<?xml version="1.0"?>
<feed xmlns="http://www.w3.org/2005/Atom" xml:lang="en">
	<id>https://mirror.consumerrights.wiki/api.php?action=feedcontributions&amp;feedformat=atom&amp;user=Kirb</id>
	<title>Consumer Rights Wiki - User contributions [en]</title>
	<link rel="self" type="application/atom+xml" href="https://mirror.consumerrights.wiki/api.php?action=feedcontributions&amp;feedformat=atom&amp;user=Kirb"/>
	<link rel="alternate" type="text/html" href="https://mirror.consumerrights.wiki/w/Special:Contributions/Kirb"/>
	<updated>2026-05-21T23:28:28Z</updated>
	<subtitle>User contributions</subtitle>
	<generator>MediaWiki 1.44.0</generator>
	<entry>
		<id>https://mirror.consumerrights.wiki/index.php?title=Talk:Apple_App_Store&amp;diff=42429</id>
		<title>Talk:Apple App Store</title>
		<link rel="alternate" type="text/html" href="https://mirror.consumerrights.wiki/index.php?title=Talk:Apple_App_Store&amp;diff=42429"/>
		<updated>2026-03-10T05:36:11Z</updated>

		<summary type="html">&lt;p&gt;Kirb: /* See also */ Reply&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;==See also==&lt;br /&gt;
&lt;br /&gt;
Is the self promotion allowed?  [[User:Dosjdhdjdjdhdjdjdj|Dosjdhdjdjdhdjdjdj]] ([[User talk:Dosjdhdjdjdhdjdjdj|talk]]) 06:26, 19 February 2026 (UTC)&lt;br /&gt;
&lt;br /&gt;
:No issue with me if it&#039;s removed. This article was started before the wiki existed, and in general still needs tidying up into a format that properly suits the wiki. [[User:Kirb|kirb]] ([[User talk:Kirb|talk]]) 05:36, 10 March 2026 (UTC)&lt;/div&gt;</summary>
		<author><name>Kirb</name></author>
	</entry>
	<entry>
		<id>https://mirror.consumerrights.wiki/index.php?title=Apple_App_Store&amp;diff=14039</id>
		<title>Apple App Store</title>
		<link rel="alternate" type="text/html" href="https://mirror.consumerrights.wiki/index.php?title=Apple_App_Store&amp;diff=14039"/>
		<updated>2025-05-01T08:41:36Z</updated>

		<summary type="html">&lt;p&gt;Kirb: /* Epic Games */ Fix link to Epic article&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;[[File:App Store (iOS).svg|thumb|150px]]&lt;br /&gt;
&lt;br /&gt;
&#039;&#039;&#039;[[Apple]]&#039;&#039;&#039; uses a range of technical measures to protect their App Store ecosystem and reduce consumer choice. These measures obscure the company&#039;s business intentions, creating roadblocks for app developers and users, while typically citing security reasons for their existence. This actively hurts the ability for lawmakers to advocate for the rights of consumers and businesses in Apple&#039;s ecosystem, and prevents apps from being as useful as their customers expect.&lt;br /&gt;
&lt;br /&gt;
A never-ending demand for a cut of every sale of a digital product, ranging from game currency, to supporting content creators,&amp;lt;ref name=&amp;quot;patreon&amp;quot;&amp;gt;{{Cite web |last=Roth |first=Emma |date=12 Aug 2024 |title=Patreon: adding Apple’s 30 percent tax is the price of staying in the App Store |url=https://www.theverge.com/2024/8/12/24218629/patreon-membership-ios-30-percent-apple-tax |url-status=live |access-date=16 Mar 2025 |website=[[The Verge]]}}&amp;lt;/ref&amp;gt; to booking a Zoom call with a local business,&amp;lt;ref name=&amp;quot;facebook&amp;quot;&amp;gt;{{Cite web |last=Paul |first=Katie |last2=Nellis |first2=Stephen |date=28 Aug 2020 |title=Exclusive: Facebook says Apple rejected its attempt to tell users about App Store fees |url=https://www.reuters.com/article/us-facebook-apple-exclusive/exclusive-facebook-says-apple-rejected-its-attempt-to-tell-users-about-app-store-fees-idUSKBN25O042/ |url-status=live |access-date=16 Mar 2025 |website=[[Reuters]]}}&amp;lt;/ref&amp;gt; hurts the ability for app developers to innovate. These developers, working hard and pulling countless hours to build a quality app, always need to take Apple&#039;s (and [[Google]]&#039;s) demands into account - specifically, a fee of between 15% and 30% of all revenue collected via the app. This is revenue that can be reinvested into the app, but instead must be earmarked for the platforms they are &#039;&#039;&#039;required&#039;&#039;&#039; to use to reach their customers.&lt;br /&gt;
&lt;br /&gt;
Because this is a clear problem, several governments, including South Korea,&amp;lt;ref&amp;gt;{{Cite web |date=8 Mar 2022 |title=South Korea approves rules on app store law targeting Apple, Google |url=https://www.reuters.com/technology/skorea-approves-rules-app-store-law-targeting-apple-google-2022-03-08/ |url-status=live |access-date=16 Mar 2025 |website=[[Reuters]]}}&amp;lt;/ref&amp;gt; Japan,&amp;lt;ref&amp;gt;{{Cite web |last=Sharwood |first=Simon |date=13 Jun 2024 |title=Japan forces Apple and Google to allow third-party app stores and payments |url=https://www.theregister.com/2024/06/13/japan_smartphone_software_law/ |url-status=live |access-date=16 Mar 2025 |website=[[The Register]]}}&amp;lt;/ref&amp;gt; the European Union,&amp;lt;ref&amp;gt;[[wikipedia:Digital Markets Act|Digital Markets Act]]&amp;lt;/ref&amp;gt; the United Kingdom,&amp;lt;ref&amp;gt;{{Cite web |last=Competition and Markets Authority |date=4 Mar 2021 |title=Investigation into Apple AppStore |url=https://www.gov.uk/cma-cases/investigation-into-apple-appstore |url-status=live |access-date=16 Mar 2025 |website=[[gov.uk]]}}&amp;lt;/ref&amp;gt; Australia,&amp;lt;ref&amp;gt;{{Cite web |date=28 Apr 2021 |title=Dominance of Apple and Google&#039;s app stores impacting competition and consumers |url=https://www.accc.gov.au/media-release/dominance-of-apple-and-googles-app-stores-impacting-competition-and-consumers |url-status=live |access-date=16 Mar 2025 |website=[[ACCC]]}}&amp;lt;/ref&amp;gt; as well as the US and a handful of states,&amp;lt;ref&amp;gt;[[wikipedia:Open App Markets Act|Open App Markets Act]]&amp;lt;/ref&amp;gt;&amp;lt;ref&amp;gt;{{Cite web |date=20 Nov 2024 |title=S.5364 - App Store Accountability Act |url=https://www.congress.gov/bill/118th-congress/senate-bill/5364/text/is |url-status=live |access-date=16 Mar 2025 |website=[[congress.gov]]}}&amp;lt;/ref&amp;gt;&amp;lt;ref name=&amp;quot;doj&amp;quot;&amp;gt;{{Cite web |last=Balsamo |first=Mike |last2=Liedtke |first2=Mike 
|last3=Whitehurst |first3=Lindsay |last4=Bajak |first4=Frank |date=21 Mar 2024 |title=Justice Department sues Apple, alleging it illegally monopolized the smartphone market |url=https://apnews.com/article/apple-antitrust-monopoly-app-store-justice-department-822d7e8f5cf53a2636795fcc33ee1fc3 |url-status=live |access-date=16 Mar 2025 |website=[[APNews]]}}&amp;lt;/ref&amp;gt;&amp;lt;ref&amp;gt;{{Cite web |date=19 Feb 2021 |title=It’s time to free ourselves from ‘Big Tech’ monopoly |url=https://azcapitoltimes.com/news/2021/02/19/its-time-to-free-ourselves-from-big-tech-monopoly/ |url-status=live |access-date=16 Mar 2025 |website=[[Arizona Capitol Times]]}}&amp;lt;/ref&amp;gt; have opened investigations into anti-competitive practices, or considered or already passed legislation to force &amp;quot;gatekeeper platforms&amp;quot; such as Apple to be more reasonable with third-party developers.&lt;br /&gt;
&lt;br /&gt;
This being a major threat to Apple&#039;s revenue stream (interestingly, one they claim to be unsure is profitable&amp;lt;ref&amp;gt;{{Cite web |last=Lovejoy |first=Ben |date=17 Apr 2024 |title=Schiller doesn’t know whether the App Store is profitable; there are no minutes of meetings |url=https://9to5mac.com/2024/04/17/app-store-is-profitable-apple-notes/ |url-status=live |access-date=16 Mar 2025 |website=[[9to5Mac]]}}&amp;lt;/ref&amp;gt;&amp;lt;ref&amp;gt;{{Cite web |last=Lovejoy |first=Ben |date=17 Jan 2025 |title=Apple denies App Store profit margin is 75% – claims to have no clue |url=https://9to5mac.com/2025/01/17/apple-denies-app-store-profit-margin-is-75-claims-to-have-no-clue/ |url-status=live |access-date=16 Mar 2025 |website=[[9to5Mac]]}}&amp;lt;/ref&amp;gt;), they have responded with practices such as geoblocking certain operating system functionality based on physical location,&amp;lt;ref&amp;gt;{{Cite web |title=Eligibility |url=https://theapplewiki.com/wiki/Eligibility |url-status=live |access-date=16 Mar 2025 |website=[[The Apple Wiki]]}}&amp;lt;/ref&amp;gt; misrepresenting/overstating risks, and using careful wording with commonly-understood terms to describe unreasonably difficult-to-use systems.&lt;br /&gt;
&lt;br /&gt;
==Background info==&lt;br /&gt;
Important terms you&#039;ll run into in this article:&lt;br /&gt;
&lt;br /&gt;
*&#039;&#039;&#039;[[wikipedia:Sandbox (computer security)|Sandbox]]&#039;&#039;&#039;: Reduces exposure of the user&#039;s device/data to security risks, by reducing what an app is allowed to do.&lt;br /&gt;
*&#039;&#039;&#039;[https://theapplewiki.com/wiki/Entitlements Entitlements]&#039;&#039;&#039;: Apple&#039;s method of &amp;quot;poking holes&amp;quot; in the sandbox, to give the app more permissions. Some are available to developers, while many are only available to Apple.&lt;br /&gt;
*&#039;&#039;&#039;[[wikipedia:Digital Markets Act|Digital Markets Act]]&#039;&#039;&#039;: The European Union&#039;s fairly sweeping recent regulations forcing companies it classifies as &amp;quot;gatekeepers&amp;quot; to play nice, giving smaller businesses access to software/hardware features those companies have historically reserved for their own use.&lt;br /&gt;
&lt;br /&gt;
==In-app purchases==&lt;br /&gt;
Apple has been collecting users&#039; credit card numbers since launching the iTunes Store in 2004. The launch of the App Store in 2008, followed by the introduction of in-app purchases (IAPs) in 2009, gave iPhone app developers the opportunity to sell app features to users. The IAP system is provided as a developer framework named [https://developer.apple.com/storekit/ StoreKit]. Apps and their in-app purchases are managed through a dashboard named [https://developer.apple.com/app-store-connect/ App Store Connect]. App sales have eclipsed iTunes Store sales, and are now a primary focus of Apple&#039;s Media Services division.&lt;br /&gt;
&lt;br /&gt;
Apple requires any purchase of a digital good or service in an app to use their in-app purchase system. This may seem reasonable because the customer may inevitably call Apple support, demanding a refund for an app they have issues with. Apple would rather give that refund and leave the customer with a positive support experience than provide a messy process involving contacting a third party, whose customer service is likely nowhere near the same experience.&lt;br /&gt;
&lt;br /&gt;
App Store purchase fees are between 15% and 30%. In September 2016, Apple expanded subscriptions to be available to any type of app, also introducing a 15% discount incentive when the user has already subscribed for a year.&amp;lt;ref&amp;gt;{{Cite web |last=Goode |first=Lauren |date=2 Sep 2016 |title=Apple’s new subscription offerings are now available to App Store developers |url=https://www.theverge.com/2016/9/2/12774758/apple-developers-app-store-new-subscription-rules |url-status=live |access-date=16 Mar 2025 |website=[[The Verge]]}}&amp;lt;/ref&amp;gt; In November 2020, Apple introduced a reduced 15% fee for app developers with revenue below $1 million per year.&amp;lt;ref&amp;gt;{{Cite web |last=Centers |first=Josh |date=18 Nov 2020 |title=Apple Drops App Store Commission to 15% for Small Developers |url=https://tidbits.com/2020/11/18/apple-drops-app-store-commission-to-15-for-small-developers/ |access-date=16 Mar 2025 |website=[[TidBITS]]}}&amp;lt;/ref&amp;gt; For developers above this threshold, and for cases excluded from this program such as for games, the fee is 30%. In the 2008 announcement of the App Store, Apple considered this a reasonable, industry-standard fee. However, the way we use apps has significantly evolved since 2009 - the world has shifted to heavily depend upon mobile apps, which have also evolved into more complex and sustainable business models than a simple one-time purchase.&lt;br /&gt;
&lt;br /&gt;
[[wikipedia:Stripe, Inc.|Stripe]], a popular platform used for payments on the web, uses a base fee of 2.9% plus a fixed $0.30 in the United States.&amp;lt;ref&amp;gt;{{Cite web |title=Pricing |url=https://stripe.com/it/pricing |url-status=live |access-date=16 Mar 2025 |website=[[Stripe]]}}&amp;lt;/ref&amp;gt; With add-on services, before considering volume discounts, a Stripe transaction may rather have a cost of 6.4% + $1.10.&amp;lt;ref&amp;gt;Calculated from base fee (2.9% + $0.30) + international card (1.5%) + adaptive pricing (2%) + international payment methods ($0.80), as of January 2025&amp;lt;/ref&amp;gt; Stripe has been used by businesses ranging from small online stores, to [[OpenAI]] for ChatGPT Plus. Competing payments services have similar or identical fees to Stripe. &#039;&#039;&#039;The in-app purchase system does not provide sufficient value to justify considerably higher fees than alternative payment platforms.&#039;&#039;&#039;&lt;br /&gt;
&lt;br /&gt;
The App Store system poorly handles secondary marketplaces of digital services that exist within the primary App Store marketplace, such as Patreon. Apple, however, still requires companies in the business of selling digital services to use this inadequate system. This requires the app to account for Apple&#039;s fee, which is significant enough to often warrant increasing prices, and to follow rules even if they do not make sense for the nature of service they are providing. Apple has frequently been found in disputes with such apps. This injects extra complication at no benefit to the marketplace, the creator, or the customer - only to Apple, who has little to no involvement after delivering the initial app download to the user&#039;s phone. The significant fee also often drives app developers to consider building their app around an advertising model instead, creating privacy concerns.&lt;br /&gt;
&lt;br /&gt;
Additionally, the 15% small business fee discount is judged based on the app&#039;s overall turnover, and is not based on individual creators in the app&#039;s marketplace. An app that turns over $1 million per year by providing services to creators that individually make less than $1 million per year does not have the opportunity to use the discount.&lt;br /&gt;
&lt;br /&gt;
Apple, often together with Google, uses lobbying efforts in the United States and other countries in an attempt to minimize the issues. &amp;quot;ACT | The App Association&amp;quot;, pitched as an association of independent small business app developers, is at least 50% funded by Apple, and does not list its claimed 2,000 members.&amp;lt;ref&amp;gt;{{Cite web |date=1 Oct 2021 |title=Not a class ACT: the so-called App Association is simply an Apple Association and does NOT represent app developers&#039; interests in fair distribution terms |url=http://www.fosspatents.com/2021/10/not-class-act-so-called-app-association.html |url-status=live |access-date=16 Mar 2025 |website=[[FOSS Patents]]}}&amp;lt;/ref&amp;gt;&amp;lt;ref&amp;gt;{{Cite web |date=19 Sep 2022 |title=Vast majority of ACT {{!}} The App Association&#039;s funding comes from Apple, former employees tell Bloomberg: astroturfing against app developers&#039; interests |url=http://www.fosspatents.com/2022/09/vast-majority-of-act-app-associations.html |url-status=live |access-date=16 Mar 2025 |website=[[FOSS Patents]]}}&amp;lt;/ref&amp;gt; In March 2024, the United States Department of Justice along with 16 state attorneys-general filed a lawsuit against Apple, including an accusation that the company &amp;quot;extracts more money from consumers, developers, content creators, artists, publishers, small businesses, and merchants, among others&amp;quot;.&amp;lt;ref name=&amp;quot;doj&amp;quot; /&amp;gt; The future of this lawsuit is unclear as of April 2025.&lt;br /&gt;
&lt;br /&gt;
Despite criticism of Apple forcing their fee into transactions with small businesses and creators on [[#Patreon|Patreon]], [[#Facebook online events|Facebook]], and similar platforms, on 23 January 2025, Apple announced the Advanced Commerce API. It &amp;quot;support[s] developers&#039; evolving business models - such as exceptionally large content catalogs, creator experiences, and subscriptions with optional add-ons&amp;quot;.&amp;lt;ref&amp;gt;{{Cite web |date=23 Jan 2025 |title=Introducing the Advanced Commerce API |url=https://developer.apple.com/news/?id=yxy958ya |url-status=live |access-date=16 Mar 2025 |website=[[Apple Developer]]}}&amp;lt;/ref&amp;gt; While positioned as a way for such businesses to save development time and avoid ongoing costs by building on top of Apple&#039;s mature payments platform, its use is in fact necessary for these businesses to work within the App Store guidelines, as seen in cases outlined below. The feature requires submitting a description of the app&#039;s business model to Apple for approval. This continues a trend of requiring Apple&#039;s consent to conduct business in a place users have been trained to expect it.&lt;br /&gt;
&lt;br /&gt;
Given Apple&#039;s strong incentives, and a ticking clock as legal pressure builds, it is not hard to find stories from app developers regarding poor experiences with Apple&#039;s app review process.&lt;br /&gt;
&lt;br /&gt;
:&#039;&#039;This list is extremely incomplete. Please add examples if you know of any.&#039;&#039;&lt;br /&gt;
&lt;br /&gt;
===Epic Games===&lt;br /&gt;
{{hatnote|See also: [[wikipedia:Epic Games v. Apple|Epic Games v. Apple]] and [[wikipedia:Epic Games v. Google|Epic Games v. Google]]}}&lt;br /&gt;
&lt;br /&gt;
[[Epic Games, Inc.]] is a video game developer and publisher, known for games such as [[Fortnite]] and [[Unreal Tournament]], the [[Unreal Engine]], and the [[Epic Games Store]].&lt;br /&gt;
&lt;br /&gt;
In 2018, Epic Games launched Fortnite on the iOS and Android platforms. The company made the unusual decision to not release the app on the [[Google Play Store]] - rather, it was made available as a standalone [[wikipedia:apk (file format)|Android app package]] file (.apk), which must be installed by following a series of manual steps.&amp;lt;ref&amp;gt;{{Cite web |last=Statt |first=Nick |date=3 Aug 2018 |title=Fortnite for Android will ditch Google Play Store for Epic’s website |url=https://www.theverge.com/2018/8/3/17645982/epic-games-fortnite-android-version-bypass-google-play-store |url-status=live |access-date=1 May 2025 |website=[[The Verge]]}}&amp;lt;/ref&amp;gt; The app was also released on the [[Samsung]] [[Samsung Galaxy Store|Galaxy Store]]. Google offered a $147 million deal for Epic Games to release Fortnite on the Play Store, which the company declined.&amp;lt;ref&amp;gt;{{Cite web |last=Robertson |first=Adi |date=9 Nov 2023 |title=Google offered Epic $147 million to launch Fortnite on the Play Store |url=https://www.theverge.com/2023/11/8/23953262/google-epic-fortnite-play-store-investment-antitrust-trial |url-status=live |access-date=1 May 2025 |website=[[The Verge]]}}&amp;lt;/ref&amp;gt;&lt;br /&gt;
&lt;br /&gt;
On 22 April 2020, Fortnite was finally released on the Play Store.&amp;lt;ref&amp;gt;{{Cite web |last=Carpenter |first=Nicole |date=22 April 2020 |title=Fortnite available on the Google Play Store for the first time |url=https://www.polygon.com/2020/4/21/21229930/fortnite-available-on-google-play-android-mobile-devices |url-status=live |access-date=1 May 2025 |website=[[Polygon]]}}&amp;lt;/ref&amp;gt; In a statement, the company explained:&lt;br /&gt;
&lt;br /&gt;
&amp;lt;blockquote&amp;gt;&lt;br /&gt;
After 18 months of operating Fortnite on Android outside of the Google Play Store, we&#039;ve come to a basic realization: Google puts software downloadable outside of Google Play at a disadvantage, through technical and business measures such as scary, repetitive security pop-ups for downloaded and updated software, restrictive manufacturer and carrier agreements and dealings, Google public relations characterizing third party software sources as malware, and new efforts such as Google Play Protect to outright block software obtained outside the Google Play store.&lt;br /&gt;
&amp;lt;/blockquote&amp;gt;&lt;br /&gt;
&lt;br /&gt;
On 13 August 2020, Epic Games launched a campaign against both Apple and Google&#039;s app store business practices. The company released app updates on both platforms, introducing a method for purchasing V-Bucks in-game currency at a 20% discount by directly transacting with Epic Games, against the developer rules of both platforms. The platforms responded by removing the game from their storefronts. Epic Games then filed civil antitrust lawsuits against both companies in the Northern District of California.&amp;lt;ref&amp;gt;{{Cite web |last=Statt |first=Nick |date=14 Aug 2020 |title=Epic Games is suing Apple |url=https://www.theverge.com/2020/8/13/21367963/epic-fortnite-legal-complaint-apple-ios-app-store-removal-injunctive-relief |url-status=live |access-date=1 May 2025 |website=[[The Verge]]}}&amp;lt;/ref&amp;gt; The campaign, branded &amp;quot;Free Fortnite&amp;quot;, was later extended with lawsuits and complaints in Australia,&amp;lt;ref&amp;gt;{{Cite web |date=18 Nov 2020 |title=Epic Games extends its fight against Apple to Australia |url=https://www.epicgames.com/site/en-US/freefortnite-australia-press-release |url-status=live |access-date=16 Mar 2025 |website=[[Epic Games]]}}&amp;lt;/ref&amp;gt; the European Union,&amp;lt;ref&amp;gt;{{Cite web |date=17 Feb 2021 |title=Epic Game Files EU Antitrust Complaint Against Apple |url=https://www.epicgames.com/site/en-US/news/epic-games-files-eu-antitrust-complaint-against-apple |url-status=live |access-date=16 Mar 2025 |website=[[Epic Games]]}}&amp;lt;/ref&amp;gt; and the United Kingdom.&amp;lt;ref&amp;gt;{{Cite web |date=30 Mar 2021 |title=Epic Games files complaint to support CMA Apple investigation |url=https://www.epicgames.com/site/en-US/news/epic-games-files-complaint-to-support-cma-apple-investigation |url-status=live |access-date=16 Mar 2025 |website=[[Epic Games]]}}&amp;lt;/ref&amp;gt;&lt;br /&gt;
&lt;br /&gt;
On 11 September 2021, Judge Yvonne Gonzalez Rogers decided on the case. While the lawsuit against Apple failed on 9 of 10 counts, Rogers ruled against Apple&#039;s use of &amp;quot;anti-steering&amp;quot; - their strategies of preventing the user from being &amp;quot;steered&amp;quot; to a third-party storefront for payment processing, placing a permanent injunction on this behavior.&amp;lt;ref&amp;gt;{{Cite web |last=Brandon |first=Russell |date=11 Sep 2021 |title=Apple must allow other forms of in-app purchase, rules judge in Epic v. Apple |url=https://www.theverge.com/2021/9/10/22662320/epic-apple-ruling-injunction-judge-court-app-store |url-status=live |access-date=1 May 2025 |website=[[The Verge]]}}&amp;lt;/ref&amp;gt; Despite the case mostly failing, the discovery process provided significant insight into Apple&#039;s decisions around App Store policies, including decisions made in major app review disputes, and in one case, executive Phil Schiller arguing to reduce the fee from 30%.&amp;lt;ref&amp;gt;{{Cite web |last=Gurman |first=Mark |date=4 May 2021 |title=Apple’s Schiller Floated Cutting App Store Fees a Decade Ago |url=https://www.bloomberg.com/news/articles/2021-05-03/apple-s-schiller-floated-cutting-app-store-fees-a-decade-ago |url-status=live |access-date=1 May 2025 |website=[[Bloomberg]]}}&amp;lt;/ref&amp;gt;&lt;br /&gt;
&lt;br /&gt;
Epic Games and Apple both appealed the decision. 35 state attorneys-general, the [[Electronic Frontier Foundation]] (EFF), [[Microsoft]], among others filed amicus briefs in support of Epic Games.&amp;lt;ref&amp;gt;{{Cite web |last=Peters |first=Jay |date=29 Jan 2022 |title=Epic largely lost to Apple, but 35 states are now backing its fight in a higher court |url=https://www.theverge.com/2022/1/28/22907106/epic-games-v-apple-amicus-briefs-states-eff-microsoft-appeal |url-status=live |access-date=1 May 2025 |website=[[The Verge]]}}&amp;lt;/ref&amp;gt;&lt;br /&gt;
&lt;br /&gt;
On 11 December 2023, the jury in the case against Google decided on all 11 counts in favor of Epic Games.&amp;lt;ref&amp;gt;{{Cite web |last=Bensinger |first=Greg |last2=Scarcella |first2=Mike |date=13 Dec 2023 |title=Epic Games wins antitrust case against Google over Play app store |url=https://www.reuters.com/legal/google-epic-games-face-off-app-antitrust-trial-nears-end-2023-12-11/ |url-status=live |access-date=1 May 2025 |website=[[Reuters]]}}&amp;lt;/ref&amp;gt;&lt;br /&gt;
&lt;br /&gt;
On 1 May 2025, Rogers found that Apple willfully chose to not comply with the 2021 injunction, commenting &amp;quot;that it thought this court would tolerate such insubordination was a gross miscalculation&amp;quot;.&amp;lt;ref&amp;gt;{{Cite web |last=Peters |first=Jay |date=1 May 2025 |title=A judge just blew up Apple’s control of the App Store |url=https://www.theverge.com/news/659246/apple-epic-app-store-judge-ruling-control |url-status=live |access-date=1 May 2025 |website=[[The Verge]]}}&amp;lt;/ref&amp;gt;&lt;br /&gt;
&lt;br /&gt;
===Facebook online events===&lt;br /&gt;
In August 2020, in response to the COVID-19 pandemic, Facebook introduced the ability for small businesses to accept an entrance fee for events. Previously, Facebook would only act as a way to RSVP for the event - the organizer must use a third-party event ticketing system to collect fees. The company pledged to not collect any fee on event sales &amp;quot;until 2023&amp;quot;.&amp;lt;ref&amp;gt;{{Cite web |date=14 Aug 2020 |title=Paid Online Events for Small Business Recovery |url=https://about.fb.com/news/2020/08/paid-online-events/ |url-status=live |access-date=16 Mar 2025 |website=[[Meta]]}}&amp;lt;/ref&amp;gt;&lt;br /&gt;
&lt;br /&gt;
Apple disagreed, requiring the feature to use the in-app purchases system. This introduced Apple&#039;s 30% fee. As this increases the price the user pays, with no benefit to the small business the user intended to support, the fee was displayed as a line item in checkout. Apple did not accept this disclosure of the fee, referring to it as &amp;quot;irrelevant&amp;quot;.&amp;lt;ref name=&amp;quot;facebook&amp;quot; /&amp;gt; Facebook was allowed to compromise on displaying the fee, but &#039;&#039;without&#039;&#039; indicating that it is specifically an App Store fee.&lt;br /&gt;
&lt;br /&gt;
===HEY===&lt;br /&gt;
HEY.com is a paid webmail provider launched in June 2020 by long-time software company [[wikipedia:37signals|37signals]], specializing in inbox organization tools.&lt;br /&gt;
&lt;br /&gt;
After successfully launching the initial version of the app on the App Store, the company announced that an update was rejected due to a complaint about the business model. The app did not intend to support in-app purchases - instead, the user is expected to already have an account with the service. Apple did not like this arrangement, and demanded the company build an in-app subscription option. The company argued that they are being held to a different set of rules than apps such as [[Netflix, Inc.|Netflix]], whose app does not provide any way to purchase a subscription.&amp;lt;ref&amp;gt;{{Cite web |last=Kastrenakes |first=Jacob |date=17 Jun 2020 |title=Hey.com exec says Apple is acting like ‘gangsters,’ rejecting App Store updates and demanding cut of sales |url=https://www.theverge.com/2020/6/16/21293419/hey-apple-rejection-ios-app-store-dhh-gangsters-antitrust |url-status=live |access-date=16 Mar 2025 |website=[[The Verge]]}}&amp;lt;/ref&amp;gt; After a suggestion from Apple executive Phil Schiller in the media, HEY introduced a 14-day free trial mode, which was approved.&amp;lt;ref&amp;gt;https://www.hey.com/apple/path/&amp;lt;/ref&amp;gt;&amp;lt;ref&amp;gt;https://techcrunch.com/2020/06/18/interview-apples-schiller-says-position-on-hey-app-is-unchanged-and-no-rules-changes-are-imminent/&amp;lt;/ref&amp;gt;&lt;br /&gt;
&lt;br /&gt;
===Patreon===&lt;br /&gt;
In August 2024, [[Patreon]] announced a change in arrangement with Apple for its App Store app. From November 2024, subscriptions started from the iOS app would be required to use the in-app purchase system, bypassing Patreon&#039;s own long-standing payments practices.&amp;lt;ref&amp;gt;{{Cite web |date=12 Aug 2024 |title=Apple’s requirements are about to hit creators and fans on Patreon. Here’s what you need to know. |url=https://news.patreon.com/articles/understanding-apple-requirements-for-patreon |url-status=live |access-date=16 Mar 2025 |website=[[Patreon]]}}&amp;lt;/ref&amp;gt;&amp;lt;ref name=&amp;quot;patreon&amp;quot; /&amp;gt; This change does not affect the Android app.&lt;br /&gt;
&lt;br /&gt;
By forcing Patreon out of the payments pipeline, certain payment models are no longer available to users of Patreon&#039;s iOS app. Creators who rely on the &amp;quot;per-creation&amp;quot; payment model, as opposed to the standard &amp;quot;per-month&amp;quot;, can no longer be subscribed to from the app. The app is also not able to support the &amp;quot;first-of-the-month&amp;quot; model, where payments from all subscribers are collected on the first day of the month, rather than every 30 days since each member&#039;s day of subscription. The price must also be rounded to a price tier supported by Apple.&lt;br /&gt;
&lt;br /&gt;
Patreon provides creators with the choice to increase their prices by 30% in the iOS app, or to keep the same prices but forfeit 30% to Apple. Creators frequently remind potential supporters to not use the Patreon iOS app, adding extra inconvenience to those wanting to support the work of small creators.&lt;br /&gt;
&lt;br /&gt;
&amp;lt;gallery mode=&amp;quot;packed&amp;quot; heights=&amp;quot;400px&amp;quot;&amp;gt;&lt;br /&gt;
File:Patreon iOS app pricing options - fee on top.png|&amp;quot;Maintain earnings and cover Apple&#039;s fee by increasing prices in iOS app&amp;quot; (Recommended)&lt;br /&gt;
File:Patreon iOS app pricing options - absorb fee.png|&amp;quot;Keep prices in the iOS app the same and cover Apple&#039;s fee yourself&amp;quot;&lt;br /&gt;
&amp;lt;/gallery&amp;gt;&lt;br /&gt;
&lt;br /&gt;
A similar case occurred with the app Fanhouse in 2021.&amp;lt;ref&amp;gt;{{Cite web |last=@jasminericegirl |date=9 Jun 2021 |title=#fuckapple, a thread&lt;br /&gt;
I cofounded @fanhouseapp&lt;br /&gt;
 8 months ago to empower creators to monetize their content. We pay creators 90% of earnings. Now, Apple is threatening to remove Fanhouse from the app store unless we give them 30% of creator earnings. This is theft and exploitation. |url=https://x.com/jasminericegirl/status/1402691047940100100 |access-date=16 Mar 2025 |website=[[X]]}}&amp;lt;/ref&amp;gt;&lt;br /&gt;
&lt;br /&gt;
===Twitter===&lt;br /&gt;
In August 2021, [[Twitter]] introduced a feature named Super Follows (now Subscriptions), in which a user can pay a subscription fee to access more of a creator&#039;s content. For each user who enables Subscriptions, Twitter must submit a new in-app purchase SKU to the App Store, which will become available with the next update to the app.&amp;lt;ref&amp;gt;{{Cite web |last=@wongmjane |date=2 Sep 2021 |title=Each Super Follow is an In-App Purchase on the App Store, but because there are too many IAPs for the Twitter app, the App Store only shows 10 instead of the full list |url=https://x.com/wongmjane/status/1433372120080261120 |url-status=live |access-date=16 Mar 2025 |website=[[X]]}}&amp;lt;/ref&amp;gt; This, of course, is subject to the 30% fee. At the time of writing in January 2025, viewing the App Store listing reveals Elon Musk&#039;s $4.00 subscription as the fourth most popular IAP item.&lt;br /&gt;
&lt;br /&gt;
==Notarization==&lt;br /&gt;
Since 2015, Apple expects all Mac apps to be &amp;quot;notarized&amp;quot;. This is a preliminary, automated malware check, which upon passing, provides a notary certificate that gets &amp;quot;stapled&amp;quot; to the app. Apple&#039;s explanation:&lt;br /&gt;
&lt;br /&gt;
&amp;lt;blockquote&amp;gt;&lt;br /&gt;
Notarization of macOS software is not App Review. The Apple notary service is an automated system that scans your software for malicious content, checks for code-signing issues, and returns the results to you quickly. If there are no issues, the notary service generates a ticket for you to staple to your software; the notary service also publishes that ticket online where Gatekeeper can find it.&amp;lt;ref&amp;gt;{{Cite web |title=Notarizing macOS software before distribution |url=https://developer.apple.com/documentation/security/notarizing-macos-software-before-distribution |url-status=live |access-date=16 Mar 2025 |website=[[Apple Developer]]}}&amp;lt;/ref&amp;gt;&lt;br /&gt;
&amp;lt;/blockquote&amp;gt;&lt;br /&gt;
&lt;br /&gt;
Whether this is actually a better approach than the one used by Windows antivirus, where they find out about new malware samples only when they end up on a user&#039;s computer, is a separate topic.&lt;br /&gt;
&lt;br /&gt;
To comply with the DMA&#039;s regulations on app marketplaces, Apple created a new channel for releasing apps outside of the iOS App Store. Apps go through a notarization process. But the process is definitely &#039;&#039;not&#039;&#039; notarization. In contrast to its meaning on macOS, the name is intentionally being abused to make you believe it is something other than the existing App Review system. Despite the pain some developers and users have with it, notarization on macOS has always been considered a net positive. It made sense to take advantage of its reputation for the entirely different &amp;quot;notarization&amp;quot; on iOS.&lt;br /&gt;
&lt;br /&gt;
See for yourself - view the [https://developer.apple.com/app-store/review/guidelines/ App Review Guidelines] and tick &amp;quot;Show Notarization Review Guidelines Only&amp;quot;. While most rules are knocked out by this, a good number of them are still in place. These apps are still reviewed and tested by the App Review team, must have a full product listing in App Store Connect, and can be outright rejected - all in the same way as an App Store app.&lt;br /&gt;
&lt;br /&gt;
By contrast, all that is required for notarization on macOS is for your app to not be malware. You submit it to an automated system that approves it within minutes. &#039;&#039;&#039;You don&#039;t need to convince Apple your app is worthy of existing on their platform.&#039;&#039;&#039;&lt;br /&gt;
&lt;br /&gt;
The point of macOS notarization is that Apple has a record of all binaries that are intended for wide distribution on macOS, and can review them both in advance and on a regular basis for known malware/common malware patterns. If a malware app manages to initially get through, then once Apple finds out, they can go back in the notary records and find every sample of that malware to analyze and block. This is purely a technical process, managed by skilled security researchers, while iOS app review and &amp;quot;notarization&amp;quot; is a business process, managed by workers who have been given a checklist of violations to look for.&lt;br /&gt;
&lt;br /&gt;
Apple is retaining complete control over what&#039;s allowed to run on iOS. On macOS, you can choose to run apps that have not been notarized (even though the process to bypass the warning is intentionally difficult). On iOS, you never get even that option. What Apple created is the App Store but with more steps. It still goes on the App Store, just hidden so it can only be installed by the third-party store it&#039;s tied to.&lt;br /&gt;
&lt;br /&gt;
*Mysk: &amp;quot;iOS should enable alternative marketplaces to add their own links when users share their apps. Links still point to the App Store and if the app is not available there, this happens.&amp;quot;&amp;lt;ref&amp;gt;{{Cite web |last=@mysk_co |date=28 Jun 2024 |title=iOS should enable alternative marketplaces to add their own links when users share their apps. Links still point to the App Store and if the app is not available there, this happens: |url=https://x.com/mysk_co/status/1806638308455256242 |url-status=live |access-date=16 Mar 2025 |website=[[X]]}}&amp;lt;/ref&amp;gt;&lt;br /&gt;
&lt;br /&gt;
==JIT==&lt;br /&gt;
Safari is allowed to [[wikipedia:Just-in-time compilation|just-in-time]] compile code worldwide. The super short version of what that means: it can run JavaScript code &#039;&#039;really fast&#039;&#039;. All browsers, and other runtimes like Microsoft .NET, Java, and Lua, use this. Ok, fine, it&#039;s the system web browser, it&#039;s very carefully written to be secure, and it&#039;s important to the platform to be doing well in performance benchmarks and all that.&lt;br /&gt;
&lt;br /&gt;
Apple&#039;s [https://apps.apple.com/app/swift-playgrounds/id908519492 Playgrounds] app on iPad is also allowed to JIT. It bundles Apple&#039;s [[wikipedia:Swift (programming language)|Swift]] compiler, and shares backend code with the version of Playgrounds found in [[wikipedia:Xcode|Xcode]].&lt;br /&gt;
&lt;br /&gt;
Competing apps like Pythonista (a Python IDE), emulators like Delta and UTM, and terminal environments like iSH, are not allowed to JIT. As such, they need to rely on inferior performance, potentially from an entirely separate implementation of their compiler/interpreter that may be less proven, because the JIT-less implementation doesn&#039;t need to exist on any other platform.&lt;br /&gt;
&lt;br /&gt;
Likely the clearest example is UTM SE. UTM is a port of the [[wikipedia:QEMU|QEMU]] emulator to iOS, allowing you to run desktop OSes (Linux, Windows 98, XP, classic Mac OS, etc). iPhone hardware is very capable these days and it runs impressively well, &#039;&#039;if&#039;&#039; you use a hack to enable JIT (which Apple has now patched). &amp;quot;SE&amp;quot; stands for &amp;quot;slow edition&amp;quot; - yes, really. If you compare the true version of UTM to the App Store UTM SE app, you &#039;&#039;will&#039;&#039; feel the loss in performance. It&#039;s impressive UTM even got to be on the App Store at all, and the DMA is to thank for it. But Apple is still holding the line on allowing JIT to apps that require that performance.&lt;br /&gt;
&lt;br /&gt;
While UTM SE releasing at all might seem like a pathway to getting Firefox and Chrome &amp;quot;slow editions&amp;quot; on the App Store, browser engines other than the built-in Apple WebKit/JavaScriptCore are still outlawed.&amp;lt;ref&amp;gt;{{Cite web |title=App Review Guidelines |url=https://developer.apple.com/app-store/review/guidelines/#2.5.6 |url-status=live |access-date=16 Mar 2025 |website=[[Apple Developer]]}}&amp;lt;/ref&amp;gt; In the EU, Apple has blessed web browser JavaScript engines with the option to use JIT. The app must be approved for an entitlement, and then must work within APIs provided by Apple for it. As of January 2025, no browsers have been released using this. We were all anticipating proper competition around web browsers on iOS, but almost a year later, we have nothing.&amp;lt;ref&amp;gt;{{Cite web |title=Mozilla says Apple’s new browser rules are ‘as painful as possible’ for Firefox&lt;br /&gt;
 |url=https://www.theverge.com/2024/1/26/24052067/mozilla-apple-ios-browser-rules-firefox |url-status=live |access-date=16 Mar 2025 |website=[[The Verge]]}}&amp;lt;/ref&amp;gt;&lt;br /&gt;
&lt;br /&gt;
==Sandbox==&lt;br /&gt;
You might not like app sandboxing, but it&#039;s a powerful security feature used on all modern platforms. The reality is very few apps need more than a few basic permissions. [[wikipedia:Flatpak|Flatpak]] on Linux also sandboxes apps, and it seems to work great! Still, it&#039;s completely fair that there should be processes for doing things beyond what the sandbox allows. You see some of this with permission prompts - does a flashlight app &#039;&#039;really&#039;&#039; need access to your contacts? (Apple has been burned by apps abusing user data before the current permission system was built out.&amp;lt;ref&amp;gt;{{Cite web |last=Bohn |first=Dieter |date=15 Feb 2012 |title=iOS apps and the address book: who has your data, and how they’re getting it |url=https://www.theverge.com/2012/2/14/2798008/ios-apps-and-the-address-book-what-you-need-to-know |url-status=live |access-date=16 Mar 2025 |website=[[The Verge]]}}&amp;lt;/ref&amp;gt;)&lt;br /&gt;
&lt;br /&gt;
It can go further than this. As we established in previous sections, an app can be given more access to features of the system using entitlements. These come in a few flavors:&lt;br /&gt;
&lt;br /&gt;
*&#039;&#039;&#039;Completely safe&#039;&#039;&#039;: Entitlements any developer can opt into, with little to no risk.&lt;br /&gt;
*&#039;&#039;&#039;Approval required&#039;&#039;&#039;: Entitlements that might be more of a security risk to allow, e.g. giving considerably wider access to the system, or that Apple simply doesn&#039;t want to hand out to just &#039;&#039;anyone&#039;&#039; for competitive reasons. The developer must submit a request to Apple with evidence of why they need the entitlement.&lt;br /&gt;
*&#039;&#039;&#039;Private&#039;&#039;&#039;: Entitlements that are never allowed for any app developer to use. Many of these are reasonably fenced off because they handle user data that is very risky, or bypasses permission prompts, etc, but can just as well also be guarding features Apple wants to keep to itself.&lt;br /&gt;
&lt;br /&gt;
There have been [https://gizmodo.com/researchers-uber-s-ios-app-had-secret-permissions-that-1819177235 exceptions] where Apple quietly gave a company access to private entitlements anyway, raising eyebrows.&lt;br /&gt;
&lt;br /&gt;
On iOS, you also can&#039;t be &#039;&#039;more&#039;&#039; secure than the default sandbox. That might seem crazy if you&#039;re not a developer, but it&#039;s pretty important for security in a variety of situations. On macOS, there are several entitlements you must declare to decide whether you&#039;re allowed to access certain types of user data at all. Android used this design from the very start - you can&#039;t even do fundamental things like access the internet without declaring it in your manifest. It makes it very explicit what the app&#039;s intentions are.&lt;br /&gt;
&lt;br /&gt;
iOS has one sandbox used by all App Store apps. System apps, and App Store apps developed by Apple, are allowed to expand or reduce their sandbox permissions as needed. Third-party apps do not get the right to expand or reduce their sandbox permissions at all. This is clearly less secure. To take the example of Playgrounds again, while it&#039;s allowed to run your code from a separate process executing in an ultra locked down sandbox with very few permissions, competing apps such as Pythonista must run your code in the same sandbox and address space as the main app process. The Python interpreter crashing would therefore crash the entire app, possibly losing work. In the worst case, a vulnerability in third-party code could give access to all data stored by/accessible to the app. For example, it would be a nightmare if you can tap the wrong link in Safari and have a hacker easily steal your cookies from other websites. If that third-party code could run in its own limited sandbox, the risk is significantly reduced.&lt;br /&gt;
&lt;br /&gt;
The only known workaround is to execute the code via JavaScript, as Apple&#039;s JavaScriptCore engine runs in a heavily sandboxed process. This requires you to port the code to JS, which may be a lot of work, or just not viable. You wouldn&#039;t want to run the Python interpreter inside JavaScript - the performance would be terrible!&lt;br /&gt;
&lt;br /&gt;
==In-app browsers==&lt;br /&gt;
Safari&#039;s in-app browser, that is, the minimal version you get when tapping a link from social media, uses an entirely separate data store for each app. The in-app browser isn&#039;t aware of cookies in the &amp;quot;full&amp;quot; Safari app, or any other app, and doesn&#039;t support Safari extensions. Apple claimed this was to prevent malicious apps from stealing or setting cookies in Safari without your knowledge, which is a fair argument, but it&#039;s hard to not notice that it makes web browsing inconvenient, encouraging users to install native apps, where they can make transactions through Apple.&amp;lt;ref&amp;gt;{{Cite web |last=@whitehatguy |date=12 Jun 2017 |title=Impact of iOS 11 no longer providing shared cookies between Safari, Safari View Controller instances |url=https://github.com/openid/AppAuth-iOS/issues/120 |url-status=live |access-date=16 Mar 2025 |website=[[GitHub]]}}&amp;lt;/ref&amp;gt;&lt;br /&gt;
&lt;br /&gt;
This also means your browsing in the in-app browser is just forgotten - there&#039;s no history menu, and it doesn&#039;t get logged to the history in the full Safari app either. Good luck recalling that article you read a few weeks ago.&lt;br /&gt;
&lt;br /&gt;
==See also==&lt;br /&gt;
*[https://theapplewiki.com/wiki/Eligibility Eligibility]&lt;br /&gt;
*Posts written by an author of this article:&lt;br /&gt;
**[https://adamdemasi.com/2024/04/19/app-marketplace-experience.html The iOS 17.4 app marketplace flow is a disaster]&lt;br /&gt;
**[https://adamdemasi.com/2024/04/20/ios-eligibility.html How I tricked iOS into giving me EU DMA features]&lt;br /&gt;
**[https://adamdemasi.com/2024/04/23/ios-eligibility-features.html Features controlled by iOS 17.4&#039;s eligibility system]&lt;br /&gt;
&lt;br /&gt;
==References==&lt;br /&gt;
&amp;lt;references /&amp;gt;&lt;br /&gt;
&lt;br /&gt;
[[Category:Apple App Store]]&lt;/div&gt;</summary>
		<author><name>Kirb</name></author>
	</entry>
	<entry>
		<id>https://mirror.consumerrights.wiki/index.php?title=Apple_App_Store&amp;diff=14027</id>
		<title>Apple App Store</title>
		<link rel="alternate" type="text/html" href="https://mirror.consumerrights.wiki/index.php?title=Apple_App_Store&amp;diff=14027"/>
		<updated>2025-05-01T05:14:33Z</updated>

