
Apple’s Dev Agreement Means No EFF Mobile App for iOS - sinak
https://www.eff.org/deeplinks/2014/12/sorry-iphone-users-apples-dev-agreement-means-no-eff-mobile-app-iphone
======
pseudometa
This comes across as though they never intended to make an app for the app
store and all along just wanted to call out apple on their term sheet. It is
purely a moral stance. Which is fine, but the article is slanted differently.

~~~
serve_yay
Yeah, I would be more interested to read an examination of why they are OK
with publishing on the Google Play store. You would have to be nuts to expect
the EFF to think Apple's dev agreement is peachy-keen.

~~~
declan
Isn't one big difference that Google doesn't attempt to prohibit you from
installing apps from other sources, which EFF also pointed out?

I just took a quick look at the Google Play Developer Distribution Agreement,
the Google Play Developer Program Policies, and the Android SDK license -- but
it looks like some other differences are:

* Unlike Apple, Google doesn't seem to limit developers' ability to make certain "public statements."

* Unlike Apple, Google doesn't seem to restrict jailbreaking or "enabling others to do so." The "Security Features" language in section 6 seems to come closest but isn't, IMHO, equivalent.

* Unlike Apple, Google doesn't insist on being able to "revoke the digital certificate of any of Your Applications at any time." (Section 7.2 of the Google Play Developer Distribution Agreement does say your app can be removed from the store, but the list of reasons is rather short and includes copyright, porn, malware, viruses...)

That was just a quick look, so I may have missed some things and would welcome
correction. I should add that I'm developing
[http://recent.io/](http://recent.io/) for both Android and iOS, so to the
extent Apple _is_ more restrictive, it's not a deal-killer for my purposes.

PS: EFF's Android app is on the Play Store here:
[https://play.google.com/store/apps/details?id=org.eff.action...](https://play.google.com/store/apps/details?id=org.eff.actioncenter)

------
sinak
For any other non-profits or companies who might need a similar app to notify
users, both the app (Cordova + Ionic) and the APNS/GCM push notification
server are open source and available here:

[https://github.com/EFForg/pushserver](https://github.com/EFForg/pushserver)

[https://github.com/EFForg/actioncenter-mobile](https://github.com/EFForg/actioncenter-mobile)

If you're an Android user, consider downloading the app. It's really, really
simple - it just sends you a push notification if there's an action EFF needs
your help with - but we hope to improve it over time.

[https://play.google.com/store/apps/details?id=org.eff.action...](https://play.google.com/store/apps/details?id=org.eff.actioncenter)

~~~
jerleth
Honestly, the play store is not any better than the apple app store.

I myself never agreed to the play store's license agreement and use my android
phone without it.

If you really care about privacy, consider hosting your app's APK yourself or
post it to a store that really respects its users' privacy, like f-droid
instead of supporting the play store. If your app is opensource like you
state, f-droid should host it.

Take care, Martin

~~~
jshevek
I agree with your sentiments about privacy and f-droid, but must nit-pick your
statement:

> Honestly, the play store is not any better than the apple app store.

Both stores fail at certain criteria, but by other criteria the Google Play
store is actually far, far better than the app store.

------
jewel
Does anyone know if the Google Play Store agreement or the Amazon App Store
agreement contain similar terms?

I'd love to see Apple open things up a bit. My personal pet peeve is that it's
nearly impossible to use LGPL libraries in iOS apps due to some of the terms.

~~~
comex
The Play Store agreement has a very similar clause which applies to all apps
plus the store itself (haven't checked the Amazon one). The Android SDK
agreement also has one, which may or may not be preempted by whatever parts of
it are available under open source licenses (depending on your interpretation
of "require"), but definitely applies to anything closed source (e.g. the new
Java compilers, if I remember correctly). So basically the EFF is full of
shit.

> Security Features. You may not attempt to, nor assist, authorise or
> encourage others to circumvent, disable or defeat any of the security
> features or components, such as digital rights management software or
> encryption, that protect, obfuscate or otherwise restrict access to any
> Content or Google Play.

\- [https://play.google.com/intl/en_us/about/play-terms.html](https://play.google.com/intl/en_us/about/play-terms.html)

> 3.3 You may not use the SDK for any purpose not expressly permitted by this
> License Agreement. Except to the extent required by applicable third party
> licenses, you may not: (a) copy (except for backup purposes), modify, adapt,
> redistribute, decompile, reverse engineer, disassemble, or create derivative
> works of the SDK or any part of the SDK; ...

\- [https://developer.android.com/sdk/terms.html](https://developer.android.com/sdk/terms.html)

