Hacker News new | past | comments | ask | show | jobs | submit login

Apple's answers repeatedly suggest that the reason they require third-party browsers to use WebKit and JavaScriptCore is for privacy and security:

> It is not our experience that competing web browsers have typically offered enhanced privacy or security that would protect users as adequately as our WebKit protections.

Google pioneered the out-of-process architecture that Safari now uses, developed the Safe Browsing program that Safari also uses, drove the adoption of HTTPS, put pressure on misbehaving certificate authorities and shepherded certificate pinning and then Certificate Transparency, and found many vulnerabilities in WebKit through security research that Apple was not itself doing.

Moreover, on the desktop, Chrome and Firefox both have automatic update channels that allow them to push out security fixes much more rapidly than Apple's heavy OS updates. (On iOS, they would be limited by Apple's App Store approval process.)

All this to say, I'm skeptical of the suggestion that a Blink-powered Chrome for iOS would not "protect users as adequately as our WebKit protections."

One thing to note: JavaScriptCore has special powers on iOS in that it can allocate new blocks of executable memory during just-in-time compilation, greatly improving its performance. A third-party JavaScript engine would be much slower without this ability, but granting the capability to third-party engines would jeopardize the security architecture of iOS.




Apple is plainly saying that they are best positioned to protect iOS users privacy and security. One way they do that is by not allowing any app to use anything other than WebKit. If there's a flaw in some alternative browser that iOS app developers now have a dependency on, Apple would be unable to do anything about it other than wait for that other browser vendor to ship an update.

>All this to say, I'm skeptical of the suggestion that a Blink-powered Chrome for iOS would not "protect users as adequately as our WebKit protections."

Maybe Google is excellent at updating their browser to address security issues, but Apple's concern isn't purely security. It's also privacy. And Safari's track record on privacy technologies is longer and better than everyone.

Furthermore, Apple sells integrated products. They don't sell operating systems, browsers, app stores, and NFC chips. They sell a finished good that incorporates all of those things and more. They take end to end responsibility for their products and it would be frankly uncharacteristic of Apple to have any other position than extreme self-reliance.


> Apple sells integrated products. They don't sell operating systems, browsers, app stores, and NFC chips. They sell a finished good

Microsoft didn't sell IE either, it too was once part of a package called Windows.


There's an important distinction though. Windows is a de facto monopoly in the sense that almost every PC built has Windows installed on it, but not all PCs built are by Microsoft.

Apple has always maintained that the physical object is tied to its software and vice versa, on the other hand. They have no interest in running on the vast majority of mobile devices (android handsets control the majority of smartphone market share by a wide margin). The only exception to this is when Apple is selling services, in which case they let you run iTunes on Windows and Apple Music on Android. It's not like you can install macOS or iOS in any supported method on a non-Apple product.


This is an irrelevant argument in a perspective of monopoly and its market definition. Even Apple itself gives a list of competing web browsers in the iOS ecosystem to refute App Store monopoly arguments, but this also strongly suggests that iOS and Safari are separate products and browsers in iOS itself is a competing market.

The only possible argument is that iOS is not in a dominant position in the smartphone market thus Apple cannot exercise monopolistic powers. But people doesn't change their phone because of web browser engine since its prohibitively expensive for this purpose. The result is that an Android phone doesn't work as an alternative for iPhone, thus iOS can be defined as a sole market for browser products (in terms of monopoly of course). This could've been solved if Apple allowed installation of other OS in iPhone, but they've made their choice a long time ago.


The key difference being that Microsoft was found to have market dominance and using that position anticompetitvely.


This. It wasn’t Microsoft having a “monopoly” (quotes because they weren’t by definition a monopoly), but then being anticompetitive.


> Furthermore, Apple sells integrated products. They don't sell operating systems, browsers, app stores, and NFC chips.

Well, yes, that is the battlefield here: should the market in software, services, and media exist, or should consumers have to pick which vertical silo to use and then be unable to switch without prohibitive re-purchasing and setup costs?


The iPhone is a PDA is a toaster. Splitting the software from the hardware is like splitting the coils from the chrome.

The consumer just wants perfectly consistently browned toast, while not dying from electrical shock or setting her house on fire. She’s not really buying a toaster, she’s buying no-hassle toast.

If you allow that’s what an iPhone is, rather than a general personal computing device, Apple’s stance makes more sense.


> The iPhone is a PDA is a toaster. Splitting the software from the hardware is like splitting the coils from the chrome. The consumer just wants perfectly consistently browned toast, while not dying from electrical shock or setting her house on fire. She’s not really buying a toaster, she’s buying no-hassle toast.

> If you allow that’s what an iPhone is, rather than a general personal computing device, Apple’s stance makes more sense.

But the iPhone is _not_ a toaster. To characterize the consumer wants around an iPhone and its variable uses as akin to the near uniform customer expectation to have a toaster that doesn't burn their house down while doing its job is hard for me to accept.

If a customer is really seeking "no hassle toast" when buying a toaster, what is the customer buying in an iPhone? No-hassle phone?

If so, are we construing "giving the consumer the option of installing software on their own device" as a hassle? With something like a phone, I believe users have come to expect the ability to install software of their choosing on the device, which is very different from expectations of software installation for something like a toaster.


User experience is vastly better in the vertical silo of Apple for 99% of my family members, especially the older ones and those who aren’t as versed in English or messing with their devices.

I have a mid 90s uneducated great grandmother who grew up and still is in a rural village in a poor country able to contact all of her great grandchildren and video chat with them for the past 7 years.


> If there's a flaw in some alternative browser that iOS app developers now have a dependency on, Apple would be unable to do anything about it other than wait for that other browser vendor to ship an update.

they could fix the bug iOS that allowed an app to escape it's sandbox. Exactly the same as every other OS including MacOS

one interpretation is they are claiming the are incompetent at securing iOS but somehow competent at securing Safari. Those seem like opposing statements. Either they are competent at both and so 3rd party browsers are fine or they are competent at neither and we need access to more competent browser teams.

I would like to believe they are competent and that their excuses are untrue. Otherwise we should go back to the world of no Firefox or Chrome because that same argument would apply to MacOS and Windows


> Safari's track record on privacy technologies is longer and better than everyone

Uhh... Mozilla Firefox anybody? If Apple cares about privacy so much then why don't they allow ad blockers on safari? I mean, even the Brave browser on iOS is better then Safari at blocking trackers and advertisements. Firefox also tells me how many trackers they have blocked and also give me the option to completely opt out of any telemetry data collection.


There is a content blocker API that has been available for a few years on both macOS and iOS, and there are third-party ad blockers that use it. 1Blocker is a popular one.

The design is more performant than holding each load up on a traditional browser extension's decision, and does not permit the content blocker to track your browsing history and then upload it somewhere.

It also conveniently allows Apple to get away with not providing a more flexible browser extension API while supporting the most common use case.

https://webkit.org/blog/3476/content-blockers-first-look/


Apple has had a content blocking framework on iOS for years that not only works with Safari, but also works with embedded web views that use the SafariViewController.


> why don't they allow ad blockers on safari?

They do. I am running Crystal right now on mobile Safari. I also have ad blockers on desktop Safari as well.


Safari has its problems: https://github.com/el1t/uBlock-Safari/issues/158

Though you can get some ad blockers which do less.


They do.


> Safari's track record on privacy technologies is longer and better than everyone.

Certainly I would say Apple is doing better on privacy than Google, but when it comes to the browser specifically, I don't think they're doing significantly better.

Google, for instance, pioneered Incognito mode (edit: nope, Safari beat them). They developed and deployed their privacy-preserving telemetry tool RAPPOR in Chrome a few years before Apple adopted the technology for anything. Chrome allowed you to configure DuckDuckGo as your default search engine pretty much from the beginning (as long as you did it manually), whereas Safari took years to allow it.

Safari has been slowly shutting out many forms of third-party extensions which are frequently for ad and tracker blocking. (To be fair Apple has a design that reduces the amount of trust you need to put in an ad blocker to see your browsing behavior, but it is far more limited, and likely sees far lower adoption.)

I do think Apple is prioritizing privacy-protecting features higher than Google is, so it would not surprise me to see Safari come ahead with features like Intelligent Tracking Prevention which conflict with Google's business interests.


I think there's an excellent case for Safari. It had private browsing in 2005, before Chrome even existed. It was the first to block third party cookies by default, and today only Chrome still allows them. It added DDG as an option in 2014, while Chrome added it only this year.


> It had private browsing in 2005

I stand corrected.