		<summary type="html">&lt;p&gt;Kirb: /* Epic Games */ Typo&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;[[File:App Store (iOS).svg|thumb|150px]]&lt;br /&gt;
&lt;br /&gt;
&#039;&#039;&#039;[[Apple]]&#039;&#039;&#039; uses a range of technical measures to protect their App Store ecosystem and reduce consumer choice. These measures obscure the company&#039;s business intentions, creating roadblocks for app developers and users, while typically citing security reasons for their existence. This actively hurts the ability for lawmakers to advocate for the rights of consumers and businesses in Apple&#039;s ecosystem, and prevents apps from being as useful as their customers expect.&lt;br /&gt;
&lt;br /&gt;
A never-ending demand for a cut of every sale of a digital product, ranging from game currency, to supporting content creators,&amp;lt;ref name=&amp;quot;patreon&amp;quot;&amp;gt;{{Cite web |last=Roth |first=Emma |date=12 Aug 2024 |title=Patreon: adding Apple’s 30 percent tax is the price of staying in the App Store |url=https://www.theverge.com/2024/8/12/24218629/patreon-membership-ios-30-percent-apple-tax |url-status=live |access-date=16 Mar 2025 |website=[[The Verge]]}}&amp;lt;/ref&amp;gt; to booking a Zoom call with a local business,&amp;lt;ref name=&amp;quot;facebook&amp;quot;&amp;gt;{{Cite web |last=Paul |first=Katie |last2=Nellis |first2=Stephen |date=28 Aug 2020 |title=Exclusive: Facebook says Apple rejected its attempt to tell users about App Store fees |url=https://www.reuters.com/article/us-facebook-apple-exclusive/exclusive-facebook-says-apple-rejected-its-attempt-to-tell-users-about-app-store-fees-idUSKBN25O042/ |url-status=live |access-date=16 Mar 2025 |website=[[Reuters]]}}&amp;lt;/ref&amp;gt; hurts the ability for app developers to innovate. These developers, working hard and pulling countless hours to build a quality app, always need to take Apple&#039;s (and [[Google]]&#039;s) demands into account - specifically, a fee of between 15% and 30% of all revenue collected via the app. This is revenue that can be reinvested into the app, but instead must be earmarked for the platforms they are &#039;&#039;&#039;required&#039;&#039;&#039; to use to reach their customers.&lt;br /&gt;
&lt;br /&gt;
Because this is a clear problem, several governments, including South Korea,&amp;lt;ref&amp;gt;{{Cite web |date=8 Mar 2022 |title=South Korea approves rules on app store law targeting Apple, Google |url=https://www.reuters.com/technology/skorea-approves-rules-app-store-law-targeting-apple-google-2022-03-08/ |url-status=live |access-date=16 Mar 2025 |website=[[Reuters]]}}&amp;lt;/ref&amp;gt; Japan,&amp;lt;ref&amp;gt;{{Cite web |last=Sharwood |first=Simon |date=13 Jun 2024 |title=Japan forces Apple and Google to allow third-party app stores and payments |url=https://www.theregister.com/2024/06/13/japan_smartphone_software_law/ |url-status=live |access-date=16 Mar 2025 |website=[[The Register]]}}&amp;lt;/ref&amp;gt; the European Union,&amp;lt;ref&amp;gt;[[wikipedia:Digital Markets Act|Digital Markets Act]]&amp;lt;/ref&amp;gt; the United Kingdom,&amp;lt;ref&amp;gt;{{Cite web |last=Competition and Markets Authority |date=4 Mar 2021 |title=Investigation into Apple AppStore |url=https://www.gov.uk/cma-cases/investigation-into-apple-appstore |url-status=live |access-date=16 Mar 2025 |website=[[gov.uk]]}}&amp;lt;/ref&amp;gt; Australia,&amp;lt;ref&amp;gt;{{Cite web |date=28 Apr 2021 |title=Dominance of Apple and Google&#039;s app stores impacting competition and consumers |url=https://www.accc.gov.au/media-release/dominance-of-apple-and-googles-app-stores-impacting-competition-and-consumers |url-status=live |access-date=16 Mar 2025 |website=[[ACCC]]}}&amp;lt;/ref&amp;gt; as well as the US and a handful of states,&amp;lt;ref&amp;gt;[[wikipedia:Open App Markets Act|Open App Markets Act]]&amp;lt;/ref&amp;gt;&amp;lt;ref&amp;gt;{{Cite web |date=20 Nov 2024 |title=S.5364 - App Store Accountability Act |url=https://www.congress.gov/bill/118th-congress/senate-bill/5364/text/is |url-status=live |access-date=16 Mar 2025 |website=[[congress.gov]]}}&amp;lt;/ref&amp;gt;&amp;lt;ref name=&amp;quot;doj&amp;quot;&amp;gt;{{Cite web |last=Balsamo |first=Mike |last2=Liedtke |first2=Mike 
|last3=Whitehurst |first3=Lindsay |last4=Bajak |first4=Frank |date=21 Mar 2024 |title=Justice Department sues Apple, alleging it illegally monopolized the smartphone market |url=https://apnews.com/article/apple-antitrust-monopoly-app-store-justice-department-822d7e8f5cf53a2636795fcc33ee1fc3 |url-status=live |access-date=16 Mar 2025 |website=[[APNews]]}}&amp;lt;/ref&amp;gt;&amp;lt;ref&amp;gt;{{Cite web |date=19 Feb 2021 |title=It’s time to free ourselves from ‘Big Tech’ monopoly |url=https://azcapitoltimes.com/news/2021/02/19/its-time-to-free-ourselves-from-big-tech-monopoly/ |url-status=live |access-date=16 Mar 2025 |website=[[Arizona Capitol Times]]}}&amp;lt;/ref&amp;gt; have opened investigations into anti-competitive practices, or considered or already passed legislation to force &amp;quot;gatekeeper platforms&amp;quot; such as Apple to be more reasonable with third-party developers.&lt;br /&gt;
&lt;br /&gt;
This being a major threat to Apple&#039;s revenue stream (interestingly, one they claim to be unsure is profitable&amp;lt;ref&amp;gt;{{Cite web |last=Lovejoy |first=Ben |date=17 Apr 2024 |title=Schiller doesn’t know whether the App Store is profitable; there are no minutes of meetings |url=https://9to5mac.com/2024/04/17/app-store-is-profitable-apple-notes/ |url-status=live |access-date=16 Mar 2025 |website=[[9to5Mac]]}}&amp;lt;/ref&amp;gt;&amp;lt;ref&amp;gt;{{Cite web |last=Lovejoy |first=Ben |date=17 Jan 2025 |title=Apple denies App Store profit margin is 75% – claims to have no clue |url=https://9to5mac.com/2025/01/17/apple-denies-app-store-profit-margin-is-75-claims-to-have-no-clue/ |url-status=live |access-date=16 Mar 2025 |website=[[9to5Mac]]}}&amp;lt;/ref&amp;gt;), they have responded with practices such as geoblocking certain operating system functionality based on physical location,&amp;lt;ref&amp;gt;{{Cite web |title=Eligibility |url=https://theapplewiki.com/wiki/Eligibility |url-status=live |access-date=16 Mar 2025 |website=[[The Apple Wiki]]}}&amp;lt;/ref&amp;gt; misrepresenting/overstating risks, and using careful wording with commonly-understood terms to describe unreasonably difficult-to-use systems.&lt;br /&gt;
&lt;br /&gt;
==Background info==&lt;br /&gt;
Important terms you&#039;ll run into in this article:&lt;br /&gt;
&lt;br /&gt;
*&#039;&#039;&#039;[[wikipedia:Sandbox (computer security)|Sandbox]]&#039;&#039;&#039;: Reduces exposure of the user&#039;s device/data to security risks, by reducing what an app is allowed to do.&lt;br /&gt;
*&#039;&#039;&#039;[https://theapplewiki.com/wiki/Entitlements Entitlements]&#039;&#039;&#039;: Apple&#039;s method of &amp;quot;poking holes&amp;quot; in the sandbox, to give the app more permissions. Some are available to developers, while many are only available to Apple.&lt;br /&gt;
*&#039;&#039;&#039;[[wikipedia:Digital Markets Act|Digital Markets Act]]&#039;&#039;&#039;: The European Union&#039;s fairly sweeping recent regulations forcing companies it classifies as &amp;quot;gatekeepers&amp;quot; to play nice, giving smaller businesses access to software/hardware features the gatekeepers have historically reserved for their own use.&lt;br /&gt;
&lt;br /&gt;
==In-app purchases==&lt;br /&gt;
Apple has been collecting users&#039; credit card numbers since launching the iTunes Store in 2004. The launch of the App Store in 2008, followed by the introduction of in-app purchases (IAPs) in 2009, gave iPhone app developers the opportunity to sell app features to users. The IAP system is provided as a developer framework named [https://developer.apple.com/storekit/ StoreKit]. Apps and their in-app purchases are managed through a dashboard named [https://developer.apple.com/app-store-connect/ App Store Connect]. App sales have eclipsed iTunes Store sales, and are now a primary focus of Apple&#039;s Media Services division.&lt;br /&gt;
&lt;br /&gt;
Apple requires any purchase of a digital good or service in an app to use their in-app purchase system. This may seem reasonable because the customer may inevitably call Apple support, demanding a refund for an app they have issues with. Apple would rather give that refund and leave the customer with a positive support experience than provide a messy process involving contacting a third party, whose customer service is likely nowhere near the same experience.&lt;br /&gt;
&lt;br /&gt;
App Store purchase fees are between 15% and 30%. In September 2016, Apple expanded subscriptions to be available to any type of app, also introducing a 15% discount incentive when the user has already subscribed for a year.&amp;lt;ref&amp;gt;{{Cite web |last=Goode |first=Lauren |date=2 Sep 2016 |title=Apple’s new subscription offerings are now available to App Store developers |url=https://www.theverge.com/2016/9/2/12774758/apple-developers-app-store-new-subscription-rules |url-status=live |access-date=16 Mar 2025 |website=[[The Verge]]}}&amp;lt;/ref&amp;gt; In November 2020, Apple introduced a reduced 15% fee for app developers with revenue below $1 million per year.&amp;lt;ref&amp;gt;{{Cite web |last=Centers |first=Josh |date=18 Nov 2020 |title=Apple Drops App Store Commission to 15% for Small Developers |url=https://tidbits.com/2020/11/18/apple-drops-app-store-commission-to-15-for-small-developers/ |access-date=16 Mar 2025 |website=[[TidBITS]]}}&amp;lt;/ref&amp;gt; For developers above this threshold, and for cases excluded from this program such as for games, the fee is 30%. In the 2008 announcement of the App Store, Apple considered this a reasonable, industry-standard fee. However, the way we use apps has significantly evolved since 2009 - the world has shifted to heavily depend upon mobile apps, which have also evolved into more complex and sustainable business models than a simple one-time purchase.&lt;br /&gt;
&lt;br /&gt;
[[wikipedia:Stripe, Inc.|Stripe]], a popular platform used for payments on the web, uses a base fee of 2.9% plus a fixed $0.30 in the United States.&amp;lt;ref&amp;gt;{{Cite web |title=Pricing |url=https://stripe.com/it/pricing |url-status=live |access-date=16 Mar 2025 |website=[[Stripe]]}}&amp;lt;/ref&amp;gt; With add-on services, before considering volume discounts, a Stripe transaction may rather have a cost of 6.4% + $1.10.&amp;lt;ref&amp;gt;Calculated from base fee (2.9% + $0.30) + international card (1.5%) + adaptive pricing (2%) + international payment methods ($0.80), as of January 2025&amp;lt;/ref&amp;gt; Stripe has been used by businesses ranging from small online stores, to [[OpenAI]] for ChatGPT Plus. Competing payments services have similar or identical fees to Stripe. &#039;&#039;&#039;The in-app purchase system does not provide sufficient value to justify considerably higher fees than alternative payment platforms.&#039;&#039;&#039;&lt;br /&gt;
&lt;br /&gt;
The App Store system poorly handles secondary marketplaces of digital services that exist within the primary App Store marketplace, such as Patreon. Apple, however, still requires companies in the business of selling digital services to use this inadequate system. This requires the app to account for Apple&#039;s fee, which is significant enough to often warrant increasing prices, and to follow rules even if they do not make sense for the nature of service they are providing. Apple has frequently been found in disputes with such apps. This injects extra complication at no benefit to the marketplace, the creator, or the customer - only to Apple, who has little to no involvement after delivering the initial app download to the user&#039;s phone. The significant fee also often drives app developers to consider building their app around an advertising model instead, creating privacy concerns.&lt;br /&gt;
&lt;br /&gt;
Additionally, the 15% small businesses fee discount is judged based on the app&#039;s overall turnover, and is not based on individual creators in the app&#039;s marketplace. An app that turns over $1 million per year by providing services to creators that individually make less than $1 million per year does not have the opportunity to use the discount.&lt;br /&gt;
&lt;br /&gt;
Apple, often together with Google, uses lobbying efforts in the United States and other countries in an attempt to minimize the issues. &amp;quot;ACT | The App Association&amp;quot;, pitched as an association of independent small business app developers, is at least 50% funded by Apple, and does not list its claimed 2,000 members.&amp;lt;ref&amp;gt;{{Cite web |date=1 Oct 2021 |title=Not a class ACT: the so-called App Association is simply an Apple Association and does NOT represent app developers&#039; interests in fair distribution terms |url=http://www.fosspatents.com/2021/10/not-class-act-so-called-app-association.html |url-status=live |access-date=16 Mar 2025 |website=[[FOSS Patents]]}}&amp;lt;/ref&amp;gt;&amp;lt;ref&amp;gt;{{Cite web |date=19 Sep 2022 |title=Vast majority of ACT {{!}} The App Association&#039;s funding comes from Apple, former employees tell Bloomberg: astroturfing against app developers&#039; interests |url=http://www.fosspatents.com/2022/09/vast-majority-of-act-app-associations.html |url-status=live |access-date=16 Mar 2025 |website=[[FOSS Patents]]}}&amp;lt;/ref&amp;gt; In March 2024, the United States Department of Justice along with 16 state attorneys-general filed a lawsuit against Apple, including an accusation that the company &amp;quot;extracts more money from consumers, developers, content creators, artists, publishers, small businesses, and merchants, among others&amp;quot;.&amp;lt;ref name=&amp;quot;doj&amp;quot; /&amp;gt; The future of this lawsuit is unclear as of April 2025.&lt;br /&gt;
&lt;br /&gt;
Despite criticism of Apple forcing their fee into transactions with small businesses and creators on [[#Patreon|Patreon]], [[#Facebook online events|Facebook]], and similar platforms, on 23 January 2025, Apple announced the Advanced Commerce API. It &amp;quot;support[s] developers&#039; evolving business models - such as exceptionally large content catalogs, creator experiences, and subscriptions with optional add-ons&amp;quot;.&amp;lt;ref&amp;gt;{{Cite web |date=23 Jan 2025 |title=Introducing the Advanced Commerce API |url=https://developer.apple.com/news/?id=yxy958ya |url-status=live |access-date=16 Mar 2025 |website=[[Apple Developer]]}}&amp;lt;/ref&amp;gt; While positioned as a way for such businesses to save development time and avoid ongoing costs by building on top of Apple&#039;s mature payments platform, its use is in fact necessary for these businesses to work within the App Store guidelines, as seen in cases outlined below. The feature requires submitting a description of the app&#039;s business model to Apple for approval. This continues a trend of requiring Apple&#039;s consent to conduct business in a place users have been trained to expect it.&lt;br /&gt;
&lt;br /&gt;
Given Apple&#039;s strong incentives, and a ticking clock as legal pressure builds, it is not hard to find stories from app developers regarding poor experiences with Apple&#039;s app review process.&lt;br /&gt;
&lt;br /&gt;
:&#039;&#039;This list is extremely incomplete. Please add examples if you know of any.&#039;&#039;&lt;br /&gt;
&lt;br /&gt;
===Epic Games===&lt;br /&gt;
{{hatnote|See also: [[wikipedia:Epic Games v. Apple|Epic Games v. Apple]] and [[wikipedia:Epic Games v. Google|Epic Games v. Google]]}}&lt;br /&gt;
&lt;br /&gt;
[[Epic Games]] is a video game developer and publisher, known for games such as [[Fortnite]] and [[Unreal Tournament]], the [[Unreal Engine]], and the [[Epic Games Store]].&lt;br /&gt;
&lt;br /&gt;
In 2018, Epic Games launched Fortnite on the iOS and Android platforms. The company made the unusual decision to not release the app on the [[Google Play Store]] - rather, it was made available as a standalone [[wikipedia:apk (file format)|Android app package]] file (.apk), which must be installed by following a series of manual steps.&amp;lt;ref&amp;gt;{{Cite web |last=Statt |first=Nick |date=3 Aug 2018 |title=Fortnite for Android will ditch Google Play Store for Epic’s website |url=https://www.theverge.com/2018/8/3/17645982/epic-games-fortnite-android-version-bypass-google-play-store |url-status=live |access-date=1 May 2025 |website=[[The Verge]]}}&amp;lt;/ref&amp;gt; The app was also released on the [[Samsung]] [[Samsung Galaxy Store|Galaxy Store]]. Google offered a $147 million deal for Epic Games to release Fortnite on the Play Store, which the company declined.&amp;lt;ref&amp;gt;{{Cite web |last=Robertson |first=Adi |date=9 Nov 2023 |title=Google offered Epic $147 million to launch Fortnite on the Play Store |url=https://www.theverge.com/2023/11/8/23953262/google-epic-fortnite-play-store-investment-antitrust-trial |url-status=live |access-date=1 May 2025 |website=[[The Verge]]}}&amp;lt;/ref&amp;gt;&lt;br /&gt;
&lt;br /&gt;
On 22 April 2020, Fortnite was finally released on the Play Store.&amp;lt;ref&amp;gt;{{Cite web |last=Carpenter |first=Nicole |date=22 April 2020 |title=Fortnite available on the Google Play Store for the first time |url=https://www.polygon.com/2020/4/21/21229930/fortnite-available-on-google-play-android-mobile-devices |url-status=live |access-date=1 May 2025 |website=[[Polygon]]}}&amp;lt;/ref&amp;gt; In a statement, the company explained:&lt;br /&gt;
&lt;br /&gt;
&amp;lt;blockquote&amp;gt;&lt;br /&gt;
After 18 months of operating Fortnite on Android outside of the Google Play Store, we&#039;ve come to a basic realization: Google puts software downloadable outside of Google Play at a disadvantage, through technical and business measures such as scary, repetitive security pop-ups for downloaded and updated software, restrictive manufacturer and carrier agreements and dealings, Google public relations characterizing third party software sources as malware, and new efforts such as Google Play Protect to outright block software obtained outside the Google Play store.&lt;br /&gt;
&amp;lt;/blockquote&amp;gt;&lt;br /&gt;
&lt;br /&gt;
On 13 August 2020, Epic Games launched a campaign against both Apple and Google&#039;s app store business practices. The company released app updates on both platforms, introducing a method for purchasing V-Bucks in-game currency at a 20% discount by directly transacting with Epic Games, against the developer rules of both platforms. The platforms responded by removing the game from their storefronts. Epic Games then filed civil antitrust lawsuits against both companies in the Northern District of California.&amp;lt;ref&amp;gt;{{Cite web |last=Statt |first=Nick |date=14 Aug 2020 |title=Epic Games is suing Apple |url=https://www.theverge.com/2020/8/13/21367963/epic-fortnite-legal-complaint-apple-ios-app-store-removal-injunctive-relief |url-status=live |access-date=1 May 2025 |website=[[The Verge]]}}&amp;lt;/ref&amp;gt; The campaign, branded &amp;quot;Free Fortnite&amp;quot;, was later extended with lawsuits and complaints in Australia,&amp;lt;ref&amp;gt;{{Cite web |date=18 Nov 2020 |title=Epic Games extends its fight against Apple to Australia |url=https://www.epicgames.com/site/en-US/freefortnite-australia-press-release |url-status=live |access-date=16 Mar 2025 |website=[[Epic Games]]}}&amp;lt;/ref&amp;gt; the European Union,&amp;lt;ref&amp;gt;{{Cite web |date=17 Feb 2021 |title=Epic Game Files EU Antitrust Complaint Against Apple |url=https://www.epicgames.com/site/en-US/news/epic-games-files-eu-antitrust-complaint-against-apple |url-status=live |access-date=16 Mar 2025 |website=[[Epic Games]]}}&amp;lt;/ref&amp;gt; and the United Kingdom.&amp;lt;ref&amp;gt;{{Cite web |date=30 Mar 2021 |title=Epic Games files complaint to support CMA Apple investigation |url=https://www.epicgames.com/site/en-US/news/epic-games-files-complaint-to-support-cma-apple-investigation |url-status=live |access-date=16 Mar 2025 |website=[[Epic Games]]}}&amp;lt;/ref&amp;gt;&lt;br /&gt;
&lt;br /&gt;
On 11 September 2021, Judge Yvonne Gonzalez Rogers decided on the case. While the lawsuit against Apple failed on 9 of 10 counts, Rogers ruled against Apple&#039;s use of &amp;quot;anti-steering&amp;quot; - their strategies of preventing the user from being &amp;quot;steered&amp;quot; to a third-party storefront for payment processing, placing a permanent injunction on this behavior.&amp;lt;ref&amp;gt;{{Cite web |last=Brandon |first=Russell |date=11 Sep 2021 |title=Apple must allow other forms of in-app purchase, rules judge in Epic v. Apple |url=https://www.theverge.com/2021/9/10/22662320/epic-apple-ruling-injunction-judge-court-app-store |url-status=live |access-date=1 May 2025 |website=[[The Verge]]}}&amp;lt;/ref&amp;gt; Despite the case mostly failing, the discovery process provided significant insight into Apple&#039;s decisions around App Store policies, including decisions made in major app review disputes, and in one case, executive Phil Schiller arguing to reduce the fee from 30%.&amp;lt;ref&amp;gt;{{Cite web |last=Gurman |first=Mark |date=4 May 2021 |title=Apple’s Schiller Floated Cutting App Store Fees a Decade Ago |url=https://www.bloomberg.com/news/articles/2021-05-03/apple-s-schiller-floated-cutting-app-store-fees-a-decade-ago |url-status=live |access-date=1 May 2025 |website=[[Bloomberg]]}}&amp;lt;/ref&amp;gt;&lt;br /&gt;
&lt;br /&gt;
Epic Games and Apple both appealed the decision. 35 state attorneys-general, the [[Electronic Frontier Foundation]] (EFF), and [[Microsoft]], among others, filed amicus briefs in support of Epic Games.&amp;lt;ref&amp;gt;{{Cite web |last=Peters |first=Jay |date=29 Jan 2022 |title=Epic largely lost to Apple, but 35 states are now backing its fight in a higher court |url=https://www.theverge.com/2022/1/28/22907106/epic-games-v-apple-amicus-briefs-states-eff-microsoft-appeal |url-status=live |access-date=1 May 2025 |website=[[The Verge]]}}&amp;lt;/ref&amp;gt;&lt;br /&gt;
&lt;br /&gt;
On 11 December 2023, the jury in the case against Google decided on all 11 counts in favor of Epic Games.&amp;lt;ref&amp;gt;{{Cite web |last=Bensinger |first=Greg |last2=Scarcella |first2=Mike |date=13 Dec 2023 |title=Epic Games wins antitrust case against Google over Play app store |url=https://www.reuters.com/legal/google-epic-games-face-off-app-antitrust-trial-nears-end-2023-12-11/ |url-status=live |access-date=1 May 2025 |website=[[Reuters]]}}&amp;lt;/ref&amp;gt;&lt;br /&gt;
&lt;br /&gt;
On 1 May 2025, Rogers found that Apple willfully chose to not comply with the 2021 injunction, commenting &amp;quot;that it thought this court would tolerate such insubordination was a gross miscalculation&amp;quot;.&amp;lt;ref&amp;gt;{{Cite web |last=Peters |first=Jay |date=1 May 2025 |title=A judge just blew up Apple’s control of the App Store |url=https://www.theverge.com/news/659246/apple-epic-app-store-judge-ruling-control |url-status=live |access-date=1 May 2025 |website=[[The Verge]]}}&amp;lt;/ref&amp;gt;&lt;br /&gt;
&lt;br /&gt;
===Facebook online events===&lt;br /&gt;
In August 2020, in response to the COVID-19 pandemic, Facebook introduced the ability for small businesses to accept an entrance fee for events. Previously, Facebook would only act as a way to RSVP for the event - the organizer must use a third-party event ticketing system to collect fees. The company pledged to not collect any fee on event sales &amp;quot;until 2023&amp;quot;.&amp;lt;ref&amp;gt;{{Cite web |date=14 Aug 2020 |title=Paid Online Events for Small Business Recovery |url=https://about.fb.com/news/2020/08/paid-online-events/ |url-status=live |access-date=16 Mar 2025 |website=[[Meta]]}}&amp;lt;/ref&amp;gt;&lt;br /&gt;
&lt;br /&gt;
Apple disagreed, requiring the feature to use the in-app purchases system. This introduced Apple&#039;s 30% fee. As this increases the price the user pays, with no benefit to the small business the user intended to support, the fee was displayed as a line item in checkout. Apple did not accept this disclosure of the fee, referring to it as &amp;quot;irrelevant&amp;quot;.&amp;lt;ref name=&amp;quot;facebook&amp;quot; /&amp;gt; Facebook was allowed to compromise on displaying the fee, but &#039;&#039;without&#039;&#039; indicating that it is specifically an App Store fee.&lt;br /&gt;
&lt;br /&gt;
===HEY===&lt;br /&gt;
HEY.com is a paid webmail provider launched in June 2020 by long-time software company [[wikipedia:37signals|37signals]], specializing in inbox organization tools.&lt;br /&gt;
&lt;br /&gt;
After successfully launching the initial version of the app on the App Store, the company announced that an update was rejected due to a complaint about the business model. The app did not intend to support in-app purchases - instead, the user is expected to already have an account with the service. Apple did not like this arrangement, and demanded the company build an in-app subscription option. The company argued that they are being held to a different set of rules than apps such as [[Netflix, Inc.|Netflix]], whose app does not provide any way to purchase a subscription.&amp;lt;ref&amp;gt;{{Cite web |last=Kastrenakes |first=Jacob |date=17 Jun 2020 |title=Hey.com exec says Apple is acting like ‘gangsters,’ rejecting App Store updates and demanding cut of sales |url=https://www.theverge.com/2020/6/16/21293419/hey-apple-rejection-ios-app-store-dhh-gangsters-antitrust |url-status=live |access-date=16 Mar 2025 |website=[[The Verge]]}}&amp;lt;/ref&amp;gt; After a suggestion from Apple executive Phil Schiller in the media, HEY introduced a 14 day free trial mode, which was approved.&amp;lt;ref&amp;gt;https://www.hey.com/apple/path/&amp;lt;/ref&amp;gt;&amp;lt;ref&amp;gt;https://techcrunch.com/2020/06/18/interview-apples-schiller-says-position-on-hey-app-is-unchanged-and-no-rules-changes-are-imminent/&amp;lt;/ref&amp;gt;&lt;br /&gt;
&lt;br /&gt;
===Patreon===&lt;br /&gt;
In August 2024, [[Patreon]] announced a change in arrangement with Apple for its App Store app. From November 2024, subscriptions started from the iOS app would be required to use the in-app purchase system, bypassing Patreon&#039;s own long-standing payments practices.&amp;lt;ref&amp;gt;{{Cite web |date=12 Aug 2024 |title=Apple’s requirements are about to hit creators and fans on Patreon. Here’s what you need to know. |url=https://news.patreon.com/articles/understanding-apple-requirements-for-patreon |url-status=live |access-date=16 Mar 2025 |website=[[Patreon]]}}&amp;lt;/ref&amp;gt;&amp;lt;ref name=&amp;quot;patreon&amp;quot; /&amp;gt; This change does not affect the Android app.&lt;br /&gt;
&lt;br /&gt;
By forcing Patreon out of the payments pipeline, certain payment models are no longer available to users of Patreon&#039;s iOS app. Creators who rely on the &amp;quot;per-creation&amp;quot; payment model, as opposed to the standard &amp;quot;per-month&amp;quot;, can no longer be subscribed to from the app. The app is also not able to support the &amp;quot;first-of-the-month&amp;quot; model, where payments from all subscribers are collected on the first day of the month, rather than every 30 days since each member&#039;s day of subscription. The price must also be rounded to a price tier supported by Apple.&lt;br /&gt;
&lt;br /&gt;
Patreon provides creators with the choice to increase their prices by 30% in the iOS app, or to keep the same prices but forfeit 30% to Apple. Creators frequently remind potential supporters to not use the Patreon iOS app, adding extra inconvenience to those wanting to support the work of small creators.&lt;br /&gt;
&lt;br /&gt;
&amp;lt;gallery mode=&amp;quot;packed&amp;quot; heights=&amp;quot;400px&amp;quot;&amp;gt;&lt;br /&gt;
File:Patreon iOS app pricing options - fee on top.png|&amp;quot;Maintain earnings and cover Apple&#039;s fee by increasing prices in iOS app&amp;quot; (Recommended)&lt;br /&gt;
File:Patreon iOS app pricing options - absorb fee.png|&amp;quot;Keep prices in the iOS app the same and cover Apple&#039;s fee yourself&amp;quot;&lt;br /&gt;
&amp;lt;/gallery&amp;gt;&lt;br /&gt;
&lt;br /&gt;
A similar case occurred with the app Fanhouse in 2021.&amp;lt;ref&amp;gt;{{Cite web |last=@jasminericegirl |date=9 Jun 2021 |title=#fuckapple, a thread&lt;br /&gt;
I cofounded @fanhouseapp&lt;br /&gt;
 8 months ago to empower creators to monetize their content. We pay creators 90% of earnings. Now, Apple is threatening to remove Fanhouse from the app store unless we give them 30% of creator earnings. This is theft and exploitation. |url=https://x.com/jasminericegirl/status/1402691047940100100 |access-date=16 Mar 2025 |website=[[X]]}}&amp;lt;/ref&amp;gt;&lt;br /&gt;
&lt;br /&gt;
===Twitter===&lt;br /&gt;
In August 2021, [[Twitter]] introduced a feature named Super Follows (now Subscriptions), in which a user can pay a subscription fee to access more of a creator&#039;s content. For each user who enables Subscriptions, Twitter must submit a new in-app purchase SKU to the App Store, which will become available with the next update to the app.&amp;lt;ref&amp;gt;{{Cite web |last=@wongmjane |date=2 Sep 2021 |title=Each Super Follow is an In-App Purchase on the App Store, but because there are too many IAPs for the Twitter app, the App Store only shows 10 instead of the full list |url=https://x.com/wongmjane/status/1433372120080261120 |url-status=live |access-date=16 Mar 2025 |website=[[X]]}}&amp;lt;/ref&amp;gt; This, of course, is subject to the 30% fee. At the time of writing in January 2025, viewing the App Store listing reveals Elon Musk&#039;s $4.00 subscription as the fourth most popular IAP item.&lt;br /&gt;
&lt;br /&gt;
==Notarization==&lt;br /&gt;
Since 2015, Apple has expected all Mac apps to be &amp;quot;notarized&amp;quot;. This is a preliminary, automated malware check which, upon passing, provides a notary certificate that gets &amp;quot;stapled&amp;quot; to the app. Apple&#039;s explanation:&lt;br /&gt;
&lt;br /&gt;
&amp;lt;blockquote&amp;gt;&lt;br /&gt;
Notarization of macOS software is not App Review. The Apple notary service is an automated system that scans your software for malicious content, checks for code-signing issues, and returns the results to you quickly. If there are no issues, the notary service generates a ticket for you to staple to your software; the notary service also publishes that ticket online where Gatekeeper can find it.&amp;lt;ref&amp;gt;{{Cite web |title=Notarizing macOS software before distribution |url=https://developer.apple.com/documentation/security/notarizing-macos-software-before-distribution |url-status=live |access-date=16 Mar 2025 |website=[[Apple Developer]]}}&amp;lt;/ref&amp;gt;&lt;br /&gt;
&amp;lt;/blockquote&amp;gt;&lt;br /&gt;
&lt;br /&gt;
Whether this is actually a better approach than the one used by Windows antivirus products, which find out about new malware samples only when they end up on a user&#039;s computer, is a separate topic.&lt;br /&gt;
&lt;br /&gt;
To comply with the DMA&#039;s regulations on app marketplaces, Apple created a new channel of releasing apps outside of the iOS App Store. Apps go through a notarization process. But the process is definitely &#039;&#039;not&#039;&#039; notarization. The name is intentionally being abused, by contrast to notarization on macOS, to make you believe it is something other than the existing App Review system. Despite the pain some developers and users have with it, notarization on macOS has always been considered a net positive. It made sense to take advantage of its reputation for the entirely different &amp;quot;notarization&amp;quot; on iOS.&lt;br /&gt;
&lt;br /&gt;
See for yourself - view the [https://developer.apple.com/app-store/review/guidelines/ App Review Guidelines] and tick &amp;quot;Show Notarization Review Guidelines Only&amp;quot;. While most rules are knocked out by this, a good number of them are still in place. These apps are still reviewed and tested by the App Review team, must have a full product listing in App Store Connect, and can be outright rejected - all in the same way as an App Store app.&lt;br /&gt;
&lt;br /&gt;
By contrast, all that is required for notarization on macOS is for your app to not be malware. You submit it to an automated system that approves it within minutes. &#039;&#039;&#039;You don&#039;t need to convince Apple your app is worthy of existing on their platform.&#039;&#039;&#039;&lt;br /&gt;
&lt;br /&gt;
The point of macOS notarization is that Apple has a record of all binaries that are intended for wide distribution on macOS, and can review them both in advance and on a regular basis for known malware/common malware patterns. If a malware app manages to initially get through, then once Apple finds out, they can go back in the notary records and find every sample of that malware to analyze and block. This is purely a technical process, managed by skilled security researchers, while iOS app review and &amp;quot;notarization&amp;quot; are a business process, managed by workers who have been given a checklist of violations to look for.&lt;br /&gt;
&lt;br /&gt;
Apple is retaining complete control over what&#039;s allowed to run on iOS. On macOS, you can choose to run apps that have not been notarized (even though the process to bypass the warning is intentionally difficult). On iOS, you never get even that option. What Apple created is the App Store but with more steps. It still goes on the App Store, just hidden so it can only be installed by the third-party store it&#039;s tied to.&lt;br /&gt;
&lt;br /&gt;
*Mysk: &amp;quot;iOS should enable alternative marketplaces to add their own links when users share their apps. Links still point to the App Store and if the app is not available there, this happens.&amp;quot;&amp;lt;ref&amp;gt;{{Cite web |last=@mysk_co |date=28 Jun 2024 |title=iOS should enable alternative marketplaces to add their own links when users share their apps. Links still point to the App Store and if the app is not available there, this happens: |url=https://x.com/mysk_co/status/1806638308455256242 |url-status=live |access-date=16 Mar 2025 |website=[[X]]}}&amp;lt;/ref&amp;gt;&lt;br /&gt;
&lt;br /&gt;
==JIT==&lt;br /&gt;
Safari is allowed to [[wikipedia:Just-in-time compilation|just-in-time]] compile code worldwide. The super short version of what that means: it can run JavaScript code &#039;&#039;really fast&#039;&#039;. All browsers, and other runtimes like Microsoft .NET, Java, and Lua, use this. Ok, fine, it&#039;s the system web browser, it&#039;s very carefully written to be secure, and it&#039;s important to the platform to be doing well in performance benchmarks and all that.&lt;br /&gt;
&lt;br /&gt;
Apple&#039;s [https://apps.apple.com/app/swift-playgrounds/id908519492 Playgrounds] app on iPad is also allowed to JIT. It bundles Apple&#039;s [[wikipedia:Swift (programming language)|Swift]] compiler, and shares backend code with the version of Playgrounds found in [[wikipedia:Xcode|Xcode]].&lt;br /&gt;
&lt;br /&gt;
Competing apps like Pythonista (a Python IDE), emulators like Delta and UTM, and terminal environments like iSH, are not allowed to JIT. As such, they need to rely on inferior performance, potentially from an entirely separate implementation of their compiler/interpreter that may be less proven, because the JIT-less implementation doesn&#039;t need to exist on any other platform.&lt;br /&gt;
&lt;br /&gt;
Likely the clearest example is UTM SE. UTM is a port of the [[wikipedia:QEMU|QEMU]] emulator to iOS, allowing you to run desktop OSes (Linux, Windows 98, XP, classic Mac OS, etc). iPhone hardware is very capable these days and it runs impressively well, &#039;&#039;if&#039;&#039; you use a hack to enable JIT (which Apple has now patched). &amp;quot;SE&amp;quot; stands for &amp;quot;slow edition&amp;quot; - yes, really. If you compare the true version of UTM to the App Store UTM SE app, you &#039;&#039;will&#039;&#039; feel the loss in performance. It&#039;s impressive UTM even got to be on the App Store at all, and the DMA is to thank for it. But Apple is still holding the line on allowing JIT to apps that require that performance.&lt;br /&gt;
&lt;br /&gt;
While UTM SE releasing at all might seem like a pathway to getting Firefox and Chrome &amp;quot;slow editions&amp;quot; on the App Store, browser engines other than the built-in Apple WebKit/JavaScriptCore are still outlawed.&amp;lt;ref&amp;gt;{{Cite web |title=App Review Guidelines |url=https://developer.apple.com/app-store/review/guidelines/#2.5.6 |url-status=live |access-date=16 Mar 2025 |website=[[Apple Developer]]}}&amp;lt;/ref&amp;gt; In the EU, Apple has blessed web browser JavaScript engines with the option to use JIT. The app must be approved for an entitlement, and then must work within APIs provided by Apple for it. As of January 2025, no browsers have been released using this. We were all anticipating proper competition around web browsers on iOS, but almost a year later, we have nothing.&amp;lt;ref&amp;gt;{{Cite web |title=Mozilla says Apple’s new browser rules are ‘as painful as possible’ for Firefox |url=https://www.theverge.com/2024/1/26/24052067/mozilla-apple-ios-browser-rules-firefox |url-status=live |access-date=16 Mar 2025 |website=[[The Verge]]}}&amp;lt;/ref&amp;gt;&lt;br /&gt;
&lt;br /&gt;
==Sandbox==&lt;br /&gt;
You might not like app sandboxing, but it&#039;s a powerful security feature used on all modern platforms. The reality is very few apps need more than a few basic permissions. [[wikipedia:Flatpak|Flatpak]] on Linux also sandboxes apps, and it seems to work great! Still, it&#039;s completely fair that there should be processes for doing things beyond what the sandbox allows. You see some of this with permission prompts - does a flashlight app &#039;&#039;really&#039;&#039; need access to your contacts? (Apple has been burned by apps abusing user data before the current permission system was built out.&amp;lt;ref&amp;gt;{{Cite web |last=Bohn |first=Dieter |date=15 Feb 2012 |title=iOS apps and the address book: who has your data, and how they’re getting it |url=https://www.theverge.com/2012/2/14/2798008/ios-apps-and-the-address-book-what-you-need-to-know |url-status=live |access-date=16 Mar 2025 |website=[[The Verge]]}}&amp;lt;/ref&amp;gt;)&lt;br /&gt;
&lt;br /&gt;
It can go further than this. As we established in previous sections, an app can be given more access to features of the system using entitlements. These come in a few flavors:&lt;br /&gt;
&lt;br /&gt;
*&#039;&#039;&#039;Completely safe&#039;&#039;&#039;: Entitlements any developer can opt into, with little to no risk.&lt;br /&gt;
*&#039;&#039;&#039;Approval required&#039;&#039;&#039;: Entitlements that might be more of a security risk to allow, e.g. giving considerably wider access to the system, or that Apple simply doesn&#039;t want to hand out to just &#039;&#039;anyone&#039;&#039; for competitive reasons. The developer must submit a request to Apple with evidence of why they need the entitlement.&lt;br /&gt;
*&#039;&#039;&#039;Private&#039;&#039;&#039;: Entitlements that are never allowed for any app developer to use. Many of these are reasonably fenced off because they handle user data that is very risky, or bypasses permission prompts, etc, but can just as well also be guarding features Apple wants to keep to itself.&lt;br /&gt;
&lt;br /&gt;
There have been [https://gizmodo.com/researchers-uber-s-ios-app-had-secret-permissions-that-1819177235 exceptions] where Apple quietly gave a company access to private entitlements anyway, raising eyebrows.&lt;br /&gt;
&lt;br /&gt;
On iOS, you also can&#039;t be &#039;&#039;more&#039;&#039; secure than the default sandbox. That might seem crazy if you&#039;re not a developer, but it&#039;s pretty important for security in a variety of situations. On macOS, there are several entitlements you must declare to decide whether you&#039;re allowed to access certain types of user data at all. Android used this design from the very start - you can&#039;t even do fundamental things like access the internet without declaring it in your manifest. It makes it very explicit what the app&#039;s intentions are.&lt;br /&gt;
&lt;br /&gt;
iOS has one sandbox used by all App Store apps. System apps, and App Store apps developed by Apple, are allowed to expand or reduce their sandbox permissions as needed. Third-party apps do not get the right to expand or reduce their sandbox permissions at all. This is clearly less secure. To take the example of Playgrounds again, while it&#039;s allowed to run your code from a separate process executing in an ultra locked down sandbox with very few permissions, competing apps such as Pythonista must run your code in the same sandbox and address space as the main app process. The Python interpreter crashing would therefore crash the entire app, possibly losing work. In the worst case, a vulnerability in third-party code could give access to all data stored by/accessible to the app. For example, it would be a nightmare if you can tap the wrong link in Safari and have a hacker easily steal your cookies from other websites. If that third-party code could run in its own limited sandbox, the risk is significantly reduced.&lt;br /&gt;
&lt;br /&gt;
The only known workaround is to execute the code via JavaScript, as Apple&#039;s JavaScriptCore engine runs in a heavily sandboxed process. This requires you to port the code to JS, which may be a lot of work, or just not viable. You wouldn&#039;t want to run the Python interpreter inside JavaScript - the performance would be terrible!&lt;br /&gt;
&lt;br /&gt;
==In-app browsers==&lt;br /&gt;
Safari&#039;s in-app browser, that is, the minimal version you get when tapping a link from social media, uses an entirely separate data store for each app. The in-app browser isn&#039;t aware of cookies in the &amp;quot;full&amp;quot; Safari app, or any other app, and doesn&#039;t support Safari extensions. Apple claimed this was to prevent malicious apps from stealing or setting cookies in Safari without your knowledge, which is a fair argument, but it&#039;s hard to not notice that it makes web browsing inconvenient, encouraging users to install native apps, where they can make transactions through Apple.&amp;lt;ref&amp;gt;{{Cite web |last=@whitehatguy |date=12 Jun 2017 |title=Impact of iOS 11 no longer providing shared cookies between Safari, Safari View Controller instances |url=https://github.com/openid/AppAuth-iOS/issues/120 |url-status=live |access-date=16 Mar 2025 |website=[[GitHub]]}}&amp;lt;/ref&amp;gt;&lt;br /&gt;
&lt;br /&gt;
This also means your browsing in the in-app browser is just forgotten - there&#039;s no history menu, and it doesn&#039;t get logged to the history in the full Safari app either. Good luck recalling that article you read a few weeks ago.&lt;br /&gt;
&lt;br /&gt;
==See also==&lt;br /&gt;
*[https://theapplewiki.com/wiki/Eligibility Eligibility]&lt;br /&gt;
*Posts written by an author of this article:&lt;br /&gt;
**[https://adamdemasi.com/2024/04/19/app-marketplace-experience.html The iOS 17.4 app marketplace flow is a disaster]&lt;br /&gt;
**[https://adamdemasi.com/2024/04/20/ios-eligibility.html How I tricked iOS into giving me EU DMA features]&lt;br /&gt;
**[https://adamdemasi.com/2024/04/23/ios-eligibility-features.html Features controlled by iOS 17.4&#039;s eligibility system]&lt;br /&gt;
&lt;br /&gt;
==References==&lt;br /&gt;
&amp;lt;references /&amp;gt;&lt;br /&gt;
&lt;br /&gt;
[[Category:Apple App Store]]&lt;/div&gt;</summary>
		<author><name>Kirb</name></author>
	</entry>
	<entry>
		<id>https://mirror.consumerrights.wiki/index.php?title=Apple_App_Store&amp;diff=14026</id>
		<title>Apple App Store</title>
		<link rel="alternate" type="text/html" href="https://mirror.consumerrights.wiki/index.php?title=Apple_App_Store&amp;diff=14026"/>
		<updated>2025-05-01T05:12:42Z</updated>