~~~
yincrash
It doesn't require that you put DRM in your app. The iOS one does (which is
part of the build / submission process).

~~~
MCRed
You can call it DRM but what it really is, is security. Apps are signed,
preventing the running of unauthorized code, which keeps malware off the
platform.

If google really doesn't have this, then it's a shame, but it would explain
why there's so much malware on android.

EFF's position across this article is supporting malware, and preventing
malware is the clear cause and reasons for all the things the EFF opposes.

~~~
comex
Android encourages users to stick to the Play Store, but has an escape hatch
for users who don't want to. If Apple had such a policy, it might increase the
presence of malware, but only for users who explicitly decided to circumvent
the normal distribution process.

Most Android malware is distributed on the Play Store; the reasons it is
prevalent include the lack of review process and the Android permission
system, both of which are orthogonal to the ability to circumvent the store.

~~~
cpncrunch
I think Apple's policy is mainly aimed at preventing competing app stores. You
see them having a conniption every time someone submits an app that includes
an alternate app store. And while I don't particularly like their policy, they
have every right to implement it in order to protect their revenue.

~~~
jshevek
> I think Apple's policy is mainly aimed at preventing competing app stores.

Yes. Malware is the boogey man which apple uses to justify this.

------
suyash
Good job EFF exposing blanket agreement and requirements Apple makes
developers sign. We need more of these to come into the limelight so developers can
fight back against big corporations.

~~~
MCRed
Nothing being exposed there, all those terms were well known, and when you cut
thru the dishonest spin of the EFF, actually perfectly reasonable and designed
to protect consumers.

~~~
ferrari8608
Could you elaborate on the "dishonest spin" part? I've always been under the
impression that the EFF were the ones trying to protect consumers, so you have
me curious.

~~~
MCRed
Sure thing, I'll illustrate point by point.

1\. Public Statements, reason for this is that many people have tried to
publish various forms of malware, and then when apple rejected the app, they
cried foul and pretended like Apple was being unreasonable in its reviews. In
fact, this is the PRIMARY reason that people think that Apple is strict in
what it will let in the App Store. EFF is misrepresenting what the agreement
says here, putting spin on it.

Reverse Engineering-- The claim that this covers legal reverse engineering is
created from whole cloth by the EFF, the section does not refer to types of
reverse engineering, merely protects Apple's rights regarding such. Thus EFF is
straight up lying.

App Store Only: Apple provides the SDK for free, and part of the deal is that
it is to be used for deploying apps for iOS on the app store only. (This is
not the case with the Mac SDK) Characterizing Cydia as a "competing app
store" is straight up dishonest. It requires jailbreaking devices, which
results in greatly reduced reliability and is bad for consumers, opening them
up to malware, yet the EFF is effectively endorsing exposing consumers to
malware here.

"No Tinkering" \- Obviously, Apple doesn't want people circumventing their
protections against malware and getting malware past the review process.

"Apple owns security" \-- A profoundly dishonest comment given that Apple has
done so much to protect security that a governor is trying to get a law passed
that will let the government snoop again. The EFF apparently doesn't care
about this, but uses the fact that you can't use a security bug claim to
circumnavigate the review process to pretend like Apple leaves people exposed.
Another straight up lie.

Kill your App-- yes, if malware gets in there, it can be shut down. Ignoring
the reasoning for this puts a hard, dishonest spin, in fact as far as I'm
concerned, makes it a lie.

This is also true of google's store. So, given that the EFF is publishing on
android, they obviously don't care about this too much... yet they put it in
here to bash Apple, making them both hypocrites and liars.

" and we certainly will not wrap our app in DRM."

DRM that signs the app to prevent it from being tampered with, which keeps the
users' data secure.

So the EFF here is rejecting keeping users' data secure.

They care more about grandstanding than integrity and protecting consumers.

~~~
MichaelGG
So basically, you can be draconian in managing how a user uses their app, in
the name of "malware". Sorta like how content filters on "extremist material"
and "child pornography".