> It added DDG as an option in 2014, while Chrome added it only this year.

There's a nuance here. Apple's list of search engines comes from a cryptographically signed file which only they can modify. Chrome allowed you to manually configure DDG, but omitted it from the pre-configured list of search engines that included Bing and Yahoo!.


Interestingly, the ability to add a new search engine has been removed from Safari with the deprecation of legacy extensions.


It's true that you couldn't add it as an option to the fixed list, but in practice there were extensions that enabled it.

https://news.ycombinator.com/item?id=3770958 is a fun trip down memory lane.


>It was the first to block third party cookies by default

Which led to the FTC collecting a scalp for it.

https://www.ftc.gov/news-events/press-releases/2012/08/googl...


Should mention that that’s Google paying a fine, not Apple. Your wording makes it sound like it’s the latter.


I agree that Chrome would protect users' security (privacy is a different issue). But that's one browser, not an arbitrary browser. Could you allow Chrome without allowing other browsers with lesser pedigree?

Keep in mind that several of Congress' questions are asking whether Apple provides privileged access to favored partners.


> Could you allow Chrome without allowing other browsers with lesser pedigree?

Sure, you could have security auditing standards required for apps with certain functionality, including browsers, and apply them in a neutral manner across vendors. That might structurally favor larger firms, but wouldn't favor partners.


I read Apple's responses as "We want to protect the reputation of a brand of device which is marketed as user friendly, secure and private". If they open up the device to allowing anyone to deploy buggy software on, there will be a greater incidence of headlines similar to "iPhones with XYZ browser can be hacked!!", impacting the overall brand reputation for Apple products.


It’s not like one of Chrome’s updates completely hosed Macs....

https://support.google.com/chrome/thread/15235262?hl=en


what is your point? Apple's own bugs deleted entire hard drives.

https://www.wired.com/2001/11/glitch-in-itunes-deletes-drive...


Wow. From 2001?


It hosed macs that had SIP disabled and /var world-writable. Not that that's an excuse, but few machines were affected by this.


The point being that users can’t just trust apps from reputable sources. Even if not being purposefully malicious, third parties get sloppy.


I'm fairly sure Apple's security spin comes exclusively from the fact that apps on the App Store cannot dynamically allocate executable memory.


I think you got that backwards.

apple is blocking exec flag on mmap'ed blocks because of security concerns.

Malware _relies_ on that ability to avoid static analysis.


Is that not what I said?


The way you phrased it can be interpreted as the inability to allocate executable memory is for unrelated reasons but is being “spun” as a security plus post-hoc, rather than the conscious consequence of a decision to prioritize security.

The block on allocating executing memory flows from the security concern, rather than security “spin” flowing from the allocation restriction.


The risk should be up to the consumer to take imho.


That worked so well for Android and Windows....


I mean, it did? Right now on Android or Windows, you have multiple different high-quality browsers you can pick from (Chrome, Firefox, Opera, Brave, etc), and because they all have to compete with each other, they're continually improving the user experience. In particular, Firefox and Brave have been able to add improved privacy protections by modifying the rendering engine, which isn't possible on iOS.


I’m more replying to the entire notion that the user should be able to determine whether they are using secure software instead of the operating system enforcing it.

How will the user know whether software is secure?

But you actually trust Google to protect people’s privacy?


Seems to be working for MacOS


Only because hardly anyone bothers to write malware for the Mac.


This also renders iOS devices useless for even basic browsing after the OS updates ends. Where as, a 7 year old Android device which hasn't received any OS updates can still use latest Firefox with regular updates.


This is a outright lie by Apple. They know other entities are capable of browser security. See:

https://www.cbsnews.com/news/google-iphone-hack-discovered-m...


How in the world can an opinion be a lie?

They didn't objectively state that other entities aren't capable of it. They literally said they felt those companies wouldn't protect their users as well as them.


> It is not our experience that competing web browsers have typically offered enhanced privacy or security that would protect users as adequately as our WebKit protections.

Per the article I shared, there ARE competitors to Apple that rival their privacy and security skills. Those competitors have helped Apple improve. It is an outright lie for Apple to say "it is not our experience..."

I get that my argument is mostly pedantic, but even as an "opinion" it only holds if Apple is delusional.


Google has proven that they cannot maintain even a MacOS browser by hosing Macs via their update mechanism.




Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact

Search: