Apple's claim is that it bans other browsers for security AND NOT because it's protecting its 70b of AppStore Revenue or 15b of Google Search Revenue in Safari.

The CMA says the ban not only doesn't protect security, it could make it worse!

🧵 Let's dig in...
[Images: a pie chart showing Browser Code Execution Vulnerabilities; a histogram of days from fix landed in public to fix shipped; a graph showing browser code executions by vulnerabilities; a chart that compares updates between iOS vs Chrome on Andro…]
Apple, in comments to the CMA, makes the claims that it's able to address security issues quickly AND that Safari is more secure than Blink and Gecko.
“... in Apple's opinion, WebKit offers a better level of s
But the statistics paint a different picture. Out of each of the three major browser engines, Safari has had the highest number of Browser Code Execution Vulnerabilities.
[Figure: a pie chart showing Browser Code Execution Vulnerabilities]
If we break this down by year, you can see Safari has the highest number in every single year except one.
[Figure: a graph showing browser code executions by vulnerabilities]
If we look at how long it takes Apple to patch vulnerabilities, the picture looks even worse. Firefox and Chrome/Edge are significantly better at patching their browser quickly.
[Figure: a histogram of days from fix landed in public to fix shipped]
Note that this graph doesn't even include the time it takes the user to update the OS since Safari updates are tied to the operating system (an antiquated practice).
This means to update the browser, users have to update the entire operating system and this further delays patches reaching users. iOS users remain vulnerable to known bugs in Safari longer than users of alternative browsers on every other OS.
As @snd_wagenseil said, if Apple isn't going to put in the work necessary to protect users, then they should let others do so.
"Chrome/Brave/Firefox are required to use the default W
Apple doesn't even apply all the patches to versions of the operating system that are still heavily used. When iOS 15 only had 0.93% of users installed, Apple wasn't applying all of those security patches to iOS 14.

Apple did not tell users that they remained insecure due to Apple’s failure to back-port fixes. Users were unable to choose alternative browsers. They were left insecure in every browser without warning, even though their browser may be “up to date”. @AndrewWrites's great point:
“And that gets us back to the main problem with Apple's se
For example, Apple took 59 days to land a fix regarding a serious privacy flaw in WebKit’s IndexedDB implementation. Poor communication from Apple caused the FingerprintJS team to disclose the bug before a fix had reached users.

techcrunch.com/2022/01/26/app…
Spurred by the public disclosure, Apple quickly landed patches to address the issue, but it took an additional 10 days to package the OS update and ship it. Leaving the window of vulnerability open this far in the face of publicly disclosed issues does much to draw into question Apple’s claims of protection. If users had credible alternative browsers available to them, they might have been able to better protect their privacy for the week and a half it took Apple to finally fix a long-disclosed issue.
To top all of that, Apple appears to have a bad relationship with security experts. Perhaps they only like the marketing value of "security" and they want to discourage reports as it'll damage their carefully crafted image.
"You have to have a healthy internal bug fixing mechan
Apple uses security as their primary excuse for the #AppleBrowserBan. Based on the available evidence, the CMA found that the ban could potentially even harm security, and we at OWA would argue there is compelling evidence that third-party browsers would improve security.
While security and privacy are key dimensions of quality for
The CMA even hired external security firm @ret2systems to analyze Apple's claims and they found "Allowing Blink and Gecko on iOS by dedicated browsers apps is highly unlikely to materially worsen security".
All three main browser engines are very secure for the avera
The CMA found that based on security concerns the #AppleBrowserBan is not justified and note that

"Apple benefits financially from weakening competition in browsers via the browser engine ban"
If you're as angry as we are about Apple's anti-competitive practices which are both holding back the Web and Web Apps, YOU and YOUR COMPANY can do something about it.

👇 A few minutes to save the future of the web is worth it.

CMA = @CMAgovUK (Competition and Markets Authority) - The UK Regulator.

gov.uk/cma-cases/mobi…
Errata: This was attributed to @snd_wagenseil instead of @alexstamos. Apologies 🙇‍♂️
