
Apple rejects Puffin Browser on iOS - pingyen
https://www.facebook.com/puffinbrowser/posts/2265008763525404
======
rgovostes
This whole post is manipulative bullshit.

> Apple, concerned about the rising competition, decided to sabotage Puffin in
> order to protect the billions of dollars of search revenue from Google.

Settings → Safari → Search Engine → Yahoo/Bing/DuckDuckGo. There, look, no
Google.

The next sentence:

> Puffin releases were rejected citing app review guideline 2.5.6: "Apps that
> browse the web must use the appropriate WebKit framework and WebKit
> Javascript."

Setting aside whether that is a good rule or not, it has nothing whatsoever to
do with the previous claim.

~~~
lesiva
I can see why they're concerned that they can't update the app, but they're
playing in a walled garden and they knew that from the get-go.

I think this is a pretty weak complaint and it lacks any real substance.

~~~
candiodari
That's the thing I miss most about Microsoft's dominance though : no walled
garden.

Now apple has a heavy handed walled garden, and Google has a heavy-handed one
(chrome/chromeos) and a "light" one, in android. All ... well, suck.

~~~
tonyedgecombe
If Microsoft thought they could get away with a walled garden then they would
do it in a flash.

~~~
tapoxi
They're trying that with Windows 10 S.

~~~
candiodari
Sort of.

[https://docs.microsoft.com/en-us/windows/application-
managem...](https://docs.microsoft.com/en-us/windows/application-
management/sideload-apps-in-windows-10)

So it's similar to Google's Android, although with the caveat that it's much
easier for companies to have sideloaded company apps.

------
vosper
Full text from their Facebook post, so you don't have to go to FB

"Many of you have asked why we haven’t updated our iOS app and we’re finally
ready to share our story – Puffin is a victim of Apple's abuse.

In 2010 we brought our cloud-based Puffin browser to iOS, allowing iPhone
users to enjoy the wicked fast speed, frugal data usage, and extreme virus
protection available through server-side rendering.

But, Apple has now decided to reject our app, claiming it violates its
guidelines. For seven years, Puffin has been approved with no mention of this
violation. But now that Puffin has grown to almost 100 million active loyal
users, such as yourself, Apple wants to sabotage Puffin in order to protect
the billions of dollars of search revenue from it receives Google.

It’s time to call out the #BadApple and if you agree, feel free to share your
comments via the hashtag. For our full story, please visit us on Medium:
[http://bit.ly/2BsLqI2"](http://bit.ly/2BsLqI2")

------
firloop
Apple's App Review guidelines used to say something along the lines of "If you
have a problem, trashing us in the press never helps." I'm not trying to place
judgment on Puffin, but this seems to be the wrong strategy. False negative
App Store rejections are typically due to a misunderstanding than a nebulous
"corporate greed" angle... or sometimes they were even (at least sort of)
justified in the first place [0].

See also: when Rollout got rejected, their open letter [1] didn't help them
either.

[0]: [https://9to5mac.com/2016/10/10/apple-dash-removal-from-
app-s...](https://9to5mac.com/2016/10/10/apple-dash-removal-from-app-store)

[1]: [https://rollout.io/blog/open-letter-to-apple-secure-
javascri...](https://rollout.io/blog/open-letter-to-apple-secure-javascript-
injection-ios/)

~~~
lern_too_spel
From the Medium post:

Puffin releases were rejected citing app review guideline 2.5.6: “Apps that
browse the web must use the appropriate WebKit framework and WebKit
Javascript.” Our server-side web browser is based on Chromium instead of
Apple’s WebKit, therefore, Puffin is rejected.

We disputed and escalated but Apple insisted it has jurisdiction over our
server-side technology.

~~~
eridius
Seems like a pretty clear violation of the rules. Trying to find a loophole
doesn't work, the rules aren't an Ethereum smart contract, they're actually
subject to human judgement.

~~~
im3w1l
I thought the stated reasoning for the rules was that Apple for safety reasons
didn't want apps downloading and running code (javascript in this case).
Clearly that justification doesn't apply if the code runs on a server and not
the device.

------
pier25
I’ve never understood why Apple doesn’t allow other browser engines on iOS.

It seems a really ridiculous policy that doesn’t really benefit anyone.

~~~
kitsunesoba
Locking out other engines does a few things:

\- Ensures a minimum level of battery performance for users browsing the web.
Chrome and Firefox for macOS are notoriously hard on your battery and iOS
versions would likely have the same issue.

\- Reduces the number of vulnerabilities present on the platform.

\- In the event that a bad vuln _does_ crop up, Apple can and will scramble
out a WebKit patch to fix it, quickly protecting all users, even those using
browsers by small/independent developers. This would be impossible if said
indie devs were using Blink or Gecko or something instead.

These problems could be worked around if alternate engines were bundled with
the OS as part of a partnership with Google and Mozilla, but such a scenario
seems unlikely at best.

