
Apple to start requiring written consent for third party API usage in apps - samcat116
https://9to5mac.com/2020/08/27/apple-rejects-watch-for-tesla-app-as-it-starts-requiring-written-consent-for-third-party-api-use/
======
willio58
You have to feel for the developer here, they knew they were taking a risk in
using an unauthorized API, but they went for it anyway and now they are facing
the music.

I understand Apple's position here, especially with APIs that control
vehicles. It's just a sad fact that Tesla hasn't provided a safe public API to
control their cars.

~~~
dylan604
> to control their cars.

This sentence scares the bejeebus out of me to think this could even be a
thing. If you mean to control things like entertainment system, then maybe I'm
okay with that. But I would not consider that controlling the car.

~~~
vaidhy
IIRC, GMC was hacked using an exploit in their Bluetooth stack in the
entertainment system through which they got access to OBD controller. All
parts of the car are more interconnected than what people generally think.
From a security standpoint, remote opens up a wide attack surface.

~~~
tinus_hn
Allowing the API to exist but not allowing people to use it does not close
that attack surface.

------
vaxman
What would motivate Apple to interfere in a third-party relationship business
between the Developer and Tesla (as if that is not a trade violation)? Aren’t
Apple Developers required to indemnify Apple against all claims related to
their apps?

~~~
coldtea
> _What would motivate Apple to interfere in a third-party relationship
> business between the Developer and Tesla_

Who guarantees there even is a "third-party relationship business between the
Developer and Tesla"?

Should Apple let any app that claims to have one or be officially sanctioned
or whatever dupe customers?

~~~
sthnblllII
In contract law, “third party” is a term of art meaning a party which is not a
party to the contract. So the fact that Tesla is not a party to the
developer’s agreement with Apple makes it a third party.

~~~
coldtea
> _In contract law, “third party” is a term of art_

Next thing you'll tell me there's a Sanity Clause, with little elves helping
him, etc.

Yeah, I know. My question is: "who guarantees that the app maker has any
agreement with Tesla"?

One could release an app claiming so, without Tesla approval, and do shady
stuff -- where Apple gets part of the blame from customers.

------
arielm
This isn’t really new.

Historically Apple has always required consent for using such APIs and in many
cases that’s a result of the API owner complaining.

I came across a remote control app getting rejected months ago for using an
unofficial TV API.

------
dgellow
A workaround would be to implement your own backend that forwards requests to
the unofficial 3rd party API.

Or would Apple also block such a thing?

~~~
akmarinov
I think that's the case already? He's communicating with some unauthorized API
that's hosted on a third party.

Apple's argument is that they know that there's no official API so his can't
be legal.

~~~
dzhiurgis
"I'm accessing API of RealSweetSolutions GMBH as far as I know. It is
impossible for me to know their relationship with Apple".

~~~
dgellow
Sure, that's what I thought too, but at the end of the day it is a judgement
call from Apple, if they think you're hiding your use of unofficial APIs, I
guess they will also deny your updates...

So much power in a company is really scary IMHO.

------
htunnicliff
Since the app in question here allows users to send commands to their Tesla
vehicles, it seems like Apple’s decision could be connected to their deeper
integration with vehicles through Car Key
([https://support.apple.com/en-us/HT211234](https://support.apple.com/en-us/HT211234)).

------
exabrial
After reading, this seems _very common_ and it seems like an odd app you single
out... After reading about commenter about Apple having a competing technology
(Car Key), this makes a lot more sense why Apple is singling this person out.

------
user5994461
Doesn't seem legal in France, where there is the right to reverse engineer
APIs for interoperability.

------
dmitriid
The title should be updated with "written consent for usage of _unofficial_
third-party APIs"

------
zwily
I’d like to see what happens if someone like IFTTT is forced to do this...

~~~
dhosek
IFTTT uses officially supported APIs though. They had to remove some Facebook
integration functionality when Facebook deprecated the APIs that they were
using.

------
mensetmanusman
Is there room here for an official intermediary? e.g. a device with a public
API that your watch could connect to, and that could interface with other open
APIs?

------
walterbell
Isn't this similar to the Oracle-Google API dispute that has gone to the US
Supreme Court?

EU has already ruled that APIs are not subject to copyright,
[https://econsultancy.com/will-the-oracle-google-lawsuit-kill...](https://econsultancy.com/will-the-oracle-google-lawsuit-kill-the-api/)

~~~
easton
But in that case nobody was accessing a service. If I use Tesla’s
servers/service without permission in my app, then they could legally
terminate my access (or, perhaps try to get it taken off the App Store). If I
simply reimplement the Tesla service myself (even though that’d be useless
with a production car unless you rewrote the telemetry stuff), they can’t sue
me under the Oracle-Google decision, as I understand it.