		<summary type="html">&lt;p&gt;Kirb: Epic Games, clearer wording&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;[[File:App Store (iOS).svg|thumb|150px]]&lt;br /&gt;
&lt;br /&gt;
&#039;&#039;&#039;[[Apple]]&#039;&#039;&#039; uses a range of technical measures to protect their App Store ecosystem and reduce consumer choice. These measures obscure the company&#039;s business intentions, creating roadblocks for app developers and users, while typically citing security reasons for their existence. This actively hurts the ability for lawmakers to advocate for the rights of consumers and businesses in Apple&#039;s ecosystem, and prevents apps from being as useful as their customers expect.&lt;br /&gt;
&lt;br /&gt;
A never-ending demand for a cut of every sale of a digital product, ranging from game currency, to supporting content creators,&amp;lt;ref name=&amp;quot;patreon&amp;quot;&amp;gt;{{Cite web |last=Roth |first=Emma |date=12 Aug 2024 |title=Patreon: adding Apple’s 30 percent tax is the price of staying in the App Store |url=https://www.theverge.com/2024/8/12/24218629/patreon-membership-ios-30-percent-apple-tax |url-status=live |access-date=16 Mar 2025 |website=[[The Verge]]}}&amp;lt;/ref&amp;gt; to booking a Zoom call with a local business,&amp;lt;ref name=&amp;quot;facebook&amp;quot;&amp;gt;{{Cite web |last=Paul |first=Katie |last2=Nellis |first2=Stephen |date=28 Aug 2020 |title=Exclusive: Facebook says Apple rejected its attempt to tell users about App Store fees |url=https://www.reuters.com/article/us-facebook-apple-exclusive/exclusive-facebook-says-apple-rejected-its-attempt-to-tell-users-about-app-store-fees-idUSKBN25O042/ |url-status=live |access-date=16 Mar 2025 |website=[[Reuters]]}}&amp;lt;/ref&amp;gt; hurts the ability for app developers to innovate. These developers, working hard and pulling countless hours to build a quality app, always need to take Apple&#039;s (and [[Google]]&#039;s) demands into account - specifically, a fee of between 15% and 30% of all revenue collected via the app. This is revenue that can be reinvested into the app, but instead must be earmarked for the platforms they are &#039;&#039;&#039;required&#039;&#039;&#039; to use to reach their customers.&lt;br /&gt;
&lt;br /&gt;
Because this is a clear problem, several governments, including South Korea,&amp;lt;ref&amp;gt;{{Cite web |date=8 Mar 2022 |title=South Korea approves rules on app store law targeting Apple, Google |url=https://www.reuters.com/technology/skorea-approves-rules-app-store-law-targeting-apple-google-2022-03-08/ |url-status=live |access-date=16 Mar 2025 |website=[[Reuters]]}}&amp;lt;/ref&amp;gt; Japan,&amp;lt;ref&amp;gt;{{Cite web |last=Sharwood |first=Simon |date=13 Jun 2024 |title=Japan forces Apple and Google to allow third-party app stores and payments |url=https://www.theregister.com/2024/06/13/japan_smartphone_software_law/ |url-status=live |access-date=16 Mar 2025 |website=[[The Register]]}}&amp;lt;/ref&amp;gt; the European Union,&amp;lt;ref&amp;gt;[[wikipedia:Digital Markets Act|Digital Markets Act]]&amp;lt;/ref&amp;gt; the United Kingdom,&amp;lt;ref&amp;gt;{{Cite web |last=Competition and Markets Authority |date=4 Mar 2021 |title=Investigation into Apple AppStore |url=https://www.gov.uk/cma-cases/investigation-into-apple-appstore |url-status=live |access-date=16 Mar 2025 |website=[[gov.uk]]}}&amp;lt;/ref&amp;gt; Australia,&amp;lt;ref&amp;gt;{{Cite web |date=28 Apr 2021 |title=Dominance of Apple and Google&#039;s app stores impacting competition and consumers |url=https://www.accc.gov.au/media-release/dominance-of-apple-and-googles-app-stores-impacting-competition-and-consumers |url-status=live |access-date=16 Mar 2025 |website=[[ACCC]]}}&amp;lt;/ref&amp;gt; as well as the US and a handful of states,&amp;lt;ref&amp;gt;[[wikipedia:Open App Markets Act|Open App Markets Act]]&amp;lt;/ref&amp;gt;&amp;lt;ref&amp;gt;{{Cite web |date=20 Nov 2024 |title=S.5364 - App Store Accountability Act |url=https://www.congress.gov/bill/118th-congress/senate-bill/5364/text/is |url-status=live |access-date=16 Mar 2025 |website=[[congress.gov]]}}&amp;lt;/ref&amp;gt;&amp;lt;ref name=&amp;quot;doj&amp;quot;&amp;gt;{{Cite web |last=Balsamo |first=Mike |last2=Liedtke |first2=Mike 
|last3=Whitehurst |first3=Lindsay |last4=Bajak |first4=Frank |date=21 Mar 2024 |title=Justice Department sues Apple, alleging it illegally monopolized the smartphone market |url=https://apnews.com/article/apple-antitrust-monopoly-app-store-justice-department-822d7e8f5cf53a2636795fcc33ee1fc3 |url-status=live |access-date=16 Mar 2025 |website=[[APNews]]}}&amp;lt;/ref&amp;gt;&amp;lt;ref&amp;gt;{{Cite web |date=19 Feb 2021 |title=It’s time to free ourselves from ‘Big Tech’ monopoly |url=https://azcapitoltimes.com/news/2021/02/19/its-time-to-free-ourselves-from-big-tech-monopoly/ |url-status=live |access-date=16 Mar 2025 |website=[[Arizona Capitol Times]]}}&amp;lt;/ref&amp;gt; have opened investigations into anti-competitive practices, or considered or already passed legislation to force &amp;quot;gatekeeper platforms&amp;quot; such as Apple to be more reasonable with third-party developers.&lt;br /&gt;
&lt;br /&gt;
This being a major threat to Apple&#039;s revenue stream (interestingly, one they claim to be unsure is profitable&amp;lt;ref&amp;gt;{{Cite web |last=Lovejoy |first=Ben |date=17 Apr 2024 |title=Schiller doesn’t know whether the App Store is profitable; there are no minutes of meetings |url=https://9to5mac.com/2024/04/17/app-store-is-profitable-apple-notes/ |url-status=live |access-date=16 Mar 2025 |website=[[9to5Mac]]}}&amp;lt;/ref&amp;gt;&amp;lt;ref&amp;gt;{{Cite web |last=Lovejoy |first=Ben |date=17 Jan 2025 |title=Apple denies App Store profit margin is 75% – claims to have no clue |url=https://9to5mac.com/2025/01/17/apple-denies-app-store-profit-margin-is-75-claims-to-have-no-clue/ |url-status=live |access-date=16 Mar 2025 |website=[[9to5Mac]]}}&amp;lt;/ref&amp;gt;), they have responded with practices such as geoblocking certain operating system functionality based on physical location,&amp;lt;ref&amp;gt;{{Cite web |title=Eligibility |url=https://theapplewiki.com/wiki/Eligibility |url-status=live |access-date=16 Mar 2025 |website=[[The Apple Wiki]]}}&amp;lt;/ref&amp;gt; misrepresenting/overstating risks, and using careful wording with commonly-understood terms to describe unreasonably difficult-to-use systems.&lt;br /&gt;
&lt;br /&gt;
==Background info==&lt;br /&gt;
Important terms you&#039;ll run into in this article:&lt;br /&gt;
&lt;br /&gt;
*&#039;&#039;&#039;[[wikipedia:Sandbox (computer security)|Sandbox]]&#039;&#039;&#039;: Reduces exposure of the user&#039;s device/data to security risks, by reducing what an app is allowed to do.&lt;br /&gt;
*&#039;&#039;&#039;[https://theapplewiki.com/wiki/Entitlements Entitlements]&#039;&#039;&#039;: Apple&#039;s method of &amp;quot;poking holes&amp;quot; in the sandbox, to give the app more permissions. Some are available to developers, while many are only available to Apple.&lt;br /&gt;
*&#039;&#039;&#039;[[wikipedia:Digital Markets Act|Digital Markets Act]]&#039;&#039;&#039;: The European Union&#039;s fairly sweeping recent regulations forcing companies it classifies as &amp;quot;gatekeepers&amp;quot; to play nice, giving smaller businesses access to software/hardware features the gatekeepers have historically reserved for their own use.&lt;br /&gt;
&lt;br /&gt;
==In-app purchases==&lt;br /&gt;
Apple has been collecting users&#039; credit card numbers since launching the iTunes Store in 2004. The launch of the App Store in 2008, followed by the introduction of in-app purchases (IAPs) in 2009, gave iPhone app developers the opportunity to sell app features to users. The IAP system is provided as a developer framework named [https://developer.apple.com/storekit/ StoreKit]. Apps and their in-app purchases are managed through a dashboard named [https://developer.apple.com/app-store-connect/ App Store Connect]. App sales have eclipsed iTunes Store sales, and are now a primary focus of Apple&#039;s Media Services division.&lt;br /&gt;
&lt;br /&gt;
Apple requires any purchase of a digital good or service in an app to use their in-app purchase system. This may seem reasonable because the customer may inevitably call Apple support, demanding a refund for an app they have issues with. Apple would rather give that refund and leave the customer with a positive support experience than provide a messy process involving contacting a third party, whose customer service is likely nowhere near the same experience.&lt;br /&gt;
&lt;br /&gt;
App Store purchase fees are between 15% and 30%. In September 2016, Apple expanded subscriptions to be available to any type of app, also introducing a 15% discount incentive when the user has already subscribed for a year.&amp;lt;ref&amp;gt;{{Cite web |last=Goode |first=Lauren |date=2 Sep 2016 |title=Apple’s new subscription offerings are now available to App Store developers |url=https://www.theverge.com/2016/9/2/12774758/apple-developers-app-store-new-subscription-rules |url-status=live |access-date=16 Mar 2025 |website=[[The Verge]]}}&amp;lt;/ref&amp;gt; In November 2020, Apple introduced a reduced 15% fee for app developers with revenue below $1 million per year.&amp;lt;ref&amp;gt;{{Cite web |last=Centers |first=Josh |date=18 Nov 2020 |title=Apple Drops App Store Commission to 15% for Small Developers |url=https://tidbits.com/2020/11/18/apple-drops-app-store-commission-to-15-for-small-developers/ |access-date=16 Mar 2025 |website=[[TidBITS]]}}&amp;lt;/ref&amp;gt; For developers above this threshold, and for cases excluded from this program such as for games, the fee is 30%. In the 2008 announcement of the App Store, Apple considered this a reasonable, industry-standard fee. However, the way we use apps has significantly evolved since 2009 - the world has shifted to heavily depend upon mobile apps, which have also evolved into more complex and sustainable business models than a simple one-time purchase.&lt;br /&gt;
&lt;br /&gt;
[[wikipedia:Stripe, Inc.|Stripe]], a popular platform used for payments on the web, uses a base fee of 2.9% plus a fixed $0.30 in the United States.&amp;lt;ref&amp;gt;{{Cite web |title=Pricing |url=https://stripe.com/it/pricing |url-status=live |access-date=16 Mar 2025 |website=[[Stripe]]}}&amp;lt;/ref&amp;gt; With add-on services, before considering volume discounts, a Stripe transaction may rather have a cost of 6.4% + $1.10.&amp;lt;ref&amp;gt;Calculated from base fee (2.9% + $0.30) + international card (1.5%) + adaptive pricing (2%) + international payment methods ($0.80), as of January 2025&amp;lt;/ref&amp;gt; Stripe has been used by businesses ranging from small online stores, to [[OpenAI]] for ChatGPT Plus. Competing payments services have similar or identical fees to Stripe. &#039;&#039;&#039;The in-app purchase system does not provide sufficient value to justify considerably higher fees than alternative payment platforms.&#039;&#039;&#039;&lt;br /&gt;
&lt;br /&gt;
The App Store system poorly handles secondary marketplaces of digital services that exist within the primary App Store marketplace, such as Patreon. Apple, however, still requires companies in the business of selling digital services to use this inadequate system. This requires the app to account for Apple&#039;s fee, which is significant enough to often warrant increasing prices, and to follow rules even if they do not make sense for the nature of service they are providing. Apple has frequently been found in disputes with such apps. This injects extra complication at no benefit to the marketplace, the creator, or the customer - only to Apple, who has little to no involvement after delivering the initial app download to the user&#039;s phone. The significant fee also often drives app developers to consider building their app around an advertising model instead, creating privacy concerns.&lt;br /&gt;
&lt;br /&gt;
Additionally, the 15% small businesses fee discount is judged based on the app&#039;s overall turnover, and is not based on individual creators in the app&#039;s marketplace. An app that turns over $1 million per year by providing services to creators that individually make less than $1 million per year does not have the opportunity to use the discount.&lt;br /&gt;
&lt;br /&gt;
Apple, often together with Google, uses lobbying efforts in the United States and other countries in an attempt to minimize the issues. &amp;quot;ACT | The App Association&amp;quot;, pitched as an association of independent small business app developers, is at least 50% funded by Apple, and does not list its claimed 2,000 members.&amp;lt;ref&amp;gt;{{Cite web |date=1 Oct 2021 |title=Not a class ACT: the so-called App Association is simply an Apple Association and does NOT represent app developers&#039; interests in fair distribution terms |url=http://www.fosspatents.com/2021/10/not-class-act-so-called-app-association.html |url-status=live |access-date=16 Mar 2025 |website=[[FOSS Patents]]}}&amp;lt;/ref&amp;gt;&amp;lt;ref&amp;gt;{{Cite web |date=19 Sep 2022 |title=Vast majority of ACT {{!}} The App Association&#039;s funding comes from Apple, former employees tell Bloomberg: astroturfing against app developers&#039; interests |url=http://www.fosspatents.com/2022/09/vast-majority-of-act-app-associations.html |url-status=live |access-date=16 Mar 2025 |website=[[FOSS Patents]]}}&amp;lt;/ref&amp;gt; In March 2024, the United States Department of Justice along with 16 state attorneys-general filed a lawsuit against Apple, including an accusation that the company &amp;quot;extracts more money from consumers, developers, content creators, artists, publishers, small businesses, and merchants, among others&amp;quot;.&amp;lt;ref name=&amp;quot;doj&amp;quot; /&amp;gt; The future of this lawsuit is unclear as of April 2025.&lt;br /&gt;
&lt;br /&gt;
Despite criticism of Apple forcing their fee into transactions with small businesses and creators on [[#Patreon|Patreon]], [[#Facebook online events|Facebook]], and similar platforms, on 23 January 2025, Apple announced the Advanced Commerce API. It &amp;quot;support[s] developers&#039; evolving business models - such as exceptionally large content catalogs, creator experiences, and subscriptions with optional add-ons&amp;quot;.&amp;lt;ref&amp;gt;{{Cite web |date=23 Jan 2025 |title=Introducing the Advanced Commerce API |url=https://developer.apple.com/news/?id=yxy958ya |url-status=live |access-date=16 Mar 2025 |website=[[Apple Developer]]}}&amp;lt;/ref&amp;gt; While positioned as a way for such businesses to save development time and avoid ongoing costs by building on top of Apple&#039;s mature payments platform, its use is in fact necessary for these businesses to work within the App Store guidelines, as seen in cases outlined below. The feature requires submitting a description of the app&#039;s business model to Apple for approval. This continues a trend of requiring Apple&#039;s consent to conduct business in a place users have been trained to expect it.&lt;br /&gt;
&lt;br /&gt;
Given Apple&#039;s strong incentives, and a ticking clock as legal pressure builds, it is not hard to find stories from app developers regarding poor experiences with Apple&#039;s app review process.&lt;br /&gt;
&lt;br /&gt;
:&#039;&#039;This list is extremely incomplete. Please add examples if you know of any.&#039;&#039;&lt;br /&gt;
&lt;br /&gt;
===Epic Games===&lt;br /&gt;
{{hatnote|See also: [[wikipedia:Epic Games v. Apple|Epic Games v. Apple]] and [[wikipedia:Epic Games v. Google|Epic Games v. Google]]}}&lt;br /&gt;
&lt;br /&gt;
[[Epic Games]] is a video game developer and publisher, known for games such as [[Fortnite]] and [[Unreal Tournament]], the [[Unreal Engine]], and the [[Epic Games Store]].&lt;br /&gt;
&lt;br /&gt;
In 2018, Epic Games launched Fortnite on the iOS and Android platforms. The company made the unusual decision to not release the app on the [[Google Play Store]] - rather, it was made available as a standalone [[wikipedia:apk (file format)|Android app package]] file (.apk), which must be installed by following a series of manual steps.&amp;lt;ref&amp;gt;{{Cite web |last=Statt |first=Nick |date=3 Aug 2018 |title=Fortnite for Android will ditch Google Play Store for Epic’s website |url=https://www.theverge.com/2018/8/3/17645982/epic-games-fortnite-android-version-bypass-google-play-store |url-status=live |access-date=1 May 2025 |website=[[The Verge]]}}&amp;lt;/ref&amp;gt; The app was also released on the [[Samsung]] [[Samsung Galaxy Store|Galaxy Store]]. Google offered a $147 million deal for Epic Games to release Fortnite on the Play Store, which the company declined.&amp;lt;ref&amp;gt;{{Cite web |last=Robertson |first=Adi |date=9 Nov 2023 |title=Google offered Epic $147 million to launch Fortnite on the Play Store |url=https://www.theverge.com/2023/11/8/23953262/google-epic-fortnite-play-store-investment-antitrust-trial |url-status=live |access-date=1 May 2025 |website=[[The Verge]]}}&amp;lt;/ref&amp;gt;&lt;br /&gt;
&lt;br /&gt;
On 22 April 2020, Fortnite was finally released on the Play Store.&amp;lt;ref&amp;gt;{{Cite web |last=Carpenter |first=Nicole |date=22 April 2020 |title=Fortnite available on the Google Play Store for the first time |url=https://www.polygon.com/2020/4/21/21229930/fortnite-available-on-google-play-android-mobile-devices |url-status=live |access-date=1 May 2025 |website=[[Polygon]]}}&amp;lt;/ref&amp;gt; In a statement, the company explained:&lt;br /&gt;
&lt;br /&gt;
&amp;lt;blockquote&amp;gt;&lt;br /&gt;
After 18 months of operating Fortnite on Android outside of the Google Play Store, we&#039;ve come to a basic realization: Google puts software downloadable outside of Google Play at a disadvantage, through technical and business measures such as scary, repetitive security pop-ups for downloaded and updated software, restrictive manufacturer and carrier agreements and dealings, Google public relations characterizing third party software sources as malware, and new efforts such as Google Play Protect to outright block software obtained outside the Google Play store.&lt;br /&gt;
&amp;lt;/blockquote&amp;gt;&lt;br /&gt;
&lt;br /&gt;
On 13 August 2020, Epic Games launched a campaign against both Apple and Google&#039;s app store business practices. The company released app updates on both platforms, introducing a method for purchasing V-Bucks in-game currency at a 20% discount by directly transacting with Epic Games, against the developer rules of both platforms. The platforms responded by removing the game from their storefronts. Epic Games then filed civil antitrust lawsuits against both companies in the Northern District of California.&amp;lt;ref&amp;gt;{{Cite web |last=Statt |first=Nick |date=14 Aug 2020 |title=Epic Games is suing Apple |url=https://www.theverge.com/2020/8/13/21367963/epic-fortnite-legal-complaint-apple-ios-app-store-removal-injunctive-relief |url-status=live |access-date=1 May 2025 |website=[[The Verge]]}}&amp;lt;/ref&amp;gt; The campaign, branded &amp;quot;Free Fortnite&amp;quot;, was later extended with lawsuits and complaints in Australia,&amp;lt;ref&amp;gt;{{Cite web |date=18 Nov 2020 |title=Epic Games extends its fight against Apple to Australia |url=https://www.epicgames.com/site/en-US/freefortnite-australia-press-release |url-status=live |access-date=16 Mar 2025 |website=[[Epic Games]]}}&amp;lt;/ref&amp;gt; the European Union,&amp;lt;ref&amp;gt;{{Cite web |date=17 Feb 2021 |title=Epic Game Files EU Antitrust Complaint Against Apple |url=https://www.epicgames.com/site/en-US/news/epic-games-files-eu-antitrust-complaint-against-apple |url-status=live |access-date=16 Mar 2025 |website=[[Epic Games]]}}&amp;lt;/ref&amp;gt; and the United Kingdom.&amp;lt;ref&amp;gt;{{Cite web |date=30 Mar 2021 |title=Epic Games files complaint to support CMA Apple investigation |url=https://www.epicgames.com/site/en-US/news/epic-games-files-complaint-to-support-cma-apple-investigation |url-status=live |access-date=16 Mar 2025 |website=[[Epic Games]]}}&amp;lt;/ref&amp;gt;&lt;br /&gt;
&lt;br /&gt;
On 11 September 2021, Judge Yvonne Gonzalez Rogers decided on the case. While the lawsuit against Apple failed on 9 of 10 counts, Rogers ruled against Apple&#039;s use of &amp;quot;anti-steering&amp;quot; - their strategies of preventing the user from being &amp;quot;steered&amp;quot; to a third-party storefront for payment processing, placing a permanent injunction on this behavior.&amp;lt;ref&amp;gt;{{Cite web |last=Brandon |first=Russell |date=11 Sep 2021 |title=Apple must allow other forms of in-app purchase, rules judge in Epic v. Apple |url=https://www.theverge.com/2021/9/10/22662320/epic-apple-ruling-injunction-judge-court-app-store |url-status=live |access-date=1 May 2025 |website=[[The Verge]]}}&amp;lt;/ref&amp;gt; Despite the case mostly failing, the discovery process provided significant insight into Apple&#039;s decisions around App Store policies, including decisions made in major app review disputes, and in one case, executive Phil Schiller arguing to reduce the fee from 30%.&amp;lt;ref&amp;gt;{{Cite web |last=Gurman |first=Mark |date=4 May 2021 |title=Apple’s Schiller Floated Cutting App Store Fees a Decade Ago |url=https://www.bloomberg.com/news/articles/2021-05-03/apple-s-schiller-floated-cutting-app-store-fees-a-decade-ago |url-status=live |access-date=1 May 2025 |website=[[iMore]]}}&amp;lt;/ref&amp;gt;&lt;br /&gt;
&lt;br /&gt;
Epic Games and Apple both appealed the decision. 35 state attorneys-general, the [[Electronic Frontier Foundation]] (EFF), and [[Microsoft]], among others, filed amicus briefs in support of Epic Games.&amp;lt;ref&amp;gt;{{Cite web |last=Peters |first=Jay |date=29 Jan 2022 |title=Epic largely lost to Apple, but 35 states are now backing its fight in a higher court |url=https://www.theverge.com/2022/1/28/22907106/epic-games-v-apple-amicus-briefs-states-eff-microsoft-appeal |url-status=live |access-date=1 May 2025 |website=[[The Verge]]}}&amp;lt;/ref&amp;gt;&lt;br /&gt;
&lt;br /&gt;
On 11 December 2023, the jury in the case against Google decided on all 11 counts in favor of Epic Games.&amp;lt;ref&amp;gt;{{Cite web |last=Bensinger |first=Greg |last2=Scarcella |first2=Mike |date=13 Dec 2023 |title=Epic Games wins antitrust case against Google over Play app store |url=https://www.reuters.com/legal/google-epic-games-face-off-app-antitrust-trial-nears-end-2023-12-11/ |url-status=live |access-date=1 May 2025 |website=[[Reuters]]}}&amp;lt;/ref&amp;gt;&lt;br /&gt;
&lt;br /&gt;
On 1 May 2025, Rogers found that Apple willfully chose to not comply with the 2021 injunction, commenting &amp;quot;that it thought this court would tolerate such insubordination was a gross miscalculation&amp;quot;.&amp;lt;ref&amp;gt;{{Cite web |last=Peters |first=Jay |date=1 May 2025 |title=A judge just blew up Apple’s control of the App Store |url=https://www.theverge.com/news/659246/apple-epic-app-store-judge-ruling-control |url-status=live |access-date=1 May 2025 |website=[[The Verge]]}}&amp;lt;/ref&amp;gt;&lt;br /&gt;
&lt;br /&gt;
===Facebook online events===&lt;br /&gt;
In August 2020, in response to the COVID-19 pandemic, Facebook introduced the ability for small businesses to accept an entrance fee for events. Previously, Facebook would only act as a way to RSVP for the event - the organizer must use a third-party event ticketing system to collect fees. The company pledged to not collect any fee on event sales &amp;quot;until 2023&amp;quot;.&amp;lt;ref&amp;gt;{{Cite web |date=14 Aug 2020 |title=Paid Online Events for Small Business Recovery |url=https://about.fb.com/news/2020/08/paid-online-events/ |url-status=live |access-date=16 Mar 2025 |website=[[Meta]]}}&amp;lt;/ref&amp;gt;&lt;br /&gt;
&lt;br /&gt;
Apple disagreed, requiring the feature to use the in-app purchases system. This introduced Apple&#039;s 30% fee. As this increases the price the user pays, with no benefit to the small business the user intended to support, the fee was displayed as a line item in checkout. Apple did not accept this disclosure of the fee, referring to it as &amp;quot;irrelevant&amp;quot;.&amp;lt;ref name=&amp;quot;facebook&amp;quot; /&amp;gt; Facebook was allowed to compromise on displaying the fee, but &#039;&#039;without&#039;&#039; indicating that it is specifically an App Store fee.&lt;br /&gt;
&lt;br /&gt;
===HEY===&lt;br /&gt;
HEY.com is a paid webmail provider launched in June 2020 by long-time software company [[wikipedia:37signals|37signals]], specializing in inbox organization tools.&lt;br /&gt;
&lt;br /&gt;
After successfully launching the initial version of the app on the App Store, the company announced that an update was rejected due to a complaint about the business model. The app did not intend to support in-app purchases - instead, the user is expected to already have an account with the service. Apple did not like this arrangement, and demanded the company build an in-app subscription option. The company argued that they are being held to a different set of rules than apps such as [[Netflix, Inc.|Netflix]], whose app does not provide any way to purchase a subscription.&amp;lt;ref&amp;gt;{{Cite web |last=Kastrenakes |first=Jacob |date=17 Jun 2020 |title=Hey.com exec says Apple is acting like ‘gangsters,’ rejecting App Store updates and demanding cut of sales |url=https://www.theverge.com/2020/6/16/21293419/hey-apple-rejection-ios-app-store-dhh-gangsters-antitrust |url-status=live |access-date=16 Mar 2025 |website=[[The Verge]]}}&amp;lt;/ref&amp;gt; After a suggestion from Apple executive Phil Schiller in the media, HEY introduced a 14-day free trial mode, which was approved.&amp;lt;ref&amp;gt;https://www.hey.com/apple/path/&amp;lt;/ref&amp;gt;&amp;lt;ref&amp;gt;https://techcrunch.com/2020/06/18/interview-apples-schiller-says-position-on-hey-app-is-unchanged-and-no-rules-changes-are-imminent/&amp;lt;/ref&amp;gt;&lt;br /&gt;
&lt;br /&gt;
===Patreon===&lt;br /&gt;
In August 2024, [[Patreon]] announced a change in arrangement with Apple for its App Store app. From November 2024, subscriptions started from the iOS app would be required to use the in-app purchase system, bypassing Patreon&#039;s own long-standing payments practices.&amp;lt;ref&amp;gt;{{Cite web |date=12 Aug 2024 |title=Apple’s requirements are about to hit creators and fans on Patreon. Here’s what you need to know. |url=https://news.patreon.com/articles/understanding-apple-requirements-for-patreon |url-status=live |access-date=16 Mar 2025 |website=[[Patreon]]}}&amp;lt;/ref&amp;gt;&amp;lt;ref name=&amp;quot;patreon&amp;quot; /&amp;gt; This change does not affect the Android app.&lt;br /&gt;
&lt;br /&gt;
By forcing Patreon out of the payments pipeline, certain payment models are no longer available to users of Patreon&#039;s iOS app. Creators who rely on the &amp;quot;per-creation&amp;quot; payment model, as opposed to the standard &amp;quot;per-month&amp;quot;, can no longer be subscribed to from the app. The app is also not able to support the &amp;quot;first-of-the-month&amp;quot; model, where payments from all subscribers are collected on the first day of the month, rather than every 30 days since each member&#039;s day of subscription. The price must also be rounded to a price tier supported by Apple.&lt;br /&gt;
&lt;br /&gt;
Patreon provides creators with the choice to increase their prices by 30% in the iOS app, or to keep the same prices but forfeit 30% to Apple. Creators frequently remind potential supporters to not use the Patreon iOS app, adding extra inconvenience to those wanting to support the work of small creators.&lt;br /&gt;
&lt;br /&gt;
&amp;lt;gallery mode=&amp;quot;packed&amp;quot; heights=&amp;quot;400px&amp;quot;&amp;gt;&lt;br /&gt;
File:Patreon iOS app pricing options - fee on top.png|&amp;quot;Maintain earnings and cover Apple&#039;s fee by increasing prices in iOS app&amp;quot; (Recommended)&lt;br /&gt;
File:Patreon iOS app pricing options - absorb fee.png|&amp;quot;Keep prices in the iOS app the same and cover Apple&#039;s fee yourself&amp;quot;&lt;br /&gt;
&amp;lt;/gallery&amp;gt;&lt;br /&gt;
&lt;br /&gt;
A similar case occurred with the app Fanhouse in 2021.&amp;lt;ref&amp;gt;{{Cite web |last=@jasminericegirl |date=9 Jun 2021 |title=#fuckapple, a thread&lt;br /&gt;
I cofounded @fanhouseapp&lt;br /&gt;
 8 months ago to empower creators to monetize their content. We pay creators 90% of earnings. Now, Apple is threatening to remove Fanhouse from the app store unless we give them 30% of creator earnings. This is theft and exploitation. |url=https://x.com/jasminericegirl/status/1402691047940100100 |access-date=16 Mar 2025 |website=[[X]]}}&amp;lt;/ref&amp;gt;&lt;br /&gt;
&lt;br /&gt;
===Twitter===&lt;br /&gt;
In August 2021, [[Twitter]] introduced a feature named Super Follows (now Subscriptions), in which a user can pay a subscription fee to access more of a creator&#039;s content. For each user who enables Subscriptions, Twitter must submit a new in-app purchase SKU to the App Store, which will become available with the next update to the app.&amp;lt;ref&amp;gt;{{Cite web |last=@wongmjane |date=2 Sep 2021 |title=Each Super Follow is an In-App Purchase on the App Store, but because there are too many IAPs for the Twitter app, the App Store only shows 10 instead of the full list |url=https://x.com/wongmjane/status/1433372120080261120 |url-status=live |access-date=16 Mar 2025 |website=[[X]]}}&amp;lt;/ref&amp;gt; This, of course, is subject to the 30% fee. At the time of writing in January 2025, viewing the App Store listing reveals Elon Musk&#039;s $4.00 subscription as the fourth most popular IAP item.&lt;br /&gt;
&lt;br /&gt;
==Notarization==&lt;br /&gt;
Since 2015, Apple expects all Mac apps to be &amp;quot;notarized&amp;quot;. This is a preliminary, automated malware check, which upon passing, provides a notary certificate that gets &amp;quot;stapled&amp;quot; to the app. Apple&#039;s explanation:&lt;br /&gt;
&lt;br /&gt;
&amp;lt;blockquote&amp;gt;&lt;br /&gt;
Notarization of macOS software is not App Review. The Apple notary service is an automated system that scans your software for malicious content, checks for code-signing issues, and returns the results to you quickly. If there are no issues, the notary service generates a ticket for you to staple to your software; the notary service also publishes that ticket online where Gatekeeper can find it.&amp;lt;ref&amp;gt;{{Cite web |title=Notarizing macOS software before distribution |url=https://developer.apple.com/documentation/security/notarizing-macos-software-before-distribution |url-status=live |access-date=16 Mar 2025 |website=[[Apple Developer]]}}&amp;lt;/ref&amp;gt;&lt;br /&gt;
&amp;lt;/blockquote&amp;gt;&lt;br /&gt;
&lt;br /&gt;
Whether this is actually a better approach than that used by Windows antivirus products, which find out about new malware samples only when they end up on a user&#039;s computer, is a separate topic.&lt;br /&gt;
&lt;br /&gt;
To comply with the DMA&#039;s regulations on app marketplaces, Apple created a new channel of releasing apps outside of the iOS App Store. Apps go through a notarization process. But the process is definitely &#039;&#039;not&#039;&#039; notarization. The name is intentionally being abused, by contrast to notarization on macOS, to make you believe it is something other than the existing App Review system. Despite the pain some developers and users have with it, notarization on macOS has always been considered a net positive. It made sense to take advantage of its reputation for the entirely different &amp;quot;notarization&amp;quot; on iOS.&lt;br /&gt;
&lt;br /&gt;
See for yourself - view the [https://developer.apple.com/app-store/review/guidelines/ App Review Guidelines] and tick &amp;quot;Show Notarization Review Guidelines Only&amp;quot;. While most rules are knocked out by this, a good number of them are still in place. These apps are still reviewed and tested by the App Review team, must have a full product listing in App Store Connect, and can be outright rejected - all in the same way as an App Store app.&lt;br /&gt;
&lt;br /&gt;
By contrast, all that is required for notarization on macOS is for your app to not be malware. You submit it to an automated system that approves it within minutes. &#039;&#039;&#039;You don&#039;t need to convince Apple your app is worthy of existing on their platform.&#039;&#039;&#039;&lt;br /&gt;
&lt;br /&gt;
The point of macOS notarization is that Apple has a record of all binaries that are intended for wide distribution on macOS, and can review them both in advance and on a regular basis for known malware/common malware patterns. If a malware app manages to initially get through, then once Apple finds out, they can go back through the notary records and find every sample of that malware to analyze and block. This is purely a technical process, managed by skilled security researchers, while iOS app review and &amp;quot;notarization&amp;quot; is a business process, managed by workers who have been given a checklist of violations to look for.&lt;br /&gt;
&lt;br /&gt;
Apple is retaining complete control over what&#039;s allowed to run on iOS. On macOS, you can choose to run apps that have not been notarized (even though the process to bypass the warning is intentionally difficult). On iOS, you never get even that option. What Apple created is the App Store but with more steps. It still goes on the App Store, just hidden so it can only be installed by the third-party store it&#039;s tied to.&lt;br /&gt;
&lt;br /&gt;
*Mysk: &amp;quot;iOS should enable alternative marketplaces to add their own links when users share their apps. Links still point to the App Store and if the app is not available there, this happens.&amp;quot;&amp;lt;ref&amp;gt;{{Cite web |last=@mysk_co |date=28 Jun 2024 |title=iOS should enable alternative marketplaces to add their own links when users share their apps. Links still point to the App Store and if the app is not available there, this happens: |url=https://x.com/mysk_co/status/1806638308455256242 |url-status=live |access-date=16 Mar 2025 |website=[[X]]}}&amp;lt;/ref&amp;gt;&lt;br /&gt;
&lt;br /&gt;
==JIT==&lt;br /&gt;
Safari is allowed to [[wikipedia:Just-in-time compilation|just-in-time]] compile code worldwide. The super short version of what that means: it can run JavaScript code &#039;&#039;really fast&#039;&#039;. All browsers, and other runtimes like Microsoft .NET, Java, and Lua, use this. OK, fine, it&#039;s the system web browser, it&#039;s very carefully written to be secure, and it&#039;s important to the platform to be doing well in performance benchmarks and all that.&lt;br /&gt;
&lt;br /&gt;
Apple&#039;s [https://apps.apple.com/app/swift-playgrounds/id908519492 Playgrounds] app on iPad is also allowed to JIT. It bundles Apple&#039;s [[wikipedia:Swift (programming language)|Swift]] compiler, and shares backend code with the version of Playgrounds found in [[wikipedia:Xcode|Xcode]].&lt;br /&gt;
&lt;br /&gt;
Competing apps like Pythonista (a Python IDE), emulators like Delta and UTM, and terminal environments like iSH, are not allowed to JIT. As such, they need to rely on inferior performance, potentially from an entirely separate implementation of their compiler/interpreter that may be less proven, because the JIT-less implementation doesn&#039;t need to exist on any other platform.&lt;br /&gt;
&lt;br /&gt;
Likely the clearest example is UTM SE. UTM is a port of the [[wikipedia:QEMU|QEMU]] emulator to iOS, allowing you to run desktop OSes (Linux, Windows 98, XP, classic Mac OS, etc). iPhone hardware is very capable these days and it runs impressively well, &#039;&#039;if&#039;&#039; you use a hack to enable JIT (which Apple has now patched). &amp;quot;SE&amp;quot; stands for &amp;quot;slow edition&amp;quot; - yes, really. If you compare the true version of UTM to the App Store UTM SE app, you &#039;&#039;will&#039;&#039; feel the loss in performance. It&#039;s impressive UTM even got to be on the App Store at all, and the DMA is to thank for it. But Apple is still holding the line against allowing JIT for apps that require that performance.&lt;br /&gt;
&lt;br /&gt;
While UTM SE releasing at all might seem like a pathway to getting Firefox and Chrome &amp;quot;slow editions&amp;quot; on the App Store, browser engines other than the built-in Apple WebKit/JavaScriptCore are still outlawed.&amp;lt;ref&amp;gt;{{Cite web |title=App Review Guidelines |url=https://developer.apple.com/app-store/review/guidelines/#2.5.6 |url-status=live |access-date=16 Mar 2025 |website=[[Apple Developer]]}}&amp;lt;/ref&amp;gt; In the EU, Apple has blessed web browser JavaScript engines with the option to use JIT. The app must be approved for an entitlement, and then must work within APIs provided by Apple for it. As of January 2025, no browsers have been released using this. We were all anticipating proper competition around web browsers on iOS, but almost a year later, we have nothing.&amp;lt;ref&amp;gt;{{Cite web |title=Mozilla says Apple’s new browser rules are ‘as painful as possible’ for Firefox |url=https://www.theverge.com/2024/1/26/24052067/mozilla-apple-ios-browser-rules-firefox |url-status=live |access-date=16 Mar 2025 |website=[[The Verge]]}}&amp;lt;/ref&amp;gt;&lt;br /&gt;
&lt;br /&gt;
==Sandbox==&lt;br /&gt;
You might not like app sandboxing, but it&#039;s a powerful security feature used on all modern platforms. The reality is very few apps need more than a few basic permissions. [[wikipedia:Flatpak|Flatpak]] on Linux also sandboxes apps, and it seems to work great! Still, it&#039;s completely fair that there should be processes for doing things beyond what the sandbox allows. You see some of this with permission prompts - does a flashlight app &#039;&#039;really&#039;&#039; need access to your contacts? (Apple has been burned by apps abusing user data before the current permission system was built out.&amp;lt;ref&amp;gt;{{Cite web |last=Bohn |first=Dieter |date=15 Feb 2012 |title=iOS apps and the address book: who has your data, and how they’re getting it |url=https://www.theverge.com/2012/2/14/2798008/ios-apps-and-the-address-book-what-you-need-to-know |url-status=live |access-date=16 Mar 2025 |website=[[The Verge]]}}&amp;lt;/ref&amp;gt;)&lt;br /&gt;
&lt;br /&gt;
It can go further than this. As we established in previous sections, an app can be given more access to features of the system using entitlements. These come in a few flavors:&lt;br /&gt;
&lt;br /&gt;
*&#039;&#039;&#039;Completely safe&#039;&#039;&#039;: Entitlements any developer can opt into, with little to no risk.&lt;br /&gt;
*&#039;&#039;&#039;Approval required&#039;&#039;&#039;: Entitlements that might be more of a security risk to allow, e.g. giving considerably wider access to the system, or that Apple simply doesn&#039;t want to hand out to just &#039;&#039;anyone&#039;&#039; for competitive reasons. The developer must submit a request to Apple with evidence of why they need the entitlement.&lt;br /&gt;
*&#039;&#039;&#039;Private&#039;&#039;&#039;: Entitlements that no app developer is ever allowed to use. Many of these are reasonably fenced off because they handle very risky user data, bypass permission prompts, etc., but they can just as well be guarding features Apple wants to keep to itself.&lt;br /&gt;
&lt;br /&gt;
There have been [https://gizmodo.com/researchers-uber-s-ios-app-had-secret-permissions-that-1819177235 exceptions] where Apple quietly gave a company access to private entitlements anyway, raising eyebrows.&lt;br /&gt;
&lt;br /&gt;
On iOS, you also can&#039;t be &#039;&#039;more&#039;&#039; secure than the default sandbox. That might seem crazy if you&#039;re not a developer, but it&#039;s pretty important for security in a variety of situations. On macOS, there are several entitlements you must declare to decide whether you&#039;re allowed to access certain types of user data at all. Android used this design from the very start - you can&#039;t even do fundamental things like access the internet without declaring it in your manifest. It makes it very explicit what the app&#039;s intentions are.&lt;br /&gt;
&lt;br /&gt;
iOS has one sandbox used by all App Store apps. System apps, and App Store apps developed by Apple, are allowed to expand or reduce their sandbox permissions as needed. Third-party apps do not get the right to expand or reduce their sandbox permissions at all. This is clearly less secure. To take the example of Playgrounds again, while it&#039;s allowed to run your code from a separate process executing in an ultra locked down sandbox with very few permissions, competing apps such as Pythonista must run your code in the same sandbox and address space as the main app process. The Python interpreter crashing would therefore crash the entire app, possibly losing work. In the worst case, a vulnerability in third-party code could give access to all data stored by/accessible to the app. For example, it would be a nightmare if you could tap the wrong link in Safari and have a hacker easily steal your cookies from other websites. If that third-party code could run in its own limited sandbox, the risk would be significantly reduced.&lt;br /&gt;
&lt;br /&gt;
The only known workaround is to execute the code via JavaScript, as Apple&#039;s JavaScriptCore engine runs in a heavily sandboxed process. This requires you to port the code to JS, which may be a lot of work, or just not viable. You wouldn&#039;t want to run the Python interpreter inside JavaScript - the performance would be terrible!&lt;br /&gt;
&lt;br /&gt;
==In-app browsers==&lt;br /&gt;
Safari&#039;s in-app browser, that is, the minimal version you get when tapping a link from social media, uses an entirely separate data store for each app. The in-app browser isn&#039;t aware of cookies in the &amp;quot;full&amp;quot; Safari app, or any other app, and doesn&#039;t support Safari extensions. Apple claimed this was to prevent malicious apps from stealing or setting cookies in Safari without your knowledge, which is a fair argument, but it&#039;s hard not to notice that it makes web browsing inconvenient, encouraging users to install native apps, where they can make transactions through Apple.&amp;lt;ref&amp;gt;{{Cite web |last=@whitehatguy |date=12 Jun 2017 |title=Impact of iOS 11 no longer providing shared cookies between Safari, Safari View Controller instances |url=https://github.com/openid/AppAuth-iOS/issues/120 |url-status=live |access-date=16 Mar 2025 |website=[[GitHub]]}}&amp;lt;/ref&amp;gt;&lt;br /&gt;
&lt;br /&gt;
This also means your browsing in the in-app browser is just forgotten - there&#039;s no history menu, and it doesn&#039;t get logged to the history in the full Safari app either. Good luck recalling that article you read a few weeks ago.&lt;br /&gt;
&lt;br /&gt;
==See also==&lt;br /&gt;
*[https://theapplewiki.com/wiki/Eligibility Eligibility]&lt;br /&gt;
*Posts written by an author of this article:&lt;br /&gt;
**[https://adamdemasi.com/2024/04/19/app-marketplace-experience.html The iOS 17.4 app marketplace flow is a disaster]&lt;br /&gt;
**[https://adamdemasi.com/2024/04/20/ios-eligibility.html How I tricked iOS into giving me EU DMA features]&lt;br /&gt;
**[https://adamdemasi.com/2024/04/23/ios-eligibility-features.html Features controlled by iOS 17.4&#039;s eligibility system]&lt;br /&gt;
&lt;br /&gt;
==References==&lt;br /&gt;
&amp;lt;references /&amp;gt;&lt;br /&gt;
&lt;br /&gt;
[[Category:Apple App Store]]&lt;/div&gt;</summary>
		<author><name>Kirb</name></author>
	</entry>
	<entry>
		<id>https://mirror.consumerrights.wiki/index.php?title=Artificial_intelligence&amp;diff=12429</id>
		<title>Artificial intelligence</title>
		<link rel="alternate" type="text/html" href="https://mirror.consumerrights.wiki/index.php?title=Artificial_intelligence&amp;diff=12429"/>
		<updated>2025-04-02T10:54:13Z</updated>