User wants a legal porn app? Nope, but it's OK cause you didn't get malware.
Ditto for any kind of app that Apple doesn't feel fits their brand.

There's nothing wrong with having explicit, manual, escape hatches. In your
haste to hold Apple up as the great wall against malware, you forget they've
completely taken away choice from the user. Considering it's the Electronic
_Freedom_ Foundation, that seems like a legitimate thing to complain about.

~~~
userbinator
It's the Electronic _Frontier_ Foundation, as their banner proudly says, but
you're right that the spin here is on security.

The sentiment these days with regards to restricting user freedom seems to be
not "think of the children", but "think of the security." I'm guessing it
reaches a wider audience: the rhetoric is basically "who _doesn't_ want to be
secure?" ...everyone who doesn't want their devices secured _against_ them.

------
WhitneyLand
The EFF dev said it's a Cordova app, so why not just throw up the HTML mobile
site for iOS users? You could still notify via sms, email, etc.

~~~
windsurfer
You can see the site here: [https://github.com/EFForg/actioncenter-mobile/tree/master/ww...](https://github.com/EFForg/actioncenter-mobile/tree/master/www)

Since the app is basically only for notifications, it's useless as a web site.
If you want to sign up for email notifications, go to
[https://act.eff.org/](https://act.eff.org/)

------
shmerl
They can use Cydia I guess. But this may be more an attempt to simply bring
attention to how sickening Apple's developer agreement is. Which is a good
thing to do anyway.

~~~
jshevek
I'd rather see them not use Cydia.

While I'm glad that Cydia exists, for those individuals who love iOS and
i-things but wish to step outside of apple's total control, it seems less
professional to me to release an app whose usage specifically requires 100% of
the users to violate the agreements they made with the manufacturer.

~~~
shmerl
Not if that agreement is taking away their rights. Violating such agreement
(or assuming users violated it) shouldn't be viewed as unprofessional. Not any
more unprofessional at least than expecting Apple to violate users' rights
when Apple makes such agreement.

------
dmishe
I don't understand the purpose of the app, the one on play store looks like a
one button subscription frontend. How is it better than their website, email,
twitter?

~~~
MBCook
They can release a press release to complain about Apple policies and get
hits/donations?

------
jasonjei
I think it would be really effective and tongue-in-cheek if EFF released their
app on Cydia.

------
gnu8
Apple needs to remove each of these requirements. None of them serve any
justifiable purpose, they only immorally and antisocially serve Apple's
avarice.

------
eridius
I don't understand their position on DRM here. It makes no sense. The EFF is
complaining that the DRM required by the App Store is onerous and puts
restrictions on what users can do with their app, and says "we want them to be
broadly available to others to use, adapt, and customize".

But that's nonsense. If the EFF hands me a binary for an app, it hardly
matters whether it's DRM'd or not as long as I can still run it. The extreme
minority of people are capable of doing anything remotely interesting with a
binary without access to source code. If the EFF wants people to be able to
adapt and customize their app, all they have to do is release it under a
permissive open-source license.

In fact, if this really was a purely moral stance, they could have developed
the application and released the source without ever publishing it to the App
Store, thus allowing users to compile and use the application themselves. But
they didn't do that. Instead, this seems to just be a flimsy excuse for the
EFF to make a bunch of noise about Apple in order to drum up some PR.

~~~
fpgeek
If the EFF didn't develop the application and release the source, what exactly
is this: [https://github.com/EFForg/actioncenter-mobile](https://github.com/EFForg/actioncenter-mobile)

And quoting from the README: "Although it works on both iOS and Android, the
app is only targeting Android as of today. If you need to deploy to iOS as
well, please check out the Ionic docs or contact the project maintainer for
help."

What more do you want?

~~~
eridius
If that actually works on iOS then why didn't they talk about it in the
article? It would have been much better PR for them to say that they have a
functioning app and the source is available.

My expectation from that README is that Ionic (which I've never heard of
before) supports iOS but that the app itself has not actually been configured
for or tested with iOS.

~~~
sinak
We did most of the development and testing, but didn't get it 100% production
ready after we decided we wouldn't release the app.

Since the main functionality of the app is the push notification service,
having users compile their own apps wouldn't really be very helpful. Users
need to subscribe to our push notification channel via APNS, and they can't do
that if they're compiling themselves.

