Archive for October, 2023

Apple Browser Ban: expect EU legal wrangling

Whatever Apple’s real reason for requiring every browser on iOS and iPadOS to use its own WebKit engine (which makes each of them little more than a white-labelled Safari with a different badge), Apple claims it does so to protect customer privacy.

Two days ago, news of another serious WebKit vulnerability became public. Ars Technica quote researchers as saying

we demonstrate how Safari allows a malicious webpage to recover secrets from popular high-value targets, such as Gmail inbox content. Finally, we demonstrate the recovery of passwords, in case these are autofilled by credential managers.

and notes

While iLeakage works against Macs only when running Safari, iPhones and iPads can be attacked when running any browser because they’re all based on Apple’s WebKit browser engine.

So if the iOS WebKit monopoly is there for your comfort and security™, it isn’t working very well: iLeakage, a speculative-execution side-channel attack, was disclosed to Apple in September 2022, more than a year before it became public. Another effect of this rendering-engine monopoly (AKA #appleBrowserBan) is to limit the usefulness of web apps on iOS, because WebKit doesn’t implement certain APIs that web apps need, and users can’t switch to an engine that does.

This has led to the EU’s Digital Markets Act, which forbids companies it designates as “gatekeepers” from doing this. In the words of the Act’s recitals:

43: In particular, each browser is built on a web browser engine, which is responsible for key browser functionality such as speed, reliability and web compatibility. When gatekeepers operate and impose web browser engines, they are in a position to determine the functionality and standards that will apply not only to their own web browsers, but also to competing web browsers and, in turn, to web software applications. Gatekeepers should therefore not use their position to require their dependent business users to use any of the services provided together with, or in support of, core platform services by the gatekeeper itself as part of the provision of services or products by those business users.

In September, the EU designated Apple as a gatekeeper and iOS as a core platform service. Gatekeepers’ obligations under the Act apply from March 2024. We can expect Apple to try to wriggle out of anything beyond malicious compliance through endless legal wrangling. Here’s a fascinating insight into the legal culture inside Apple, from an interview with Apple’s former General Counsel, Bruce Sewell:

At 28m19s, Sewell describes Apple legal:

with 600 people in my department it’s like a mid-sized law firm. But we still would spend, you know my budget was just shy of a billion dollars a year

At 37m22s, Sewell talks of a previous legal case:

If you can figure out how to get closer to a particular risk, but be prepared to manage it if it does go nuclear, then your company, think of it as a sailing metaphor, your company is able to sail closer to the wind than its competitors are. And that’s a real advantage … The reaction from Tim [Cook] was that’s the right choice. You made the best choice that you could with the information that you had. You didn’t know about these other things. Don’t let that scare you. I don’t want you to stop pushing the envelope because that’s why legal is an important function in the company.

Big Tech is already attempting to water down UK legislation. I don’t expect them to roll over in the much larger EU market.

(Last Updated on 2 November 2023)

Reading List 310