t want to always use iOS and Android, and PWAs allow me to use an alternative. I really want to use a Linux phone like Pinephone, and PWAs will be a big part of that transition. PWAs are the only truly cross-platform development option, so they offer value to web devs as well as users.
How is a piece of software that runs in the browser instead of directly in the os, uses a million little libraries and became popular as a way to avoid scrutiny on the distribution platform less secure than a website?
Let’s assume you have great answers for all that and I’m made to look like a fool: when someone goes to a website, their guard is up. When they click on an app their guard is down.
If nothing else pwas bypass user distrust of weird crap on the internet and that’s a bad thing
I mean, you can come up with attacks that exploit a users behavior when they think they’re being careful but just consider the propensity to allow camera or location access in browser versus in app: when it’s in browser the phone request says “this website wants to use your location” and gives you the option. When it’s in app the phone (at least used to, I don’t think I have any pwas anymore) says “app_name wants to use your location”.
Everyone trusts the app more. We all see that some website wants to track us and think “yeah right, and then bundle that and sell it!” But for better or worse we trust the applications more. It’s not reflective of actual secure procedures but it’s how people act.
You made another comment about how specifically the webkit jail is very secure. It’s pretty good. That security is exactly why apples trying to tighten up the leash on pwas. One of the only reasons they’ve been able to keep em in and still say “oh we’re so secure” is because they know what the os will allow and what the browser will allow and what’s allowed to be on the os.
This is all happening right after the eu said they gotta allow other browser engines so that’s one of the three legs of that security structure. I think a lot of what we’re seeing is in preparation for pwas to try and start bundling browser engines or targeting the behavior of non webkit engines (not even in like a security targeting way, like build targeting). Once that happens it doesn’t matter how perfectly the security structures of ios and webkit link up, the leaks between ios and gecko or chromium are the new top priority.
Another concerning aspect about having pwas on other engines is how deeply security practices are integrated into ios. It’s got a bunch of little screens and settings and doohickies and gewgaws meant to make otherwise hard to comprehend security ideas not just easy to understand but easy to address.
How can those user facing controls and whatnot be kept up to date in the face of more browser engines far outside the control of the developers making them?
We do everything over the web nowadays and I’m not so sure the second biggest target needs to get exposed more.
I've read through your comments and it seems like your primary concerns are:
you believe users "trust" apps and "distrust" websites, and PWAs trick a user into a false sense of trust, and the user's personal feelings are somehow relevant to the security of the software
you believe that it is possible to bundle a browser engine, customized by the PWA developer, that will be installed with the PWA and the PWA will run inside of
If you don’t think users are part of the security equation I don’t know what to tell you.
I’ll try to dig up a source for the second thing tomorrow morning when I’m in front of a computer. Four years or so when I dipped my toes into what was then a new technology to see what it’s all about that was the example in the site I looked at to learn how it worked and how to translate an interactive website into an offline pwa.
As you can imagine I found that repulsive and dropped it like a bad habit. Seeing a multitude of pwas on every android device all doing out of band alerts and notifications just made me more opposed to them in general.
Looking into the state of pwas today it really seems like the best support is through chromium/blink. Do you think once apple gets ahold of allowing other rendering engines they’ll allow them back on or what?
I could be wrong, but I think you are simply mistaken because there should be absolutely no possible way for the PWA to install a browser engine onto your device? The user can first install the browsers of their choice, separately, and then install PWAs using that browser.
That would be a huge concern and really contradict the entire point and purpose behind PWAs as I understand them... I've been searching but can't find anything like what you say. I'd love to see your source
I dug up my old development backups from that time and I had it backwards, the advice was to read user agent strings and link directly to the version of the browser your pwa was designed for if you saw they weren’t running the “right” one and were worried about it breaking.
So I was mistaken but the reality was weirdly still bad.
I don’t know if that’s still commonplace. Right now it seems like a lot of pwas target chrome because it’s the most popular browser.
@kilgore_trout@bloodfart apple wants people to jump through THEIR hoops to run anything on their phone, so they can get a 30% cut of the money. That's why they're so rich. PWAs bypass that. Apple would kill off web browsers too if they had the power - just like they did kill off Flash, which made the web too powerful for Apple at the time, giving not enough incentive to install their walled garden apps.
I’m not gonna get into a back and forth over pwa security. It’s worth noting that offline pwa hasn’t worked on iOS for at least a year and two major versions of the os.
I’m of the opposite opinion. The offline part doesn’t work because ios deletes web data after a week. So the pwa will work if you’re just out of range but isn’t a replacement for an actual factual app store thing.
Once the eu ruling that lets other browser engines into the os takes effect, there will be nothing stopping pwa developers from bundling their own versions of chrome or Mozilla in their pwas and doing all kinds of stuff that was gated off before because the pwa had to work within the safari sandbox.
How often will an os update have to be pushed just to keep the various privacy checks and whatnot on ios current with third party browsers?
Apples gonna have to put pwas in Users Chosen Browser jail to be able to keep em on the platform at all.
Tbh, I’d take pick your own browser but lose pwas any day.
Okay, now you have a separate cache that defeats the os’ cache rotation policies and all that entails.
I genuinely don’t like apple or google or any company but the position they’ve taken of breaking the new hotness fast and dirty skirt the rules development process in the name of keeping things normal is about the most correct decision any company can possibly make.
You can be upset that it breaks stuff you use or that they’re making money but if I had control over a bigass platform like ios and wanted to maintain security while implementing a bunch of legally mandated changes it’s exactly what I’d do.
What’s a good solution that preserves cache rotation but doesn’t require the developer to make a “real” app and offer it through official channels?
I can’t think of one.
there’s another post in this thread comparing pwas to flash. I think I it’s an apt comparison. Both were able to exist because of a bunch of little insecure ideas that became nooks and crannies of the browser as a platform. Spackling up those problems broke flash and eventually it died. Users expecting secure browsers will eventually kill pwas and then someone will come up with a new way to get hooks into the browser and build programs that don’t rely on users installing them on the os itself and that’ll take off and we’ll be in the same boat again.
Of course if things keep going the way they’re going, rendering engines will be so deeply embedded in the operating system that insecure applications running in the browser will be an even more serious risk than it is now.
One of the reasons it’s a good idea to clear the web cache is to prevent a few kinds of tracking and fingerprinting. That’s much more important on mobile than on a laptop or pc because phones go more places and can return and store information used to infer identities and locations very easily.
There’s a lot of good reasons but that’s just what popped into my head waiting in line.
Name resolution too. Can’t believe I forgot that.
There’s no limit to what browsers you can use on osx so pwa developers will just send over the payload that includes a custom version of chromium that they know to work with their package when someone with a safari/osx user agent tries to dl it.
If that sounds bad to you, it is.
There’s nothing but webkit on ios so pwas can’t do what they do on the desktop to avoid how the browser treats their data (and how the browser might work with the os to keep them from accessing other system files or doing weird crap).
Me: pwas are insecure and generally a bad idea. It’s easy to believe that apple is breaking the stuff that makes them possible in order to enhance security and I think it’s a good thing.
You: well they work fine on famously secure and privacy respecting platform android, did you ever think of that?
In all seriousness I do think pwas are gonna be put in users choice of browser jail on all platforms including the desktop eventually and as different aspects of their operation start making the news in bad ways they’ll get pruned away. Apple is ahead of the curve on this one.
I’m not sure if pwas will continue to exist once the stuff that allows them to function the way they do is taken away. Once you take away persistent cache, notifications, unique browser engines and probably some other stuff I’m forgetting they start to look a lot less enticing when compared to just having a website or making an application that’s distributed through normal channels.
Users should be allowed to use whatever they want and not be restricted by an asshole company that “respects privacy” when in reality it’s just about control.
That sounds a lot like the old windows 95 and dos days where the expectation was that the os would never stand in the way of even the most obviously malicious software.
I don’t want to go back to those days and even the most freedom loving environments have dropped support for operations like direct memory mapped io and more pertinent to the topic of our discussion, web technologies like flash and inline pdf rendering.
I get that it feels like someone is trying to take something away from you, but you gotta recognize that the thing they’re taking away is basically a gun pointed at your own foot.
I run a lot of systems that allow you to screw up, but I don’t have any complaints about one that doesn’t, especially when it’s on mobile: a platform with a much higher risk, reward for compromise, higher user trust and higher level of obfuscation regarding what’s happening under the hood.
It’s weird then that Firefox on the desktop doesn’t support them.
Just think on why that might be. Why both Mozilla and Apple would be opposed to something that Google is in favor of.
I mean, if pwas are no big deal then surely a platform other than chromium and android combined would be gladly embracing this new technology.
I’m really not trying to argue from a position of aged authority, but pwas are bad. I know because every time some way to make a webpage just like a program and also escape the browser has come up it’s been bad.
And when you look at it as a power struggle between big corporations pwas are being pushed by Google, the bad one.
I know that’s not convincing so let me ask you this: what would be? What would convince you that despite Apple being your enemy, pwas are bad?
Why both Mozilla and Apple would be opposed to something that Google is in favor of.
We don’t know Mozilla’s stance on it. (If you know, please link a source) Maybe they just won’t bother unless a full spec is out, who knows. And Apple isn’t opposed since they support it. They just don’t want anyone else to support it so they shut it down in the EU.
I mean, if pwas are no big deal then surely a platform other than chromium and android combined would be gladly embracing this new technology.
What platform? Chromium is extremely dominating and Firefox (and* derivatives) are pretty much their only competitor and Firefox just happens to lack much support (they support some stuff though).
Considering how big chromium is there is really no space for anyone else to actively not support it because they are so insignificant that it doesn’t matter.
Windows, Linux, macOS, iOS (Non EU) supports PWAs. What more do you want?
I know because every time some way to make a webpage just like a program and also escape the browser has come up it’s been bad.
I don’t understand what you are trying to say here.
What would convince you that despite Apple being your enemy, pwas are bad?
I dunno, facts? If they dropped PWAs in the rest of the world as well then it would still be an asshole thing to do (if their app store and ecosystem remains locked down) but it would come across as equally petty.
People should be allowed to use PWAs if they do damn well please. But no, Apple wants their “core platform fee” bullshit so they shut down PWAs in the EU.
Apple has always been incredibly anti-competitive (No I,m not saying Google is good either, but maybe better) which destroys any trust in cases like this:
It’s interesting that I’m not supposed to infer the Mozilla groups stance on pwas, but also not supposed to believe what Apple has directly stated.
I mean, the only thing Apple is preventing is the installation of pwas directly to the desktop, notifications and the use of persistent cache past a week, right?
You can still do a link on the desktop to an online pwa just like a link to some website.
And that’s only if the pwa is t distributed through their app store. Afaik if the developer goes through that channel of distribution they get to store data persistently (this is the running offline everyone’s up in arms about), use notifications, etc.
Personally I hate pwas and hope they go away, but even if you like them, surely these small constraints which are in line with other platforms won’t be a problem.
I don’t see any reason not to believe what apple says about needing to be safe with other browser engines since they gotta allow them in the eu. I mean, let’s give a real uncharitable look at ios security: maybe the vaunted secure platform is filled with undocumented flaws covered up by heavy integration between the rendering engine and the os. Maybe ios + safari sucks and they need to cover up as much of it as possible so the new browser engines don’t expose users to security vulnerabilities.
I don’t understand the question. Mozilla, or Firefox rather supports pwa on android, they dropped it from desktop Firefox for reasons that aren’t clear to me. I’m not sure how it would play out on iOS. I guess we’ll find out here soon enough.
Add comment