~~~
pier25
1) Users have the choice in other types of apps such as PDF renderers and game
engines in matters of performance and battery life. Why not browsers?

2) Game engines are very low level and Apple doesn't have a problem with UE or
Unity. Maybe the problem is the iOS sandbox would not work with JS engines?

3) I don't buy the security argument. Google and Mozilla are very diligent
with updates, even more so than the Webkit team. It could be argued that the
Android approach of unbundling components from the OS is actually better in
terms of security.

------
phobius
Is it not possible there's just a security violation they need to sort out?

Am unfamiliar with Puffin, but the post leaping straight to "it's a
conspiracy!" without indicating what the stated rationale for rejection was
appears a bit off.

(I'd I'm normally first in line to attribute things to corporate greed)

~~~
b4lancesh33t
Their medium article explains the reason apple rejected them. They use
chromium on their servers to render pages. Apple wants them to use webkit.

~~~
pier25
If this is really the case it’s nonsense that an iOS policy would extend into
your servers too.

~~~
martin_bech
The problem isnt that its serverside, its thats a different renderingengine,
and therefor visually could/is rendering differently than safari/webkit.

~~~
hungerstrike
Who cares?

There are tons of games in the App Store with custom user interfaces that
don’t match anything from Apple.

~~~
martin_bech
Thats not the issue, the issue is that cnn or whatever.com might render
differently or not at all if viewed in one browser, instead of the other. I
dont know the internals of puffin, but security and js attack vector, might be
different as well.

~~~
hungerstrike
You said "and therefor visually could/is rendering differently than
safari/webkit"

You didn't say anything about security, but there is no security problem
either.

The client side wouldn't be evaluating JavaScript outside of Apple's JS engine
so there is no security risk whatsoever.

------
trynumber9
for those who don't like to visit Facebook [https://hackernoon.com/its-time-
to-bringappletojustice-cf12c...](https://hackernoon.com/its-time-to-
bringappletojustice-cf12ce860932)

~~~
pilif
_> Puffin is a victim of Apple’s abuse. Puffin is a server-based web browser
where web browser sessions are executed on the cloud servers_

You and me know to not use something like this for any kind of sensitive site.
But the common iOS user doesn’t know this. Apple is protecting their users and
their platform.

It’s 2018. making a web browser where all traffic goes through the browser
makers server, being unencrypted and then reencrypted is not acceptable any
more (I would argue it never was, but then, back in the days of 9600 bits/s it
was more excusable)

~~~
joshuaturner
Especially when you read their privacy policy, realize they're a Chinese
company, and see this: "However, be aware of the possibility of surveillance
by intelligence agencies in your home country and our home country."

~~~
pingyen
Puffin is not a Chinese company.

~~~
ac29
They are based in Taiwan based on their job postings [0]. Whether or not
Taiwan is technically part of China is up for debate, but the two are
defintiely linked.

[0] [https://www.cloudmosa.com/jobs/](https://www.cloudmosa.com/jobs/)

------
Dim0N
From their Facebook page:

>Not seeing any documentation on https and puffin. If I log in using puffin,
can your servers see my password?

Their answer:

>Yes. Puffin server will see your password even for HTTPS. The browser is
physically running on the server. The closest analogy to Puffin is RDP (remote
desktop).

Am I reading this right? Who in their right mind would use this shit?

~~~
piva00
This by itself is a good enough reason for Apple to reject the app on grounds
of protecting customer privacy.

Liking it or not, of the major tech companies Apple has had a track record of
caring about its users' privacy. I remember Tim Cook mentioning that as a
basic value for him personally.

------
scarface74
Let's look at the statement on its merits.

1\. If Apple was so concerned about protecting its search ad revenue from
Google, why would it offer a method to install third party content blockers?

2\. Puffin offers "extreme virus protection"? Apple banned "virus protection"
programs in the App Store a year or two ago because they were all scams.

------
debt
Puffin circumvents Apple’s ability to block ads which other app developers
provide at a premium on the App Store.

It also circumvents all the parental controls provide by Safari.

It’s a great idea but it Likely needs to incorporate the settings on the
phone.

------
ec109685
Such an icky product, man in the middle’ing every page you visit.

------
QML
This might seem like a random question, but does Webkit partition their
browser into a kernel and a render engine like Chromium does?

------
anilshanbhag
The bigger problem with iOS is that its a complete lock-in. Even if users want
the app, Puffin is unable to distribute its app to users since Apple doesn't
approve it.

This doesn't happen on Android, if you don't like Play Store, you can still
distribute apk and ask the user to download & install.

People may spin it any way they want but this is corporate greed !

