Apple is to remove the ability to install home screen web apps from iPhones and iPads in Europe when iOS 17.4 is released, saying it’s too difficult to keep offering the feature under the European Union’s new Digital Markets Act (DMA). Apple is required to comply with the law by March 6.
Apple said the change is necessitated by a requirement to let developers “use alternative browser engines—other than WebKit—for dedicated browser apps and apps providing in-app browsing experiences in the EU.”
Apple explained its stance in a developer Q&A under the heading, “Why don’t users in the EU have access to Home Screen web apps?” It says:
Addressing the complex security and privacy concerns associated with web apps using alternative browser engines would require building an entirely new integration architecture that does not currently exist in iOS and was not practical to undertake given the other demands of the DMA and the very low user adoption of Home Screen web apps. And so, to comply with the DMA’s requirements, we had to remove the Home Screen web apps feature in the EU.
It will still be possible to add website bookmarks to iPhone and iPad home screens, but those bookmarks would take the user to the web browser instead of a separate web app.
The Digital Markets Act targets “gatekeepers” of certain technologies such as operating systems, browsers, and search engines. It requires gatekeepers to let third parties interoperate with the gatekeepers’ own services, and prohibits them from favoring their own services at the expense of competitors.
Allowing home screen web apps with Safari but not third-party browser engines might cause Apple to violate the rules.
Apple warns of “malicious web apps”
As Apple explains, iOS “has traditionally provided support for Home Screen web apps by building directly on WebKit and its security architecture. That integration means Home Screen web apps are managed to align with the security and privacy model for native apps on iOS, including isolation of storage and enforcement of system prompts to access privacy impacting capabilities on a per-site basis.”
Apple said it won’t be able to guarantee this isolation once alternative browser engines are supported.
“Without this type of isolation and enforcement, malicious web apps could read data from other web apps and recapture their permissions to gain access to a user’s camera, microphone or location without a user’s consent. Browsers also could install web apps on the system without a user’s awareness and consent,” Apple says.
Despite the change, Apple said that “EU users will be able to continue accessing websites directly from their Home Screen through a bookmark with minimal impact to their functionality.”
One browser-related change will be immediately obvious to EU users once they install the new iOS version.
“When users in the EU first open Safari on iOS 17.4, they’ll be prompted to choose their default browser and presented with a list of the main web browsers available in their market to select as their default browser,” Apple says.
Apple said it had to prepare carefully for the requirement to let developers use alternative browser engines because browser engines “are constantly exposed to untrusted and potentially malicious content and have visibility into sensitive user data,” making them “one of the most common attack vectors for malicious actors.”
Apple said it is requiring developers who use alternative browser engines to meet certain security standards:
To help keep users safe online, Apple will only authorize developers to implement alternative browser engines after meeting specific criteria and committing to a number of ongoing privacy and security requirements, including timely security updates to address emerging threats and vulnerabilities. Apple will provide authorized developers of dedicated browser apps access to security mitigations and capabilities to enable them to build secure browser engines, and access features like passkeys for secure user login, multiprocess system capabilities to improve security and stability, web content sandboxes that combat evolving security threats, and more.
Overall, Apple said its DMA preparations have involved “an enormous amount of engineering work to add new functionality and capabilities for developers and users in the European Union—including more than 600 new APIs and a wide range of developer tools.”
