
How Apple is bullying small developers - syn-mcj
https://twitter.com/SynMcJ/status/1294471641527799809
======
tylerhou
This is a non-story.

In most cases, there is no point asking for a phone number as 2FA if the user
chooses Sign in with Apple (SIWA).

SIWA requires access to the device. App credentials are usually persisted per
device, so 2FA doesn't really help if your device is stolen as the attacker
would have app access anyway (if they were able to unlock the device). Even
for non-Apple-device sign ins such as on Android or Windows, SIWA requires
device access to generate a password, which requires 2FA on the Apple account
[1].

Uber is allowed to ask for a phone number because a driver legitimately may
need to contact a customer to arrange pickup. But in this case, Apple does not
think that this app requires a phone number, and is thus protecting the
privacy of its customers.

There are other issues I have with Apple's ecosystem/the App Store, but this
is not one of them.

EDIT: After posting this comment OP has written in another comment that their
app requires a phone number to arrange delivery. This information was not in
the original tweet. In that case, I think this is likely a misunderstanding
between the App Store reviewers and OP about how the phone number would be
used, and I would need to see further discussion between those two before
declaring Apple a bully in this case.

[1] [https://support.apple.com/en-us/HT204397](https://support.apple.com/en-us/HT204397)

~~~
syn-mcj
We ask for a phone number for the same reason as Uber does - our masters need to
contact the user to be able to deliver the service. Explaining this to Apple
took a week of back and forth, and only lasted for one submission.

~~~
tylerhou
What does the sign in flow look like? Does the phone number screen clearly
inform the user that their phone number will only be used to arrange delivery?

~~~
syn-mcj
It says "We need your phone number for our masters to be able to contact you".

Would you recommend to make it more clear in some way?

~~~
tylerhou
Note that I don't have much experience working with Apple's approval process,
and am just speaking as a layuser here.

In that sentence, "contact" can mean many different things. Will you contact
me by text for non-urgent things like billing or promotions? As a user, I
don't want to give up my phone number for promotions. And since the request is
right after the sign-in flow, I think it's reasonable Apple thinks "contact"
can also mean 2FA.

I would put more precise language, such as: "Our masters may need to contact
you in order to arrange delivery of X service."

Also, the fact that Apple did approve your app already is further evidence
that this is just a misunderstanding, likely because your copy is not 100%
clear.

(Sidenote: This is not important, but personally, the term "master" makes me
uncomfortable. I personally would not call people "masters," but I also don't
know your target market, so the term may be more appropriate in that context.)

~~~
syn-mcj
Thanks for the advice. Yes, our target market isn't English-speaking, so some
things might be a result of a bad translation.

------
echelon
Next up for Apple: making you sign over rights to your source code.

I'm only half kidding.

This is egregious and exactly what Stallman warned us about. (I know he's done
some terrible things that make him no longer worthy of being our role model,
but he was exactly right about this.)

Pretty soon we won't own any of our devices. We'll rent them.

We won't own our data. We'll license it.

We won't be free to conduct business. We'll be given a revocable visa.

~~~
scarface74
My phone number and email address are not _your_ data. I don’t want every
random developer to have my email address. SIWA gives me control over who has
my email address and I can block developers who either spam me or sell the
anonymized email address that I give them.

~~~
echelon
Do you block Apple marketing emails?

It seems like you can sign up with a fake email or simply block the emails you
don't like. This is such a non-issue. Yet what Apple has done poses an
existential threat to many small operations.

Apple has a kill switch on small companies' customer lists. They're inserting
themselves into every transaction as a middle man.

Do something Apple doesn't like? You just lost all of your customers. You no
longer own that relationship anymore. Apple turned you into a sharecropper.

Congress and the DOJ need to do the following to counteract this obscene
anticompetitive behavior:

1. Pass legislation describing "generic purpose computers" and require that
they allow installation of any software by the user.

2. Break up Apple into hardware and software+services divisions and prevent
them from dealing exclusively with one another.

~~~
mcphage
> They're inserting themselves into every transaction as a middle man.

They’re not inserting themselves into every transaction. Instead, they’re
allowing users who don’t want to have a direct relationship with every app on
their phone, to substitute their pre-existing relationship with Apple instead.

~~~
echelon
While protecting consumers is noble, Apple isn't the company to do this.
They're strong-arming every "business partner" on the app store while
simultaneously strangling them for 30% of their income and forcing them to
dance to the fiddle. To top it off, they cut off the business relationship
these companies have with customers.

Apple is evil.

~~~
scarface74
If users want a “relationship” with you, as part of SIWA they have the option
to give you their real address. If they didn’t, obviously they didn’t want you
to have their real email address.

Your other option is not to have any social login and use your own sign up
process.

Apple is no more your partner than the wolf is partnering with the sheep.

“Strangling them with 30%”? Did you ever try to get a physical product in
retail?

------
pwinnski
This doesn't seem much like bullying. If you support third-party logins, one
of them must be Apple's. And yeah, requiring two-factor auth in addition to
that seems broken.

I mean, yeah, it's extra work for you as a developer, but as a user, I only
want to use login with Apple, and if you ask for my phone number in addition,
it's a delete for you.

~~~
syn-mcj
It's not two-factor auth; we ask for phone number confirmation because our
masters need to contact you to deliver our service. If there is no phone
number, our app is useless for you. So it's perfectly fine for us if you want
to delete the app instead of giving up your number, and it seems like a better
solution for privacy concerned people.

On the other hand, if we allow login but only request the phone number later,
this will seem somewhat deceiving to the user. Like we pretended that he can
use the app while keeping his info private, while in the end it ends up that
he cannot.

~~~
pwinnski
That absolutely makes sense! It's a shame Apple misunderstood why you are
asking for the number. I wonder if the messaging in that area could be
improved? Or maybe the reviewer just wasn't paying attention.

~~~
syn-mcj
Yes, I got some ideas from this thread on how to improve the messaging. We'll
see.

------
komocode
Title is clickbait and not very objective. Apple isn't "bullying". It sounds
like the reviewer was convinced a phone number was not needed. That's why you
simply reply back to the reviewer or get it appealed.

Reviewers aren't 100% perfect. I've had apps that violated rules pass the
review only to be rejected a few updates later. One app I had forced users to
use their birthday (at the client's request) as the password. 1.0.0 passed the
review, but 1.0.1 was rejected because birthday is not an acceptable form of a
password.

Apple could absolutely do better with reviewers, but it's likely they had to
lower the quality of reviews in some way to reduce the amount of time it takes
to review an app (from 5-7 days to 24 hours). Regardless, I'd rather take the 24
hour app review time since any rejection can be quickly re-assessed again.

~~~
syn-mcj
I would not be complaining online if simply replying back would work. This is
the second time we got rejected for that reason. Last time it took a week of
back and forth trying to convince reviewers that we need the phone number and it
doesn't make sense to ask for it later somewhere.

We did get approved eventually, only to get rejected again for the same reason
on the next update.

~~~
komocode
Judging from the screenshots in your tweet, your first rejection was failing
to follow the rules that stated if you have a third party sign in, you're
supposed to use Sign In with Apple too. That's not on Apple.

Regardless, I don't see how this is Apple trying to "bully" small developers.
They're trying to enforce guidelines. That's all.

~~~
syn-mcj
All of my screenshots are from the second round we went through after trying
to remove Apple login entirely.

They bully small developers, because big companies like Uber or Grab have the
same functionality with zero problems. While when we try to explain that we
use phone number for the same reason, Apple insists that we change how our app
looks and works.

~~~
komocode
How do you know Uber and Grab? (Grubhub?) were never rejected? You're assuming
they passed every single review, which I think is highly unlikely.

Considering 40% of all submissions in the past week (shown on Apple's website)
get rejected, it's entirely possible they were rejected using phone number
input and after explaining to Apple their purpose, they were finally accepted.
You're bound to get 1 or 2 apps erroneously rejected considering they go
through 100k submissions every week.

It also says the app store team takes 1000 calls every week to discuss the
rejections. It's not just you or small devs.

~~~
syn-mcj
Fair enough, although I don't see why the constant rejection and need to
explain the same thing to Apple again and again seem like a normal thing to
us. Their review process is too rigid and their control over your app updates
is too tight, which is why they are now getting a bunch of other problems with
companies like Epic.

Speaking of Epic, maybe you're right and it's not just small developers.

------
scarface74
I’ve read the Tweet and the comments here from the author. I still don’t know
what the app does.

I wouldn’t be surprised if they couldn’t explain to Apple why they needed the
phone number.

