Tell HN: Apple Pay works in non-Safari browsers in iOS 16 Beta 3
135 points by san_amiro on July 29, 2022 | 112 comments
I was just poking around on a Shopify store in my Firefox browser and saw the Apple Pay button show up. I first thought it was a front-end bug on the website, but I tapped on it, the widget slid up, and you can legitimately make the purchase!

Tried on Chrome too and it worked there too!

Tried a few other websites and can confirm it works everywhere Apple Pay is offered. Is it a feature? Bug?

Wanna try it yourself? You can check this Stripe test page https://stripe.com/docs/stripe-js/elements/payment-request-b...

Haven't installed Beta 4 yet to see if it is still working.




Probably preparations due to the upcoming EU framework.

As a short summary, here are some of the new EU requirements on gatekeepers such as Apple.

Gatekeepers must:

- Allow users to install apps from third-party app stores and sideload directly from the internet.

- Allow developers to offer third-party payment systems in apps and promote offers outside the gatekeeper's platforms.

- Allow developers to integrate their apps and digital services directly with those belonging to a gatekeeper. This includes making messaging, voice-calling, and video-calling services interoperable with third-party services upon request.

- Give developers access to any hardware feature, such as "near-field communication technology, secure elements and processors, authentication mechanisms, and the software used to control those technologies."

- Ensure that all apps are uninstallable and give users the ability to unsubscribe from core platform services under similar conditions to subscription.

- Give users the option to change the default voice assistant to a third-party option.

- Share data and metrics with developers and competitors, including marketing and advertising performance data.

Gatekeepers may no longer:

- Pre-install certain software applications and require users to use any important default software services such as web browsers.

- Require app developers to use certain services or frameworks, including browser engines, payment systems, and identity providers, to be listed in app stores.

- Give their own products, apps, or services preferential treatment or rank them higher than those of others.

- Reuse private data collected during a service for the purposes of another service.

- Establish unfair conditions for business users.


- Give developers access to any hardware feature, such as "near-field communication technology, secure elements and processors, authentication mechanisms, and the software used to control those technologies."

Here comes the Meta App Store to bypass all iOS privacy protections :(

I really like the idea of an eject button to run arbitrary code and operating systems on my pocket computer, but 99% of the time I want it to "just work." If I valued the former over the latter I would have bought an Android phone.


A better way to think of it, is:

Here comes F-Droid to further enhance iOS with privacy respecting applications


I really want F-Droid to keep doing the good job and not buckle under some corporate bs pressure. It must remain independent.


Why would you download the Meta App store to begin with?


My gut feeling is that there's a nontrivial chance that the moment 3rd-party app stores are available on iOS, Meta will immediately move their apps to one to work around privacy limitations the App Store currently imposes on them.

I also strongly suspect that one of those apps would be WhatsApp, which is an app that a not-insignificant portion of the world uses to communicate. Unfortunately, I don't have a choice in what apps my family around the world uses, so I'm stuck with WhatsApp. The choice for me would either be to cut contact with dozens of family members, or enable the Meta App Store.

My hope is that if Apple is forced to allow 3rd-party app stores, they'll make it possible to even more strictly sandbox apps from those stores somehow.


Luckily that same legislation designates WhatsApp as a gatekeeper and so they have to open up their API

whether they stonewall OSS clients with attestation for 'security' remains to be seen


I share your concerns but the immediate response I have to them is "needs more regulation."

We shouldn't let Meta take advantage of regulations towards Apple. We should use it as an opportunity to write more regulation of both of these entities for the purpose of serving the end user.


More regulations to fix the regulations?


Yes, it's obvious that big tech has been insufficiently regulated.

What solutions do you propose?


The solution shouldn't be worse than the problem it's solving. The default position should be "do nothing."


What App Store privacy rules are you concerned about?


I'm not sure if this is exactly what you're asking about, but submitting an app to the App Store currently performs pretty stringent checks on things the app does — including automated scanning for usage of private system APIs and ensuring that apps include appropriate reasons for asking for access to private data (contacts, photos, location data, etc.).

Without certain forms of review, it's much easier for apps to exploit weaknesses (whether in the OS, frameworks, the user, etc.), and I can't imagine that Meta would self-regulate any more than they are forced to now. Their apps and SDKs already hoover up as much data as the system will silently allow, but I'd rather not be forced to expand my device to them, if possible.


