Open Web Advocacy
Developers fighting self-serving restrictions imposed on the web by tech giants. Help us end #AppleBrowserBan & make web apps 1st-class.

Jun 27, 2022, 20 tweets

Apple's claim is that it bans other browsers for security AND NOT because it's protecting its 70b of AppStore Revenue or 15b of Google Search Revenue in Safari.

The CMA says the ban not only doesn't protect security it could make it worse!

🧵 Let's dig in...

Apple, in its comments to the CMA, claims that it is able to address security issues quickly AND that Safari is more secure than Blink and Gecko.

But the statistics paint a different picture. Of the three major browser engines, Safari has had the highest number of Browser Code Execution Vulnerabilities.

If we break this down by year, you can see Safari has the highest number in every single year except one.

If we look at how long it takes Apple to patch vulnerabilities the picture looks even worse. Firefox and Chrome/Edge are significantly better at patching their browser quickly.

Note that this graph doesn't even include the time it takes the user to update the OS since Safari updates are tied to the operating system (an antiquated practice).

This means to update the browser, users have to update the entire operating system and this further delays patches reaching users. iOS users remain vulnerable to known bugs in Safari longer than users of alternative browsers on every other OS.

As @snd_wagenseil said if Apple isn't going to put in the work necessary to protect users then they should let others do so.

Apple doesn't even apply all the patches to versions of the operating system that are still heavily used. When iOS 15 had been installed by only 0.93% of users, Apple wasn't applying all of those security patches to iOS 14.

Apple did not tell users that they remained insecure due to Apple's failure to back-port fixes. Users were unable to choose alternative browsers. They were left insecure in every browser without warning, even though their browser may be "up to date". @AndrewWrites's great point:

For example, Apple took 59 days to land a fix regarding a serious privacy flaw in WebKit’s IndexedDB implementation. Poor communication from Apple caused the FingerprintJS team to disclose the bug before a fix had reached users.

techcrunch.com/2022/01/26/app…

Spurred by the public disclosure, Apple quickly landed patches to address the issue, but it took an additional 10 days to package the OS update and ship it. Leaving the window of vulnerability open this far in the face of publicly disclosed issues does much to draw into question Apple's claims of protection. If users had credible alternative browsers available to them, they might have been able to better protect their privacy for the week and a half it took Apple to finally fix a long-disclosed issue.

To top all of that Apple appears to have a bad relationship with security experts. Perhaps they only like the marketing value of "security" and they want to discourage reports as it'll damage their carefully crafted image.

Apple uses security as their primary excuse for the #AppleBrowserBan. Based on the available evidence the CMA found that the ban could potentially even harm security and we at OWA would argue there is compelling evidence that third party browsers would improve security.

The CMA even hired the external security firm @ret2systems to analyze Apple's claims, and they found that "Allowing Blink and Gecko on iOS by dedicated browsers apps is highly unlikely to materially worsen security".

The CMA found that the #AppleBrowserBan is not justified on security grounds and notes that

"Apple benefits financially from weakening competition in browsers via the browser engine ban"

If you're as angry as we are about Apple's anti-competitive practices, which are holding back both the Web and Web Apps, YOU and YOUR COMPANY can do something about it.

👇 A few minutes to save the future of the web is worth it.

CMA = @CMAgovUK (Competition and Markets Authority) - The UK Regulator.

gov.uk/cma-cases/mobi…

Errata: This was attributed to @snd_wagenseil instead of @alexstamos. Apologies 🙇‍♂️