We could have ignored that and built our own, less-than-realtime push service,
but even still, having users compile their own apps means that our users have
to pay the $99 and sign the developer agreements instead of us, and I don't
think that's a very reasonable request.

I think the best solution is for us to release on the Cydia marketplace, and I
think it's pretty likely we'll do that.

~~~
eridius
Cydia requires jail breaking and that's a decidedly user-hostile thing to
suggest, especially when it comes from a respected name like the EFF.
Jailbreaking disables crucial security measures on iOS, and many things people
like to install after jailbreaking destabilize the OS (granted, you can
jailbreak without installing those hacks). It's not a coincidence that every
time there has been news of malware affecting iOS, it only affected jail
broken devices.

All in all, I would vastly prefer that the EFF not encourage users to
jailbreak.

~~~
shittyanalogy
The EFF fought for our right to jailbreak:
[https://www.eff.org/deeplinks/2009/02/apple-says-jailbreakin...](https://www.eff.org/deeplinks/2009/02/apple-says-jailbreaking-illegal)

What are you getting worked up over? A digital rights organization expressing
their digital rights? Sometimes freedom comes with greater responsibility and
a slight inconvenience. I'd rather have that responsibility and inconvenience
than just not care.

~~~
eridius
The right to jailbreak, and the recommendation to jailbreak, are two
completely different things.

I absolutely support the _right_ to jailbreak your device. But I would never
agree to actually jailbreak my own device, and I strongly encourage others to
avoid it as well.

The issue here isn't that the EFF is expressing their rights. It's the fact
that if the EFF releases an iOS app exclusively on Cydia then they're
endorsing jailbreaking and encouraging people who don't know any better that
they should do this. I would imagine there would be some pretty negative
things said about the EFF if they released a Windows application that required
users to disable all anti-virus software. That's basically what endorsing
jailbreaking is, for iOS.

------
parrots
People are still complaining about section 8 - the remote kill switch? I
remember only one instance of an app remotely killed, and that was malware.

Even apps that enabled tethering, emulating, or are otherwise against the
rules but make it through review have been simply pulled from sale, never
terminated using this capability. I think Apple has proved they're using this
responsibly after 6 years.

~~~
chii
I don't really care that they've been using it responsibly so far - there isn't
a guarantee that abuse won't happen.

------
saganus
0 downloads. I guess I'll have to be the first. Edit: Now that I think about
it, it said 1-5 installs, so most likely not the first.

~~~
libraryatnight
Looks like I'm number 2 :) It seems a very simple app indeed, but useful.

------
eridius
> Kill Your App Any Time

I'm rather shocked to see the EFF linking to the horribly wrong old Telegraph
article about Steve Jobs purportedly confirming that there was a kill-switch
that would remove apps from iPhones. At least as of the time that was written,
that was not true. The referenced "line of secret code" (hyperlink is broken),
IIRC, was actually referring to a CoreLocation blacklist, not an application
blacklist, with the intended usage being to be able to disable GPS
functionality in certain regions if local governments demanded it, and that
blacklist never actually ended up being used and was removed entirely in a
future OS update.

~~~
Karunamon
So wait, does Apple have or do they not have the same kind of kill switch
functionality (read: either remote uninstall, or cert revocation -> app no
longer runs) that Google definitely has and has demonstrated on a few malware
apps?

Example: [http://www.engadget.com/2011/03/06/google-flips-android-kill...](http://www.engadget.com/2011/03/06/google-flips-android-kill-switch-destroys-a-batch-of-malicious/)

This article makes direct reference to such a function:
[http://www.businessinsider.com/brazil-orders-apple-to-use-ip...](http://www.businessinsider.com/brazil-orders-apple-to-use-iphone-app-kill-switch-2014-8)

~~~
eridius
Apple has never demonstrated such a capability, and has never confirmed it
either. Pretty much everyone claiming they have it (including the linked
Business Insider article) sources back to the same thing in 2008 which was the
CoreLocation blacklist I referenced. To the best of my knowledge, in 2008,
Apple had no way to remotely delete an app from a device. And I'm not aware of
them ever gaining that ability.

What Apple can do is remove an app from the store, preventing anyone from
installing it. But as far as I'm aware no certificate revocation is checked
after the app has been successfully installed.