Automated scanning is already accomplished outside the App Store on macOS via notarization.


Because the next time there's a virus going around, they're going to put the vaccine passport app you need to go to the store or take a train in the Meta app store.


Very happy to bet against you on that ;) Android has multiple app stores, but the kind of app you're describing doesn't require installing an alternative one.


You're suggesting the government would distribute their vaccine passport app exclusively through Meta? Why would they do that?


Corruption.

It's still a nonsensical fear, but that would be the reason.


> - Give developers access to any hardware feature, such as "near-field communication technology, secure elements and processors, authentication mechanisms, and the software used to control those technologies."

> Here comes the Meta App Store to bypass all iOS privacy protections :(

> I really like the idea of an eject button to run arbitrary code and operating systems on my pocket computer, but 99% of the time I want it to "just work." If I valued the former over the latter I would have bought an Android phone.

I value choice. No one is forcing you to download Meta


Well, at least not until your employer/kid's school/other entity you don't really have a choice about forces it down your throat.


I think this worry is overblown. We already have this on Android, and FB/WhatsApp are still on the Google App Store. FB could start an alternative FB App Store tomorrow on Android much more than they can on iOS and it’s been shown that nobody bothers.


I don’t think this means that the iOS permissions system doesn’t stay in place. This is basically “you can’t just allowlist certain phone features to your own software”


Proper Firefox HERE WE COME!!!!


> - Allow users to install apps from third-party app stores and sideload directly from the internet.

Any provisions to allow sideloading unsigned apps?

Because if you can sideload, but it still needs to be signed by Apple, the whole thing is largely moot.


Not entirely moot. This would be more or less equivalent to macOS's "Allow apps downloaded from App Store and identified developers". This allows people to publish software without abiding by the App Store's rules and review process, as well as the 30% cut on sales.

Perhaps it doesn't go as far as you'd like but it's not moot either.


It seems like every perceived problem these days is grounds for legislation. Let’s work on additive solutions as opposed to regulation.


What do you suggest?


Today's hardest problems require government action. Techno-optimism and the free market fairy will not save us.


Do you consider this particular example a hard problem? I'm sure I agree with your statement but we probably disagree on what constitutes a problem and whether that problem is "hard" and thus needs government intervention.


Does this mean I can finally have a browser running its own rendering engine that supports its own extensions in iOS?


> Allow users to install apps from third-party app stores and sideload directly from the internet.

Do third-party app stores have to pay fees to Apple for each purchase? Can they change the rate from the current 30%? That's what I'm wondering about.


Where will that leave US users?


My guess would be paying higher prices to pick up the slack for the missing EU users when the "gatekeepers" abandon or greatly shrink operations in the EU after evaluating the cost of compliance.


On the plus side, big opportunity for EU consumers to become familiar with Chinese phones and operating systems.


> On the plus side

I'm a European and I really don't consider this a plus.


This is really awesome. I'm sure there will be anecdotal refutations of this legislation on HN, but this is a great list of consumer rights to start with. Almost gives me a little bit of hope for a future of technology that isn't controlled by 3 or 4 companies.


I hadn't heard about this, that certainly sounds pretty good


I hate that you can't sideload today but it's gonna lead to tons of malware


Alternatively we may end up with better app stores with far less malware and trash. As much as apple enthusiasts like to claim the app store is as good as it can get, there's a ton of room for improvement IMO. Just getting rid of the games that prey on children and addiction would be a good start.


It's about 100% more likely that it's going to lead to every company that chafes under Apple's current "you have to ask permission before you can do that" rules to begin to only offer their apps outside the App Store.

Remember the original Android permission model of "an app gets every permission it wants or you can't install it"? That's where this is heading.


Android also lets you individually enable/disable permissions for apps you install. Yet companies haven't started moving to 3rd party app stores to circumvent this, like you are describing


I would think a permissions model is something that Apple would still be able to design and enforce through their control of the operating system?


Apple can’t stop malware on macOS

Google can’t stop malware on Android

Microsoft can’t stop malware on Android

What makes you think Apple will be able to stop malware on iOS?


Malware is definitely possible in various ways, but my understanding is the permission system is still robust. Unless you have given an app a particular permission, with a UI controlled by the operating system, it is unable to use operating system capabilities that are protected by that permission.

For example, the OS can enforce that an app can't use the camera without the user clicking "allow" on an OS-managed pop-up.


