Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

tbh, I thought the summary in techcrunch was much easier to read and concise.

>Browsers also could install web apps on the system without a user’s awareness and consent.

Couldn't this be entirely solved with an OS permission-like prompt "are you sure you want [progressive web app name] added to home screen?"



I guess that's why they say that "would require building an entirely new integration architecture that does not currently exist in iOS and was not practical to undertake given the other demands of the DMA and the very low user adoption of Home Screen web apps"


Well, this is just 'we don't want to do it because our market projections steer us in a different direction, but we really don't have any solid arguments so here is some blah our marketing & legal came up with'.

3 trillion company can implement this without breaking a sweat properly if they cared, what are they trying to say here - 'we are incompetent'? Not buying that for a second, we know they can deliver.


More like "that pesky eu is forcing us to behave like a normal company and we don't like that. Let's punish the users in hopes they'll revolt"


Personally, I'm not concerned with the costs of an EU mandate on Apple for interoperability but that could just be me.


You've not been asked to be concerned. Apple is saying what their reasoning is, and you can believe it or not, but you don't have to feel pitty for them.


Apple is just playing pr games trying to get their cult followers to rage against the DMA which apple hates having to follow. So yes, people are being asked.


So, as an abusive stepparent, you run the "Spy on Me" PWA on your stepdaughter's phone, and click the permission dialog, and she's none the wiser. Do you think that's great?

Apple does not.


If you're an abusive step-parent with access to your daughter's phone, you can already install "Spy on Me" software in the form of regular apps, a PWA changes nothing here.


Sure you can but Apple has at least a prayer and a hope of catching those apps in App review to protect users.

And if they don't, they have at least a chance of circling back and catching them later.

They want that.

With apps that they cannot review such as PWA apps, they have no such ability.


True, but in the regular app case apple gets its cut.


You can already do that with apps


But Apple can take those apps out of the App Store.


Sounds like the type of dialogue message I got sick of in Android


You don't want random processes firing off permissions prompts, you want them to remain meaningful to users on a platform else they'll get prompt fatigue. Think of all the prompts users see and just press 'ok' to.


Heard. But we're going to entirely eliminate all PWAs because there might be an additional prompt added? Seems excessive/specious to me.


It's not one additional prompt, it's a class of prompts that could be exploited over and over again. A single site could trigger hundreds by sites popping up in the background each which trigger it, and then the user's home screen is full of fake PWAs with names like 'save money' 'in debt?' 'casino cash bucks' etc. Next you're developing mitigations, spam cleanup, etc. We've gone through this kind of thing before.


If that's a real potential problem, why doesn't this already happen on Android?

Why would this be exploited on the relatively small marketshare platform that is iOS, when in all those years this year not been a problem on the dominant platform?

Because it's not a real problem.


You mean like this? https://www.tomsguide.com/news/hackers-are-using-a-new-trick...

This stuff is part of the reason people commit to the Apple ecosystem despite its shortcomings.

While Android dominates globally, iOS has nearly 60% market share in the US and some other countries.


i don't think that's right, i think apple dominates the US because they're genius at marketing and design. you don't have to build something more secure, you just have to convince people you did


I'm not especially aware of this particular thing, but sending an SMS with a link to a web page that asks to install a PWA seems to me like it would work on any platform that allows PWAs, irrespective of whether PWAs are restricted to one rendering engine or not, and totally unrelated to the exploit outlined in the post I was responding to (about a somewhat unclear process to me, that would open sites in the background, sending prompts to the user and somehow automatically installing many different PWAs this way).

What we are talking about is specifically targeted at the EU where iOS represents about 30% of users, and doesn't apply to the US. So it's unlikely that scammers would just hold off from exploiting Android and wait for the EU to force iOS to allow different browsers, and only then exploit this class of vulnerability.


That was in response to your statement that “in all those years this year not been a problem on the dominant platform”. It has. The exploit in the news article is only possible because of the way Android lets websites initiate a PWA install, with a prompt that looks like a normal app install, lacking any warning about unsecure sources.

Android was also infamous for causing users to develop permission-blindness and just accept everything, later replaced by every app havinf an extensive permission list that everyone just shrugs and accepts as normal.


The user would get rid of the app/browser that is doing this, no? The same way they would have to for any malicious app that persistently requests a special permission?


Yeah ideally. Given there are nearly 1.5 billion active iPhones tho, a lot (100s of millions) of users aren't going to understand the relationship between the prompts and the browser and/or know (/know how) to uninstall the browser and/or have desire to do it at the moment they experience the problem, especially if the browser has other qualities they like. Many more would just blame it on themselves, ignore the problem, etc. These users may make up a plurality or majority of iOS users, and have a totally different experience from a technical user working on a desktop OS (HN crowd).


I'm guessing you've never had to clean up a relative's Windows machine. I wish I could say the same.


Are you sure we can't have additional plugin toolbars for Safari? Maybe have one or two that tell us that we can get paid to surf the Web, and a couple of others that definitely don't show popups?


"Yes, allow install (this time)" / "No, don't allow install (this time)" / "No, and never prompt me again"?

iOS has been doing something very similar and it's arguably worked pretty well.




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: