Apple has decided to remove Progressive web apps from iOS in EU. If you have a business in the EU or serve EU users via Web App/PWA, we must hear from you in the next 48 hours!

  • bloodfart@lemmy.ml
    link
    fedilink
    arrow-up
    4
    arrow-down
    28
    ·
    10 months ago

    They’re removing pwa from the desktop, not stopping them from functioning entirely.

    You can still have a cobbled together insecure piece of trash but you gotta go to its url in the browser instead of clicking the app.

    Hell, you can still have a shortcut to it on the desktop.

    • dan@upvote.au
      link
      fedilink
      arrow-up
      18
      ·
      10 months ago

      insecure piece of trash

      Websites are more tightly sandboxed and more secure than native apps.

      you gotta go to its url in the browser instead of clicking the app.

      PWAs are more than just an app icon. “PWA” also means usage of particular APIs such as allowing the web app to work offline.

      • bloodfart@lemmy.ml
        link
        fedilink
        arrow-up
        2
        ·
        10 months ago

        I’m not gonna get into a back and forth over pwa security. It’s worth noting that offline pwa hasn’t worked on iOS for at least a year and two major versions of the os.

        • lud@lemm.ee
          link
          fedilink
          arrow-up
          4
          ·
          10 months ago

          PWAs has a bunch of other features too. Either way apple should fix the offline part instead of being assholes.

          • bloodfart@lemmy.ml
            link
            fedilink
            arrow-up
            1
            arrow-down
            1
            ·
            10 months ago

            I’m of the opposite opinion. The offline part doesn’t work because ios deletes web data after a week. So the pwa will work if you’re just out of range but isn’t a replacement for an actual factual app store thing.

            Once the eu ruling that lets other browser engines into the os takes effect, there will be nothing stopping pwa developers from bundling their own versions of chrome or Mozilla in their pwas and doing all kinds of stuff that was gated off before because the pwa had to work within the safari sandbox.

            How often will an os update have to be pushed just to keep the various privacy checks and whatnot on ios current with third party browsers?

            Apples gonna have to put pwas in Users Chosen Browser jail to be able to keep em on the platform at all.

            Tbh, I’d take pick your own browser but lose pwas any day.

            • lud@lemm.ee
              link
              fedilink
              arrow-up
              2
              ·
              edit-2
              10 months ago

              Just don’t delete web data for PWAs then.

              It’s ludicrous that Apple is always “I know better so I will take away this feature or never implement it in the first place”

              • bloodfart@lemmy.ml
                link
                fedilink
                arrow-up
                1
                ·
                10 months ago

                Okay, now you have a separate cache that defeats the os’ cache rotation policies and all that entails.

                I genuinely don’t like apple or google or any company but the position they’ve taken of breaking the new hotness fast and dirty skirt the rules development process in the name of keeping things normal is about the most correct decision any company can possibly make.

                You can be upset that it breaks stuff you use or that they’re making money but if I had control over a bigass platform like ios and wanted to maintain security while implementing a bunch of legally mandated changes it’s exactly what I’d do.

                • lud@lemm.ee
                  link
                  fedilink
                  arrow-up
                  2
                  ·
                  10 months ago

                  No, they could solve this “problem” if they wanted too.

                  They just want to be assholes like usual.

                  • bloodfart@lemmy.ml
                    link
                    fedilink
                    arrow-up
                    1
                    ·
                    10 months ago

                    What’s a good solution that preserves cache rotation but doesn’t require the developer to make a “real” app and offer it through official channels?

                    I can’t think of one.

                    there’s another post in this thread comparing pwas to flash. I think I it’s an apt comparison. Both were able to exist because of a bunch of little insecure ideas that became nooks and crannies of the browser as a platform. Spackling up those problems broke flash and eventually it died. Users expecting secure browsers will eventually kill pwas and then someone will come up with a new way to get hooks into the browser and build programs that don’t rely on users installing them on the os itself and that’ll take off and we’ll be in the same boat again.

                    Of course if things keep going the way they’re going, rendering engines will be so deeply embedded in the operating system that insecure applications running in the browser will be an even more serious risk than it is now.

      • bloodfart@lemmy.ml
        link
        fedilink
        arrow-up
        1
        arrow-down
        4
        ·
        10 months ago

        How is a piece of software that runs in the browser instead of directly in the os, uses a million little libraries and became popular as a way to avoid scrutiny on the distribution platform less secure than a website?

        Let’s assume you have great answers for all that and I’m made to look like a fool: when someone goes to a website, their guard is up. When they click on an app their guard is down.

        If nothing else pwas bypass user distrust of weird crap on the internet and that’s a bad thing

          • bloodfart@lemmy.ml
            link
            fedilink
            arrow-up
            1
            ·
            10 months ago

            I mean, you can come up with attacks that exploit a users behavior when they think they’re being careful but just consider the propensity to allow camera or location access in browser versus in app: when it’s in browser the phone request says “this website wants to use your location” and gives you the option. When it’s in app the phone (at least used to, I don’t think I have any pwas anymore) says “app_name wants to use your location”.

            Everyone trusts the app more. We all see that some website wants to track us and think “yeah right, and then bundle that and sell it!” But for better or worse we trust the applications more. It’s not reflective of actual secure procedures but it’s how people act.

            You made another comment about how specifically the webkit jail is very secure. It’s pretty good. That security is exactly why apples trying to tighten up the leash on pwas. One of the only reasons they’ve been able to keep em in and still say “oh we’re so secure” is because they know what the os will allow and what the browser will allow and what’s allowed to be on the os.

            This is all happening right after the eu said they gotta allow other browser engines so that’s one of the three legs of that security structure. I think a lot of what we’re seeing is in preparation for pwas to try and start bundling browser engines or targeting the behavior of non webkit engines (not even in like a security targeting way, like build targeting). Once that happens it doesn’t matter how perfectly the security structures of ios and webkit link up, the leaks between ios and gecko or chromium are the new top priority.

            Another concerning aspect about having pwas on other engines is how deeply security practices are integrated into ios. It’s got a bunch of little screens and settings and doohickies and gewgaws meant to make otherwise hard to comprehend security ideas not just easy to understand but easy to address.

            How can those user facing controls and whatnot be kept up to date in the face of more browser engines far outside the control of the developers making them?

            We do everything over the web nowadays and I’m not so sure the second biggest target needs to get exposed more.

            • sjstulga@fosstodon.org
              link
              fedilink
              arrow-up
              1
              ·
              10 months ago

              @bloodfart

              I’ve read through your comments and it seems like your primary concerns are:

              1. you believe users “trust” apps and “distrust” websites, and PWAs trick a user into a false sense of trust, and the user’s personal feelings are somehow relevant to the security of the software

              2. you believe that it is possible to bundle a browser engine, customized by the PWA developer, that will be installed with the PWA and the PWA will run inside of

              I’m going to need a source on 2

              • bloodfart@lemmy.ml
                link
                fedilink
                arrow-up
                1
                ·
                10 months ago

                If you don’t think users are part of the security equation I don’t know what to tell you.

                I’ll try to dig up a source for the second thing tomorrow morning when I’m in front of a computer. Four years or so when I dipped my toes into what was then a new technology to see what it’s all about that was the example in the site I looked at to learn how it worked and how to translate an interactive website into an offline pwa.

                As you can imagine I found that repulsive and dropped it like a bad habit. Seeing a multitude of pwas on every android device all doing out of band alerts and notifications just made me more opposed to them in general.

                Looking into the state of pwas today it really seems like the best support is through chromium/blink. Do you think once apple gets ahold of allowing other rendering engines they’ll allow them back on or what?

                • sjstulga@fosstodon.org
                  link
                  fedilink
                  arrow-up
                  1
                  ·
                  10 months ago

                  @bloodfart

                  I could be wrong, but I think you are simply mistaken because there should be absolutely no possible way for the PWA to install a browser engine onto your device? The user can first install the browsers of their choice, separately, and then install PWAs using that browser.

                  That would be a huge concern and really contradict the entire point and purpose behind PWAs as I understand them… I’ve been searching but can’t find anything like what you say. I’d love to see your source

                  • bloodfart@lemmy.ml
                    link
                    fedilink
                    arrow-up
                    1
                    ·
                    10 months ago

                    I dug up my old development backups from that time and I had it backwards, the advice was to read user agent strings and link directly to the version of the browser your pwa was designed for if you saw they weren’t running the “right” one and were worried about it breaking.

                    So I was mistaken but the reality was weirdly still bad.

                    I don’t know if that’s still commonplace. Right now it seems like a lot of pwas target chrome because it’s the most popular browser.