The permission and security systems will be circumvented by malware authors and unscrupulous developers, just like they are on macOS. Given the enormous amount of personal information on our mobile devices, this represents a particularly concerning potential regression in end user privacy and security.

Like on Windows, macOS and Android it’ll be crucial for users to avoid installing executables from the web. And like Android, users also have to be trained to only install apps from ethical software repositories that respect user privacy and security. This is the best case scenario for privacy/security, and essentially the status quo for Android.

For better or for worse, the days of iOS users installing any and all available applications without worrying about malware are over. Users will get more freedom, but they’ll have to take more responsibility when vetting and running third party apps. I don’t know how a notoriously novice user base will react to that, but we shall see.


Mac OS, like all traditional desktop operating systems, gives almost all permissions to every process running as the user. This is a very difficult environment to defend!

It's also very different from how iOS and Android heavily restrict what each app can do, hiding most things you might want to do behind permissions. Installing an app is not quite as safe as visiting a web page, but it's very nearly so if you don't agree to any permissions requests.

The most common way for malware to abuse the permissions system is to ask for permissions to do something plausible, or even implausible, and then abuse those permissions to do other things that the user wasn't expecting. For example, a speed dialer might ask for permission to read your contacts, which is quite reasonable for a speed dialer, but then exfiltrate and sell them.


The same way that Google prevents malware from existing outside of the Google Play Store?


Children and addiction are your two problems with the App Store? How exactly do you think a third-party free-for-all set of app stores is going to do better?


I think niche app stores will be able to engage in much stricter moderation. For example, a kids only store could focus on knowing their developers and forbidding in app purchases.


It sounds like you envision a world of many different walled gardens, instead of the single Apple-policed walled garden.

I can see how that would be attractive in some ways. On the other hand, parents aren't necessarily smarter than anyone else.

"Install this rando app store and get 12¢ off your next gas fill-up!"


Remember Facebook offering people a few bucks to MITM their entire phone? Oh wait, that was on the official App store! And they didn't even ban them!


>Remember Facebook offering people a few bucks to MITM their entire phone? Oh wait, that was on the official App store! And they didn't even ban them!

No, companies can apply for their own app signing key that allows them to create apps for their own in-house-only uses that completely bypass the App Store.

Facebook used that enterprise signing key to install spyware on users' devices. This had nothing to do with the App Store, and Apple did revoke their signing key as a warning shot.

>“We designed our Enterprise Developer Program solely for the internal distribution of apps within an organization,” the spokesperson said. “Facebook has been using their membership to distribute a data-collecting app to consumers, which is a clear breach of their agreement with Apple. Any developer using their enterprise certificates to distribute apps to consumers will have their certificates revoked, which is what we did in this case to protect our users and their data.”

https://www.cnbc.com/2019/01/30/apple-says-facebook-violated...


Please read carefully what you wrote.

> that completely bypass the App Store [..] Apple did revoke their signing key

Do you see it yet? There is no "bypassing the App Store". At the end of the day, the root of trust comes back to Apple.

And, of course, they "revoked" it meaning they waited for a week or so and then Facebook had all their enterprise apps back. This isn't the treatment in store for you if you attempted this.


Sorry, but bypassing the App Store and its associated review process is exactly what Enterprise signing certificates do allow.

Those apps are not distributed through the App Store.

>Oh wait, that was on the official App store!

Do you see it yet? :oP


Alternatively, Apple will loosen restrictions on what App Store (tm) apps can do to prevent profitable apps (for Apple) from moving to alternate app stores.

But, you know, I can just not install those app stores so it totally won't affect me, right? Thanks guys! /s


Does Android have a malware problem with sideloading? The majority of users don't know how to sideload and don't do it. Technical users hopefully know what they're doing. In any event, if you google "android malware" most of the results are apps that slipped into the app store:

https://www.tomsguide.com/news/malware-hits-10-million-andro...


Non-Safari browsers on iOS are still Safari's rendering engine, aren't they?

I just wish it'd work on Firefox on my Mac. If not that, I'd love a popup that told me the page supports Apple Pay, so I can checkout with Safari instead.


I have a Firefox extension that does this, but it only works on some sites and it's very much not complete. https://github.com/mike-u/firefox-apple-pay


"SO post trying to accomplish this" is mine, lol.


Well hey, thanks for doing half the work for me.


Thank you for picking up the rest!


I wish Firefox on the Mac supported Keychain. Chrome does.