~~~
Karunamon
So some further Googling. Steve Jobs himself, quoted in WSJ:

(Google SB121842341491928977 to avoid the wall)

 _Apple raised hackles in computer-privacy and security circles when an
independent engineer (NB: the wrong one you were talking about) discovered
code inside the iPhone that suggested iPhones routinely check an Apple Web
site that could, in theory trigger the removal of the undesirable software
from the devices.

Mr. Jobs confirmed such a capability exists, but argued that Apple needs it in
case it inadvertently allows a malicious program -- one that stole users'
personal data, for example -- to be distributed to iPhones through the App
Store. "Hopefully we never have to pull that lever, but we would be
irresponsible not to have a lever like that to pull," he says._

You don't get too much more clear than a quote from the then-CEO.

~~~
eridius
I've seen his response a million times but I've never seen anyone quote the
actual question he was responding to. And I have it on extremely good
authority (sorry, anecdotal, but the best I can do) that the blacklist under
discussion was the CoreLocation blacklist I described.

My best guess is Steve was asked about the blacklist, didn't have any direct
knowledge of what he was being asked about, so simply assumed that it was in
fact an app blacklist as everyone else did, and came up with what was probably
the best response he could under the circumstances.

------
csense
I've never understood why either users or developers put up with all of
Apple's crap.

~~~
k-mcgrady
Because it works. I have never wanted to do anything on my iPhone that I can't
and as a developer I've only had one rejection that annoyed me and in
hindsight I understand the rejection. I've also used Android devices a lot (I
own two, and develop for the platform) and I hate it. Really hate it. Waiting
for OS updates, lots of crashing, things in different places depending on the
OEM. Not to mention how slow some devices are. The S3 Mini is horrible to use,
I don't see how anyone could feel comfortable putting it to market.

In short, the crap either doesn't affect most people, or creates a better
experience. The only people who seem to really complain about it don't use the
platform anyway.

------
thought_alarm
EFF have a lot of time on their hands, apparently.

~~~
newaccountfool
Surely this is exactly the kind of thing the EFF should be doing?

~~~
MCRed
No, the EFF should not be writing articles full of lies attacking the company
that has consistently defended consumer rights and supporting the company that
has consistently violated them.

~~~
MichaelGG
Apple defends my consumer rights? Please tell me how I can make the hardware
I've purchased run the way _I_ want it to run.

~~~
jshevek
Don't you see? Since we are all so very scared of malware, apple is our very
best friend. This is the beginning and the end of the conversation on
'consumer rights'. If you disagree, then you support malware. Shame on you.

------
higherpurpose
> Ban on Reverse Engineering: Section 2.6 prohibits any reverse engineering
> (including the kinds of reverse engineering for interoperability that courts
> have recognized as a fair use under copyright law), as well as anything that
> would "enable others" to reverse engineer, the software development kit
> (SDK) or iPhone OS.

Wow. EFF should sue Apple over that alone. Private companies aren't supposed
to "contract-out" your rights. This will be an easy win for EFF.

~~~
MCRed
The case would be thrown out because the provision says nothing of the kind,
and in fact, this statement here by the EFF is defamation and when Apple
countersued they'd win.

Apple doesn't respond to critics like this, so the EFF knows it can get away
with these kinds of lies.

It's just unfortunate that you and others believe them, and those who point
them out are silenced here on HN.

~~~
zerocrates
Well, the agreement does say

 _You may not and You agree not to, or to enable others to, copy (except as
expressly permitted under this Agreement), decompile, reverse engineer,
disassemble, attempt to derive the source code of, modify, decrypt, or create
derivative works of the Apple Software or any services provided by the Apple
Software or otherwise provided hereunder, or any part thereof (except as and
only to the extent any foregoing restriction is prohibited by applicable law
or to the extent as may be permitted by licensing terms governing use of open-
sourced components or sample code included with the Apple Software)._

EFF is definitely oversimplifying and spinning a little, but that's certainly
a restriction on reverse engineering "of the kind" that they describe in their
post. Spin or not, it's hardly a baldfaced "lie."

(That said, you're right to respond that EFF couldn't sue over that provision
- people contract away their rights to do things they otherwise could all the
time.)