This is not a new API AFAIK. The Payment API[0] has been around for a while. MDN's got the full skinny [1].

[0]: https://webkit.org/blog/8182/introducing-the-payment-request...

[1]: https://developer.mozilla.org/en-US/docs/Web/API/Payment_Req...


I have 15.6 stable installed and when opening the Stripe test page I receive an error in Firefox (“Either your browser does not support the Payment Request API, or you do not have a saved payment method.”)


iOS 16 beta apparently provides the framework updates necessary for third-party iOS App Store browsers to use it. So you won’t be able to use it on 15.X unless they backport, which is unlikely.


Stripe's demo doesn't work on desktop Firefox, either.

> Either your browser does not support the Payment Request API, or you do not have a saved payment method. To try out the Payment Request Button live demo, switch to one of the supported browsers below, and make sure you have a saved payment method.


Desktop Firefox doesn’t use the Apple WebKit engine on the backend, so that’s up to the Firefox Desktop team to implement on their own (and tie into the OS native if available, which I suspect depends on you running the latest macOS beta, assuming they’re working on it yet).

EDIT: Which they’re not, per above.


Apple Pay does not work in non-Safari WebKit browsers on macOS as of Ventura beta 4.


Firefox doesn't implement Payment Request, so no Payment Request based payment methods would work.


It's implemented but off by default; there's a `dom.payments.request.enabled` feature flag, but it doesn't make the Stripe demo work.


The API isn't new but being able to use it in 3rd party browsers on iOS is.


Is this intended for actual non-Safari browsers like actual Chrome or Firefox on iOS or just what there is now where Chrome and Firefox on top of the same WebKit engine as Safari?


Everything is still Safari underneath. That’s probably never changing as long as Apple has a say (that new EU law may force it).

But this would mean you could use Apple Pay from the current Firefox app.


Letting all browsers with a Safari engine use all the features of Safari-Safari fed be a way to nudge users to keep using Safari browsers instead of other browser engines, when that EU law forces Apple to open up the platform. The other browsers could be forever behind in iOS features. However that's going to make the browser experience closer to native.


I'm glad Apple is opening up features for other browsers to use on iOS, but I don't understand how this nudges users? As soon as it is permitted, Firefox, Chrome, etc will switch from their WebKit based implementations to using their own engines.


I might be wrong but if the upgrade from Chrome-Safari to Chrome-Chrome means that users lose Apple Pay inside the browser, something they just got used to having, maybe they switch to Safari-Safari to keep the feature.


You mean everything is WebKit underneath. Safari and Chrome on iOS are very different browsers.


No, I believe they meant Safari underneath, which is often used as shorthand for the specific rendering engine based on WebKit that powers Safari on iOS and comes with its own quirks. Chrome does not use the same engine on any other platform as it has deviated significantly.

The section on “Apple’s Open Source Claim” in this blog post [1] goes into a lot more detail on the relationship between Safari, WebKit, and the Chrome/Chromium rendering engine.

[1] https://infrequently.org/2021/08/webkit-ios-deep-dive/


Apple Pay has been supported in WebKit’s web view (which every browser uses) for a while now, but with some conditions. The biggest obstacle was that an app couldn’t inject any JavaScript code of its own into websites. I wonder if they removed this safeguard.


They must have removed that: if you're building your own browser you definitely want to be able to inject JavaScript code, because one of your few options for differentiating yourself on iOS is supporting browser features that Apple hasn't prioritized implementing yet. Both Chrome and Firefox do this by injecting polyfills.


You're probably right but it's not like Apple wouldn't take the chance to kill that off if they thought they could get away with it



It does not seem to be the case on macOS.


No it doesn't, because there is no such thing as a non-safari browser on iOS.

Firefox, Chrome, anything Apple will allow is just Safari in a different costume.


Except they use their own browser features, sync, telemetry, privacy practices, business model etc...


All of those things are ancillary except for privacy (even though privacy capability is closely tied to the browser engine these days). It's like saying it must be a Cadillac... "but I can choose the seat colours and stereo so that counts for something!" - I mean sure if you value the stereo that much but you have no choice over the things that make it what it is, the engine.


DeLorean DMC-12 and Renault 25 share the same engine. By your analogy these would basically be the same cars. Which of course is absurd.

Engine just makes the car move, everything else defines it. Same with browsers on iOS. Also saying Chrome and Safari on iOS are same browsers because they share WebKit is like saying Edge and Vivaldi are same browsers because they share Blink (they share much more, but still they are very different).


You can pull my analogy to pieces all you want, but it doesn't change the fact that you are using apple-webkit, when you use any browser on iOS, not gecko, not blink... and unlike a car, the browser engine makes up 99% of what the browser does. But if you want to argue that bookmark syncing and shit is a significant feature, I mean sure whatever, I think you need to open your eyes.


So Edge and Vivaldi are same browsers, just 1% different?


Correct, as Apple forces all 3rd party browsers to use their rendering engine.

It's like using a winforms webbrowser control in .NET and giving the window a title with your own brand name.


yes.


Brave and Edge are not Chrome.


Brave and Edge can compile the Chromium code base with any changes they want, including adding or removing features. On iOS that is not something alternative browsers are able to do.


It doesn't matter what it's called, the underlying engine of any "browser" app available on iOS is apple-webkit. Because you aren't allowed browser engines on iOS, Apple rules, it's all a bunch of skins. Apple are so good at selling the lie of diversity that hardly anyone seems to notice this seemingly obvious truth... you aren't allowed to choose a browser on iOS.


This is good news, I hope they make it available in all “In App Browsers” (IABs) too, along with all saved payment cards in your key chain.

As a data point from an online retailer, we kept seeing a significantly high (I think it was something ridiculous like 30%) drop out at the check out payment screen for all Facebook/Instagram ad customers.

What was happening was they were clicking on ads, coming to our site, going to purchase and then when they reached payment didn’t have access to Apple Pay or their saved card details. The in app browsers have an “open in Safari” button, they were clicking that - so they could use their preferred payment method - and losing their session and shopping cart. It was catastrophic!

We ultimately fixed the issue with a warning message to customers who are within an IAB.

IABs are bad for advertisers, they only serve to keep users within the social media app.

Anyone with the Beta, I would love to know if either Apple Pay or key chain saved cards are available now in social media IABs.


> The in app browsers have an “open in Safari” button, they were clicking that - so they could use their preferred payment method - and losing their session and shopping cart. It was catastrophic!

This is one of the few instances in which Android went to some lengths to provide a good UX. An IAB can transition into the real thing without even re-rendering or blinking - and it has all the user data of the main browser.


That's not quite right. A real in-app browser on Android, like Facebook's, has fully independent state. But Android also supports a feature called Custom Tabs, where you can have something that looks and acts a lot like an in-app browser but is actually your default browser under the hood. The embedding app gives up some control over it, and can't, for example, inject custom JavaScript, but in exchange it shares state with the default browser.

More: https://developer.chrome.com/docs/android/custom-tabs/


I am using the beta, and I was able to make a purchase with Apple Pay via something resembling an IAB.


As far as I know there are no non-Safari browsers on iOS yet.


Every non-Safari browser on iOS is a non-Safari browser :) You probably meant no non-WebKit browsers on iOS.


Do you know if extensions work, too? That was the big thing keeping me off Firefox on iOS, and thus, Firefox on Mac.

I want something that syncs to all my devices and supports extensions on all my devices.

TBH not allowing safari extensions to work in non-safari browsers felt almost anticompetitive, but I do recognize that there are some UI challenges to solve. Apple Pay was the other big feature I was missing out on.


I have the beta on an iPad and no sign of extensions. Another pain point for me is that the system password manager doesn't work as well as it does with Safari (and sometimes not at all), and that does not seem to have improved either.


There is no "non-Safari" browser on iOS. It's all a skin over WebKit.


I hope support for this ends up in Mac browsers. It’s really frustrating to get through a car pieces and realize the site probably supports Apple Pay but you can’t use it because you’re looking at the site outside of Safari


Has anyone ever managed to get Apple Pay working in non-Safari app on macOS?


It's supported on macOS - I know of a couple of desktop apps that use it. If you were running a Catalyst app on Mac that used Apple Pay it would work also. If you run into trouble you can find me on Twitter (@nickjshearer) or the Apple Dev Forums.


Have never seen it anywhere else. I wish it worked in Firefox!


"non-Safari browsers" I thought all iOS browsers are technically Safari based?


I wish Firefox on iOS supported the hide my email feature that you get in Safari.


Just tested with Orion browser on iPhone 13 with iOS 16 beta 4 and it works


Confirmed.


Please let this mean Apple will embrace TWAs in the app store