		<summary type="html">&lt;p&gt;Kirb: /* Case studies */ More&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;&#039;&#039;&#039;Artificial intelligence&#039;&#039;&#039; (AI) is a field of computer science producing software that aims to ultimately replace all manual labor. AI is not a new concept - it has been of interest as early as the 1950s. Since the November 2022 launch of [[ChatGPT]], [[wikipedia:Large language model|large language model]] (LLM) chatbots have been a main focus of the industry, with billions of dollars in funding allocated to producing more &amp;quot;intelligent&amp;quot; LLMs. Also a significant focus are [[wikipedia:Text-to-image model|text-to-image models]], which &amp;quot;draw&amp;quot; an image using written instructions, and [[wikipedia:Text-to-video model|text-to-video models]], which extend the text-to-image concept across several smooth video frames.&lt;br /&gt;
&lt;br /&gt;
[[wikipedia:Generative artificial intelligence|Generative artificial intelligence]] models are trained on vast amounts of existing human-generated content. Using the example of an LLM, by learning about common trends in sentence structure, the model is able to form complete sentences and show artificial &amp;quot;knowledge&amp;quot; of a topic. The artificial nature may cause [[wikipedia:Hallucination (artificial intelligence)|hallucination]] through confidently-written, but mostly or entirely incorrect, output.&lt;br /&gt;
&lt;br /&gt;
The current well-funded, lucrative industry of artificial intelligence tools has resulted in rampant unethical use of content. Startups intending to produce AI services have been scraping the internet for content to train future models at a concerning pace, with no regard for copyright law, as members of the field are concerned that they are approaching the limit of publicly-available content to train from.&amp;lt;ref&amp;gt;https://observer.com/2024/12/openai-cofounder-ilya-sutskever-ai-data-peak/&amp;lt;/ref&amp;gt;&lt;br /&gt;
&lt;br /&gt;
==Unethical website scraping==&lt;br /&gt;
While &amp;quot;mainstream&amp;quot; companies such as [[OpenAI]], [[Anthropic]], and [[Meta]] appear to correctly follow industry-standard practices for web crawlers, others ignore them, causing [[wikipedia:Denial-of-service attack|distributed denial of service attacks]] which damage access to freely-accessible websites. This is particularly an issue for websites that are large or contain many dynamic links.&lt;br /&gt;
&lt;br /&gt;
Ethical website scrapers, known as &amp;quot;spiders&amp;quot; that crawl the web, follow a certain set of minimum guidelines. Specifically, they follow [[wikipedia:robots.txt|robots.txt]], a text file found at the root of a domain that indicates:&lt;br /&gt;
&lt;br /&gt;
*Paths bots are allowed to index&lt;br /&gt;
*Paths bots should not index&lt;br /&gt;
*How long the bot should wait in between requests to the server, to reduce load&lt;br /&gt;
*The [[wikipedia:Sitemaps|sitemap]] of the website&#039;s content&lt;br /&gt;
&lt;br /&gt;
These rules are typically configured for all bots, with minor adjustments made to individual bots as needed. Additionally, specific web pages may use the [[wikipedia:noindex|robots meta tag]] to control use of their output.&lt;br /&gt;
&lt;br /&gt;
While it is good practice for a bot to respect robots.txt, there is no requirement for it, and there is no punishment for not following a website&#039;s wishes. It is additionally standard practice, but in no way enforced, that bots use a [[wikipedia:User-Agent header|User-Agent header]] to uniquely identify themselves. This allows a website operator to observe a bot&#039;s traffic patterns, potentially blocking the bot outright if its scraping is not desirable. The header also typically contains a URL or email address that can be used to contact the operator in case of anomalies observed in the bot&#039;s traffic.&lt;br /&gt;
&lt;br /&gt;
Unethical AI scraper bots do not follow robots.txt - in fact, they may not even request this file at all. They typically completely ignore it, instead opting to start from an entry point such as the root home page (&amp;lt;code&amp;gt;/&amp;lt;/code&amp;gt;), working their way through an exponentially growing list of links as they find them, with little to no delay between requests. The bots use false User-Agent header strings that would correspond to real web browsers on desktop or mobile operating systems - blocking them would also block legitimate users, or at least legitimate users on VPNs.&lt;br /&gt;
&lt;br /&gt;
Some AI services opt to use separate User-Agent strings, potentially also ignoring robots.txt, when a request is made through user command rather than as part of model training. For example, ChatGPT identifies itself as &amp;lt;code&amp;gt;ChatGPT-User&amp;lt;/code&amp;gt; rather than its standard &amp;lt;code&amp;gt;OpenAI&amp;lt;/code&amp;gt; when it uses the &amp;quot;search the web&amp;quot; command - even if searching the web was an automatic decision. In a less favorable example, Perplexity AI in this same situation falsely identifies as a standard Chrome web browser running on Windows. AI companies defend this under the belief that they are not a &amp;quot;spider&amp;quot;, but rather a &amp;quot;user agent&amp;quot; (like a web browser), when called upon by a user&#039;s request.&amp;lt;ref name=&amp;quot;perplexity-aws&amp;quot; /&amp;gt;&lt;br /&gt;
&lt;br /&gt;
Less legitimate bots use a wide distribution of IP addresses, further reducing options for the website to protect itself. This is a clear attempt to bypass any IP-based request throttling and rate limiting the website may implement. They are also known to ignore HTTP response status codes that indicate a server error ([[wikipedia:HTTP status code#5xx server errors|5xx]]), or warnings that the client needs to slow down ([[wikipedia:HTTP status code#429|429 Too Many Requests]]) or has been entirely blocked ([[wikipedia:HTTP status code#403|403 Forbidden]]).&lt;br /&gt;
&lt;br /&gt;
===Effect on users===&lt;br /&gt;
To protect against unethical crawlers, due to concerns of both intellectual property and service disruption, websites adopt practices that affect the experience of real users:&lt;br /&gt;
&lt;br /&gt;
*&#039;&#039;&#039;Bot check walls&#039;&#039;&#039;: The user may be required to pass a security check &amp;quot;wall&amp;quot;. While usually automatic for the user, this can affect legitimate bots. When a website protection service such as [[Cloudflare]] is not confident as to whether the visitor is legitimate, it may present a CAPTCHA to be manually filled out. An example is &amp;quot;Google Sorry&amp;quot;, a CAPTCHA wall frequently seen when using Google Search via a VPN.&lt;br /&gt;
*&#039;&#039;&#039;Login walls&#039;&#039;&#039;: Should bots be found to pass CAPTCHA walls, the website may advance to requiring logging in to view content. A major recent example of this is [[YouTube]]&#039;s &amp;quot;Sign in to confirm you&#039;re not a bot&amp;quot; messages.&lt;br /&gt;
*&#039;&#039;&#039;JavaScript requirement&#039;&#039;&#039;: Most websites do not need JavaScript to deliver their content. However, as many scrapers expect content to be found directly in the HTML, it is often an easy workaround to use JavaScript to &amp;quot;insert&amp;quot; the content after the page has loaded. This may reduce the responsiveness of the website, increasing points of failure, and preventing security-conscious users who disable JavaScript from viewing the website.&lt;br /&gt;
*&#039;&#039;&#039;IP address blocking&#039;&#039;&#039;: Blocking IP addresses, especially by blocking entire providers via their [[wikipedia:Autonomous system (Internet)|autonomous system number]], always comes with some risk of blocking legitimate users. Particularly, this may restrict access to users making use of a VPN.&lt;br /&gt;
*&#039;&#039;&#039;Heuristic blocking&#039;&#039;&#039;: Patterns in request headers may give away that the request is being made by an unethical bot, despite attempts to act as a legitimate visitor. Heuristics are imperfect and may block legitimate users, especially those that may use less common browsers.&lt;br /&gt;
&lt;br /&gt;
In rare situations, a website operator may redirect detected bot traffic, such as to download speed test files hosted by ISPs containing multiple gigabytes of random garbage data. This may have the effect of disrupting the bot, but its effectiveness is unknown.&lt;br /&gt;
&lt;br /&gt;
The need to respond to unethical scraping also further consolidates the web into the control of a few large [[wikipedia:Web application firewall|web application firewall]] (WAF) services, most notably [[Cloudflare]], as website owners find themselves otherwise unable to protect their service from being disrupted by such traffic.&lt;br /&gt;
&lt;br /&gt;
===Case studies===&lt;br /&gt;
====Diaspora====&lt;br /&gt;
On 27 December 2024, the open-source social network project Diaspora noted that 70% of traffic across its infrastructure was in service of AI scrapers.&amp;lt;ref name=&amp;quot;geraspora&amp;quot;&amp;gt;https://pod.geraspora.de/posts/17342163&amp;lt;/ref&amp;gt; Particularly, the project noted that bots had followed links to crawl every individual edit in their [[#MediaWiki|MediaWiki]] instance, causing an exponential increase in the number of unique requests being made.&lt;br /&gt;
&lt;br /&gt;
====LVFS====&lt;br /&gt;
The [https://fwupd.org/ Linux Vendor Firmware Service] (LVFS) provides a free central store of firmware updates, such as for UEFI motherboards and SSD controllers. This feature is integrated with many Linux distributions through the &amp;lt;code&amp;gt;fwupd&amp;lt;/code&amp;gt; daemon. For situations where internet access is not permitted, the service allows users to make a local mirror of the entire 100+ GB store.&lt;br /&gt;
&lt;br /&gt;
On 9 January 2025, the project announced that it would introduce a login wall around its mirror feature, citing unnecessary use of its bandwidth.&amp;lt;ref&amp;gt;https://lore.kernel.org/lvfs-announce/zDlhotSvKqnMDfkCKaE_u4-8uvWsgkuj18ifLBwrLN9vWWrIJjrYQ-QfhpY3xuwIXuZgzOVajW99ymoWmijTdngeFRVjM0BxhPZquUzbDfM=@hughsie.com/T/&amp;lt;/ref&amp;gt; Up to 1,000 files may be downloaded per day without logging in. The author later mentioned on Mastodon that the problem appears to be caused by AI scraping.&amp;lt;ref&amp;gt;https://mastodon.social/@hughsie/113871373001227969&amp;lt;/ref&amp;gt;&lt;br /&gt;
&lt;br /&gt;
====LWN.net====&lt;br /&gt;
On 21 January 2025, Jonathan Corbet, maintainer of the Linux news website [[wikipedia:LWN.net|LWN.net]], made the following [https://social.kernel.org/notice/AqJkUigsjad3gQc664 post] to social.kernel.org:&lt;br /&gt;
&lt;br /&gt;
&amp;lt;blockquote&amp;gt;&lt;br /&gt;
Should you be wondering why @LWN #LWN is occasionally sluggish... since the new year, the DDOS onslaughts from AI-scraper bots has picked up considerably. Only a small fraction of our traffic is serving actual human readers at this point. At times, some bot decides to hit us from hundreds of IP addresses at once, clogging the works. They don&#039;t identify themselves as bots, and robots.txt is the only thing they *don&#039;t* read off the site.&lt;br /&gt;
&lt;br /&gt;
This is beyond unsustainable. We are going to have to put time into deploying some sort of active defenses just to keep the site online. I think I&#039;d even rather be writing about accounting systems than dealing with this cr*p. And it&#039;s not just us, of course; this behavior is going to wreck the net even more than it&#039;s already wrecked.&lt;br /&gt;
&amp;lt;/blockquote&amp;gt;&lt;br /&gt;
&lt;br /&gt;
He later commented:&amp;lt;ref&amp;gt;https://www.heise.de/en/news/AI-bots-paralyze-Linux-news-site-and-others-10252162.html&amp;lt;/ref&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;blockquote&amp;gt;&lt;br /&gt;
We do indeed see a kind of pattern. Every IP stays below the threshold for our fuses, but the overload is overwhelming. Any form of active defense will probably have to figure out to block entire subnets instead of individual addresses, and even that might not be enough.&lt;br /&gt;
&amp;lt;/blockquote&amp;gt;&lt;br /&gt;
&lt;br /&gt;
====MediaWiki, Wikipedia, and the Wikimedia Foundation====&lt;br /&gt;
[[wikipedia:MediaWiki|MediaWiki]] is of particular interest to LLM training due to the vast amount of factual, plain-text content wikis tend to hold. While [[wikipedia:Wikipedia|Wikipedia]] and the [[wikipedia:Wikimedia Foundation|Wikimedia Foundation]] host the most well-known wikis, numerous smaller wikis exist thanks to the work of many independent editors. The strength of wiki architecture is its ability for every edit to be audited by anyone, at any time - you can still view [https://en.wikipedia.org/w/index.php?oldid=1 the first edit to Wikipedia] from 2002. This makes wikis a hybrid of a static website and a dynamic web app, which becomes problematic when poorly-designed bots attempt to scrape them.&amp;lt;ref name=&amp;quot;geraspora&amp;quot; /&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;!-- COI alert: I, [[User:kirb]], am an admin for The Apple Wiki. Hopefully this is neutral enough?&lt;br /&gt;
--&amp;gt;The Apple Wiki, which documents internal details of Apple&#039;s hardware and software, holds more than 50,000 articles. On 2 August 2024, with a repeat occurrence on 5 January 2025, the service was disrupted by scraping efforts.&amp;lt;ref&amp;gt;https://theapplewiki.com/wiki/The_Apple_Wiki:Community_portal#Bot_traffic_abuse&amp;lt;/ref&amp;gt; The wiki contains a considerable amount of information that is scraped by legitimate security research tools, making it difficult for the website to block non-legitimate requests. Efforts to block unethical scraping and protect the wiki have disrupted these legitimate tools. The large article count, combined with more than 280,000 total edits over the wiki&#039;s lifetime, creates an untenable situation where it is simply not possible to scrape the website without causing significant service disruption.&lt;br /&gt;
&lt;br /&gt;
On 1 April 2025, the Wikimedia Foundation indicated that its infrastructure has been under increasing pressure from content scraping bots since January 2024, with the particularly critical metric that &amp;quot;65% of our most expensive traffic comes from bots&amp;quot;, despite estimating 35% of all traffic as coming from bots. The bots create traffic patterns that are significantly unlike human traffic patterns, effectively bypassing Wikimedia&#039;s caching infrastructure and placing significant load on the core servers. A blog post provides an example where bot traffic caused the [[wikipedia:Wikimedia Commons|Wikimedia Commons]] service to become unstable during a human traffic spike. The Foundation is considering introduction of a Responsible Use of Infrastructure policy to ensure the continued stability of their services.&amp;lt;ref&amp;gt;https://diff.wikimedia.org/2025/04/01/how-crawlers-impact-the-operations-of-the-wikimedia-projects/&amp;lt;/ref&amp;gt;&lt;br /&gt;
&lt;br /&gt;
====Perplexity AI and news outlets====&lt;br /&gt;
[[Perplexity AI]], founded in August 2022, is a large language model that aims to be viewed as a general search engine. It encourages users to consume news through its summaries of stories.&lt;br /&gt;
&lt;br /&gt;
On 15 June 2024, an investigation by Apple blog MacStories found that Perplexity does not follow its own documented policies when accessing content the user requests from the web. In their testing, the scraper pretended to be Chrome 111 running on Windows 10, connecting from an IP address not found in Perplexity&#039;s publicly-listed IP address ranges.&amp;lt;ref&amp;gt;https://rknight.me/blog/perplexity-ai-is-lying-about-its-user-agent/&amp;lt;/ref&amp;gt; MacStories&#039; findings were confirmed by a WIRED investigation.&amp;lt;ref&amp;gt;https://www.wired.com/story/perplexity-is-a-bullshit-machine/&amp;lt;/ref&amp;gt; Perplexity responded by removing its list of IP addresses.&lt;br /&gt;
&lt;br /&gt;
On 27 June 2024, [[Amazon]] announced an investigation into Perplexity AI, suggesting the behavior may be considered abusive under Amazon Web Services terms of service:&amp;lt;ref name=&amp;quot;perplexity-aws&amp;quot;&amp;gt;https://www.wired.com/story/aws-perplexity-bot-scraping-investigation/&amp;lt;/ref&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;blockquote&amp;gt;&lt;br /&gt;
&amp;quot;AWS&#039;s terms of service prohibit abusive and illegal activities and our customers are responsible for complying with those terms,&amp;quot; [AWS spokesperson Patrick] Neighorn said in a statement. &amp;quot;We routinely receive reports of alleged abuse from a variety of sources and engage our customers to understand those reports.&amp;quot;&lt;br /&gt;
&amp;lt;/blockquote&amp;gt;&lt;br /&gt;
&lt;br /&gt;
====Read the Docs====&lt;br /&gt;
In an early example, on 25 July 2024, open source documentation website Read the Docs detailed cases of abusive bots downloading large amounts of content from the service. Particularly, the significant range of IP addresses used in an aggressive manner rendered existing rate limiting ineffective. Taking action to block traffic identified by Cloudflare as &amp;quot;AI crawlers&amp;quot; reduced bandwidth requirements by 75%, at a cost saving of $1,500 USD/month.&amp;lt;ref&amp;gt;https://about.readthedocs.com/blog/2024/07/ai-crawlers-abuse/&amp;lt;/ref&amp;gt;&lt;br /&gt;
&lt;br /&gt;
====SourceHut and Fedora Linux====&lt;br /&gt;
On 15 March 2025, an infrastructure manager for the [[wikipedia:Fedora Linux|Fedora Linux]] open source project discussed an assumed large language model crawling attack against the Pagure.io Git source code hosting service. The project made the decision to block the entire country of Brazil for some time, while also blocking access to certain repositories whose traffic was creating significant CPU usage.&amp;lt;ref&amp;gt;https://www.scrye.com/blogs/nirik/posts/2025/03/15/mid-march-infra-bits-2025/&amp;lt;/ref&amp;gt;&amp;lt;ref&amp;gt;https://www.scrye.com/blogs/nirik/posts/2025/03/29/late-march-infra-bits-2025/&amp;lt;/ref&amp;gt;&lt;br /&gt;
&lt;br /&gt;
On 17 March 2025, the Git source code host SourceHut announced that the service was being disrupted by large language model crawlers. Mitigations deployed to reduce disruption involved requiring login for some areas of the service, and blocking IP ranges of cloud providers, affecting legitimate use of the website by its users.&amp;lt;ref&amp;gt;https://status.sr.ht/issues/2025-03-17-git.sr.ht-llms/&amp;lt;/ref&amp;gt; In response to the event, SourceHut founder Drew DeVault wrote a blog post entitled &amp;quot;[https://drewdevault.com/2025/03/17/2025-03-17-Stop-externalizing-your-costs-on-me.html Please stop externalizing your costs directly into my face]&amp;quot;, discussing his frustrations with having ongoing and ever-adapting attacks that must be addressed in a timely fashion to reduce disruption to legitimate SourceHut users. DeVault estimates that between &amp;quot;20-100%&amp;quot; of his time is now spent addressing such attacks.&lt;br /&gt;
&lt;br /&gt;
==Privacy concerns of online AI models==&lt;br /&gt;
There are several concerns with using online AI models like [[ChatGPT]] ([[OpenAI]]), not only because they are proprietary, but also because there is no guarantee as to where your data ends up being stored or what it is used for. Recently developed local AI models are an alternative to these online AI models, as they work offline once they are downloaded from platforms like HuggingFace.&amp;lt;ref&amp;gt;https://huggingface.co/&amp;lt;/ref&amp;gt; Commonly run models include Llama ([[Meta]]), DeepSeek ([[DeepSeek]]), Phi ([[Microsoft]]), Mistral ([[Mistral AI]]), and Gemma ([[Google]]).&lt;br /&gt;
&lt;br /&gt;
==References==&lt;br /&gt;
&amp;lt;references /&amp;gt;&lt;br /&gt;
&lt;br /&gt;
[[Category:Artificial intelligence]]&lt;/div&gt;</summary>
		<author><name>Kirb</name></author>
	</entry>
	<entry>
		<id>https://mirror.consumerrights.wiki/index.php?title=Artificial_intelligence&amp;diff=12428</id>
		<title>Artificial intelligence</title>
		<link rel="alternate" type="text/html" href="https://mirror.consumerrights.wiki/index.php?title=Artificial_intelligence&amp;diff=12428"/>
		<updated>2025-04-02T09:52:56Z</updated>

		<summary type="html">&lt;p&gt;Kirb: /* MediaWiki, Wikipedia, and the Wikimedia Foundation */ It&amp;#039;s not getting any better&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;&#039;&#039;&#039;Artificial intelligence&#039;&#039;&#039; (AI) is a field of computer science producing software that aims to ultimately replace all manual labor. AI is not a new concept - it has been of interest as early as the 1950s. Since the November 2022 launch of [[ChatGPT]], [[wikipedia:Large language model|large language model]] (LLM) chatbots have been a main focus of the industry, with billions of dollars in funding allocated to producing more &amp;quot;intelligent&amp;quot; LLMs. Also a significant focus are [[wikipedia:Text-to-image model|text-to-image models]], which &amp;quot;draw&amp;quot; an image using written instructions, and [[wikipedia:Text-to-video model|text-to-video models]], which extend the text-to-image concept across several smooth video frames.&lt;br /&gt;
&lt;br /&gt;
[[wikipedia:Generative artificial intelligence|Generative artificial intelligence]] models are trained on vast amounts of existing human-generated content. Using the example of an LLM, by learning about common trends in sentence structure, the model is able to form complete sentences and show artificial &amp;quot;knowledge&amp;quot; of a topic. The artificial nature may cause [[wikipedia:Hallucination (artificial intelligence)|hallucination]] through confidently-written, but mostly or entirely incorrect, output.&lt;br /&gt;
&lt;br /&gt;
The current well-funded, lucrative industry of artificial intelligence tools has resulted in rampant unethical use of content. Startups intending to produce AI services have been scraping the internet for content to train future models at a concerning pace, with no regard for copyright law, as members of the field are concerned that they are approaching the limit of publicly-available content to train from.&amp;lt;ref&amp;gt;https://observer.com/2024/12/openai-cofounder-ilya-sutskever-ai-data-peak/&amp;lt;/ref&amp;gt;&lt;br /&gt;
&lt;br /&gt;
==Unethical website scraping==&lt;br /&gt;
While &amp;quot;mainstream&amp;quot; companies such as [[OpenAI]], [[Anthropic]], and [[Meta]] appear to correctly follow industry-standard practices for web crawlers, others ignore them, causing [[wikipedia:Denial-of-service attack|distributed denial of service attacks]] which damage access to freely-accessible websites. This is particularly an issue for websites that are large or contain many dynamic links.&lt;br /&gt;
&lt;br /&gt;
Ethical website scrapers, known as &amp;quot;spiders&amp;quot; that crawl the web, follow a certain set of minimum guidelines. Specifically, they follow [[wikipedia:robots.txt|robots.txt]], a text file found at the root of a domain that indicates:&lt;br /&gt;
&lt;br /&gt;
*Paths bots are allowed to index&lt;br /&gt;
*Paths bots should not index&lt;br /&gt;
*How long the bot should wait in between requests to the server, to reduce load&lt;br /&gt;
*The [[wikipedia:Sitemaps|sitemap]] of the website&#039;s content&lt;br /&gt;
&lt;br /&gt;
These rules are typically configured for all bots, with minor adjustments made to individual bots as needed. Additionally, specific web pages may use the [[wikipedia:noindex|robots meta tag]] to control use of their output.&lt;br /&gt;
&lt;br /&gt;
While it is good practice for a bot to respect robots.txt, there is no requirement for it, and there is no punishment for not following a website&#039;s wishes. It is additionally standard practice, but in no way enforced, that bots use a [[wikipedia:User-Agent header|User-Agent header]] to uniquely identify themselves. This allows a website operator to observe a bot&#039;s traffic patterns, potentially blocking the bot outright if its scraping is not desirable. The header also typically contains a URL or email address that can be used to contact the operator in case of anomalies observed in the bot&#039;s traffic.&lt;br /&gt;
&lt;br /&gt;
Unethical AI scraper bots do not follow robots.txt - in fact, they may not even request this file at all. They typically completely ignore it, instead opting to start from an entry point such as the root home page (&amp;lt;code&amp;gt;/&amp;lt;/code&amp;gt;), working their way through an exponentially growing list of links as they find them, with little to no delay between requests. The bots use false User-Agent header strings that would correspond to real web browsers on desktop or mobile operating systems - blocking them would also block legitimate users, or at least legitimate users on VPNs.&lt;br /&gt;
&lt;br /&gt;
Some AI services opt to use separate User-Agent strings, potentially also ignoring robots.txt, when a request is made through user command rather than as part of model training. For example, ChatGPT identifies itself as &amp;lt;code&amp;gt;ChatGPT-User&amp;lt;/code&amp;gt; rather than its standard &amp;lt;code&amp;gt;OpenAI&amp;lt;/code&amp;gt; when it uses the &amp;quot;search the web&amp;quot; command - even if searching the web was an automatic decision. In a less favorable example, Perplexity AI in this same situation falsely identifies as a standard Chrome web browser running on Windows. AI companies defend this under the belief that they are not a &amp;quot;spider&amp;quot;, but rather a &amp;quot;user agent&amp;quot; (like a web browser), when called upon by a user&#039;s request.&amp;lt;ref name=&amp;quot;perplexity-aws&amp;quot; /&amp;gt;&lt;br /&gt;
&lt;br /&gt;
Less legitimate bots use a wide distribution of IP addresses, further reducing options for the website to protect itself. This is a clear attempt to bypass any IP-based request throttling and rate limiting the website may implement. They are also known to ignore HTTP response status codes that indicate a server error ([[wikipedia:HTTP status code#5xx server errors|5xx]]), or warnings that the client needs to slow down ([[wikipedia:HTTP status code#429|429 Too Many Requests]]) or has been entirely blocked ([[wikipedia:HTTP status code#403|403 Forbidden]]).&lt;br /&gt;
&lt;br /&gt;
===Effect on users===&lt;br /&gt;
To protect against unethical crawlers, due to concerns of both intellectual property and service disruption, websites adopt practices that affect the experience of real users:&lt;br /&gt;
&lt;br /&gt;
*&#039;&#039;&#039;Bot check walls&#039;&#039;&#039;: The user may be required to pass a security check &amp;quot;wall&amp;quot;. While usually automatic for the user, this can affect legitimate bots. When a website protection service such as [[Cloudflare]] is not confident as to whether the visitor is legitimate, it may present a CAPTCHA to be manually filled out. An example is &amp;quot;Google Sorry&amp;quot;, a CAPTCHA wall frequently seen when using Google Search via a VPN.&lt;br /&gt;
*&#039;&#039;&#039;Login walls&#039;&#039;&#039;: Should bots be found to pass CAPTCHA walls, the website may advance to requiring logging in to view content. A major recent example of this is [[YouTube]]&#039;s &amp;quot;Sign in to confirm you&#039;re not a bot&amp;quot; messages.&lt;br /&gt;
*&#039;&#039;&#039;JavaScript requirement&#039;&#039;&#039;: Most websites do not need JavaScript to deliver their content. However, as many scrapers expect content to be found directly in the HTML, it is often an easy workaround to use JavaScript to &amp;quot;insert&amp;quot; the content after the page has loaded. This may reduce the responsiveness of the website, increase points of failure, and prevent security-conscious users who disable JavaScript from viewing the website.&lt;br /&gt;
*&#039;&#039;&#039;IP address blocking&#039;&#039;&#039;: Blocking IP addresses, especially by blocking entire providers via their [[wikipedia:Autonomous system (Internet)|autonomous system number]], always comes with some risk of blocking legitimate users. Particularly, this may restrict access to users making use of a VPN.&lt;br /&gt;
*&#039;&#039;&#039;Heuristic blocking&#039;&#039;&#039;: Patterns in request headers may give away that the request is being made by an unethical bot, despite attempts to act as a legitimate visitor. Heuristics are imperfect and may block legitimate users, especially those that may use less common browsers.&lt;br /&gt;
&lt;br /&gt;
In rare situations, a website operator may redirect detected bot traffic, such as to download speed test files hosted by ISPs containing multiple gigabytes of random garbage data. This may have the effect of disrupting the bot, but its effectiveness is unknown.&lt;br /&gt;
&lt;br /&gt;
The need to respond to unethical scraping also further consolidates the web into the control of a few large [[wikipedia:Web application firewall|web application firewall]] (WAF) services, most notably [[Cloudflare]], as website owners find themselves otherwise unable to protect their service from being disrupted by such traffic.&lt;br /&gt;
&lt;br /&gt;
===Case studies===&lt;br /&gt;
====Diaspora====&lt;br /&gt;
On 27 December 2024, the open-source social network project Diaspora noted that 70% of traffic across its infrastructure was in service of AI scrapers.&amp;lt;ref name=&amp;quot;geraspora&amp;quot;&amp;gt;https://pod.geraspora.de/posts/17342163&amp;lt;/ref&amp;gt; Particularly, the project noted that bots had followed links to crawl every individual edit in their [[#MediaWiki|MediaWiki]] instance, causing an exponential increase in the number of unique requests being made.&lt;br /&gt;
&lt;br /&gt;
====LVFS====&lt;br /&gt;
The [https://fwupd.org/ Linux Vendor Firmware Service] (LVFS) provides a free central store of firmware updates, such as for UEFI motherboards and SSD controllers. This feature is integrated with many Linux distributions through the &amp;lt;code&amp;gt;fwupd&amp;lt;/code&amp;gt; daemon. For situations where internet access is not permitted, the service allows users to make a local mirror of the entire 100+ GB store.&lt;br /&gt;
&lt;br /&gt;
On 9 January 2025, the project announced that it would introduce a login wall around its mirror feature, citing unnecessary use of its bandwidth.&amp;lt;ref&amp;gt;https://lore.kernel.org/lvfs-announce/zDlhotSvKqnMDfkCKaE_u4-8uvWsgkuj18ifLBwrLN9vWWrIJjrYQ-QfhpY3xuwIXuZgzOVajW99ymoWmijTdngeFRVjM0BxhPZquUzbDfM=@hughsie.com/T/&amp;lt;/ref&amp;gt; Up to 1,000 files may be downloaded per day without logging in. The author later mentioned on Mastodon that the problem appears to be caused by AI scraping.&amp;lt;ref&amp;gt;https://mastodon.social/@hughsie/113871373001227969&amp;lt;/ref&amp;gt;&lt;br /&gt;
&lt;br /&gt;
====LWN.net====&lt;br /&gt;
On 21 January 2025, Jonathan Corbet, maintainer of the Linux news website [[wikipedia:LWN.net|LWN.net]], made the following [https://social.kernel.org/notice/AqJkUigsjad3gQc664 post] to social.kernel.org:&lt;br /&gt;
&lt;br /&gt;
&amp;lt;blockquote&amp;gt;&lt;br /&gt;
Should you be wondering why @LWN #LWN is occasionally sluggish... since the new year, the DDOS onslaughts from AI-scraper bots has picked up considerably. Only a small fraction of our traffic is serving actual human readers at this point. At times, some bot decides to hit us from hundreds of IP addresses at once, clogging the works. They don&#039;t identify themselves as bots, and robots.txt is the only thing they *don&#039;t* read off the site.&lt;br /&gt;
&lt;br /&gt;
This is beyond unsustainable. We are going to have to put time into deploying some sort of active defenses just to keep the site online. I think I&#039;d even rather be writing about accounting systems than dealing with this cr*p. And it&#039;s not just us, of course; this behavior is going to wreck the net even more than it&#039;s already wrecked.&lt;br /&gt;
&amp;lt;/blockquote&amp;gt;&lt;br /&gt;
&lt;br /&gt;
He later commented:&amp;lt;ref&amp;gt;https://www.heise.de/en/news/AI-bots-paralyze-Linux-news-site-and-others-10252162.html&amp;lt;/ref&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;blockquote&amp;gt;&lt;br /&gt;
We do indeed see a kind of pattern. Every IP stays below the threshold for our fuses, but the overload is overwhelming. Any form of active defense will probably have to figure out to block entire subnets instead of individual addresses, and even that might not be enough.&lt;br /&gt;
&amp;lt;/blockquote&amp;gt;&lt;br /&gt;
&lt;br /&gt;
====MediaWiki, Wikipedia, and the Wikimedia Foundation====&lt;br /&gt;
[[wikipedia:MediaWiki|MediaWiki]] is of particular interest to LLM training due to the vast amount of factual, plain-text content wikis tend to hold. While [[wikipedia:Wikipedia|Wikipedia]] and the [[wikipedia:Wikimedia Foundation|Wikimedia Foundation]] host the most well-known wikis, numerous smaller wikis exist thanks to the work of many independent editors. The strength of wiki architecture is its ability for every edit to be audited by anyone, at any time - you can still view [https://en.wikipedia.org/w/index.php?oldid=1 the first edit to Wikipedia] from 2002. This makes wikis a hybrid of a static website and a dynamic web app, which becomes problematic when poorly-designed bots attempt to scrape them.&amp;lt;ref name=&amp;quot;geraspora&amp;quot; /&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;!-- COI alert: I, [[User:kirb]], am an admin for The Apple Wiki. Hopefully this is neutral enough?&lt;br /&gt;
--&amp;gt;The Apple Wiki, which documents internal details of Apple&#039;s hardware and software, holds more than 50,000 articles. On 2 August 2024, with a repeat occurrence on 5 January 2025, the service was disrupted by scraping efforts.&amp;lt;ref&amp;gt;https://theapplewiki.com/wiki/The_Apple_Wiki:Community_portal#Bot_traffic_abuse&amp;lt;/ref&amp;gt; The wiki contains a considerable amount of information that is scraped by legitimate security research tools, making it difficult for the website to block non-legitimate requests. Efforts to block unethical scraping and protect the wiki have disrupted these legitimate tools. The large article count, combined with more than 280,000 total edits over the wiki&#039;s lifetime, creates an untenable situation where it is simply not possible to scrape the website without causing significant service disruption.&lt;br /&gt;
&lt;br /&gt;
On 1 April 2025, the Wikimedia Foundation indicated that its infrastructure has been under increasing pressure from content scraping bots since January 2024, with the particularly critical metric that &amp;quot;65% of our most expensive traffic comes from bots&amp;quot;, despite estimating 35% of all traffic as coming from bots. A blog post provides an example where bot traffic caused the [[wikipedia:Wikimedia Commons|Wikimedia Commons]] service to become unstable during a human traffic spike. The Foundation is considering introduction of a Responsible Use of Infrastructure policy to ensure the continued stability of their services.&amp;lt;ref&amp;gt;https://diff.wikimedia.org/2025/04/01/how-crawlers-impact-the-operations-of-the-wikimedia-projects/&amp;lt;/ref&amp;gt;&lt;br /&gt;
&lt;br /&gt;
====Perplexity AI and news outlets====&lt;br /&gt;
[[Perplexity AI]], founded in August 2022, is a large language model that aims to be viewed as a general search engine. It encourages users to consume news through its summaries of stories.&lt;br /&gt;
&lt;br /&gt;
On 15 June 2024, an investigation by Apple blog MacStories found that Perplexity does not follow its own documented policies when accessing content the user requests from the web. In their testing, the scraper pretended to be Chrome 111 running on Windows 10, connecting from an IP address not found in Perplexity&#039;s publicly-listed IP address ranges.&amp;lt;ref&amp;gt;https://rknight.me/blog/perplexity-ai-is-lying-about-its-user-agent/&amp;lt;/ref&amp;gt; MacStories&#039; findings were confirmed by a WIRED investigation.&amp;lt;ref&amp;gt;https://www.wired.com/story/perplexity-is-a-bullshit-machine/&amp;lt;/ref&amp;gt; Perplexity responded by removing its list of IP addresses.&lt;br /&gt;
&lt;br /&gt;
On 27 June 2024, [[Amazon]] announced an investigation into Perplexity AI, suggesting the behavior may be considered abusive under Amazon Web Services terms of service:&amp;lt;ref name=&amp;quot;perplexity-aws&amp;quot;&amp;gt;https://www.wired.com/story/aws-perplexity-bot-scraping-investigation/&amp;lt;/ref&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;blockquote&amp;gt;&lt;br /&gt;
&amp;quot;AWS&#039;s terms of service prohibit abusive and illegal activities and our customers are responsible for complying with those terms,&amp;quot; [AWS spokesperson Patrick] Neighorn said in a statement. &amp;quot;We routinely receive reports of alleged abuse from a variety of sources and engage our customers to understand those reports.&amp;quot;&lt;br /&gt;
&amp;lt;/blockquote&amp;gt;&lt;br /&gt;
&lt;br /&gt;
====SourceHut====&lt;br /&gt;
On 17 March 2025, the Git source code host SourceHut announced that the service was being disrupted by large language model crawlers. Mitigations deployed to reduce disruption involved requiring login for some areas of the service, and blocking IP ranges of cloud providers, affecting legitimate use of the website by its users.&amp;lt;ref&amp;gt;https://status.sr.ht/issues/2025-03-17-git.sr.ht-llms/&amp;lt;/ref&amp;gt;&lt;br /&gt;
&lt;br /&gt;
==Privacy concerns of online AI models==&lt;br /&gt;
There are several concerns with using online AI models like [[ChatGPT]] ([[OpenAI]]), not only because they are proprietary, but also because there is no guarantee as to where your data ends up being stored or what it is used for. Recent developments in local AI models offer an alternative to these online AI models, as they work offline once they are downloaded from platforms like HuggingFace.&amp;lt;ref&amp;gt;https://huggingface.co/&amp;lt;/ref&amp;gt; Common models to run include Llama ([[Meta]]), DeepSeek ([[DeepSeek]]), Phi ([[Microsoft]]), Mistral ([[Mistral AI]]), and Gemma ([[Google]]).&lt;br /&gt;
&lt;br /&gt;
==References==&lt;br /&gt;
&amp;lt;references /&amp;gt;&lt;br /&gt;
&lt;br /&gt;
[[Category:Artificial intelligence]]&lt;/div&gt;</summary>
		<author><name>Kirb</name></author>
	</entry>
	<entry>
		<id>https://mirror.consumerrights.wiki/index.php?title=Artificial_intelligence&amp;diff=11939</id>
		<title>Artificial intelligence</title>
		<link rel="alternate" type="text/html" href="https://mirror.consumerrights.wiki/index.php?title=Artificial_intelligence&amp;diff=11939"/>
		<updated>2025-03-18T07:43:42Z</updated>

		<summary type="html">&lt;p&gt;Kirb: /* Case studies */ Add SourceHut&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;&#039;&#039;&#039;Artificial intelligence&#039;&#039;&#039; (AI) is a field of computer science producing software that aims to ultimately replace all manual labor. AI is not a new concept - it has been of interest as early as the 1950s. Since the November 2022 launch of [[ChatGPT]], [[wikipedia:Large language model|large language model]] (LLM) chatbots have been a main focus of the industry, with billions of dollars in funding allocated to producing more &amp;quot;intelligent&amp;quot; LLMs. Also a significant focus are [[wikipedia:Text-to-image model|text-to-image models]], which &amp;quot;draw&amp;quot; an image using written instructions, and [[wikipedia:Text-to-video model|text-to-video models]], which extend the text-to-image concept across several smooth video frames.&lt;br /&gt;
&lt;br /&gt;
[[wikipedia:Generative artificial intelligence|Generative artificial intelligence]] models are trained through vast amounts of existing human-generated content. Using the example of an LLM, by learning about common trends in sentence structure, the model is able to form complete sentences and show artificial &amp;quot;knowledge&amp;quot; of a topic. The artificial nature may cause [[wikipedia:Hallucination (artificial intelligence)|hallucination]] through confidently-written, but mostly or entirely incorrect, output.&lt;br /&gt;
&lt;br /&gt;
The current well-funded, lucrative industry of artificial intelligence tools has resulted in rampant unethical use of content. Startups intending to produce AI services have been scraping the internet for content to train future models at a concerning pace, with no regard for copyright law, as members of the field are concerned that they are approaching the limit of publicly-available content to train from.&amp;lt;ref&amp;gt;https://observer.com/2024/12/openai-cofounder-ilya-sutskever-ai-data-peak/&amp;lt;/ref&amp;gt;&lt;br /&gt;
&lt;br /&gt;
==Unethical website scraping==&lt;br /&gt;
While &amp;quot;mainstream&amp;quot; companies such as [[OpenAI]], [[Anthropic]], and [[Meta]] appear to correctly follow industry-standard practice for web crawlers, others ignore it, causing [[wikipedia:Denial-of-service attack|distributed denial of service attacks]] which damage access to freely-accessible websites. This is particularly an issue for websites that are large or contain many dynamic links.&lt;br /&gt;
&lt;br /&gt;
Ethical website scrapers, known as &amp;quot;spiders&amp;quot; that crawl the web, follow a certain set of minimum guidelines. Specifically, they follow [[wikipedia:robots.txt|robots.txt]], a text file found at the root of a domain that indicates:&lt;br /&gt;
&lt;br /&gt;
*Paths bots are allowed to index&lt;br /&gt;
*Paths bots should not index&lt;br /&gt;
*How long the bot should wait in between requests to the server, to reduce load&lt;br /&gt;
*The [[wikipedia:Sitemaps|sitemap]] of the website&#039;s content&lt;br /&gt;
&lt;br /&gt;
These rules are typically configured for all bots, with minor adjustments made to individual bots as needed. Additionally, specific web pages may use the [[wikipedia:noindex|robots meta tag]] to control use of their output.&lt;br /&gt;
&lt;br /&gt;
While it is good practice for a bot to respect robots.txt, there is no requirement for it, and there is no punishment for not following a website&#039;s wishes. It is additionally standard practice, but in no way enforced, that bots use a [[wikipedia:User-Agent header|User-Agent header]] to uniquely identify themselves. This allows a website operator to observe a bot&#039;s traffic patterns, potentially blocking the bot outright if its scraping is not desirable. The header also typically contains a URL or email address that can be used to contact the bot&#039;s operator in case of anomalies observed in its traffic.&lt;br /&gt;
&lt;br /&gt;
Unethical AI scraper bots do not follow robots.txt - in fact, they may not even request this file at all. They typically completely ignore it, instead opting to start from an entry point such as the root home page (&amp;lt;code&amp;gt;/&amp;lt;/code&amp;gt;), working their way through an exponentially growing list of links as they find them, with little to no delay between requests. The bots use false User-Agent header strings that would correspond to real web browsers on desktop or mobile operating systems - blocking them would also block legitimate users, or at least legitimate users on VPNs.&lt;br /&gt;
&lt;br /&gt;
Some AI services opt to use separate User-Agent strings, potentially also ignoring robots.txt, when a request is made through user command rather than as part of model training. For example, ChatGPT identifies itself as &amp;lt;code&amp;gt;ChatGPT-User&amp;lt;/code&amp;gt; rather than its standard &amp;lt;code&amp;gt;OpenAI&amp;lt;/code&amp;gt; when it uses the &amp;quot;search the web&amp;quot; command - even if searching the web was an automatic decision. In a less favorable example, Perplexity AI in this same situation falsely identifies as a standard Chrome web browser running on Windows. AI companies defend this under the belief that they are not a &amp;quot;spider&amp;quot;, but rather a &amp;quot;user agent&amp;quot; (like a web browser), when called upon by a user&#039;s request.&amp;lt;ref name=&amp;quot;perplexity-aws&amp;quot; /&amp;gt;&lt;br /&gt;
&lt;br /&gt;
Less legitimate bots use a wide distribution of IP addresses, further reducing options for the website to protect itself. This is in a clear attempt to bypass IP-based request throttling and rate limiting the website may implement. They are also known to ignore HTTP response status codes that indicate a server error ([[wikipedia:HTTP status code#5xx server errors|5xx]]), or warnings that the client needs to slow down ([[wikipedia:HTTP status code#429|429 Too Many Requests]]) or has been entirely blocked ([[wikipedia:HTTP status code#403|403 Forbidden]]).&lt;br /&gt;
&lt;br /&gt;
===Effect on users===&lt;br /&gt;
To protect against unethical crawlers, due to concerns of both intellectual property and service disruption, websites adopt practices that affect the experience of real users:&lt;br /&gt;
&lt;br /&gt;
*&#039;&#039;&#039;Bot check walls&#039;&#039;&#039;: The user may be required to pass a security check &amp;quot;wall&amp;quot;. While usually automatic for the user, this can affect legitimate bots. When a website protection service such as [[Cloudflare]] is not confident as to whether the visitor is legitimate, it may present a CAPTCHA to be manually filled out. An example is &amp;quot;Google Sorry&amp;quot;, a CAPTCHA wall frequently seen when using Google Search via a VPN.&lt;br /&gt;
*&#039;&#039;&#039;Login walls&#039;&#039;&#039;: Should bots be found to pass CAPTCHA walls, the website may advance to requiring logging in to view content. A major recent example of this is [[YouTube]]&#039;s &amp;quot;Sign in to confirm you&#039;re not a bot&amp;quot; messages.&lt;br /&gt;
*&#039;&#039;&#039;JavaScript requirement&#039;&#039;&#039;: Most websites do not need JavaScript to deliver their content. However, as many scrapers expect content to be found directly in the HTML, it is often an easy workaround to use JavaScript to &amp;quot;insert&amp;quot; the content after the page has loaded. This may reduce the responsiveness of the website, increase points of failure, and prevent security-conscious users who disable JavaScript from viewing the website.&lt;br /&gt;
*&#039;&#039;&#039;IP address blocking&#039;&#039;&#039;: Blocking IP addresses, especially by blocking entire providers via their [[wikipedia:Autonomous system (Internet)|autonomous system number]], always comes with some risk of blocking legitimate users. Particularly, this may restrict access to users making use of a VPN.&lt;br /&gt;
*&#039;&#039;&#039;Heuristic blocking&#039;&#039;&#039;: Patterns in request headers may give away that the request is being made by an unethical bot, despite attempts to act as a legitimate visitor. Heuristics are imperfect and may block legitimate users, especially those that may use less common browsers.&lt;br /&gt;
&lt;br /&gt;
In rare situations, a website operator may redirect detected bot traffic, such as to download speed test files hosted by ISPs containing multiple gigabytes of random garbage data. This may have the effect of disrupting the bot, but its effectiveness is unknown.&lt;br /&gt;
&lt;br /&gt;
The need to respond to unethical scraping also further consolidates the web into the control of a few large [[wikipedia:Web application firewall|web application firewall]] (WAF) services, most notably [[Cloudflare]], as website owners find themselves otherwise unable to protect their service from being disrupted by such traffic.&lt;br /&gt;
&lt;br /&gt;
===Case studies===&lt;br /&gt;
====Diaspora====&lt;br /&gt;
On 27 December 2024, the open-source social network project Diaspora noted that 70% of traffic across its infrastructure was in service of AI scrapers.&amp;lt;ref name=&amp;quot;geraspora&amp;quot;&amp;gt;https://pod.geraspora.de/posts/17342163&amp;lt;/ref&amp;gt; Particularly, the project noted that bots had followed links to crawl every individual edit in their [[#MediaWiki|MediaWiki]] instance, causing an exponential increase in the number of unique requests being made.&lt;br /&gt;
&lt;br /&gt;
====LVFS====&lt;br /&gt;
The [https://fwupd.org/ Linux Vendor Firmware Service] (LVFS) provides a free central store of firmware updates, such as for UEFI motherboards and SSD controllers. This feature is integrated with many Linux distributions through the &amp;lt;code&amp;gt;fwupd&amp;lt;/code&amp;gt; daemon. For situations where internet access is not permitted, the service allows users to make a local mirror of the entire 100+ GB store.&lt;br /&gt;
&lt;br /&gt;
On 9 January 2025, the project announced that it would introduce a login wall around its mirror feature, citing unnecessary use of its bandwidth.&amp;lt;ref&amp;gt;https://lore.kernel.org/lvfs-announce/zDlhotSvKqnMDfkCKaE_u4-8uvWsgkuj18ifLBwrLN9vWWrIJjrYQ-QfhpY3xuwIXuZgzOVajW99ymoWmijTdngeFRVjM0BxhPZquUzbDfM=@hughsie.com/T/&amp;lt;/ref&amp;gt; Up to 1,000 files may be downloaded per day without logging in. The author later mentioned on Mastodon that the problem appears to be caused by AI scraping.&amp;lt;ref&amp;gt;https://mastodon.social/@hughsie/113871373001227969&amp;lt;/ref&amp;gt;&lt;br /&gt;
&lt;br /&gt;
====LWN.net====&lt;br /&gt;
On 21 January 2025, Jonathan Corbet, maintainer of the Linux news website [[wikipedia:LWN.net|LWN.net]], made the following [https://social.kernel.org/notice/AqJkUigsjad3gQc664 post] to social.kernel.org:&lt;br /&gt;
&lt;br /&gt;
&amp;lt;blockquote&amp;gt;&lt;br /&gt;
Should you be wondering why @LWN #LWN is occasionally sluggish... since the new year, the DDOS onslaughts from AI-scraper bots has picked up considerably. Only a small fraction of our traffic is serving actual human readers at this point. At times, some bot decides to hit us from hundreds of IP addresses at once, clogging the works. They don&#039;t identify themselves as bots, and robots.txt is the only thing they *don&#039;t* read off the site.&lt;br /&gt;
&lt;br /&gt;
This is beyond unsustainable. We are going to have to put time into deploying some sort of active defenses just to keep the site online. I think I&#039;d even rather be writing about accounting systems than dealing with this cr*p. And it&#039;s not just us, of course; this behavior is going to wreck the net even more than it&#039;s already wrecked.&lt;br /&gt;
&amp;lt;/blockquote&amp;gt;&lt;br /&gt;
&lt;br /&gt;
He later commented:&amp;lt;ref&amp;gt;https://www.heise.de/en/news/AI-bots-paralyze-Linux-news-site-and-others-10252162.html&amp;lt;/ref&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;blockquote&amp;gt;&lt;br /&gt;
We do indeed see a kind of pattern. Every IP stays below the threshold for our fuses, but the overload is overwhelming. Any form of active defense will probably have to figure out to block entire subnets instead of individual addresses, and even that might not be enough.&lt;br /&gt;
&amp;lt;/blockquote&amp;gt;&lt;br /&gt;
&lt;br /&gt;
====MediaWiki====&lt;br /&gt;
[[wikipedia:MediaWiki|MediaWiki]] is of particular interest to LLM training due to the vast amount of factual, plain-text content wikis tend to hold. While [[wikipedia:Wikipedia|Wikipedia]] and the [[wikipedia:Wikimedia Foundation|Wikimedia Foundation]] host the most well-known wikis, numerous smaller wikis exist thanks to the work of many independent editors. The strength of wiki architecture is its ability for every edit to be audited by anyone, at any time - you can still view [https://en.wikipedia.org/w/index.php?oldid=1 the first edit to Wikipedia] from 2002. This makes wikis a hybrid of a static website and a dynamic web app, which becomes problematic when poorly-designed bots attempt to scrape them.&amp;lt;ref name=&amp;quot;geraspora&amp;quot; /&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;!-- COI alert: I, [[User:kirb]], am an admin for The Apple Wiki. Hopefully this is neutral enough?&lt;br /&gt;
--&amp;gt;The Apple Wiki, which documents internal details of Apple&#039;s hardware and software, holds more than 50,000 articles. On 2 August 2024, with a repeat occurrence on 5 January 2025, the service was disrupted by scraping efforts.&amp;lt;ref&amp;gt;https://theapplewiki.com/wiki/The_Apple_Wiki:Community_portal#Bot_traffic_abuse&amp;lt;/ref&amp;gt; The wiki contains a considerable amount of information that is scraped by legitimate security research tools, making it difficult for the website to block non-legitimate requests. Efforts to block unethical scraping and protect the wiki have disrupted these legitimate tools. The large article count, combined with more than 280,000 total edits over the wiki&#039;s lifetime, creates an untenable situation where it is simply not possible to scrape the website without causing significant service disruption.&lt;br /&gt;
&lt;br /&gt;
====Perplexity AI and news outlets====&lt;br /&gt;
[[Perplexity AI]], founded in August 2022, is a large language model that aims to be viewed as a general search engine. It encourages users to consume news through its summaries of stories.&lt;br /&gt;
&lt;br /&gt;
On 15 June 2024, an investigation by Apple blog MacStories found that Perplexity does not follow its own documented policies when accessing content the user requests from the web. In their testing, the scraper pretended to be Chrome 111 running on Windows 10, connecting from an IP address not found in Perplexity&#039;s publicly-listed IP address ranges.&amp;lt;ref&amp;gt;https://rknight.me/blog/perplexity-ai-is-lying-about-its-user-agent/&amp;lt;/ref&amp;gt; MacStories&#039; findings were confirmed by a WIRED investigation.&amp;lt;ref&amp;gt;https://www.wired.com/story/perplexity-is-a-bullshit-machine/&amp;lt;/ref&amp;gt; Perplexity responded by removing its list of IP addresses.&lt;br /&gt;
&lt;br /&gt;
On 27 June 2024, [[Amazon]] announced an investigation into Perplexity AI, suggesting the behavior may be considered abusive under Amazon Web Services terms of service:&amp;lt;ref name=&amp;quot;perplexity-aws&amp;quot;&amp;gt;https://www.wired.com/story/aws-perplexity-bot-scraping-investigation/&amp;lt;/ref&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;blockquote&amp;gt;&lt;br /&gt;
&amp;quot;AWS&#039;s terms of service prohibit abusive and illegal activities and our customers are responsible for complying with those terms,&amp;quot; [AWS spokesperson Patrick] Neighorn said in a statement. &amp;quot;We routinely receive reports of alleged abuse from a variety of sources and engage our customers to understand those reports.&amp;quot;&lt;br /&gt;
&amp;lt;/blockquote&amp;gt;&lt;br /&gt;
&lt;br /&gt;
====SourceHut====&lt;br /&gt;
On 17 March 2025, the Git source code host SourceHut announced that the service was being disrupted by large language model crawlers. Mitigations deployed to reduce disruption involved requiring login for some areas of the service, and blocking IP ranges of cloud providers, affecting legitimate use of the website by its users.&amp;lt;ref&amp;gt;https://status.sr.ht/issues/2025-03-17-git.sr.ht-llms/&amp;lt;/ref&amp;gt;&lt;br /&gt;
&lt;br /&gt;
==Privacy concerns of online AI models==&lt;br /&gt;
There are several concerns with using online AI models like [[ChatGPT]] ([[OpenAI]]), not only because they are proprietary, but also because there is no guarantee as to where your data ends up being stored or what it is used for. Recent developments in local AI models offer an alternative to these online AI models, as they work offline once they are downloaded from platforms like HuggingFace.&amp;lt;ref&amp;gt;https://huggingface.co/&amp;lt;/ref&amp;gt; Common models to run include Llama ([[Meta]]), DeepSeek ([[DeepSeek]]), Phi ([[Microsoft]]), Mistral ([[Mistral AI]]), and Gemma ([[Google]]).&lt;br /&gt;
&lt;br /&gt;
==References==&lt;br /&gt;
&amp;lt;references /&amp;gt;&lt;br /&gt;
&lt;br /&gt;
[[Category:Artificial intelligence]]&lt;/div&gt;</summary>
		<author><name>Kirb</name></author>
	</entry>
	<entry>
		<id>https://mirror.consumerrights.wiki/index.php?title=Artificial_intelligence&amp;diff=9859</id>
		<title>Artificial intelligence</title>
		<link rel="alternate" type="text/html" href="https://mirror.consumerrights.wiki/index.php?title=Artificial_intelligence&amp;diff=9859"/>
		<updated>2025-02-25T05:30:30Z</updated>

		<summary type="html">&lt;p&gt;Kirb: /* Perplexity AI and news outlets */ Clarify it&amp;#039;s not about robots.txt, just general anti-abuse rules&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;&#039;&#039;&#039;Artificial intelligence&#039;&#039;&#039; (AI) is a field of computer science producing software that aims to ultimately replace all manual labor. AI is not a new concept - it has been of interest as early as the 1950s. Since the November 2022 launch of [[ChatGPT]], [[wikipedia:Large language model|large language model]] (LLM) chatbots have been a main focus of the industry, with billions of dollars in funding allocated to producing more &amp;quot;intelligent&amp;quot; LLMs. Also a significant focus are [[wikipedia:Text-to-image model|text-to-image models]], which &amp;quot;draw&amp;quot; an image using written instructions, and [[wikipedia:Text-to-video model|text-to-video models]], which extend the text-to-image concept across several smooth video frames.&lt;br /&gt;
&lt;br /&gt;
[[wikipedia:Generative artificial intelligence|Generative artificial intelligence]] models are trained through vast amounts of existing human-generated content. Using the example of an LLM, by learning about common trends in sentence structure, the model is able to form complete sentences and show artificial &amp;quot;knowledge&amp;quot; of a topic. The artificial nature may cause [[wikipedia:Hallucination (artificial intelligence)|hallucination]] through confidently-written, but mostly or entirely incorrect, output.&lt;br /&gt;
&lt;br /&gt;
The current well-funded, lucrative industry of artificial intelligence tools has resulted in rampant unethical use of content. Startups intending to produce AI services have been scraping the internet for content to train future models at a concerning pace, with no regard for copyright law, as members of the field are concerned that they are approaching the limit of publicly-available content to train from.&amp;lt;ref&amp;gt;https://observer.com/2024/12/openai-cofounder-ilya-sutskever-ai-data-peak/&amp;lt;/ref&amp;gt;&lt;br /&gt;
&lt;br /&gt;
==Unethical website scraping==&lt;br /&gt;
While &amp;quot;mainstream&amp;quot; companies such as [[OpenAI]], [[Anthropic]], and [[Meta]] appear to correctly follow industry-standard practice for web crawlers, others ignore it, causing [[wikipedia:Denial-of-service attack|distributed denial-of-service attacks]] that damage access to freely accessible websites. This is particularly an issue for websites that are large or contain many dynamic links.&lt;br /&gt;
&lt;br /&gt;
Ethical website scrapers, known as &amp;quot;spiders&amp;quot; that crawl the web, follow a certain set of minimum guidelines. Specifically, they follow [[wikipedia:robots.txt|robots.txt]], a text file found at the root of a domain that indicates:&lt;br /&gt;
&lt;br /&gt;
*Paths bots are allowed to index&lt;br /&gt;
*Paths bots should not index&lt;br /&gt;
*How long the bot should wait in between requests to the server, to reduce load&lt;br /&gt;
*The [[wikipedia:Sitemaps|sitemap]] of the website&#039;s content&lt;br /&gt;
&lt;br /&gt;
These rules are typically configured for all bots, with minor adjustments made to individual bots as needed. Additionally, specific web pages may use the [[wikipedia:noindex|robots meta tag]] to control use of their output.&lt;br /&gt;
&lt;br /&gt;
While it is good practice for a bot to respect robots.txt, there is no requirement for it, and there is no punishment for not following a website&#039;s wishes. It is additionally standard practice, but in no way enforced, that bots use a [[wikipedia:User-Agent header|User-Agent header]] to uniquely identify themselves. This allows a website operator to observe a bot&#039;s traffic patterns, potentially blocking the bot outright if its scraping is not desirable. The header also typically contains a URL or email address that can be used to contact the operator in case of anomalies observed in its traffic.&lt;br /&gt;
&lt;br /&gt;
Unethical AI scraper bots do not follow robots.txt - in fact, they may not even request this file at all. They typically completely ignore it, instead opting to start from an entry point such as the root home page (&amp;lt;code&amp;gt;/&amp;lt;/code&amp;gt;), working their way through an exponentially growing list of links as they find them, with little to no delay between requests. The bots use false User-Agent header strings that would correspond to real web browsers on desktop or mobile operating systems - blocking them would also block legitimate users, or at least legitimate users on VPNs.&lt;br /&gt;
&lt;br /&gt;
Some AI services opt to use separate User-Agent strings, potentially also ignoring robots.txt, when a request is made through user command rather than as part of model training. For example, ChatGPT identifies itself as &amp;lt;code&amp;gt;ChatGPT-User&amp;lt;/code&amp;gt; rather than its standard &amp;lt;code&amp;gt;OpenAI&amp;lt;/code&amp;gt; when it uses the &amp;quot;search the web&amp;quot; command - even if searching the web was an automatic decision. In a less favorable example, Perplexity AI in this same situation falsely identifies as a standard Chrome web browser running on Windows. AI companies defend this under the belief that they are not a &amp;quot;spider&amp;quot;, but rather a &amp;quot;user agent&amp;quot; (like a web browser), when called upon by a user&#039;s request.&amp;lt;ref name=&amp;quot;perplexity-aws&amp;quot; /&amp;gt;&lt;br /&gt;
&lt;br /&gt;
Less legitimate bots use a wide distribution of IP addresses, further reducing options for the website to protect itself. This is in a clear attempt to bypass IP-based request throttling and rate limiting the website may implement. They are also known to ignore HTTP response status codes that indicate a server error ([[wikipedia:HTTP status code#5xx server errors|5xx]]), or warnings that the client needs to slow down ([[wikipedia:HTTP status code#429|429 Too Many Requests]]) or has been entirely blocked ([[wikipedia:HTTP status code#403|403 Forbidden]]).&lt;br /&gt;
&lt;br /&gt;
===Effect on users===&lt;br /&gt;
To protect against unethical crawlers, due to concerns of both intellectual property and service disruption, websites adopt practices that affect the experience of real users:&lt;br /&gt;
&lt;br /&gt;
*&#039;&#039;&#039;Bot check walls&#039;&#039;&#039;: The user may be required to pass a security check &amp;quot;wall&amp;quot;. While usually automatic for the user, this can affect legitimate bots. When a website protection service such as [[Cloudflare]] is not confident as to whether the visitor is legitimate, it may present a CAPTCHA to be manually filled out. An example is &amp;quot;Google Sorry&amp;quot;, a CAPTCHA wall frequently seen when using Google Search via a VPN.&lt;br /&gt;
*&#039;&#039;&#039;Login walls&#039;&#039;&#039;: Should bots be found to pass CAPTCHA walls, the website may advance to requiring logging in to view content. A major recent example of this is [[YouTube]]&#039;s &amp;quot;Sign in to confirm you&#039;re not a bot&amp;quot; messages.&lt;br /&gt;
*&#039;&#039;&#039;JavaScript requirement&#039;&#039;&#039;: Most websites do not need JavaScript to deliver their content. However, as many scrapers expect content to be found directly in the HTML, it is often an easy workaround to use JavaScript to &amp;quot;insert&amp;quot; the content after the page has loaded. This may reduce the responsiveness of the website, increasing points of failure, and preventing security-conscious users who disable JavaScript from viewing the website.&lt;br /&gt;
*&#039;&#039;&#039;IP address blocking&#039;&#039;&#039;: Blocking IP addresses, especially by blocking entire providers via their [[wikipedia:Autonomous system (Internet)|autonomous system number]], always comes with some risk of blocking legitimate users. Particularly, this may restrict access to users making use of a VPN.&lt;br /&gt;
*&#039;&#039;&#039;Heuristic blocking&#039;&#039;&#039;: Patterns in request headers may give away that the request is being made by an unethical bot, despite attempts to act as a legitimate visitor. Heuristics are imperfect and may block legitimate users, especially those that may use less common browsers.&lt;br /&gt;
&lt;br /&gt;
In rare situations, a website operator may redirect detected bot traffic, such as to download speed test files hosted by ISPs containing multiple gigabytes of random garbage data. This may have the effect of disrupting the bot, but its effectiveness is unknown.&lt;br /&gt;
&lt;br /&gt;
The need to respond to unethical scraping also further consolidates the web into the control of a few large [[wikipedia:Web application firewall|web application firewall]] (WAF) services, most notably [[Cloudflare]], as website owners find themselves otherwise unable to protect their service from being disrupted by such traffic.&lt;br /&gt;
&lt;br /&gt;
===Case studies===&lt;br /&gt;
====Diaspora====&lt;br /&gt;
On 27 December 2024, the open-source social network project Diaspora noted that 70% of traffic across its infrastructure was in service of AI scrapers.&amp;lt;ref name=&amp;quot;geraspora&amp;quot;&amp;gt;https://pod.geraspora.de/posts/17342163&amp;lt;/ref&amp;gt; Particularly, the project noted that bots had followed links to crawl every individual edit in their [[#MediaWiki|MediaWiki]] instance, causing an exponential increase in the number of unique requests being made.&lt;br /&gt;
&lt;br /&gt;
====LVFS====&lt;br /&gt;
The [https://fwupd.org/ Linux Vendor Firmware Service] (LVFS) provides a free central store of firmware updates, such as for UEFI motherboards and SSD controllers. This feature is integrated with many Linux distributions through the &amp;lt;code&amp;gt;fwupd&amp;lt;/code&amp;gt; daemon. For situations where internet access is not permitted, the service allows users to make a local mirror of the entire 100+ GB store.&lt;br /&gt;
&lt;br /&gt;
On 9 January 2025, the project announced that it would introduce a login wall around its mirror feature, citing unnecessary use of its bandwidth.&amp;lt;ref&amp;gt;https://lore.kernel.org/lvfs-announce/zDlhotSvKqnMDfkCKaE_u4-8uvWsgkuj18ifLBwrLN9vWWrIJjrYQ-QfhpY3xuwIXuZgzOVajW99ymoWmijTdngeFRVjM0BxhPZquUzbDfM=@hughsie.com/T/&amp;lt;/ref&amp;gt; Up to 1,000 files may be downloaded per day without logging in. The author later mentioned on Mastodon that the problem appears to be caused by AI scraping.&amp;lt;ref&amp;gt;https://mastodon.social/@hughsie/113871373001227969&amp;lt;/ref&amp;gt;&lt;br /&gt;
&lt;br /&gt;
====LWN.net====&lt;br /&gt;
On 21 January 2025, Jonathan Corbet, maintainer of the Linux news website [[wikipedia:LWN.net|LWN.net]], made the following [https://social.kernel.org/notice/AqJkUigsjad3gQc664 post] to social.kernel.org:&lt;br /&gt;
&lt;br /&gt;
&amp;lt;blockquote&amp;gt;&lt;br /&gt;
Should you be wondering why @LWN #LWN is occasionally sluggish... since the new year, the DDOS onslaughts from AI-scraper bots has picked up considerably. Only a small fraction of our traffic is serving actual human readers at this point. At times, some bot decides to hit us from hundreds of IP addresses at once, clogging the works. They don&#039;t identify themselves as bots, and robots.txt is the only thing they *don&#039;t* read off the site.&lt;br /&gt;
&lt;br /&gt;
This is beyond unsustainable. We are going to have to put time into deploying some sort of active defenses just to keep the site online. I think I&#039;d even rather be writing about accounting systems than dealing with this cr*p. And it&#039;s not just us, of course; this behavior is going to wreck the net even more than it&#039;s already wrecked.&lt;br /&gt;
&amp;lt;/blockquote&amp;gt;&lt;br /&gt;
&lt;br /&gt;
He later commented:&amp;lt;ref&amp;gt;https://www.heise.de/en/news/AI-bots-paralyze-Linux-news-site-and-others-10252162.html&amp;lt;/ref&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;blockquote&amp;gt;&lt;br /&gt;
We do indeed see a kind of pattern. Every IP stays below the threshold for our fuses, but the overload is overwhelming. Any form of active defense will probably have to figure out to block entire subnets instead of individual addresses, and even that might not be enough.&lt;br /&gt;
&amp;lt;/blockquote&amp;gt;&lt;br /&gt;
&lt;br /&gt;
====MediaWiki====&lt;br /&gt;
[[wikipedia:MediaWiki|MediaWiki]] is of particular interest to LLM training due to the vast amount of factual, plain-text content wikis tend to hold. While [[wikipedia:Wikipedia|Wikipedia]] and the [[wikipedia:Wikimedia Foundation|Wikimedia Foundation]] host the most well-known wikis, numerous smaller wikis exist thanks to the work of many independent editors. The strength of wiki architecture is its ability for every edit to be audited by anyone, at any time - you can still view [https://en.wikipedia.org/w/index.php?oldid=1 the first edit to Wikipedia] from 2002. This makes wikis a hybrid of a static website and a dynamic web app, which becomes problematic when poorly-designed bots attempt to scrape them.&amp;lt;ref name=&amp;quot;geraspora&amp;quot; /&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;!-- COI alert: I, [[User:kirb]], am an admin for The Apple Wiki. Hopefully this is neutral enough?&lt;br /&gt;
--&amp;gt;The Apple Wiki, which documents internal details of Apple&#039;s hardware and software, holds more than 50,000 articles. On 2 August 2024, with a repeat occurrence on 5 January 2025, the service was disrupted by scraping efforts.&amp;lt;ref&amp;gt;https://theapplewiki.com/wiki/The_Apple_Wiki:Community_portal#Bot_traffic_abuse&amp;lt;/ref&amp;gt; The wiki contains a considerable amount of information that is scraped by legitimate security research tools, making it difficult for the website to block non-legitimate requests. Efforts to block unethical scraping and protect the wiki have disrupted these legitimate tools. The large article count, combined with more than 280,000 total edits over the wiki&#039;s lifetime, creates an untenable situation where it is simply not possible to scrape the website without causing significant service disruption.&lt;br /&gt;
&lt;br /&gt;
====Perplexity AI and news outlets====&lt;br /&gt;
[[Perplexity AI]], founded in August 2022, is a large language model that aims to be viewed as a general search engine. It encourages users to consume news through its summaries of stories.&lt;br /&gt;
&lt;br /&gt;
On 15 June 2024, an investigation by Apple blog MacStories found that Perplexity does not follow its own documented policies when accessing content the user requests from the web. In their testing, the scraper pretended to be Chrome 111 running on Windows 10, connecting from an IP address not found in Perplexity&#039;s publicly-listed IP address ranges.&amp;lt;ref&amp;gt;https://rknight.me/blog/perplexity-ai-is-lying-about-its-user-agent/&amp;lt;/ref&amp;gt; MacStories&#039; findings were confirmed by a WIRED investigation.&amp;lt;ref&amp;gt;https://www.wired.com/story/perplexity-is-a-bullshit-machine/&amp;lt;/ref&amp;gt; Perplexity responded by removing its list of IP addresses.&lt;br /&gt;
&lt;br /&gt;
On 27 June 2024, [[Amazon]] announced an investigation into Perplexity AI, suggesting the behavior may be considered abusive under Amazon Web Services terms of service:&amp;lt;ref name=&amp;quot;perplexity-aws&amp;quot;&amp;gt;https://www.wired.com/story/aws-perplexity-bot-scraping-investigation/&amp;lt;/ref&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;blockquote&amp;gt;&lt;br /&gt;
&amp;quot;AWS&#039;s terms of service prohibit abusive and illegal activities and our customers are responsible for complying with those terms,&amp;quot; [AWS spokesperson Patrick] Neighorn said in a statement. &amp;quot;We routinely receive reports of alleged abuse from a variety of sources and engage our customers to understand those reports.&amp;quot;&lt;br /&gt;
&amp;lt;/blockquote&amp;gt;&lt;br /&gt;
&lt;br /&gt;
==Privacy concerns of online AI models==&lt;br /&gt;
There are several concerns with using online AI models like [[ChatGPT]] ([[OpenAI]]), not only because they are proprietary, but also because there is no guarantee as to where your data ends up being stored or what it is used for. Recent developments in local AI models offer an alternative to these online AI models, as they work offline once they are downloaded from platforms like HuggingFace.&amp;lt;ref&amp;gt;https://huggingface.co/&amp;lt;/ref&amp;gt; Common models to run include Llama ([[Meta]]), DeepSeek ([[DeepSeek]]), Phi ([[Microsoft]]), Mistral ([[Mistral AI]]), and Gemma ([[Google]]).&lt;br /&gt;
&lt;br /&gt;
==References==&lt;br /&gt;
&amp;lt;references /&amp;gt;&lt;br /&gt;
&lt;br /&gt;
[[Category:Artificial intelligence]]&lt;/div&gt;</summary>
		<author><name>Kirb</name></author>
	</entry>
	<entry>
		<id>https://mirror.consumerrights.wiki/index.php?title=Category:Motorola&amp;diff=7761</id>
		<title>Category:Motorola</title>
		<link rel="alternate" type="text/html" href="https://mirror.consumerrights.wiki/index.php?title=Category:Motorola&amp;diff=7761"/>
		<updated>2025-02-03T05:35:08Z</updated>

		<summary type="html">&lt;p&gt;Kirb: Created page with &amp;quot;Category:Mobile phone companies&amp;quot;&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;[[Category:Mobile phone companies]]&lt;/div&gt;</summary>
		<author><name>Kirb</name></author>
	</entry>
	<entry>
		<id>https://mirror.consumerrights.wiki/index.php?title=Category:Nike&amp;diff=7760</id>
		<title>Category:Nike</title>
		<link rel="alternate" type="text/html" href="https://mirror.consumerrights.wiki/index.php?title=Category:Nike&amp;diff=7760"/>
		<updated>2025-02-03T05:33:25Z</updated>

		<summary type="html">&lt;p&gt;Kirb: Created page with &amp;quot;Category:Clothing companies&amp;quot;&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;[[Category:Clothing companies]]&lt;/div&gt;</summary>
		<author><name>Kirb</name></author>
	</entry>
	<entry>
		<id>https://mirror.consumerrights.wiki/index.php?title=Category:NanoGUARD&amp;diff=7759</id>
		<title>Category:NanoGUARD</title>
		<link rel="alternate" type="text/html" href="https://mirror.consumerrights.wiki/index.php?title=Category:NanoGUARD&amp;diff=7759"/>
		<updated>2025-02-03T05:33:09Z</updated>

		<summary type="html">&lt;p&gt;Kirb: Created page with &amp;quot;Category:Actnano&amp;quot;&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;[[Category:Actnano]]&lt;/div&gt;</summary>
		<author><name>Kirb</name></author>
	</entry>
	<entry>
		<id>https://mirror.consumerrights.wiki/index.php?title=Category:Muzio_Player&amp;diff=7758</id>
		<title>Category:Muzio Player</title>
		<link rel="alternate" type="text/html" href="https://mirror.consumerrights.wiki/index.php?title=Category:Muzio_Player&amp;diff=7758"/>
		<updated>2025-02-03T05:33:01Z</updated>

		<summary type="html">&lt;p&gt;Kirb: Created page with &amp;quot;Category:Red Sky Labs&amp;quot;&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;[[Category:Red Sky Labs]]&lt;/div&gt;</summary>
		<author><name>Kirb</name></author>
	</entry>
	<entry>
		<id>https://mirror.consumerrights.wiki/index.php?title=Category:EduVULCAN&amp;diff=7757</id>
		<title>Category:EduVULCAN</title>
		<link rel="alternate" type="text/html" href="https://mirror.consumerrights.wiki/index.php?title=Category:EduVULCAN&amp;diff=7757"/>
		<updated>2025-02-03T05:32:50Z</updated>

		<summary type="html">&lt;p&gt;Kirb: Created page with &amp;quot;Category:Educational technology companies&amp;quot;&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;[[Category:Educational technology companies]]&lt;/div&gt;</summary>
		<author><name>Kirb</name></author>
	</entry>
	<entry>
		<id>https://mirror.consumerrights.wiki/index.php?title=Category:Disney&amp;diff=7756</id>
		<title>Category:Disney</title>
		<link rel="alternate" type="text/html" href="https://mirror.consumerrights.wiki/index.php?title=Category:Disney&amp;diff=7756"/>
		<updated>2025-02-03T05:32:40Z</updated>

		<summary type="html">&lt;p&gt;Kirb: Created page with &amp;quot;Category:Entertainment companies&amp;quot;&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;[[Category:Entertainment companies]]&lt;/div&gt;</summary>
		<author><name>Kirb</name></author>
	</entry>
	<entry>
		<id>https://mirror.consumerrights.wiki/index.php?title=Category:Ally_Invest_Securities&amp;diff=7755</id>
		<title>Category:Ally Invest Securities</title>
		<link rel="alternate" type="text/html" href="https://mirror.consumerrights.wiki/index.php?title=Category:Ally_Invest_Securities&amp;diff=7755"/>
		<updated>2025-02-03T05:32:32Z</updated>

		<summary type="html">&lt;p&gt;Kirb: Created page with &amp;quot;Category:Financial services companies&amp;quot;&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;[[Category:Financial services companies]]&lt;/div&gt;</summary>
		<author><name>Kirb</name></author>
	</entry>
	<entry>
		<id>https://mirror.consumerrights.wiki/index.php?title=Category:BMW&amp;diff=7754</id>
		<title>Category:BMW</title>
		<link rel="alternate" type="text/html" href="https://mirror.consumerrights.wiki/index.php?title=Category:BMW&amp;diff=7754"/>
		<updated>2025-02-03T05:32:23Z</updated>

		<summary type="html">&lt;p&gt;Kirb: Created page with &amp;quot;Category:Automotive companies&amp;quot;&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;[[Category:Automotive companies]]&lt;/div&gt;</summary>
		<author><name>Kirb</name></author>
	</entry>
	<entry>
		<id>https://mirror.consumerrights.wiki/index.php?title=FUTO&amp;diff=7752</id>
		<title>FUTO</title>
		<link rel="alternate" type="text/html" href="https://mirror.consumerrights.wiki/index.php?title=FUTO&amp;diff=7752"/>
		<updated>2025-02-03T05:27:51Z</updated>

		<summary type="html">&lt;p&gt;Kirb: Fix category&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;{{InfoboxCompany&lt;br /&gt;
| Name = FUTO&lt;br /&gt;
| Type = Private&lt;br /&gt;
| Founded = 2021&lt;br /&gt;
| Industry = Technology&lt;br /&gt;
| Official Website = https://www.futo.org/&lt;br /&gt;
| Logo = Futo header logo.svg&lt;br /&gt;
}}&lt;br /&gt;
[https://futo.org/ FUTO], founded in 2021 by [[Eron Wolf]] (a software developer and noteworthy investor in [[What&#039;s app]]{{Citation needed}}), is an organization that develops applications and sponsors [[FOSS]] ([[wikipedia:Free_and_open-source_software|free and open source]]) software projects as well as other independent software projects that align with their principles.&amp;lt;ref&amp;gt;https://futo.org/about/what-is-futo/&amp;lt;/ref&amp;gt;&amp;lt;ref&amp;gt;https://futo.org/grants/&amp;lt;/ref&amp;gt; FUTO has enabled the development of notable apps, such as [[Immich]], FUTO Keyboard, and [[GrayJay]].&lt;br /&gt;
&lt;br /&gt;
Eron Wolf hired [[Louis Rossmann - Video Directory|Louis Rossmann]]&amp;lt;ref&amp;gt;https://en.wikipedia.org/wiki/Louis_Rossmann&amp;lt;/ref&amp;gt; in 2022 as Director of Community Outreach.&amp;lt;ref&amp;gt;https://www.linkedin.com/in/louis-rossmann-3a5396292&amp;lt;/ref&amp;gt;&lt;br /&gt;
&lt;br /&gt;
[https://keyboard.futo.org/ FUTO Keyboard] is a keyboard app for [[Android]]-based operating systems which offers many modern typing features like localized voice input, swipe typing, and autocorrect, while respecting the purchaser&#039;s rights.&lt;br /&gt;
&lt;br /&gt;
FUTO has been criticized for using their own definition of the term &amp;quot;open source&amp;quot;&amp;lt;ref&amp;gt;https://danb.me/blog/futo-open-source-definition/&amp;lt;/ref&amp;gt; and claiming their applications are &amp;quot;open source&amp;quot;, when their license does not meet the [https://opensource.org/osd OSI&#039;s definition of the term]. FUTO has since changed their wording.&amp;lt;ref&amp;gt;https://www.futo.org/about/futo-statement-on-opensource/&amp;lt;/ref&amp;gt;&lt;br /&gt;
&lt;br /&gt;
==Organization&#039;s objectives &amp;amp; principles==&lt;br /&gt;
&lt;br /&gt;
===Three pledges===&lt;br /&gt;
&lt;br /&gt;
*FUTO&#039;s first pledge is to &amp;quot;never sell out. All FUTO companies and FUTO-funded projects are expected to remain fiercely independent.&amp;quot; &amp;lt;ref&amp;gt;https://futo.org/about/what-is-futo/&amp;lt;/ref&amp;gt;&lt;br /&gt;
*FUTO&#039;s second pledge is to never abuse its customers.&lt;br /&gt;
*FUTO&#039;s third pledge is to be devoted to transparency and to making high-quality open-source software.&lt;br /&gt;
&lt;br /&gt;
===Ethical Capitalism===&lt;br /&gt;
FUTO is legally a for-profit C-Corporation,&amp;lt;ref&amp;gt;https://futo.org/about/futo-faq/&amp;lt;/ref&amp;gt; but as of 2025, according to Louis Rossmann, Director of Community Outreach at FUTO,{{Citation needed}} it is in no way profitable to its sole owner &amp;amp; investor [[Eron Wolf]], and their stated financial goal is to operate fiercely independently and &amp;quot;never sell out.&amp;quot;&lt;br /&gt;
&lt;br /&gt;
===The Five Pillars of FUTO-ey Software===&lt;br /&gt;
&amp;quot; 1. Source First /Open Source If people are to have control over the computers in their lives, they must have the capability to inspect and modify the software running on them.&lt;br /&gt;
&lt;br /&gt;
2. Self Manageable Servers (if applicable) Servers should be Source First too. It should be relatively easy for a user to run their own server for whatever service their client software needs.&lt;br /&gt;
&lt;br /&gt;
3. Sovereign Identity (if applicable) Servers must allow the user to authenticate with a private/public key pair. Email and phone number authentication is sensible for normies, but it must always be possible for a user to transition to using a sovereign mechanism.&lt;br /&gt;
&lt;br /&gt;
4. Open Databases (if applicable) Crowdsourced content should never be kept hidden in a silo by the crowdsourcer. The creator of the content most likely intended for their work to be distributed as widely as possible. The crowdsourcer must provide reasonable mechanisms for the content to be distributed by others.&lt;br /&gt;
&lt;br /&gt;
5. End-to-end Encryption (if possible) Servers should never be able to leverage their man in the middle status to discern the content of communications between their users.&lt;br /&gt;
&lt;br /&gt;
0. Don’t Suck This applies to all software, FUTO-ey or not. We have accomplished nothing if our software is sluggish, unreliable, or lacks key features. Our clients need to be delightful. Our servers need to help our clients be delightful. &amp;quot; &amp;lt;ref&amp;gt;https://futo.org/about/what-is-futo/&amp;lt;/ref&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
==References==&lt;br /&gt;
{{reflist}}&lt;br /&gt;
&lt;br /&gt;
[[Category:Software companies]]&lt;/div&gt;</summary>
		<author><name>Kirb</name></author>
	</entry>
	<entry>
		<id>https://mirror.consumerrights.wiki/index.php?title=Category:Sony_X900H&amp;diff=7751</id>
		<title>Category:Sony X900H</title>
		<link rel="alternate" type="text/html" href="https://mirror.consumerrights.wiki/index.php?title=Category:Sony_X900H&amp;diff=7751"/>
		<updated>2025-02-03T05:26:11Z</updated>

		<summary type="html">&lt;p&gt;Kirb: Created page with &amp;quot;Category:Sony&amp;quot;&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;[[Category:Sony]]&lt;/div&gt;</summary>
		<author><name>Kirb</name></author>
	</entry>
	<entry>
		<id>https://mirror.consumerrights.wiki/index.php?title=Category:Sony_WF-1000XM4&amp;diff=7750</id>
		<title>Category:Sony WF-1000XM4</title>
		<link rel="alternate" type="text/html" href="https://mirror.consumerrights.wiki/index.php?title=Category:Sony_WF-1000XM4&amp;diff=7750"/>
		<updated>2025-02-03T05:26:04Z</updated>

		<summary type="html">&lt;p&gt;Kirb: Created page with &amp;quot;Category:Sony&amp;quot;&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;[[Category:Sony]]&lt;/div&gt;</summary>
		<author><name>Kirb</name></author>
	</entry>
	<entry>
		<id>https://mirror.consumerrights.wiki/index.php?title=Category:Logitech_G_HUB&amp;diff=7748</id>
		<title>Category:Logitech G HUB</title>
		<link rel="alternate" type="text/html" href="https://mirror.consumerrights.wiki/index.php?title=Category:Logitech_G_HUB&amp;diff=7748"/>
		<updated>2025-02-03T05:24:43Z</updated>

		<summary type="html">&lt;p&gt;Kirb: Created page with &amp;quot;Category:Logitech&amp;quot;&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;[[Category:Logitech]]&lt;/div&gt;</summary>
		<author><name>Kirb</name></author>
	</entry>
	<entry>
		<id>https://mirror.consumerrights.wiki/index.php?title=Category:IKEA_%C3%85SKV%C3%84DER&amp;diff=7747</id>
		<title>Category:IKEA ÅSKVÄDER</title>
		<link rel="alternate" type="text/html" href="https://mirror.consumerrights.wiki/index.php?title=Category:IKEA_%C3%85SKV%C3%84DER&amp;diff=7747"/>
		<updated>2025-02-03T05:24:36Z</updated>

		<summary type="html">&lt;p&gt;Kirb: Created page with &amp;quot;Category:IKEA&amp;quot;&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;[[Category:IKEA]]&lt;/div&gt;</summary>
		<author><name>Kirb</name></author>
	</entry>
	<entry>
		<id>https://mirror.consumerrights.wiki/index.php?title=Category:Hisense_H9G_Smart_TV&amp;diff=7746</id>
		<title>Category:Hisense H9G Smart TV</title>
		<link rel="alternate" type="text/html" href="https://mirror.consumerrights.wiki/index.php?title=Category:Hisense_H9G_Smart_TV&amp;diff=7746"/>
		<updated>2025-02-03T05:24:25Z</updated>

		<summary type="html">&lt;p&gt;Kirb: Created page with &amp;quot;Category:Hisense&amp;quot;&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;[[Category:Hisense]]&lt;/div&gt;</summary>
		<author><name>Kirb</name></author>
	</entry>
	<entry>
		<id>https://mirror.consumerrights.wiki/index.php?title=Category:Canon_Camera_Connect&amp;diff=7745</id>
		<title>Category:Canon Camera Connect</title>
		<link rel="alternate" type="text/html" href="https://mirror.consumerrights.wiki/index.php?title=Category:Canon_Camera_Connect&amp;diff=7745"/>
		<updated>2025-02-03T05:24:15Z</updated>

		<summary type="html">&lt;p&gt;Kirb: Created page with &amp;quot;Category:Canon&amp;quot;&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;[[Category:Canon]]&lt;/div&gt;</summary>
		<author><name>Kirb</name></author>
	</entry>
	<entry>
		<id>https://mirror.consumerrights.wiki/index.php?title=Category:Apple_App_Store&amp;diff=7743</id>
		<title>Category:Apple App Store</title>
		<link rel="alternate" type="text/html" href="https://mirror.consumerrights.wiki/index.php?title=Category:Apple_App_Store&amp;diff=7743"/>
		<updated>2025-02-03T05:21:16Z</updated>

		<summary type="html">&lt;p&gt;Kirb: Created page with &amp;quot;Category:Apple&amp;quot;&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;[[Category:Apple]]&lt;/div&gt;</summary>
		<author><name>Kirb</name></author>
	</entry>
	<entry>
		<id>https://mirror.consumerrights.wiki/index.php?title=Artificial_intelligence&amp;diff=6177</id>
		<title>Artificial intelligence</title>
		<link rel="alternate" type="text/html" href="https://mirror.consumerrights.wiki/index.php?title=Artificial_intelligence&amp;diff=6177"/>
		<updated>2025-01-28T07:48:30Z</updated>

		<summary type="html">&lt;p&gt;Kirb: /* Case studies */ Trying to make wiki section even more neutral&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;&#039;&#039;&#039;Artificial intelligence&#039;&#039;&#039; (AI) is a field of computer science producing software that aims to ultimately replace all manual labor. AI is not a new concept - it has been of interest as early as the 1950s. Since the November 2022 launch of [[ChatGPT]], [[wikipedia:Large language model|large language model]] (LLM) chatbots have been a main focus of the industry, with billions of dollars in funding allocated to producing more &amp;quot;intelligent&amp;quot; LLMs. Also a significant focus are [[wikipedia:Text-to-image model|text-to-image models]], which &amp;quot;draw&amp;quot; an image using written instructions, and [[wikipedia:Text-to-video model|text-to-video models]], which extend the text-to-image concept across several smooth video frames.&lt;br /&gt;
&lt;br /&gt;
[[wikipedia:Generative artificial intelligence|Generative artificial intelligence]] models are trained through vast amounts of existing human-generated content. Using the example of an LLM, by learning about common trends in sentence structure, the model is able to form complete sentences and show artificial &amp;quot;knowledge&amp;quot; of a topic. The artificial nature may cause [[wikipedia:Hallucination (artificial intelligence)|hallucination]] through confidently-written, but mostly or entirely incorrect, output.&lt;br /&gt;
&lt;br /&gt;
The current well-funded, lucrative industry of artificial intelligence tools has resulted in rampant unethical use of content. Startups intending to produce AI services have been scraping the internet for content to train future models at a concerning pace, with no regard for copyright law, as members of the field are concerned that they are approaching the limit of publicly-available content to train from.&amp;lt;ref&amp;gt;https://observer.com/2024/12/openai-cofounder-ilya-sutskever-ai-data-peak/&amp;lt;/ref&amp;gt;&lt;br /&gt;
&lt;br /&gt;
== Unethical website scraping ==&lt;br /&gt;
While &amp;quot;mainstream&amp;quot; companies such as [[OpenAI]], [[Anthropic]], and [[Meta]] appear to correctly follow industry-standard practice for web crawlers, others ignore it, causing [[wikipedia:Denial-of-service attack|distributed denial-of-service attacks]] that damage access to freely accessible websites. This is particularly an issue for websites that are large or contain many dynamic links.&lt;br /&gt;
&lt;br /&gt;
Ethical website scrapers, known as &amp;quot;spiders&amp;quot; that crawl the web, follow a certain set of minimum guidelines. Specifically, they follow [[wikipedia:robots.txt|robots.txt]], a text file found at the root of a domain that indicates:&lt;br /&gt;
&lt;br /&gt;
* Paths bots are allowed to index&lt;br /&gt;
* Paths bots should not index&lt;br /&gt;
* How long the bot should wait in between requests to the server, to reduce load&lt;br /&gt;
* The [[wikipedia:Sitemaps|sitemap]] of the website&#039;s content&lt;br /&gt;
&lt;br /&gt;
These rules are typically configured for all bots, with minor adjustments made to individual bots as needed. Additionally, specific web pages may use the [[wikipedia:noindex|robots meta tag]] to control use of their output.&lt;br /&gt;
&lt;br /&gt;
While it is good practice for a bot to respect robots.txt, there is no requirement for it, and there is no punishment for not following a website&#039;s wishes. It is additionally standard practice, but in no way enforced, that bots use a [[wikipedia:User-Agent header|User-Agent header]] to uniquely identify themselves. This allows a website operator to observe a bot&#039;s traffic patterns, potentially blocking the bot outright if its scraping is not desirable. The header also typically contains a URL or email address that can be used to contact the operator in case of anomalies observed in its traffic.&lt;br /&gt;
&lt;br /&gt;
Unethical AI scraper bots do not follow robots.txt - in fact, they may not even request this file at all. They typically completely ignore it, instead opting to start from an entry point such as the root home page (&amp;lt;code&amp;gt;/&amp;lt;/code&amp;gt;), working their way through an exponentially growing list of links as they find them, with little to no delay between requests. The bots use false User-Agent header strings that would correspond to real web browsers on desktop or mobile operating systems - blocking them would also block legitimate users, or at least legitimate users on VPNs.&lt;br /&gt;
&lt;br /&gt;
Some AI services opt to use separate User-Agent strings, potentially also ignoring robots.txt, when a request is made through user command rather than as part of model training. For example, ChatGPT identifies itself as &amp;lt;code&amp;gt;ChatGPT-User&amp;lt;/code&amp;gt; rather than its standard &amp;lt;code&amp;gt;OpenAI&amp;lt;/code&amp;gt; when it uses the &amp;quot;search the web&amp;quot; command - even if searching the web was an automatic decision. In a less favorable example, Perplexity AI in this same situation falsely identifies as a standard Chrome web browser running on Windows. AI companies defend this under the belief that they are not a &amp;quot;spider&amp;quot;, but rather a &amp;quot;user agent&amp;quot; (like a web browser), when called upon by a user&#039;s request.&amp;lt;ref name=&amp;quot;perplexity-aws&amp;quot; /&amp;gt;&lt;br /&gt;
&lt;br /&gt;
Less legitimate bots use a wide distribution of IP addresses, further reducing options for the website to protect itself. This is in a clear attempt to bypass IP-based request throttling and rate limiting the website may implement. They are also known to ignore HTTP response status codes that indicate a server error ([[wikipedia:HTTP status code#5xx server errors|5xx]]), or warnings that the client needs to slow down ([[wikipedia:HTTP status code#429|429 Too Many Requests]]) or has been entirely blocked ([[wikipedia:HTTP status code#403|403 Forbidden]]).&lt;br /&gt;
&lt;br /&gt;
=== Effect on users ===&lt;br /&gt;
To protect against unethical crawlers, due to concerns of both intellectual property and service disruption, websites adopt practices that affect the experience of real users:&lt;br /&gt;
&lt;br /&gt;
* &#039;&#039;&#039;Bot check walls&#039;&#039;&#039;: The user may be required to pass a security check &amp;quot;wall&amp;quot;. While usually automatic for the user, this can affect legitimate bots. When a website protection service such as [[Cloudflare]] is not confident as to whether the visitor is legitimate, it may present a CAPTCHA to be manually filled out. An example is &amp;quot;Google Sorry&amp;quot;, a CAPTCHA wall frequently seen when using Google Search via a VPN.&lt;br /&gt;
* &#039;&#039;&#039;Login walls&#039;&#039;&#039;: Should bots be found to pass CAPTCHA walls, the website may advance to requiring logging in to view content. A major recent example of this is [[YouTube]]&#039;s &amp;quot;Sign in to confirm you&#039;re not a bot&amp;quot; messages.&lt;br /&gt;
* &#039;&#039;&#039;JavaScript requirement&#039;&#039;&#039;: Most websites do not need JavaScript to deliver their content. However, as many scrapers expect content to be found directly in the HTML, it is often an easy workaround to use JavaScript to &amp;quot;insert&amp;quot; the content after the page has loaded. This may reduce the responsiveness of the website, increasing points of failure, and preventing security-conscious users who disable JavaScript from viewing the website.&lt;br /&gt;
* &#039;&#039;&#039;IP address blocking&#039;&#039;&#039;: Blocking IP addresses, especially by blocking entire providers via their [[wikipedia:Autonomous system (Internet)|autonomous system number]], always comes with some risk of blocking legitimate users. Particularly, this may restrict access to users making use of a VPN.&lt;br /&gt;
* &#039;&#039;&#039;Heuristic blocking&#039;&#039;&#039;: Patterns in request headers may give away that the request is being made by an unethical bot, despite attempts to act as a legitimate visitor. Heuristics are imperfect and may block legitimate users, especially those that may use less common browsers.&lt;br /&gt;
&lt;br /&gt;
In rare situations, a website operator may redirect detected bot traffic, such as to download speed test files hosted by ISPs containing multiple gigabytes of random garbage data. This may have the effect of disrupting the bot, but its effectiveness is unknown.&lt;br /&gt;
&lt;br /&gt;
The need to respond to unethical scraping also further consolidates the web into the control of a few large [[wikipedia:Web application firewall|web application firewall]] (WAF) services, most notably [[Cloudflare]], as website owners find themselves otherwise unable to protect their service from being disrupted by such traffic.&lt;br /&gt;
&lt;br /&gt;
=== Case studies ===&lt;br /&gt;
==== Diaspora ====&lt;br /&gt;
On 27 December 2024, the open-source social network project Diaspora noted that 70% of traffic across its infrastructure was in service of AI scrapers.&amp;lt;ref name=&amp;quot;geraspora&amp;quot;&amp;gt;https://pod.geraspora.de/posts/17342163&amp;lt;/ref&amp;gt; Particularly, the project noted that bots had followed links to crawl every individual edit in their [[#MediaWiki|MediaWiki]] instance, causing an exponential increase in the number of unique requests being made.&lt;br /&gt;
&lt;br /&gt;
==== LVFS ====&lt;br /&gt;
The [https://fwupd.org/ Linux Vendor Firmware Service] (LVFS) provides a free central store of firmware updates, such as for UEFI motherboards and SSD controllers. This feature is integrated with many Linux distributions through the &amp;lt;code&amp;gt;fwupd&amp;lt;/code&amp;gt; daemon. For situations where internet access is not permitted, the service allows users to make a local mirror of the entire 100+ GB store.&lt;br /&gt;
&lt;br /&gt;
On 9 January 2025, the project announced that it would introduce a login wall around its mirror feature, citing unnecessary use of its bandwidth.&amp;lt;ref&amp;gt;https://lore.kernel.org/lvfs-announce/zDlhotSvKqnMDfkCKaE_u4-8uvWsgkuj18ifLBwrLN9vWWrIJjrYQ-QfhpY3xuwIXuZgzOVajW99ymoWmijTdngeFRVjM0BxhPZquUzbDfM=@hughsie.com/T/&amp;lt;/ref&amp;gt; Up to 1,000 files may be downloaded per day without logging in. The author later mentioned on Mastodon that the problem appears to be caused by AI scraping.&amp;lt;ref&amp;gt;https://mastodon.social/@hughsie/113871373001227969&amp;lt;/ref&amp;gt;&lt;br /&gt;
&lt;br /&gt;
==== LWN.net ====&lt;br /&gt;
On 21 January 2025, Jonathan Corbet, maintainer of the Linux news website [[wikipedia:LWN.net|LWN.net]], made the following [https://social.kernel.org/notice/AqJkUigsjad3gQc664 post] to social.kernel.org:&lt;br /&gt;
&lt;br /&gt;
&amp;lt;blockquote&amp;gt;&lt;br /&gt;
Should you be wondering why @LWN #LWN is occasionally sluggish... since the new year, the DDOS onslaughts from AI-scraper bots has picked up considerably. Only a small fraction of our traffic is serving actual human readers at this point. At times, some bot decides to hit us from hundreds of IP addresses at once, clogging the works. They don&#039;t identify themselves as bots, and robots.txt is the only thing they *don&#039;t* read off the site.&lt;br /&gt;
&lt;br /&gt;
This is beyond unsustainable. We are going to have to put time into deploying some sort of active defenses just to keep the site online. I think I&#039;d even rather be writing about accounting systems than dealing with this cr*p. And it&#039;s not just us, of course; this behavior is going to wreck the net even more than it&#039;s already wrecked.&lt;br /&gt;
&amp;lt;/blockquote&amp;gt;&lt;br /&gt;
&lt;br /&gt;
He later commented:&amp;lt;ref&amp;gt;https://www.heise.de/en/news/AI-bots-paralyze-Linux-news-site-and-others-10252162.html&amp;lt;/ref&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;blockquote&amp;gt;&lt;br /&gt;
We do indeed see a kind of pattern. Every IP stays below the threshold for our fuses, but the overload is overwhelming. Any form of active defense will probably have to figure out to block entire subnets instead of individual addresses, and even that might not be enough.&lt;br /&gt;
&amp;lt;/blockquote&amp;gt;&lt;br /&gt;
&lt;br /&gt;
==== MediaWiki ====&lt;br /&gt;
[[wikipedia:MediaWiki|MediaWiki]] is of particular interest to LLM training due to the vast amount of factual, plain-text content wikis tend to hold. While [[wikipedia:Wikipedia|Wikipedia]] and the [[wikipedia:Wikimedia Foundation|Wikimedia Foundation]] host the most well-known wikis, numerous smaller wikis exist thanks to the work of many independent editors. The strength of wiki architecture is its ability for every edit to be audited by anyone, at any time - you can still view [https://en.wikipedia.org/w/index.php?oldid=1 the first edit to Wikipedia] from 2002. This makes wikis a hybrid of a static website and a dynamic web app, which becomes problematic when poorly-designed bots attempt to scrape them.&amp;lt;ref name=&amp;quot;geraspora&amp;quot; /&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;!-- COI alert: I, [[User:kirb]], am an admin for The Apple Wiki. Hopefully this is neutral enough?&lt;br /&gt;
--&amp;gt;The Apple Wiki, which documents internal details of Apple&#039;s hardware and software, holds more than 50,000 articles. On 2 August 2024, with a repeat occurrence on 5 January 2025, the service was disrupted by scraping efforts.&amp;lt;ref&amp;gt;https://theapplewiki.com/wiki/The_Apple_Wiki:Community_portal#Bot_traffic_abuse&amp;lt;/ref&amp;gt; The wiki contains a considerable amount of information that is scraped by legitimate security research tools, making it difficult for the website to block non-legitimate requests. Efforts to block unethical scraping and protect the wiki have disrupted these legitimate tools. The large article count, combined with more than 280,000 total edits over the wiki&#039;s lifetime, creates an untenable situation where it is simply not possible to scrape the website without causing significant service disruption.&lt;br /&gt;
&lt;br /&gt;
==== Perplexity AI and news outlets ====&lt;br /&gt;
[[Perplexity AI]], founded in August 2022, is a large language model that aims to be viewed as a general search engine. It encourages users to consume news through its summaries of stories.&lt;br /&gt;
&lt;br /&gt;
On 15 June 2024, Apple blog MacStories found that Perplexity does not follow its own documented policies when accessing content the user requests from the web. In their testing, the scraper pretended to be Chrome 111 running on Windows 10, connecting from an IP address not found in Perplexity&#039;s posted IP address ranges.&amp;lt;ref&amp;gt;https://rknight.me/blog/perplexity-ai-is-lying-about-its-user-agent/&amp;lt;/ref&amp;gt; Two days later, this was corroborated by WIRED.&amp;lt;ref&amp;gt;https://www.wired.com/story/perplexity-is-a-bullshit-machine/&amp;lt;/ref&amp;gt; Perplexity responded by removing its list of IP addresses.&lt;br /&gt;
&lt;br /&gt;
On 27 June 2024, [[Amazon]] announced an investigation into Perplexity AI, citing a terms of service clause requiring bots hosted on Amazon Web Services to honor robots.txt:&amp;lt;ref name=&amp;quot;perplexity-aws&amp;quot;&amp;gt;https://www.wired.com/story/aws-perplexity-bot-scraping-investigation/&amp;lt;/ref&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;blockquote&amp;gt;&lt;br /&gt;
&amp;quot;AWS&#039;s terms of service prohibit abusive and illegal activities and our customers are responsible for complying with those terms,&amp;quot; [AWS spokesperson Patrick] Neighorn said in a statement. &amp;quot;We routinely receive reports of alleged abuse from a variety of sources and engage our customers to understand those reports.&amp;quot;&lt;br /&gt;
&amp;lt;/blockquote&amp;gt;&lt;br /&gt;
&lt;br /&gt;
== References ==&lt;br /&gt;
&amp;lt;references /&amp;gt;&lt;br /&gt;
&lt;br /&gt;
[[Category:Artificial intelligence]]&lt;/div&gt;</summary>
		<author><name>Kirb</name></author>
	</entry>
	<entry>
		<id>https://mirror.consumerrights.wiki/index.php?title=Artificial_intelligence&amp;diff=6174</id>
		<title>Artificial intelligence</title>
		<link rel="alternate" type="text/html" href="https://mirror.consumerrights.wiki/index.php?title=Artificial_intelligence&amp;diff=6174"/>
		<updated>2025-01-28T07:28:14Z</updated>

		<summary type="html">&lt;p&gt;Kirb: +AI cat&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;&#039;&#039;&#039;Artificial intelligence&#039;&#039;&#039; (AI) is a field of computer science producing software that aims to ultimately replace all manual labor. AI is not a new concept - it has been of interest as early as the 1950s. Since the November 2022 launch of [[ChatGPT]], [[wikipedia:Large language model|large language model]] (LLM) chatbots have been a main focus of the industry, with billions of dollars in funding allocated to producing more &amp;quot;intelligent&amp;quot; LLMs. Also a significant focus are [[wikipedia:Text-to-image model|text-to-image models]], which &amp;quot;draw&amp;quot; an image using written instructions, and [[wikipedia:Text-to-video model|text-to-video models]], which extend the text-to-image concept across several smooth video frames.&lt;br /&gt;
&lt;br /&gt;
[[wikipedia:Generative artificial intelligence|Generative artificial intelligence]] models are trained through vast amounts of existing human-generated content. Using the example of an LLM, by learning about common trends in sentence structure, the model is able to form complete sentences and show artificial &amp;quot;knowledge&amp;quot; of a topic. The artificial nature may cause [[wikipedia:Hallucination (artificial intelligence)|hallucination]] through confidently-written, but mostly or entirely incorrect, output.&lt;br /&gt;
&lt;br /&gt;
The current well-funded, lucrative industry of artificial intelligence tools has resulted in rampant unethical use of content. Startups intending to produce AI services have been scraping the internet for content to train future models at a concerning pace, with no regard for copyright law, as members of the field are concerned that they are approaching the limit of publicly-available content to train from.&amp;lt;ref&amp;gt;https://observer.com/2024/12/openai-cofounder-ilya-sutskever-ai-data-peak/&amp;lt;/ref&amp;gt;&lt;br /&gt;
&lt;br /&gt;
== Unethical website scraping ==&lt;br /&gt;
While &amp;quot;mainstream&amp;quot; companies such as [[OpenAI]], [[Anthropic]], and [[Meta]] appear to correctly follow industry-standard practice for web crawlers, others ignore it, causing [[wikipedia:Denial-of-service attack|distributed denial of service attacks]] which damage access to freely-accessible websites. This is particularly an issue for websites that are large or contain many dynamic links.&lt;br /&gt;
&lt;br /&gt;
Ethical website scrapers, known as &amp;quot;spiders&amp;quot; that crawl the web, follow a certain set of minimum guidelines. Specifically, they follow [[wikipedia:robots.txt|robots.txt]], a text file found at the root of a domain that indicates:&lt;br /&gt;
&lt;br /&gt;
* Paths bots are allowed to index&lt;br /&gt;
* Paths bots should not index&lt;br /&gt;
* How long the bot should wait in between requests to the server, to reduce load&lt;br /&gt;
* The [[wikipedia:Sitemaps|sitemap]] of the website&#039;s content&lt;br /&gt;
&lt;br /&gt;
These rules are typically configured for all bots, with minor adjustments made to individual bots as needed. Additionally, specific web pages may use the [[wikipedia:noindex|robots meta tag]] to control use of their output.&lt;br /&gt;
&lt;br /&gt;
While it is good practice for a bot to respect robots.txt, there is no requirement for it, and there is no punishment for not following a website&#039;s wishes. It is additionally standard practice, but in no way enforced, that bots use a [[wikipedia:User-Agent header|User-Agent header]] to uniquely identify themselves. This allows a website operator to observe a bot&#039;s traffic patterns, potentially blocking the bot outright if its scraping is not desirable. The header also typically contains a URL or email address that can be used to contact the operator in case of anomalies observed in its traffic.&lt;br /&gt;
&lt;br /&gt;
Unethical AI scraper bots do not follow robots.txt - in fact, they may not even request this file at all. They typically completely ignore it, instead opting to start from an entry point such as the root home page (&amp;lt;code&amp;gt;/&amp;lt;/code&amp;gt;), working their way through an exponentially growing list of links as they find them, with little to no delay between requests. The bots use false User-Agent header strings that would correspond to real web browsers on desktop or mobile operating systems - blocking them would also block legitimate users, or at least legitimate users on VPNs.&lt;br /&gt;
&lt;br /&gt;
Some AI services opt to use separate User-Agent strings, potentially also ignoring robots.txt, when a request is made through user command rather than as part of model training. For example, ChatGPT identifies itself as &amp;lt;code&amp;gt;ChatGPT-User&amp;lt;/code&amp;gt; rather than its standard &amp;lt;code&amp;gt;OpenAI&amp;lt;/code&amp;gt; when it uses the &amp;quot;search the web&amp;quot; command - even if searching the web was an automatic decision. In a less favorable example, Perplexity AI in this same situation falsely identifies as a standard Chrome web browser running on Windows. AI companies defend this under the belief that they are not a &amp;quot;spider&amp;quot;, but rather a &amp;quot;user agent&amp;quot; (like a web browser), when called upon by a user&#039;s request.&amp;lt;ref name=&amp;quot;perplexity-aws&amp;quot; /&amp;gt;&lt;br /&gt;
&lt;br /&gt;
Less legitimate bots use a wide distribution of IP addresses, further reducing options for the website to protect itself. This is in a clear attempt to bypass IP-based request throttling and rate limiting the website may implement. They are also known to ignore HTTP response status codes that indicate a server error ([[wikipedia:HTTP status code#5xx server errors|5xx]]), or warnings that the client needs to slow down ([[wikipedia:HTTP status code#429|429 Too Many Requests]]) or has been entirely blocked ([[wikipedia:HTTP status code#403|403 Forbidden]]).&lt;br /&gt;
&lt;br /&gt;
=== Effect on users ===&lt;br /&gt;
To protect against unethical crawlers, due to concerns of both intellectual property and service disruption, websites adopt practices that affect the experience of real users:&lt;br /&gt;
&lt;br /&gt;
* &#039;&#039;&#039;Bot check walls&#039;&#039;&#039;: The user may be required to pass a security check &amp;quot;wall&amp;quot;. While usually automatic for the user, this can affect legitimate bots. When a website protection service such as [[Cloudflare]] is not confident as to whether the visitor is legitimate, it may present a CAPTCHA to be manually filled out. An example is &amp;quot;Google Sorry&amp;quot;, a CAPTCHA wall frequently seen when using Google Search via a VPN.&lt;br /&gt;
* &#039;&#039;&#039;Login walls&#039;&#039;&#039;: Should bots be found to pass CAPTCHA walls, the website may advance to requiring logging in to view content. A major recent example of this is [[YouTube]]&#039;s &amp;quot;Sign in to confirm you&#039;re not a bot&amp;quot; messages.&lt;br /&gt;
* &#039;&#039;&#039;JavaScript requirement&#039;&#039;&#039;: Most websites do not need JavaScript to deliver their content. However, as many scrapers expect content to be found directly in the HTML, it is often an easy workaround to use JavaScript to &amp;quot;insert&amp;quot; the content after the page has loaded. This may reduce the responsiveness of the website, increasing points of failure, and preventing security-conscious users who disable JavaScript from viewing the website.&lt;br /&gt;
* &#039;&#039;&#039;IP address blocking&#039;&#039;&#039;: Blocking IP addresses, especially by blocking entire providers via their [[wikipedia:Autonomous system (Internet)|autonomous system number]], always comes with some risk of blocking legitimate users. Particularly, this may restrict access to users making use of a VPN.&lt;br /&gt;
* &#039;&#039;&#039;Heuristic blocking&#039;&#039;&#039;: Patterns in request headers may give away that the request is being made by an unethical bot, despite attempts to act as a legitimate visitor. Heuristics are imperfect and may block legitimate users, especially those that may use less common browsers.&lt;br /&gt;
&lt;br /&gt;
In rare situations, a website operator may redirect detected bot traffic, such as to download speed test files hosted by ISPs containing multiple gigabytes of random garbage data. This may have the effect of disrupting the bot, but its effectiveness is unknown.&lt;br /&gt;
&lt;br /&gt;
The need to respond to unethical scraping also further consolidates the web into the control of a few large [[wikipedia:Web application firewall|web application firewall]] (WAF) services, most notably [[Cloudflare]], as website owners find themselves otherwise unable to protect their service from being disrupted by such traffic.&lt;br /&gt;
&lt;br /&gt;
=== Case studies ===&lt;br /&gt;
==== Diaspora ====&lt;br /&gt;
On 27 December 2024, the open-source social network project Diaspora noted that 70% of traffic across its infrastructure was in service of AI scrapers.&amp;lt;ref&amp;gt;https://pod.geraspora.de/posts/17342163&amp;lt;/ref&amp;gt; Particularly, the project noted that bots had followed links to crawl every individual edit in their [[wikipedia:MediaWiki|MediaWiki]] instance, causing an exponential increase in the number of unique requests being made.&lt;br /&gt;
&lt;br /&gt;
==== LVFS ====&lt;br /&gt;
The [https://fwupd.org/ Linux Vendor Firmware Service] (LVFS) provides a free central store of firmware updates, such as for UEFI motherboards and SSD controllers. This feature is integrated with many Linux distributions through the &amp;lt;code&amp;gt;fwupd&amp;lt;/code&amp;gt; daemon. For situations where internet access is not permitted, the service allows users to make a local mirror of the entire 100+ GB store.&lt;br /&gt;
&lt;br /&gt;
On 9 January 2025, the project announced that it would introduce a login wall around its mirror feature, citing unnecessary use of its bandwidth.&amp;lt;ref&amp;gt;https://lore.kernel.org/lvfs-announce/zDlhotSvKqnMDfkCKaE_u4-8uvWsgkuj18ifLBwrLN9vWWrIJjrYQ-QfhpY3xuwIXuZgzOVajW99ymoWmijTdngeFRVjM0BxhPZquUzbDfM=@hughsie.com/T/&amp;lt;/ref&amp;gt; Up to 1,000 files may be downloaded per day without logging in. The author later mentioned on Mastodon that the problem appears to be caused by AI scraping.&amp;lt;ref&amp;gt;https://mastodon.social/@hughsie/113871373001227969&amp;lt;/ref&amp;gt;&lt;br /&gt;
&lt;br /&gt;
==== LWN.net ====&lt;br /&gt;
On 21 January 2025, Jonathan Corbet, maintainer of the Linux news website [[wikipedia:LWN.net|LWN.net]], made the following [https://social.kernel.org/notice/AqJkUigsjad3gQc664 post] to social.kernel.org:&lt;br /&gt;
&lt;br /&gt;
&amp;lt;blockquote&amp;gt;&lt;br /&gt;
Should you be wondering why @LWN #LWN is occasionally sluggish... since the new year, the DDOS onslaughts from AI-scraper bots has picked up considerably. Only a small fraction of our traffic is serving actual human readers at this point. At times, some bot decides to hit us from hundreds of IP addresses at once, clogging the works. They don&#039;t identify themselves as bots, and robots.txt is the only thing they *don&#039;t* read off the site.&lt;br /&gt;
&lt;br /&gt;
This is beyond unsustainable. We are going to have to put time into deploying some sort of active defenses just to keep the site online. I think I&#039;d even rather be writing about accounting systems than dealing with this cr*p. And it&#039;s not just us, of course; this behavior is going to wreck the net even more than it&#039;s already wrecked.&lt;br /&gt;
&amp;lt;/blockquote&amp;gt;&lt;br /&gt;
&lt;br /&gt;
He later commented:&amp;lt;ref&amp;gt;https://www.heise.de/en/news/AI-bots-paralyze-Linux-news-site-and-others-10252162.html&amp;lt;/ref&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;blockquote&amp;gt;&lt;br /&gt;
We do indeed see a kind of pattern. Every IP stays below the threshold for our fuses, but the overload is overwhelming. Any form of active defense will probably have to figure out to block entire subnets instead of individual addresses, and even that might not be enough.&lt;br /&gt;
&amp;lt;/blockquote&amp;gt;&lt;br /&gt;
&lt;br /&gt;
==== Perplexity AI and news outlets ====&lt;br /&gt;
[[Perplexity AI]], founded in August 2022, is a large language model that aims to be viewed as a general search engine. It encourages users to consume news through its summaries of stories.&lt;br /&gt;
&lt;br /&gt;
On 15 June 2024, Apple blog MacStories found that Perplexity does not follow its own documented policies when accessing content the user requests from the web. In their testing, the scraper pretended to be Chrome 111 running on Windows 10, connecting from an IP address not found in Perplexity&#039;s posted IP address ranges.&amp;lt;ref&amp;gt;https://rknight.me/blog/perplexity-ai-is-lying-about-its-user-agent/&amp;lt;/ref&amp;gt; Two days later, this was corroborated by WIRED.&amp;lt;ref&amp;gt;https://www.wired.com/story/perplexity-is-a-bullshit-machine/&amp;lt;/ref&amp;gt; Perplexity responded by removing its list of IP addresses.&lt;br /&gt;
&lt;br /&gt;
On 27 June 2024, [[Amazon]] announced an investigation into Perplexity AI, citing a terms of service clause requiring bots hosted on Amazon Web Services to honor robots.txt:&amp;lt;ref name=&amp;quot;perplexity-aws&amp;quot;&amp;gt;https://www.wired.com/story/aws-perplexity-bot-scraping-investigation/&amp;lt;/ref&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;blockquote&amp;gt;&lt;br /&gt;
&amp;quot;AWS&#039;s terms of service prohibit abusive and illegal activities and our customers are responsible for complying with those terms,&amp;quot; [AWS spokesperson Patrick] Neighorn said in a statement. &amp;quot;We routinely receive reports of alleged abuse from a variety of sources and engage our customers to understand those reports.&amp;quot;&lt;br /&gt;
&amp;lt;/blockquote&amp;gt;&lt;br /&gt;
&lt;br /&gt;
==== The Apple Wiki ====&lt;br /&gt;
&amp;lt;!-- COI alert: I, [[User:kirb]], am an admin for The Apple Wiki. Hopefully this is neutral enough? --&amp;gt;&lt;br /&gt;
The Apple Wiki, a MediaWiki instance that documents internal details of Apple&#039;s hardware and software, holds more than 50,000 articles. On 2 August 2024, with a repeat occurrence on 5 January 2025, the service was disrupted by scraping efforts.&amp;lt;ref&amp;gt;https://theapplewiki.com/wiki/The_Apple_Wiki:Community_portal#Bot_traffic_abuse&amp;lt;/ref&amp;gt; The wiki contains a considerable amount of information that is scraped by legitimate security research tools, making it difficult for the website to block abusive requests. Efforts to block unethical scraping and protect the wiki have disrupted these legitimate tools. The large article count, combined with the more than 280,000 total edits, creates an untenable situation where it is simply not possible to scrape the website without causing significant service disruption.&lt;br /&gt;
&lt;br /&gt;
== References ==&lt;br /&gt;
&amp;lt;references /&amp;gt;&lt;br /&gt;
&lt;br /&gt;
[[Category:Artificial intelligence]]&lt;/div&gt;</summary>
		<author><name>Kirb</name></author>
	</entry>
	<entry>
		<id>https://mirror.consumerrights.wiki/index.php?title=Category:Artificial_intelligence_companies&amp;diff=6173</id>
		<title>Category:Artificial intelligence companies</title>
		<link rel="alternate" type="text/html" href="https://mirror.consumerrights.wiki/index.php?title=Category:Artificial_intelligence_companies&amp;diff=6173"/>
		<updated>2025-01-28T07:27:21Z</updated>

		<summary type="html">&lt;p&gt;Kirb: +AI cat&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;[[Category:Software companies]]&lt;br /&gt;
[[Category:Artificial intelligence]]&lt;/div&gt;</summary>
		<author><name>Kirb</name></author>
	</entry>
	<entry>
		<id>https://mirror.consumerrights.wiki/index.php?title=Category:Artificial_intelligence&amp;diff=6172</id>
		<title>Category:Artificial intelligence</title>
		<link rel="alternate" type="text/html" href="https://mirror.consumerrights.wiki/index.php?title=Category:Artificial_intelligence&amp;diff=6172"/>
		<updated>2025-01-28T07:26:05Z</updated>

		<summary type="html">&lt;p&gt;Kirb: Created blank page&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;&lt;/div&gt;</summary>
		<author><name>Kirb</name></author>
	</entry>
	<entry>
		<id>https://mirror.consumerrights.wiki/index.php?title=Artificial_intelligence&amp;diff=6121</id>
		<title>Artificial intelligence</title>
		<link rel="alternate" type="text/html" href="https://mirror.consumerrights.wiki/index.php?title=Artificial_intelligence&amp;diff=6121"/>
		<updated>2025-01-28T03:49:24Z</updated>

		<summary type="html">&lt;p&gt;Kirb: Can I add this link?&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;&#039;&#039;&#039;Artificial intelligence&#039;&#039;&#039; (AI) is a field of computer science producing software that aims to ultimately replace all manual labor. AI is not a new concept - it has been of interest as early as the 1950s. Since the November 2022 launch of [[ChatGPT]], [[wikipedia:Large language model|large language model]] (LLM) chatbots have been a main focus of the industry, with billions of dollars in funding allocated to producing more &amp;quot;intelligent&amp;quot; LLMs. Also a significant focus are [[wikipedia:Text-to-image model|text-to-image models]], which &amp;quot;draw&amp;quot; an image using written instructions, and [[wikipedia:Text-to-video model|text-to-video models]], which extend the text-to-image concept across several smooth video frames.&lt;br /&gt;
&lt;br /&gt;
[[wikipedia:Generative artificial intelligence|Generative artificial intelligence]] models are trained through vast amounts of existing human-generated content. Using the example of an LLM, by learning about common trends in sentence structure, the model is able to form complete sentences and show artificial &amp;quot;knowledge&amp;quot; of a topic. The artificial nature may cause [[wikipedia:Hallucination (artificial intelligence)|hallucination]] through confidently-written, but mostly or entirely incorrect, output.&lt;br /&gt;
&lt;br /&gt;
The current well-funded, lucrative industry of artificial intelligence tools has resulted in rampant unethical use of content. Startups intending to produce AI services have been scraping the internet for content to train future models at a concerning pace, with no regard for copyright law, as members of the field are concerned that they are approaching the limit of publicly-available content to train from.&amp;lt;ref&amp;gt;https://observer.com/2024/12/openai-cofounder-ilya-sutskever-ai-data-peak/&amp;lt;/ref&amp;gt;&lt;br /&gt;
&lt;br /&gt;
== Unethical website scraping ==&lt;br /&gt;
While &amp;quot;mainstream&amp;quot; companies such as [[OpenAI]], [[Anthropic]], and [[Meta]] appear to correctly follow industry-standard practice for web crawlers, others ignore it, causing [[wikipedia:Denial-of-service attack|distributed denial of service attacks]] which damage access to freely-accessible websites. This is particularly an issue for websites that are large or contain many dynamic links.&lt;br /&gt;
&lt;br /&gt;
Ethical website scrapers, known as &amp;quot;spiders&amp;quot; that crawl the web, follow a certain set of minimum guidelines. Specifically, they follow [[wikipedia:robots.txt|robots.txt]], a text file found at the root of a domain that indicates:&lt;br /&gt;
&lt;br /&gt;
* Paths bots are allowed to index&lt;br /&gt;
* Paths bots should not index&lt;br /&gt;
* How long the bot should wait in between requests to the server, to reduce load&lt;br /&gt;
* The [[wikipedia:Sitemaps|sitemap]] of the website&#039;s content&lt;br /&gt;
&lt;br /&gt;
These rules are typically configured for all bots, with minor adjustments made to individual bots as needed. Additionally, specific web pages may use the [[wikipedia:noindex|robots meta tag]] to control use of their output.&lt;br /&gt;
&lt;br /&gt;
While it is good practice for a bot to respect robots.txt, there is no requirement for it, and there is no punishment for not following a website&#039;s wishes. It is additionally standard practice, but in no way enforced, that bots use a [[wikipedia:User-Agent header|User-Agent header]] to uniquely identify themselves. This allows a website operator to observe a bot&#039;s traffic patterns, potentially blocking the bot outright if its scraping is not desirable. The header also typically contains a URL or email address that can be used to contact the operator in case of anomalies observed in its traffic.&lt;br /&gt;
&lt;br /&gt;
Unethical AI scraper bots do not follow robots.txt - in fact, they may not even request this file at all. They typically completely ignore it, instead opting to start from an entry point such as the root home page (&amp;lt;code&amp;gt;/&amp;lt;/code&amp;gt;), working their way through an exponentially growing list of links as they find them, with little to no delay between requests. The bots use false User-Agent header strings that would correspond to real web browsers on desktop or mobile operating systems - blocking them would also block legitimate users, or at least legitimate users on VPNs.&lt;br /&gt;
&lt;br /&gt;
Some AI services opt to use separate User-Agent strings, potentially also ignoring robots.txt, when a request is made through user command rather than as part of model training. For example, ChatGPT identifies itself as &amp;lt;code&amp;gt;ChatGPT-User&amp;lt;/code&amp;gt; rather than its standard &amp;lt;code&amp;gt;OpenAI&amp;lt;/code&amp;gt; when it uses the &amp;quot;search the web&amp;quot; command - even if searching the web was an automatic decision. In a less favorable example, Perplexity AI in this same situation falsely identifies as a standard Chrome web browser running on Windows. AI companies defend this under the belief that they are not a &amp;quot;spider&amp;quot;, but rather a &amp;quot;user agent&amp;quot; (like a web browser), when called upon by a user&#039;s request.&amp;lt;ref name=&amp;quot;perplexity-aws&amp;quot; /&amp;gt;&lt;br /&gt;
&lt;br /&gt;
Less legitimate bots use a wide distribution of IP addresses, further reducing options for the website to protect itself. This is a clear attempt to bypass IP-based request throttling and rate limiting that the website may implement. They are also known to ignore HTTP response status codes that indicate a server error ([[wikipedia:HTTP status code#5xx server errors|5xx]]), or warnings that the client needs to slow down ([[wikipedia:HTTP status code#429|429 Too Many Requests]]) or has been entirely blocked ([[wikipedia:HTTP status code#403|403 Forbidden]]).&lt;br /&gt;
&lt;br /&gt;
=== Effect on users ===&lt;br /&gt;
To protect against unethical crawlers, due to concerns of both intellectual property and service disruption, websites adopt practices that affect the experience of real users:&lt;br /&gt;
&lt;br /&gt;
* &#039;&#039;&#039;Bot check walls&#039;&#039;&#039;: The user may be required to pass a security check &amp;quot;wall&amp;quot;. While usually automatic for the user, this can affect legitimate bots. When a website protection service such as [[Cloudflare]] is not confident as to whether the visitor is legitimate, it may present a CAPTCHA to be manually filled out. An example is &amp;quot;Google Sorry&amp;quot;, a CAPTCHA wall frequently seen when using Google Search via a VPN.&lt;br /&gt;
* &#039;&#039;&#039;Login walls&#039;&#039;&#039;: Should bots be found to pass CAPTCHA walls, the website may advance to requiring logging in to view content. A major recent example of this is [[YouTube]]&#039;s &amp;quot;Sign in to confirm you&#039;re not a bot&amp;quot; messages.&lt;br /&gt;
* &#039;&#039;&#039;JavaScript requirement&#039;&#039;&#039;: Most websites do not need JavaScript to deliver their content. However, as many scrapers expect content to be found directly in the HTML, it is often an easy workaround to use JavaScript to &amp;quot;insert&amp;quot; the content after the page has loaded. This may reduce the responsiveness of the website, increasing points of failure, and preventing security-conscious users who disable JavaScript from viewing the website.&lt;br /&gt;
* &#039;&#039;&#039;IP address blocking&#039;&#039;&#039;: Blocking IP addresses, especially by blocking entire providers via their [[wikipedia:Autonomous system (Internet)|autonomous system number]], always comes with some risk of blocking legitimate users. Particularly, this may restrict access to users making use of a VPN.&lt;br /&gt;
* &#039;&#039;&#039;Heuristic blocking&#039;&#039;&#039;: Patterns in request headers may give away that the request is being made by an unethical bot, despite attempts to act as a legitimate visitor. Heuristics are imperfect and may block legitimate users, especially those that may use less common browsers.&lt;br /&gt;
&lt;br /&gt;
In rare situations, a website operator may redirect detected bot traffic, such as to download speed test files hosted by ISPs containing multiple gigabytes of random garbage data. This may have the effect of disrupting the bot, but its effectiveness is unknown.&lt;br /&gt;
&lt;br /&gt;
The need to respond to unethical scraping also further consolidates the web into the control of a few large [[wikipedia:Web application firewall|web application firewall]] (WAF) services, most notably [[Cloudflare]], as website owners find themselves otherwise unable to protect their service from being disrupted by such traffic.&lt;br /&gt;
&lt;br /&gt;
=== Case studies ===&lt;br /&gt;
==== Diaspora ====&lt;br /&gt;
On 27 December 2024, the open-source social network project Diaspora noted that 70% of traffic across its infrastructure was in service of AI scrapers.&amp;lt;ref&amp;gt;https://pod.geraspora.de/posts/17342163&amp;lt;/ref&amp;gt; Particularly, the project noted that bots had followed links to crawl every individual edit in their [[wikipedia:MediaWiki|MediaWiki]] instance, causing an exponential increase in the number of unique requests being made.&lt;br /&gt;
&lt;br /&gt;
==== LVFS ====&lt;br /&gt;
The [https://fwupd.org/ Linux Vendor Firmware Service] (LVFS) provides a free central store of firmware updates, such as for UEFI motherboards and SSD controllers. This feature is integrated with many Linux distributions through the &amp;lt;code&amp;gt;fwupd&amp;lt;/code&amp;gt; daemon. For situations where internet access is not permitted, the service allows users to make a local mirror of the entire 100+ GB store.&lt;br /&gt;
&lt;br /&gt;
On 9 January 2025, the project announced that it would introduce a login wall around its mirror feature, citing unnecessary use of its bandwidth.&amp;lt;ref&amp;gt;https://lore.kernel.org/lvfs-announce/zDlhotSvKqnMDfkCKaE_u4-8uvWsgkuj18ifLBwrLN9vWWrIJjrYQ-QfhpY3xuwIXuZgzOVajW99ymoWmijTdngeFRVjM0BxhPZquUzbDfM=@hughsie.com/T/&amp;lt;/ref&amp;gt; Up to 1,000 files may be downloaded per day without logging in. The author later mentioned on Mastodon that the problem appears to be caused by AI scraping.&amp;lt;ref&amp;gt;https://mastodon.social/@hughsie/113871373001227969&amp;lt;/ref&amp;gt;&lt;br /&gt;
&lt;br /&gt;
==== LWN.net ====&lt;br /&gt;
On 21 January 2025, Jonathan Corbet, maintainer of the Linux news website [[wikipedia:LWN.net|LWN.net]], made the following [https://social.kernel.org/notice/AqJkUigsjad3gQc664 post] to social.kernel.org:&lt;br /&gt;
&lt;br /&gt;
&amp;lt;blockquote&amp;gt;&lt;br /&gt;
Should you be wondering why @LWN #LWN is occasionally sluggish... since the new year, the DDOS onslaughts from AI-scraper bots has picked up considerably. Only a small fraction of our traffic is serving actual human readers at this point. At times, some bot decides to hit us from hundreds of IP addresses at once, clogging the works. They don&#039;t identify themselves as bots, and robots.txt is the only thing they *don&#039;t* read off the site.&lt;br /&gt;
&lt;br /&gt;
This is beyond unsustainable. We are going to have to put time into deploying some sort of active defenses just to keep the site online. I think I&#039;d even rather be writing about accounting systems than dealing with this cr*p. And it&#039;s not just us, of course; this behavior is going to wreck the net even more than it&#039;s already wrecked.&lt;br /&gt;
&amp;lt;/blockquote&amp;gt;&lt;br /&gt;
&lt;br /&gt;
He later commented:&amp;lt;ref&amp;gt;https://www.heise.de/en/news/AI-bots-paralyze-Linux-news-site-and-others-10252162.html&amp;lt;/ref&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;blockquote&amp;gt;&lt;br /&gt;
We do indeed see a kind of pattern. Every IP stays below the threshold for our fuses, but the overload is overwhelming. Any form of active defense will probably have to figure out to block entire subnets instead of individual addresses, and even that might not be enough.&lt;br /&gt;
&amp;lt;/blockquote&amp;gt;&lt;br /&gt;
&lt;br /&gt;
==== Perplexity AI and news outlets ====&lt;br /&gt;
[[Perplexity AI]], founded in August 2022, is a large language model that aims to be viewed as a general search engine. It encourages users to consume news through its summaries of stories.&lt;br /&gt;
&lt;br /&gt;
On 15 June 2024, Apple blog MacStories found that Perplexity does not follow its own documented policies when accessing content the user requests from the web. In their testing, the scraper pretended to be Chrome 111 running on Windows 10, connecting from an IP address not found in Perplexity&#039;s posted IP address ranges.&amp;lt;ref&amp;gt;https://rknight.me/blog/perplexity-ai-is-lying-about-its-user-agent/&amp;lt;/ref&amp;gt; Two days later, this was corroborated by WIRED.&amp;lt;ref&amp;gt;https://www.wired.com/story/perplexity-is-a-bullshit-machine/&amp;lt;/ref&amp;gt; Perplexity responded by removing its list of IP addresses.&lt;br /&gt;
&lt;br /&gt;
On 27 June 2024, [[Amazon]] announced an investigation into Perplexity AI, citing a terms of service clause requiring bots hosted on Amazon Web Services to honor robots.txt:&amp;lt;ref name=&amp;quot;perplexity-aws&amp;quot;&amp;gt;https://www.wired.com/story/aws-perplexity-bot-scraping-investigation/&amp;lt;/ref&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;blockquote&amp;gt;&lt;br /&gt;
&amp;quot;AWS&#039;s terms of service prohibit abusive and illegal activities and our customers are responsible for complying with those terms,&amp;quot; [AWS spokesperson Patrick] Neighorn said in a statement. &amp;quot;We routinely receive reports of alleged abuse from a variety of sources and engage our customers to understand those reports.&amp;quot;&lt;br /&gt;
&amp;lt;/blockquote&amp;gt;&lt;br /&gt;
&lt;br /&gt;
==== The Apple Wiki ====&lt;br /&gt;
&amp;lt;!-- COI alert: I, [[User:kirb]], am an admin for The Apple Wiki. Hopefully this is neutral enough? --&amp;gt;&lt;br /&gt;
The Apple Wiki, a MediaWiki instance that documents internal details of Apple&#039;s hardware and software, holds more than 50,000 articles. On 2 August 2024, with a repeat occurrence on 5 January 2025, the service was disrupted by scraping efforts.&amp;lt;ref&amp;gt;https://theapplewiki.com/wiki/The_Apple_Wiki:Community_portal#Bot_traffic_abuse&amp;lt;/ref&amp;gt; The wiki contains a considerable amount of information that is scraped by legitimate security research tools, making it difficult for the website to block abusive requests. Efforts to block unethical scraping and protect the wiki have disrupted these legitimate tools. The large article count, combined with the more than 280,000 total edits, creates an untenable situation where it is simply not possible to scrape the website without causing significant service disruption.&lt;br /&gt;
&lt;br /&gt;
== References ==&lt;br /&gt;
&amp;lt;references /&amp;gt;&lt;/div&gt;</summary>
		<author><name>Kirb</name></author>
	</entry>
	<entry>
		<id>https://mirror.consumerrights.wiki/index.php?title=Artificial_intelligence&amp;diff=6119</id>
		<title>Artificial intelligence</title>
		<link rel="alternate" type="text/html" href="https://mirror.consumerrights.wiki/index.php?title=Artificial_intelligence&amp;diff=6119"/>
		<updated>2025-01-28T03:47:52Z</updated>

		<summary type="html">&lt;p&gt;Kirb: Adding rest of the article&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;&#039;&#039;&#039;Artificial intelligence&#039;&#039;&#039; (AI) is a field of computer science producing software that aims to ultimately replace all manual labor. AI is not a new concept - it has been of interest as early as the 1950s. Since the November 2022 launch of [[ChatGPT]], [[wikipedia:Large language model|large language model]] (LLM) chatbots have been a main focus of the industry, with billions of dollars in funding allocated to producing more &amp;quot;intelligent&amp;quot; LLMs. Also a significant focus are [[wikipedia:Text-to-image model|text-to-image models]], which &amp;quot;draw&amp;quot; an image using written instructions, and [[wikipedia:Text-to-video model|text-to-video models]], which extend the text-to-image concept across several smooth video frames.&lt;br /&gt;
&lt;br /&gt;
[[wikipedia:Generative artificial intelligence|Generative artificial intelligence]] models are trained through vast amounts of existing human-generated content. Using the example of an LLM, by learning about common trends in sentence structure, the model is able to form complete sentences and show artificial &amp;quot;knowledge&amp;quot; of a topic. The artificial nature may cause [[wikipedia:Hallucination (artificial intelligence)|hallucination]] through confidently-written, but mostly or entirely incorrect, output.&lt;br /&gt;
&lt;br /&gt;
The current well-funded, lucrative industry of artificial intelligence tools has resulted in rampant unethical use of content. Startups intending to produce AI services have been scraping the internet for content to train future models at a concerning pace, with no regard for copyright law, as members of the field are concerned that they are approaching the limit of publicly-available content to train from.&amp;lt;ref&amp;gt;https://observer.com/2024/12/openai-cofounder-ilya-sutskever-ai-data-peak/&amp;lt;/ref&amp;gt;&lt;br /&gt;
&lt;br /&gt;
== Unethical website scraping ==&lt;br /&gt;
While &amp;quot;mainstream&amp;quot; companies such as [[OpenAI]], [[Anthropic]], and [[Meta]] appear to correctly follow industry-standard practice for web crawlers, others ignore it, causing [[wikipedia:Denial-of-service attack|distributed denial of service attacks]] which damage access to freely-accessible websites. This is particularly an issue for websites that are large or contain many dynamic links.&lt;br /&gt;
&lt;br /&gt;
Ethical website scrapers, known as &amp;quot;spiders&amp;quot; that crawl the web, follow a certain set of minimum guidelines. Specifically, they follow [[wikipedia:robots.txt|robots.txt]], a text file found at the root of a domain that indicates:&lt;br /&gt;
&lt;br /&gt;
* Paths bots are allowed to index&lt;br /&gt;
* Paths bots should not index&lt;br /&gt;
* How long the bot should wait in between requests to the server, to reduce load&lt;br /&gt;
* The [[wikipedia:Sitemaps|sitemap]] of the website&#039;s content&lt;br /&gt;
&lt;br /&gt;
These rules are typically configured for all bots, with minor adjustments made to individual bots as needed. Additionally, specific web pages may use the [[wikipedia:noindex|robots meta tag]] to control use of their output.&lt;br /&gt;
&lt;br /&gt;
While it is good practice for a bot to respect robots.txt, there is no requirement for it, and there is no punishment for not following a website&#039;s wishes. It is additionally standard practice, but in no way enforced, that bots use a [[wikipedia:User-Agent header|User-Agent header]] to uniquely identify themselves. This allows a website operator to observe a bot&#039;s traffic patterns, potentially blocking the bot outright if its scraping is not desirable. The header also typically contains a URL or email address that can be used to contact the operator in case of anomalies observed in its traffic.&lt;br /&gt;
&lt;br /&gt;
Unethical AI scraper bots do not follow robots.txt - in fact, they may not even request this file at all. They typically completely ignore it, instead opting to start from an entry point such as the root home page (&amp;lt;code&amp;gt;/&amp;lt;/code&amp;gt;), working their way through an exponentially growing list of links as they find them, with little to no delay between requests. The bots use false User-Agent header strings that would correspond to real web browsers on desktop or mobile operating systems - blocking them would also block legitimate users, or at least legitimate users on VPNs.&lt;br /&gt;
&lt;br /&gt;
Some AI services opt to use separate User-Agent strings, potentially also ignoring robots.txt, when a request is made through user command rather than as part of model training. For example, ChatGPT identifies itself as &amp;lt;code&amp;gt;ChatGPT-User&amp;lt;/code&amp;gt; rather than its standard &amp;lt;code&amp;gt;OpenAI&amp;lt;/code&amp;gt; when it uses the &amp;quot;search the web&amp;quot; command - even if searching the web was an automatic decision. In a less favorable example, Perplexity AI in this same situation falsely identifies as a standard Chrome web browser running on Windows. AI companies defend this under the belief that they are not a &amp;quot;spider&amp;quot;, but rather a &amp;quot;user agent&amp;quot; (like a web browser), when called upon by a user&#039;s request.&amp;lt;ref name=&amp;quot;perplexity-aws&amp;quot; /&amp;gt;&lt;br /&gt;
&lt;br /&gt;
Less legitimate bots use a wide distribution of IP addresses, further reducing options for the website to protect itself. This is a clear attempt to bypass IP-based request throttling and rate limiting that the website may implement. They are also known to ignore HTTP response status codes that indicate a server error ([[wikipedia:HTTP status code#5xx server errors|5xx]]), or warnings that the client needs to slow down ([[wikipedia:HTTP status code#429|429 Too Many Requests]]) or has been entirely blocked ([[wikipedia:HTTP status code#403|403 Forbidden]]).&lt;br /&gt;
&lt;br /&gt;
=== Effect on users ===&lt;br /&gt;
To protect against unethical crawlers, due to concerns of both intellectual property and service disruption, websites adopt practices that affect the experience of real users:&lt;br /&gt;
&lt;br /&gt;
* &#039;&#039;&#039;Bot check walls&#039;&#039;&#039;: The user may be required to pass a security check &amp;quot;wall&amp;quot;. While usually automatic for the user, this can affect legitimate bots. When a website protection service such as [[Cloudflare]] is not confident as to whether the visitor is legitimate, it may present a CAPTCHA to be manually filled out. An example is &amp;quot;Google Sorry&amp;quot;, a CAPTCHA wall frequently seen when using Google Search via a VPN.&lt;br /&gt;
* &#039;&#039;&#039;Login walls&#039;&#039;&#039;: Should bots be found to pass CAPTCHA walls, the website may advance to requiring logging in to view content. A major recent example of this is [[YouTube]]&#039;s &amp;quot;Sign in to confirm you&#039;re not a bot&amp;quot; messages.&lt;br /&gt;
* &#039;&#039;&#039;JavaScript requirement&#039;&#039;&#039;: Most websites do not need JavaScript to deliver their content. However, as many scrapers expect content to be found directly in the HTML, it is often an easy workaround to use JavaScript to &amp;quot;insert&amp;quot; the content after the page has loaded. This may reduce the responsiveness of the website, increasing points of failure, and preventing security-conscious users who disable JavaScript from viewing the website.&lt;br /&gt;
* &#039;&#039;&#039;IP address blocking&#039;&#039;&#039;: Blocking IP addresses, especially by blocking entire providers via their [[wikipedia:Autonomous system (Internet)|autonomous system number]], always comes with some risk of blocking legitimate users. Particularly, this may restrict access to users making use of a VPN.&lt;br /&gt;
* &#039;&#039;&#039;Heuristic blocking&#039;&#039;&#039;: Patterns in request headers may give away that the request is being made by an unethical bot, despite attempts to act as a legitimate visitor. Heuristics are imperfect and may block legitimate users, especially those that may use less common browsers.&lt;br /&gt;
&lt;br /&gt;
In rare situations, a website operator may redirect detected bot traffic, such as to download speed test files hosted by ISPs containing multiple gigabytes of random garbage data. This may have the effect of disrupting the bot, but its effectiveness is unknown.&lt;br /&gt;
&lt;br /&gt;
The need to respond to unethical scraping also further consolidates the web into the control of a few large [[wikipedia:Web application firewall|web application firewall]] (WAF) services, most notably [[Cloudflare]], as website owners find themselves otherwise unable to protect their service from being disrupted by such traffic.&lt;br /&gt;
&lt;br /&gt;
=== Case studies ===&lt;br /&gt;
==== Diaspora ====&lt;br /&gt;
On 27 December 2024, the open-source social network project Diaspora noted that 70% of traffic across its infrastructure was in service of AI scrapers.&amp;lt;ref&amp;gt;https://pod.geraspora.de/posts/17342163&amp;lt;/ref&amp;gt; Particularly, the project noted that bots had followed links to crawl every individual edit in their [[wikipedia:MediaWiki|MediaWiki]] instance, causing an exponential increase in the number of unique requests being made.&lt;br /&gt;
&lt;br /&gt;
==== LVFS ====&lt;br /&gt;
The [https://fwupd.org/ Linux Vendor Firmware Service] (LVFS) provides a free central store of firmware updates, such as for UEFI motherboards and SSD controllers. This feature is integrated with many Linux distributions through the &amp;lt;code&amp;gt;fwupd&amp;lt;/code&amp;gt; daemon. For situations where internet access is not permitted, the service allows users to make a local mirror of the entire 100+ GB store.&lt;br /&gt;
&lt;br /&gt;
On 9 January 2025, the project announced that it would introduce a login wall around its mirror feature, citing unnecessary use of its bandwidth.&amp;lt;ref&amp;gt;https://lore.kernel.org/lvfs-announce/zDlhotSvKqnMDfkCKaE_u4-8uvWsgkuj18ifLBwrLN9vWWrIJjrYQ-QfhpY3xuwIXuZgzOVajW99ymoWmijTdngeFRVjM0BxhPZquUzbDfM=@hughsie.com/T/&amp;lt;/ref&amp;gt; Up to 1,000 files may be downloaded per day without logging in. The author later mentioned on Mastodon that the problem appears to be caused by AI scraping.&amp;lt;ref&amp;gt;https://mastodon.social/@hughsie/113871373001227969&amp;lt;/ref&amp;gt;&lt;br /&gt;
&lt;br /&gt;
==== LWN.net ====&lt;br /&gt;
On 21 January 2025, Jonathan Corbet, maintainer of the Linux news website [[wikipedia:LWN.net|LWN.net]], made the following [https://social.kernel.org/notice/AqJkUigsjad3gQc664 post] to social.kernel.org:&lt;br /&gt;
&lt;br /&gt;
&amp;lt;blockquote&amp;gt;&lt;br /&gt;
Should you be wondering why @LWN #LWN is occasionally sluggish... since the new year, the DDOS onslaughts from AI-scraper bots has picked up considerably. Only a small fraction of our traffic is serving actual human readers at this point. At times, some bot decides to hit us from hundreds of IP addresses at once, clogging the works. They don&#039;t identify themselves as bots, and robots.txt is the only thing they *don&#039;t* read off the site.&lt;br /&gt;
&lt;br /&gt;
This is beyond unsustainable. We are going to have to put time into deploying some sort of active defenses just to keep the site online. I think I&#039;d even rather be writing about accounting systems than dealing with this cr*p. And it&#039;s not just us, of course; this behavior is going to wreck the net even more than it&#039;s already wrecked.&lt;br /&gt;
&amp;lt;/blockquote&amp;gt;&lt;br /&gt;
&lt;br /&gt;
He later commented:&amp;lt;ref&amp;gt;https://www.heise.de/en/news/AI-bots-paralyze-Linux-news-site-and-others-10252162.html&amp;lt;/ref&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;blockquote&amp;gt;&lt;br /&gt;
We do indeed see a kind of pattern. Every IP stays below the threshold for our fuses, but the overload is overwhelming. Any form of active defense will probably have to figure out to block entire subnets instead of individual addresses, and even that might not be enough.&lt;br /&gt;
&amp;lt;/blockquote&amp;gt;&lt;br /&gt;
&lt;br /&gt;
==== Perplexity AI and news outlets ====&lt;br /&gt;
[[Perplexity AI]], founded in August 2022, is a large language model that aims to be viewed as a general search engine. It encourages users to consume news through its summaries of stories.&lt;br /&gt;
&lt;br /&gt;
On 15 June 2024, Apple blog MacStories found that Perplexity does not follow its own documented policies when accessing content the user requests from the web. In their testing, the scraper pretended to be Chrome 111 running on Windows 10, connecting from an IP address not found in Perplexity&#039;s posted IP address ranges.&amp;lt;ref&amp;gt;https://rknight.me/blog/perplexity-ai-is-lying-about-its-user-agent/&amp;lt;/ref&amp;gt; Two days later, this was corroborated by WIRED.&amp;lt;ref&amp;gt;&amp;lt;!-- Can&#039;t link the article directly because the URL has a word that trips the swearing filter 😉 --&amp;gt;&amp;lt;/ref&amp;gt; Perplexity responded by removing its list of IP addresses.&lt;br /&gt;
&lt;br /&gt;
On 27 June 2024, [[Amazon]] announced an investigation into Perplexity AI, citing a terms of service clause requiring bots hosted on Amazon Web Services to honor robots.txt:&amp;lt;ref name=&amp;quot;perplexity-aws&amp;quot;&amp;gt;https://www.wired.com/story/aws-perplexity-bot-scraping-investigation/&amp;lt;/ref&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;blockquote&amp;gt;&lt;br /&gt;
&amp;quot;AWS&#039;s terms of service prohibit abusive and illegal activities and our customers are responsible for complying with those terms,&amp;quot; [AWS spokesperson Patrick] Neighorn said in a statement. &amp;quot;We routinely receive reports of alleged abuse from a variety of sources and engage our customers to understand those reports.&amp;quot;&lt;br /&gt;
&amp;lt;/blockquote&amp;gt;&lt;br /&gt;
&lt;br /&gt;
==== The Apple Wiki ====&lt;br /&gt;
&amp;lt;!-- COI alert: I, [[User:kirb]], am an admin for The Apple Wiki. Hopefully this is neutral enough? --&amp;gt;&lt;br /&gt;
The Apple Wiki, a MediaWiki instance that documents internal details of Apple&#039;s hardware and software, holds more than 50,000 articles. On 2 August 2024, with a repeat occurrence on 5 January 2025, the service was disrupted by scraping efforts.&amp;lt;ref&amp;gt;https://theapplewiki.com/wiki/The_Apple_Wiki:Community_portal#Bot_traffic_abuse&amp;lt;/ref&amp;gt; The wiki contains a considerable amount of information that is scraped by legitimate security research tools, making it difficult for the website to block abusive requests. Efforts to block unethical scraping and protect the wiki have disrupted these legitimate tools. The large article count, combined with the more than 280,000 total edits, creates an untenable situation where it is simply not possible to scrape the website without causing significant service disruption.&lt;br /&gt;
&lt;br /&gt;
== References ==&lt;br /&gt;
&amp;lt;references /&amp;gt;&lt;/div&gt;</summary>
		<author><name>Kirb</name></author>
	</entry>
	<entry>
		<id>https://mirror.consumerrights.wiki/index.php?title=Artificial_intelligence&amp;diff=6117</id>
		<title>Artificial intelligence</title>
		<link rel="alternate" type="text/html" href="https://mirror.consumerrights.wiki/index.php?title=Artificial_intelligence&amp;diff=6117"/>
		<updated>2025-01-28T03:46:35Z</updated>

		<summary type="html">&lt;p&gt;Kirb: Created page with &amp;quot;&amp;#039;&amp;#039;&amp;#039;Artificial intelligence&amp;#039;&amp;#039;&amp;#039; (AI) is a field of computer science producing software that aims to ultimately replace all manual labor. AI is not a new concept - it has been of interest as early as the 1950s. Since the November 2022 launch of ChatGPT, large language model (LLM) chatbots have been a main focus of the industry, with billions of dollars in funding allocated to producing more &amp;quot;intelligent&amp;quot; LLMs. Also a significant focus...&amp;quot;&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;&#039;&#039;&#039;Artificial intelligence&#039;&#039;&#039; (AI) is a field of computer science producing software that aims to ultimately replace all manual labor. AI is not a new concept - it has been of interest as early as the 1950s. Since the November 2022 launch of [[ChatGPT]], [[wikipedia:Large language model|large language model]] (LLM) chatbots have been a main focus of the industry, with billions of dollars in funding allocated to producing more &amp;quot;intelligent&amp;quot; LLMs. Also a significant focus are [[wikipedia:Text-to-image model|text-to-image models]], which &amp;quot;draw&amp;quot; an image using written instructions, and [[wikipedia:Text-to-video model|text-to-video models]], which extend the text-to-image concept across several smooth video frames.&lt;br /&gt;
&lt;br /&gt;
[[wikipedia:Generative artificial intelligence|Generative artificial intelligence]] models are trained through vast amounts of existing human-generated content. Using the example of an LLM, by learning about common trends in sentence structure, the model is able to form complete sentences and show artificial &amp;quot;knowledge&amp;quot; of a topic. The artificial nature may cause [[wikipedia:Hallucination (artificial intelligence)|hallucination]] through confidently-written, but mostly or entirely incorrect, output.&lt;br /&gt;
&lt;br /&gt;
The current well-funded, lucrative industry of artificial intelligence tools has resulted in rampant unethical use of content. Startups intending to produce AI services have been scraping the internet for content to train future models at a concerning pace, with no regard for copyright law, as members of the field are concerned that they are approaching the limit of publicly-available content to train from.&amp;lt;ref&amp;gt;https://observer.com/2024/12/openai-cofounder-ilya-sutskever-ai-data-peak/&amp;lt;/ref&amp;gt;&lt;/div&gt;</summary>
		<author><name>Kirb</name></author>
	</entry>
	<entry>
		<id>https://mirror.consumerrights.wiki/index.php?title=Apple_App_Store&amp;diff=5365</id>
		<title>Apple App Store</title>
		<link rel="alternate" type="text/html" href="https://mirror.consumerrights.wiki/index.php?title=Apple_App_Store&amp;diff=5365"/>
		<updated>2025-01-25T07:27:05Z</updated>

		<summary type="html">&lt;p&gt;Kirb: Clearer wording about Hey, fix an oopsie sentence&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;[[File:App Store (iOS).svg|thumb|150px]]&lt;br /&gt;
&lt;br /&gt;
Apple uses several technical measures to protect their App Store ecosystem and prevent consumer choice. They are good at obscuring their intentions with technical roadblocks, while typically citing security reasons for them - assuming the public even recognizes what is going on. This actively hurts the ability for lawmakers to have an accurate understanding, so they can consider applying legislative pressure.&lt;br /&gt;
&lt;br /&gt;
A never-ending demand for a cut of every sale of a digital product, ranging from game currency, to supporting content creators,&amp;lt;ref name=&amp;quot;patreon&amp;quot;&amp;gt;https://www.theverge.com/2024/8/12/24218629/patreon-membership-ios-30-percent-apple-tax&amp;lt;/ref&amp;gt; to booking a Zoom call with a local business,&amp;lt;ref name=&amp;quot;facebook&amp;quot;&amp;gt;https://www.reuters.com/article/us-facebook-apple-exclusive/exclusive-facebook-says-apple-rejected-its-attempt-to-tell-users-about-app-store-fees-idUSKBN25O042/&amp;lt;/ref&amp;gt; hurts the ability for app developers to innovate. These developers, working hard and pulling countless hours to build a quality app, always need to take Apple&#039;s (and [[Google]]&#039;s) demands into account - specifically, between 15% and 30% of their revenue. This is revenue that can be reinvested into the app, but instead must be earmarked for the platform they are &#039;&#039;&#039;required&#039;&#039;&#039; to use to reach their customers.&lt;br /&gt;
&lt;br /&gt;
Because this is a clear problem, several governments, including South Korea,&amp;lt;ref&amp;gt;https://www.reuters.com/technology/skorea-approves-rules-app-store-law-targeting-apple-google-2022-03-08/&amp;lt;/ref&amp;gt; Japan,&amp;lt;ref&amp;gt;https://www.theregister.com/2024/06/13/japan_smartphone_software_law/&amp;lt;/ref&amp;gt; the European Union,&amp;lt;ref&amp;gt;[[wikipedia:Digital Markets Act|Digital Markets Act]]&amp;lt;/ref&amp;gt; the United Kingdom,&amp;lt;ref&amp;gt;https://www.gov.uk/cma-cases/investigation-into-apple-appstore&amp;lt;/ref&amp;gt; Australia,&amp;lt;ref&amp;gt;https://www.accc.gov.au/media-release/dominance-of-apple-and-googles-app-stores-impacting-competition-and-consumers&amp;lt;/ref&amp;gt; as well as the US and a handful of states,&amp;lt;ref&amp;gt;[[wikipedia:Open App Markets Act|Open App Markets Act]]&amp;lt;/ref&amp;gt;&amp;lt;ref&amp;gt;https://www.congress.gov/bill/118th-congress/senate-bill/5364/text/is&amp;lt;/ref&amp;gt;&amp;lt;ref name=&amp;quot;doj&amp;quot;&amp;gt;https://apnews.com/article/apple-antitrust-monopoly-app-store-justice-department-822d7e8f5cf53a2636795fcc33ee1fc3&amp;lt;/ref&amp;gt;&amp;lt;ref&amp;gt;https://azcapitoltimes.com/news/2021/02/19/its-time-to-free-ourselves-from-big-tech-monopoly/&amp;lt;/ref&amp;gt; have opened investigations into anti-competitive practices, or considered or already passed legislation to force &amp;quot;gatekeeper platforms&amp;quot; such as Apple to be more reasonable with third-party developers.&lt;br /&gt;
&lt;br /&gt;
This being a major threat to Apple&#039;s revenue stream (interestingly, one they claim to be unsure is profitable&amp;lt;ref&amp;gt;https://9to5mac.com/2024/04/17/app-store-is-profitable-apple-notes/&amp;lt;/ref&amp;gt;&amp;lt;ref&amp;gt;https://9to5mac.com/2025/01/17/apple-denies-app-store-profit-margin-is-75-claims-to-have-no-clue/&amp;lt;/ref&amp;gt;), they have responded with practices such as geoblocking certain operating system functionality based on physical location,&amp;lt;ref&amp;gt;https://theapplewiki.com/wiki/Eligibility&amp;lt;/ref&amp;gt; misrepresenting/overstating risks, and using existing, trusted terms to describe unreasonably difficult to use systems.&lt;br /&gt;
&lt;br /&gt;
==Background info==&lt;br /&gt;
Important terms you&#039;ll run into in this article:&lt;br /&gt;
&lt;br /&gt;
*&#039;&#039;&#039;[[wikipedia:Sandbox (computer security)|Sandbox]]&#039;&#039;&#039;: Reduces exposure of the user&#039;s device/data to security risks, by reducing what an app is allowed to do.&lt;br /&gt;
*&#039;&#039;&#039;[https://theapplewiki.com/wiki/Entitlements Entitlements]&#039;&#039;&#039;: Apple&#039;s method of &amp;quot;poking holes&amp;quot; in the sandbox, to give the app more permissions. Some are available to developers, while many are only available to Apple.&lt;br /&gt;
*&#039;&#039;&#039;[[wikipedia:Digital Markets Act|Digital Markets Act]]&#039;&#039;&#039;: The European Union&#039;s fairly sweeping recent regulations forcing companies they classify as &amp;quot;gatekeepers&amp;quot; to play nice, giving smaller businesses access to software/hardware features the gatekeepers have historically reserved for their own use.&lt;br /&gt;
&lt;br /&gt;
==In-app purchases==&lt;br /&gt;
Apple has been collecting users&#039; credit card numbers since opening the iTunes Store in 2004. The opening of the App Store in 2008, followed by the introduction of in-app purchases (IAPs) in 2009, gave iPhone app developers the opportunity to sell app features to users. The IAP system is provided as a developer framework named [https://developer.apple.com/storekit/ StoreKit]. Apps and their in-app purchases are managed through a dashboard named [https://developer.apple.com/app-store-connect/ App Store Connect]. App sales have eclipsed iTunes Store sales, and are now a primary focus of Apple&#039;s Media Services division.&lt;br /&gt;
&lt;br /&gt;
Apple requires every purchase of a digital good or service in an app to use their in-app purchase system. This may seem reasonable, because the customer may inevitably call Apple support, demanding a refund for an app they have issues with. Apple would rather give that refund and leave the customer with a positive support experience than provide a messy process that involves contacting a third party, whose customer service is likely nowhere near the same experience.&lt;br /&gt;
&lt;br /&gt;
App Store purchase fees are between 15% and 30%. In September 2016, Apple expanded subscriptions to be available to any type of app, also introducing a 15% discount incentive when the user has already subscribed for a year.&amp;lt;ref&amp;gt;https://www.theverge.com/2016/9/2/12774758/apple-developers-app-store-new-subscription-rules&amp;lt;/ref&amp;gt; In November 2020, Apple introduced a reduced 15% fee for app developers with revenue below $1 million per year, with exceptions such as for games.&amp;lt;ref&amp;gt;https://tidbits.com/2020/11/18/apple-drops-app-store-commission-to-15-for-small-developers/&amp;lt;/ref&amp;gt; Otherwise, the fee is 30%. In the 2008 announcement of the App Store, Apple considered this a reasonable, industry-standard fee. However, the way we use apps has significantly evolved since 2009 - the world has shifted to heavily rely on mobile apps, which have also evolved into more complex and sustainable business models than a simple one-time purchase.&lt;br /&gt;
&lt;br /&gt;
[[wikipedia:Stripe, Inc.|Stripe]], a very popular platform used for payments on the web, uses a base fee of 2.9% plus a fixed $0.30 in the United States.&amp;lt;ref&amp;gt;https://stripe.com/pricing&amp;lt;/ref&amp;gt; With add-on services, before considering volume discounts, a Stripe transaction may rather have a cost of 6.4% + $1.10.&amp;lt;ref&amp;gt;Calculated from base fee (2.9% + $0.30) + international card (1.5%) + adaptive pricing (2%) + international payment methods ($0.80), as of January 2025&amp;lt;/ref&amp;gt; Competing payments services have fees close or identical to this. &#039;&#039;&#039;The in-app purchase system does not provide sufficient value to justify considerably higher fees than alternative payment platforms.&#039;&#039;&#039;&lt;br /&gt;
&lt;br /&gt;
The App Store system poorly handles secondary marketplaces of digital services that exist within the primary App Store marketplace, such as Patreon. Apple, however, still requires companies in the business of selling digital services to use this inadequate system. This requires the app to account for Apple&#039;s fee, which is significant enough to often warrant increasing prices, and to follow rules even if they do not make sense for the nature of service they are providing. Apple has frequently been found in disputes with such apps. This injects extra complication at no benefit to the marketplace, the creator, or the customer - only to Apple, who has little to no involvement after delivering the initial app download to the user&#039;s phone. The significant fee also often drives app developers to consider building their app around an advertising model instead, creating privacy concerns.&lt;br /&gt;
&lt;br /&gt;
Additionally, the 15% small businesses fee discount is judged based on the app&#039;s overall turnover, and is not based on individual creators in the app&#039;s marketplace. An app that turns over $1 million per year by providing services to creators that individually make less than $1 million per year does not have the opportunity to use the discount.&lt;br /&gt;
&lt;br /&gt;
Apple, often together with Google, uses lobbying efforts in the United States and other countries in an attempt to minimize the issues. &amp;quot;ACT | The App Association&amp;quot;, pitched as an association of independent small business app developers, is at least 50% funded by Apple, and does not list its claimed 2,000 members.&amp;lt;ref&amp;gt;http://www.fosspatents.com/2021/10/not-class-act-so-called-app-association.html&amp;lt;/ref&amp;gt;&amp;lt;ref&amp;gt;http://www.fosspatents.com/2022/09/vast-majority-of-act-app-associations.html&amp;lt;/ref&amp;gt; In March 2024, the United States Department of Justice along with 16 state attorneys-general filed a lawsuit against Apple, including an accusation that the company &amp;quot;extracts more money from consumers, developers, content creators, artists, publishers, small businesses, and merchants, among others&amp;quot;.&amp;lt;ref name=&amp;quot;doj&amp;quot; /&amp;gt; The future of this lawsuit is unclear as of January 2025.&lt;br /&gt;
&lt;br /&gt;
Despite criticism of Apple forcing their fee into transactions with small businesses and creators on [[#Patreon|Patreon]], [[#Facebook online events|Facebook]], and similar platforms, on 23 January 2025, Apple announced the Advanced Commerce API. It &amp;quot;support[s] developers&#039; evolving business models - such as exceptionally large content catalogs, creator experiences, and subscriptions with optional add-ons&amp;quot;.&amp;lt;ref&amp;gt;https://developer.apple.com/news/?id=yxy958ya&amp;lt;/ref&amp;gt; While positioned as a way for such businesses to save development time and avoid ongoing costs by building on top of Apple&#039;s mature payments platform, its use is in fact necessary for these businesses to work within the App Store guidelines, as seen in cases outlined below. The feature requires submitting the app&#039;s business model to Apple for approval. This continues a trend of requiring Apple&#039;s consent to conduct business in a place users have been trained to expect it.&lt;br /&gt;
&lt;br /&gt;
Given Apple&#039;s strong incentives, and a ticking clock as legal pressure builds, it is not hard to find stories from app developers regarding poor experiences with Apple&#039;s app review process.&lt;br /&gt;
&lt;br /&gt;
:&#039;&#039;This list is extremely incomplete. Please add examples if you know of any.&#039;&#039;&lt;br /&gt;
&lt;br /&gt;
===Facebook online events===&lt;br /&gt;
In August 2020, in response to the COVID-19 pandemic, Facebook introduced the ability for small businesses to accept an entrance fee for events. Previously, Facebook would only act as a way to RSVP for the event - the organizer must use a third-party event ticketing system to collect fees. The company pledged to not collect any fee on event sales &amp;quot;until 2023&amp;quot;.&amp;lt;ref&amp;gt;https://about.fb.com/news/2020/08/paid-online-events/&amp;lt;/ref&amp;gt;&lt;br /&gt;
&lt;br /&gt;
Apple disagreed, requiring the feature to use the in-app purchases system. This introduced Apple&#039;s 30% fee. As this increases the price the user pays, with no benefit to the small business the user intended to support, the fee was displayed as a line item in checkout. Apple did not accept this disclosure of the fee, referring to it as &amp;quot;irrelevant&amp;quot;.&amp;lt;ref name=&amp;quot;facebook&amp;quot; /&amp;gt; Facebook was allowed to compromise on displaying the fee, but &#039;&#039;without&#039;&#039; indicating that it is specifically an App Store fee.&lt;br /&gt;
&lt;br /&gt;
===HEY===&lt;br /&gt;
HEY.com is a paid webmail provider launched in June 2020 by long-time software company [[wikipedia:37signals|37signals]], specializing in inbox organization tools.&lt;br /&gt;
&lt;br /&gt;
After successfully launching the initial version of the app on the App Store, the company announced that an update was rejected due to a complaint about the business model. The app did not intend to support in-app purchases - instead, the user is expected to already have an account with the service. Apple did not like this arrangement, and demanded the company build an in-app subscription option. The company argued that they are being held to a different set of rules than apps such as [[Netflix]], whose app does not provide any way to purchase a subscription.&amp;lt;ref&amp;gt;https://www.theverge.com/2020/6/16/21293419/hey-apple-rejection-ios-app-store-dhh-gangsters-antitrust&amp;lt;/ref&amp;gt; After a suggestion from Apple executive Phil Schiller in the media, HEY introduced a 14 day free trial mode, which was approved.&amp;lt;ref&amp;gt;https://www.hey.com/apple/path/&amp;lt;/ref&amp;gt;&amp;lt;ref&amp;gt;https://techcrunch.com/2020/06/18/interview-apples-schiller-says-position-on-hey-app-is-unchanged-and-no-rules-changes-are-imminent/&amp;lt;/ref&amp;gt;&lt;br /&gt;
&lt;br /&gt;
===Patreon===&lt;br /&gt;
In August 2024, [[Patreon]] announced a change in arrangement with Apple for its App Store app. From November 2024, subscriptions started from the iOS app would be required to use the in-app purchase system, bypassing Patreon&#039;s own long-standing payments practices.&amp;lt;ref&amp;gt;https://news.patreon.com/articles/understanding-apple-requirements-for-patreon&amp;lt;/ref&amp;gt;&amp;lt;ref name=&amp;quot;patreon&amp;quot; /&amp;gt; This change does not affect the Android app.&lt;br /&gt;
&lt;br /&gt;
By forcing Patreon out of the payments pipeline, certain payment models are no longer available to users of Patreon&#039;s iOS app. Creators who rely on the &amp;quot;per-creation&amp;quot; payment model, as opposed to the standard &amp;quot;per-month&amp;quot;, can no longer be subscribed to from the app. The app is also not able to support the &amp;quot;first-of-the-month&amp;quot; model, where payments from all subscribers are collected on the first day of the month, rather than every 30 days since each member&#039;s day of subscription. The price must also be rounded to a price tier supported by Apple.&lt;br /&gt;
&lt;br /&gt;
Patreon provides creators with the choice to increase their prices by 30% in the iOS app, or to keep the same prices but forfeit 30% to Apple. Creators frequently remind potential supporters to not use the Patreon iOS app, adding extra inconvenience to those wanting to support the work of small creators.&lt;br /&gt;
&lt;br /&gt;
&amp;lt;gallery mode=&amp;quot;packed&amp;quot; heights=&amp;quot;500px&amp;quot;&amp;gt;&lt;br /&gt;
File:Patreon iOS app pricing options - fee on top.png|&amp;quot;Maintain earnings and cover Apple&#039;s fee by increasing prices in iOS app&amp;quot; (Recommended)&lt;br /&gt;
File:Patreon iOS app pricing options - absorb fee.png|&amp;quot;Keep prices in the iOS app the same and cover Apple&#039;s fee yourself&amp;quot;&lt;br /&gt;
&amp;lt;/gallery&amp;gt;&lt;br /&gt;
&lt;br /&gt;
A similar case occurred with the app Fanhouse in 2021.&amp;lt;ref&amp;gt;https://twitter.com/jasminericegirl/status/1402691047940100100&amp;lt;/ref&amp;gt;&lt;br /&gt;
&lt;br /&gt;
===Twitter===&lt;br /&gt;
In August 2021, [[Twitter]] introduced a feature named Super Follows (now Subscriptions), in which a user can pay a subscription fee to access more of a creator&#039;s content. For each user who enables Subscriptions, Twitter must submit a new in-app purchase SKU to the App Store, which will become available with the next update to the app.&amp;lt;ref&amp;gt;https://twitter.com/wongmjane/status/1433372120080261120&amp;lt;/ref&amp;gt; This, of course, is subject to the 30% fee. At the time of writing in January 2025, viewing the App Store listing reveals Elon Musk&#039;s $4.00 subscription as the fourth most popular IAP item.&lt;br /&gt;
&lt;br /&gt;
==Notarization==&lt;br /&gt;
Since 2015, Apple expects all Mac apps to be &amp;quot;notarized&amp;quot;. This is a preliminary, automated malware check, which upon passing, provides a notary certificate that gets &amp;quot;stapled&amp;quot; to the app. Apple&#039;s explanation:&lt;br /&gt;
&lt;br /&gt;
&amp;lt;blockquote&amp;gt;&lt;br /&gt;
Notarization of macOS software is not App Review. The Apple notary service is an automated system that scans your software for malicious content, checks for code-signing issues, and returns the results to you quickly. If there are no issues, the notary service generates a ticket for you to staple to your software; the notary service also publishes that ticket online where Gatekeeper can find it.&amp;lt;ref&amp;gt;https://developer.apple.com/documentation/security/notarizing-macos-software-before-distribution&amp;lt;/ref&amp;gt;&lt;br /&gt;
&amp;lt;/blockquote&amp;gt;&lt;br /&gt;
&lt;br /&gt;
Whether this is actually a better approach than used by Windows antivirus, where they find out about new malware samples only when they end up on a user&#039;s computer, is a separate topic.&lt;br /&gt;
&lt;br /&gt;
To comply with the DMA&#039;s regulations on app marketplaces, Apple created a new channel of releasing apps outside of the iOS App Store. Apps go through a notarization process. But the process is definitely &#039;&#039;not&#039;&#039; notarization. The name is intentionally being abused, by contrast to notarization on macOS, to make you believe it is something other than the existing App Review system. Despite the pain some developers and users have with it, notarization on macOS has always been considered a net positive. It made sense to take advantage of its reputation for the entirely different &amp;quot;notarization&amp;quot; on iOS.&lt;br /&gt;
&lt;br /&gt;
See for yourself - view the [https://developer.apple.com/app-store/review/guidelines/ App Review Guidelines] and tick &amp;quot;Show Notarization Review Guidelines Only&amp;quot;. While most rules are knocked out by this, a good number of them are still in place. These apps are still reviewed and tested by the App Review team, must have a full product listing in App Store Connect, and can be outright rejected - all in the same way as an App Store app.&lt;br /&gt;
&lt;br /&gt;
By contrast, all that is required for notarization on macOS is for your app to not be malware. You submit it to an automated system that approves it within minutes. &#039;&#039;&#039;You don&#039;t need to convince Apple your app is worthy of existing on their platform.&#039;&#039;&#039;&lt;br /&gt;
&lt;br /&gt;
The point of macOS notarization is that Apple has a record of all binaries that are intended for wide distribution on macOS, and can review them both in advance and on a regular basis for known malware/common malware patterns. If a malware app manages to initially get through, then once Apple finds out, they can go back through the notary records and find every sample of that malware to analyze and block. This is purely a technical process, managed by skilled security researchers, while iOS app review and &amp;quot;notarization&amp;quot; are a business process, managed by workers who have been given a checklist of violations to look for.&lt;br /&gt;
&lt;br /&gt;
Apple is retaining complete control over what&#039;s allowed to run on iOS. On macOS, you can choose to run apps that have not been notarized (even though the process to bypass the warning is intentionally difficult). On iOS, you never get even that option. What Apple created is the App Store but with more steps. It still goes on the App Store, just hidden so it can only be installed by the third-party store it&#039;s tied to.&lt;br /&gt;
&lt;br /&gt;
*Mysk: &amp;quot;iOS should enable alternative marketplaces to add their own links when users share their apps. Links still point to the App Store and if the app is not available there, this happens.&amp;quot;&amp;lt;ref&amp;gt;https://twitter.com/mysk_co/status/1806638308455256242&amp;lt;/ref&amp;gt;&lt;br /&gt;
&lt;br /&gt;
==JIT==&lt;br /&gt;
Safari is allowed to [[wikipedia:Just-in-time compilation|just-in-time]] compile code worldwide. The super short version of what that means: it can run JavaScript code &#039;&#039;really fast&#039;&#039;. All browsers, and other runtimes like Microsoft .NET, Java, Lua use this. Ok, fine, it&#039;s the system web browser, it&#039;s very carefully written to be secure, and it&#039;s important to the platform to be doing well in performance benchmarks and all that.&lt;br /&gt;
&lt;br /&gt;
Apple&#039;s [https://apps.apple.com/app/swift-playgrounds/id908519492 Playgrounds] app on iPad is also allowed to JIT. It bundles Apple&#039;s [[wikipedia:Swift (programming language)|Swift]] compiler, and shares backend code with the version of Playgrounds found in [[wikipedia:Xcode|Xcode]].&lt;br /&gt;
&lt;br /&gt;
Competing apps like Pythonista (a Python IDE), emulators like Delta and UTM, and terminal environments like iSH, are not allowed to JIT. As such, they need to rely on inferior performance, potentially from an entirely separate implementation of their compiler/interpreter that may be less proven, because the JIT-less implementation doesn&#039;t need to exist on any other platform.&lt;br /&gt;
&lt;br /&gt;
Likely the most clear example is UTM SE. UTM is a port of the [[wikipedia:QEMU|QEMU]] emulator to iOS, allowing you to run desktop OSes (Linux, Windows 98, XP, classic Mac OS, etc). iPhone hardware is very capable these days and it runs impressively well, &#039;&#039;if&#039;&#039; you use a hack to enable JIT (which Apple has now patched). &amp;quot;SE&amp;quot; stands for &amp;quot;slow edition&amp;quot; - yes, really. If you compare the true version of UTM to the App Store UTM SE app, you &#039;&#039;will&#039;&#039; feel the loss in performance. It&#039;s impressive UTM even got to be on the App Store at all, and the DMA is to thank for it. But Apple is still holding the line on allowing JIT to apps that require that performance.&lt;br /&gt;
&lt;br /&gt;
While UTM SE releasing at all might seem like a pathway to getting Firefox and Chrome &amp;quot;slow editions&amp;quot; on the App Store, browser engines other than the built-in Apple WebKit/JavaScriptCore are still outlawed.&amp;lt;ref&amp;gt;https://developer.apple.com/app-store/review/guidelines/#2.5.6&amp;lt;/ref&amp;gt; In the EU, Apple has blessed web browser JavaScript engines with the option to use JIT. The app must be approved for an entitlement, and then must work within APIs provided by Apple for it. As of January 2025, no browsers have been released using this. We were all anticipating proper competition around web browsers on iOS, but almost a year later, we have nothing. Mozilla has [https://www.theverge.com/2024/1/26/24052067/mozilla-apple-ios-browser-rules-firefox discussed] why.&lt;br /&gt;
&lt;br /&gt;
==Sandbox==&lt;br /&gt;
You might not like app sandboxing, but it&#039;s a powerful security feature used on all modern platforms. The reality is very few apps need more than a few basic permissions. [[wikipedia:Flatpak|Flatpak]] on Linux also sandboxes apps, and it seems to work great! Still, it&#039;s completely fair that there should be processes for doing things beyond what the sandbox allows. You see some of this with permission prompts - does a flashlight app &#039;&#039;really&#039;&#039; need access to your contacts? (Apple has been burned by apps abusing user data before the current permission system was built out.&amp;lt;ref&amp;gt;https://www.theverge.com/2012/2/14/2798008/ios-apps-and-the-address-book-what-you-need-to-know&amp;lt;/ref&amp;gt;)&lt;br /&gt;
&lt;br /&gt;
It can go further than this. As we established in previous sections, an app can be given more access to features of the system using entitlements. These come in a few flavors:&lt;br /&gt;
&lt;br /&gt;
*&#039;&#039;&#039;Completely safe&#039;&#039;&#039;: Entitlements any developer can opt into, with little to no risk.&lt;br /&gt;
*&#039;&#039;&#039;Approval required&#039;&#039;&#039;: Entitlements that might be more of a security risk to allow, e.g. giving considerably wider access to the system, or that Apple simply doesn&#039;t want to hand out to just &#039;&#039;anyone&#039;&#039; for competitive reasons. The developer must submit a request to Apple with evidence of why they need the entitlement.&lt;br /&gt;
*&#039;&#039;&#039;Private&#039;&#039;&#039;: Entitlements that are never allowed for any app developer to use. Many of these are reasonably fenced off because they handle user data that is very risky, or bypasses permission prompts, etc, but can just as well also be guarding features Apple wants to keep to itself.&lt;br /&gt;
&lt;br /&gt;
There have been [https://gizmodo.com/researchers-uber-s-ios-app-had-secret-permissions-that-1819177235 exceptions] where Apple quietly gave a company access to private entitlements anyway, raising eyebrows.&lt;br /&gt;
&lt;br /&gt;
On iOS, you also can&#039;t be &#039;&#039;more&#039;&#039; secure than the default sandbox. That might seem crazy if you&#039;re not a developer, but it&#039;s pretty important for security in a variety of situations. On macOS, there are several entitlements you must declare to decide whether you&#039;re allowed to access certain types of user data at all. Android used this design from the very start - you can&#039;t even do fundamental things like access the internet without declaring it in your manifest. It makes it very explicit what the app&#039;s intentions are.&lt;br /&gt;
&lt;br /&gt;
iOS has one sandbox used by all App Store apps. System apps, and App Store apps developed by Apple, are allowed to expand or reduce their sandbox permissions as needed. Third-party apps do not get the right to expand or reduce their sandbox permissions at all. This is clearly less secure. To take the example of Playgrounds again, while it&#039;s allowed to run your code from a separate process executing in an ultra locked down sandbox with very few permissions, competing apps such as Pythonista must run your code in the same sandbox and address space as the main app process. The Python interpreter crashing would therefore crash the entire app, possibly losing work. In the worst case, a vulnerability in third-party code could give access to all data stored by/accessible to the app. For example, it would be a nightmare if you can tap the wrong link in Safari and have a hacker easily steal your cookies from other websites. If that third-party code could run in its own limited sandbox, the risk is significantly reduced.&lt;br /&gt;
&lt;br /&gt;
The only known workaround is to execute the code via JavaScript, as Apple&#039;s JavaScriptCore engine runs in a heavily sandboxed process. This requires you to port the code to JS, which may be a lot of work, or just not viable. You wouldn&#039;t want to run the Python interpreter inside JavaScript - the performance would be terrible!&lt;br /&gt;
&lt;br /&gt;
==In-app browsers==&lt;br /&gt;
Safari&#039;s in-app browser, that is, the minimal version you get when tapping a link from social media, uses an entirely separate data store for each app. The in-app browser isn&#039;t aware of cookies in the &amp;quot;full&amp;quot; Safari app, or any other app, and doesn&#039;t support Safari extensions. Apple claimed this was to prevent malicious apps from stealing or setting cookies in Safari without your knowledge, which is a fair argument, but it&#039;s hard to not notice that it makes web browsing inconvenient, encouraging users to install native apps, where they can make transactions through Apple.&amp;lt;ref&amp;gt;https://github.com/openid/AppAuth-iOS/issues/120&amp;lt;/ref&amp;gt;&lt;br /&gt;
&lt;br /&gt;
This also means your browsing in the in-app browser is just forgotten - there&#039;s no history menu, and it doesn&#039;t get logged to the history in the full Safari app either. Good luck recalling that article you read a few weeks ago.&lt;br /&gt;
&lt;br /&gt;
==See also==&lt;br /&gt;
*[https://theapplewiki.com/wiki/Eligibility Eligibility]&lt;br /&gt;
*Posts written by an author of this article:&lt;br /&gt;
**[https://adamdemasi.com/2024/04/19/app-marketplace-experience.html The iOS 17.4 app marketplace flow is a disaster]&lt;br /&gt;
**[https://adamdemasi.com/2024/04/20/ios-eligibility.html How I tricked iOS into giving me EU DMA features]&lt;br /&gt;
**[https://adamdemasi.com/2024/04/23/ios-eligibility-features.html Features controlled by iOS 17.4&#039;s eligibility system]&lt;br /&gt;
&lt;br /&gt;
==References==&lt;br /&gt;
&amp;lt;references /&amp;gt;&lt;br /&gt;
&lt;br /&gt;
[[Category:Apple]]&lt;/div&gt;</summary>
		<author><name>Kirb</name></author>
	</entry>
	<entry>
		<id>https://mirror.consumerrights.wiki/index.php?title=Apple_App_Store&amp;diff=5364</id>
		<title>Apple App Store</title>
		<link rel="alternate" type="text/html" href="https://mirror.consumerrights.wiki/index.php?title=Apple_App_Store&amp;diff=5364"/>
		<updated>2025-01-25T07:01:39Z</updated>

		<summary type="html">&lt;p&gt;Kirb: Add new Advanced Commerce API, other tweaks&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;[[File:App Store (iOS).svg|thumb|150px]]&lt;br /&gt;
&lt;br /&gt;
Apple uses several technical measures to protect their App Store ecosystem and prevent consumer choice. They are good at obscuring their intentions with technical roadblocks, while typically citing security reasons for them - assuming the public even recognizes what is going on. This actively hurts the ability for lawmakers to have an accurate understanding, so they can consider applying legislative pressure.&lt;br /&gt;
&lt;br /&gt;
A never-ending demand for a cut of every sale of a digital product, ranging from game currency, to supporting content creators,&amp;lt;ref name=&amp;quot;patreon&amp;quot;&amp;gt;https://www.theverge.com/2024/8/12/24218629/patreon-membership-ios-30-percent-apple-tax&amp;lt;/ref&amp;gt; to booking a Zoom call with a local business,&amp;lt;ref name=&amp;quot;facebook&amp;quot;&amp;gt;https://www.reuters.com/article/us-facebook-apple-exclusive/exclusive-facebook-says-apple-rejected-its-attempt-to-tell-users-about-app-store-fees-idUSKBN25O042/&amp;lt;/ref&amp;gt; hurts the ability for app developers to innovate. These developers, working hard and pulling countless hours to build a quality app, always need to take Apple&#039;s (and [[Google]]&#039;s) demands into account - specifically, between 15% and 30% of their revenue. This is revenue that can be reinvested into the app, but instead must be earmarked for the platform they are &#039;&#039;&#039;required&#039;&#039;&#039; to use to reach their customers.&lt;br /&gt;
&lt;br /&gt;
Because this is a clear problem, several governments, including South Korea,&amp;lt;ref&amp;gt;https://www.reuters.com/technology/skorea-approves-rules-app-store-law-targeting-apple-google-2022-03-08/&amp;lt;/ref&amp;gt; Japan,&amp;lt;ref&amp;gt;https://www.theregister.com/2024/06/13/japan_smartphone_software_law/&amp;lt;/ref&amp;gt; the European Union,&amp;lt;ref&amp;gt;[[wikipedia:Digital Markets Act|Digital Markets Act]]&amp;lt;/ref&amp;gt; the United Kingdom,&amp;lt;ref&amp;gt;https://www.gov.uk/cma-cases/investigation-into-apple-appstore&amp;lt;/ref&amp;gt; Australia,&amp;lt;ref&amp;gt;https://www.accc.gov.au/media-release/dominance-of-apple-and-googles-app-stores-impacting-competition-and-consumers&amp;lt;/ref&amp;gt; as well as the US and a handful of states,&amp;lt;ref&amp;gt;[[wikipedia:Open App Markets Act|Open App Markets Act]]&amp;lt;/ref&amp;gt;&amp;lt;ref&amp;gt;https://www.congress.gov/bill/118th-congress/senate-bill/5364/text/is&amp;lt;/ref&amp;gt;&amp;lt;ref name=&amp;quot;doj&amp;quot;&amp;gt;https://apnews.com/article/apple-antitrust-monopoly-app-store-justice-department-822d7e8f5cf53a2636795fcc33ee1fc3&amp;lt;/ref&amp;gt;&amp;lt;ref&amp;gt;https://azcapitoltimes.com/news/2021/02/19/its-time-to-free-ourselves-from-big-tech-monopoly/&amp;lt;/ref&amp;gt; have opened investigations into anti-competitive practices, or considered or already passed legislation to force &amp;quot;gatekeeper platforms&amp;quot; such as Apple to be more reasonable with third-party developers.&lt;br /&gt;
&lt;br /&gt;
This being a major threat to Apple&#039;s revenue stream (interestingly, one they claim to be unsure is profitable&amp;lt;ref&amp;gt;https://9to5mac.com/2024/04/17/app-store-is-profitable-apple-notes/&amp;lt;/ref&amp;gt;&amp;lt;ref&amp;gt;https://9to5mac.com/2025/01/17/apple-denies-app-store-profit-margin-is-75-claims-to-have-no-clue/&amp;lt;/ref&amp;gt;), they have responded with practices such as geoblocking certain operating system functionality based on physical location,&amp;lt;ref&amp;gt;https://theapplewiki.com/wiki/Eligibility&amp;lt;/ref&amp;gt; misrepresenting/overstating risks, and using existing, trusted terms to describe unreasonably difficult to use systems.&lt;br /&gt;
&lt;br /&gt;
==Background info==&lt;br /&gt;
Important terms you&#039;ll run into in this article:&lt;br /&gt;
&lt;br /&gt;
*&#039;&#039;&#039;[[wikipedia:Sandbox (computer security)|Sandbox]]&#039;&#039;&#039;: Reduces exposure of the user&#039;s device/data to security risks, by reducing what an app is allowed to do.&lt;br /&gt;
*&#039;&#039;&#039;[https://theapplewiki.com/wiki/Entitlements Entitlements]&#039;&#039;&#039;: Apple&#039;s method of &amp;quot;poking holes&amp;quot; in the sandbox, to give the app more permissions. Some are available to developers, while many are only available to Apple.&lt;br /&gt;
*&#039;&#039;&#039;[[wikipedia:Digital Markets Act|Digital Markets Act]]&#039;&#039;&#039;: The European Union&#039;s fairly sweeping recent regulations forcing companies it classifies as &amp;quot;gatekeepers&amp;quot; to play nice, giving smaller businesses access to software/hardware features the gatekeepers have historically reserved for their own use.&lt;br /&gt;
&lt;br /&gt;
==In-app purchases==&lt;br /&gt;
Apple has been collecting users&#039; credit card numbers since opening the iTunes Store in 2004. The opening of the App Store in 2008, followed by the introduction of in-app purchases (IAPs) in 2009, gave iPhone app developers the opportunity to sell app features to users. The IAP system is provided as a developer framework named [https://developer.apple.com/storekit/ StoreKit]. Apps and their in-app purchases are managed through a dashboard named [https://developer.apple.com/app-store-connect/ App Store Connect]. App sales have eclipsed iTunes Store sales, and are now a primary focus of Apple&#039;s Media Services division.&lt;br /&gt;
&lt;br /&gt;
Apple requires every purchase of a digital good or service in an app to use their in-app purchase system. This may seem reasonable, because the customer may inevitably call Apple support, demanding a refund for an app they have issues with. Apple would rather give that refund and leave the customer with a positive support experience, than to provide a messy process involving contacting a third-party, whose customer service is likely nowhere near the same experience.&lt;br /&gt;
&lt;br /&gt;
App Store purchase fees are between 15% and 30%. In September 2016, Apple expanded subscriptions to be available to any type of app, also introducing a 15% discount incentive when the user has already subscribed for a year.&amp;lt;ref&amp;gt;https://www.theverge.com/2016/9/2/12774758/apple-developers-app-store-new-subscription-rules&amp;lt;/ref&amp;gt; In November 2020, Apple introduced a reduced 15% fee for app developers with revenue below $1 million per year, with exceptions such as for games.&amp;lt;ref&amp;gt;https://tidbits.com/2020/11/18/apple-drops-app-store-commission-to-15-for-small-developers/&amp;lt;/ref&amp;gt; Otherwise, the fee is 30%. In the 2008 announcement of the App Store, Apple considered this a reasonable, industry-standard fee. However, the way we use apps has significantly evolved since 2009 - the world has shifted to heavily rely on mobile apps, which have also evolved into more complex and sustainable business models than a simple one-time purchase.&lt;br /&gt;
&lt;br /&gt;
[[wikipedia:Stripe, Inc.|Stripe]], a very popular platform used for payments on the web, uses a base fee of 2.9% plus a fixed $0.30 in the United States.&amp;lt;ref&amp;gt;https://stripe.com/pricing&amp;lt;/ref&amp;gt; With add-on services, before considering volume discounts, a Stripe transaction may rather have a cost of 6.4% + $1.10.&amp;lt;ref&amp;gt;Calculated from base fee (2.9% + $0.30) + international card (1.5%) + adaptive pricing (2%) + international payment methods ($0.80), as of January 2025&amp;lt;/ref&amp;gt; Competing payments services have fees close or identical to this. &#039;&#039;&#039;The in-app purchase system does not provide sufficient value to justify considerably higher fees than alternative payment platforms.&#039;&#039;&#039;&lt;br /&gt;
&lt;br /&gt;
The App Store system poorly handles secondary marketplaces of digital services that exist within the primary App Store marketplace, such as Patreon. Apple, however, still requires companies in the business of selling digital services to use this inadequate system. This requires the app to account for Apple&#039;s fee, which is significant enough to often warrant increasing prices, and to follow rules even if they do not make sense for the nature of service they are providing. Apple has frequently been found in disputes with such apps. This injects extra complication at no benefit to the marketplace, the creator, or the customer - only to Apple, who has little to no involvement after delivering the initial app download to the user&#039;s phone. The significant fee also often drives app developers to consider building their app around an advertising model instead, creating privacy concerns.&lt;br /&gt;
&lt;br /&gt;
Additionally, the 15% small businesses fee discount is judged based on the app&#039;s overall turnover, and is not based on individual creators in the app&#039;s marketplace. An app that turns over $1 million per year by providing services to creators that individually make less than $1 million per year does not have the opportunity to use the discount.&lt;br /&gt;
&lt;br /&gt;
Apple, often together with Google, uses lobbying efforts in the United States and other countries in an attempt to minimize the issues. &amp;quot;ACT | The App Association&amp;quot;, pitched as an association of independent small business app developers, is at least 50% funded by Apple, and does not list its claimed 2,000 members.&amp;lt;ref&amp;gt;http://www.fosspatents.com/2021/10/not-class-act-so-called-app-association.html&amp;lt;/ref&amp;gt;&amp;lt;ref&amp;gt;http://www.fosspatents.com/2022/09/vast-majority-of-act-app-associations.html&amp;lt;/ref&amp;gt; In March 2024, the United States Department of Justice along with 16 state attorneys-general filed a lawsuit against Apple, including an accusation that the company &amp;quot;extracts more money from consumers, developers, content creators, artists, publishers, small businesses, and merchants, among others&amp;quot;.&amp;lt;ref name=&amp;quot;doj&amp;quot; /&amp;gt; The future of this lawsuit is unclear as of January 2025.&lt;br /&gt;
&lt;br /&gt;
Despite criticism of Apple forcing their fee into transactions with small businesses and creators on [[#Patreon|Patreon]], [[#Facebook online events|Facebook]], and similar platforms, on 23 January 2025, Apple announced the Advanced Commerce API. It &amp;quot;support[s] developers&#039; evolving business models - such as exceptionally large content catalogs, creator experiences, and subscriptions with optional add-ons&amp;quot;.&amp;lt;ref&amp;gt;https://developer.apple.com/news/?id=yxy958ya&amp;lt;/ref&amp;gt; While positioned as a way for such businesses to save development time and avoid ongoing costs by building on top of Apple&#039;s mature payments platform, its use is in fact necessary for these businesses to work within the App Store guidelines, as seen in cases outlined below. The feature requires submitting the app&#039;s business model to Apple for approval. This continues a trend of requiring Apple&#039;s consent to conduct business in a place users have been trained to expect it.&lt;br /&gt;
&lt;br /&gt;
Given Apple&#039;s strong incentives, and a ticking clock as legal pressure builds, it is not hard to find stories from app developers regarding poor experiences with Apple&#039;s app review process.&lt;br /&gt;
&lt;br /&gt;
:&#039;&#039;This list is extremely incomplete. Please add examples if you know of any.&#039;&#039;&lt;br /&gt;
&lt;br /&gt;
===Facebook online events===&lt;br /&gt;
In August 2020, in response to the COVID-19 pandemic, Facebook introduced the ability for small businesses to accept an entrance fee for events. Previously, Facebook would only act as a way to RSVP for the event - the organizer must use a third-party event ticketing system to collect fees. The company pledged to not collect any fee on event sales &amp;quot;until 2023&amp;quot;.&amp;lt;ref&amp;gt;https://about.fb.com/news/2020/08/paid-online-events/&amp;lt;/ref&amp;gt;&lt;br /&gt;
&lt;br /&gt;
Apple disagreed, requiring the feature to use the in-app purchases system. This introduced Apple&#039;s 30% fee. As this increases the price the user pays, with no benefit to the small business the user intended to support, the fee was displayed as a line item in checkout. Apple did not accept this disclosure of the fee, referring to it as &amp;quot;irrelevant&amp;quot;.&amp;lt;ref name=&amp;quot;facebook&amp;quot; /&amp;gt; Facebook was allowed to compromise on displaying the fee, but &#039;&#039;without&#039;&#039; indicating that it is specifically an App Store fee.&lt;br /&gt;
&lt;br /&gt;
===HEY===&lt;br /&gt;
HEY.com is a paid webmail provider launched in June 2020 by long-time software company [[wikipedia:37signals|37signals]], specializing in inbox organization tools.&lt;br /&gt;
&lt;br /&gt;
After successfully launching the initial version of their app on the App Store, the company announced that an update was rejected. The app did not intend to support in-app purchases. Instead, the user is expected to already have an account with the service. Apple did not like this arrangement, and demanded the company build an in-app subscription option. The company argued that they are being held to a different set of rules than apps such as [[Netflix]], whose app does not provide any way to purchase.&amp;lt;ref&amp;gt;https://www.theverge.com/2020/6/16/21293419/hey-apple-rejection-ios-app-store-dhh-gangsters-antitrust&amp;lt;/ref&amp;gt; After a suggestion from Apple executive Phil Schiller in the media, HEY introduced a 14 day free trial mode, which was approved.&amp;lt;ref&amp;gt;https://www.hey.com/apple/path/&amp;lt;/ref&amp;gt;&amp;lt;ref&amp;gt;https://techcrunch.com/2020/06/18/interview-apples-schiller-says-position-on-hey-app-is-unchanged-and-no-rules-changes-are-imminent/&amp;lt;/ref&amp;gt;&lt;br /&gt;
&lt;br /&gt;
===Patreon===&lt;br /&gt;
In August 2024, [[Patreon]] announced a change in arrangement with Apple for its App Store app. From November 2024, subscriptions started from the iOS app would be required to use the in-app purchase system, bypassing Patreon&#039;s own long-standing payments practices.&amp;lt;ref&amp;gt;https://news.patreon.com/articles/understanding-apple-requirements-for-patreon&amp;lt;/ref&amp;gt;&amp;lt;ref name=&amp;quot;patreon&amp;quot; /&amp;gt; This change does not affect the Android app.&lt;br /&gt;
&lt;br /&gt;
By forcing Patreon out of the payments pipeline, certain payment models are no longer available to users of Patreon&#039;s iOS app. Creators who rely on the &amp;quot;per-creation&amp;quot; payment model, as opposed to the standard &amp;quot;per-month&amp;quot;, can no longer be subscribed to from the app. The app is also not able to support the &amp;quot;first-of-the-month&amp;quot; model, where payments from all subscribers are collected on the first day of the month, rather than every 30 days since each member&#039;s day of subscription. The price must also be rounded to a price tier supported by Apple.&lt;br /&gt;
&lt;br /&gt;
Patreon provides creators with the choice to increase their prices by 30% in the iOS app, or to keep the same prices but forfeit 30% to Apple. Creators frequently remind potential supporters to not use the Patreon iOS app, adding extra inconvenience to those wanting to support the work of small creators.&lt;br /&gt;
&lt;br /&gt;
&amp;lt;gallery mode=&amp;quot;packed&amp;quot; heights=&amp;quot;500px&amp;quot;&amp;gt;&lt;br /&gt;
File:Patreon iOS app pricing options - fee on top.png|&amp;quot;Maintain earnings and cover Apple&#039;s fee by increasing prices in iOS app&amp;quot; (Recommended)&lt;br /&gt;
File:Patreon iOS app pricing options - absorb fee.png|&amp;quot;Keep prices in the iOS app the same and cover Apple&#039;s fee yourself&amp;quot;&lt;br /&gt;
&amp;lt;/gallery&amp;gt;&lt;br /&gt;
&lt;br /&gt;
A similar case occurred with the app Fanhouse in 2021.&amp;lt;ref&amp;gt;https://twitter.com/jasminericegirl/status/1402691047940100100&amp;lt;/ref&amp;gt;&lt;br /&gt;
&lt;br /&gt;
===Twitter===&lt;br /&gt;
In August 2021, [[Twitter]] introduced a feature named Super Follows (now Subscriptions), in which a user can pay a subscription fee to access more of a creator&#039;s content. For each user who enables Subscriptions, Twitter must submit a new in-app purchase SKU to the App Store, which will become available with the next update to the app.&amp;lt;ref&amp;gt;https://twitter.com/wongmjane/status/1433372120080261120&amp;lt;/ref&amp;gt; This, of course, is subject to the 30% fee. At the time of writing in January 2025, viewing the App Store listing reveals Elon Musk&#039;s $4.00 subscription as the fourth most popular IAP item.&lt;br /&gt;
&lt;br /&gt;
==Notarization==&lt;br /&gt;
Since 2015, Apple expects all Mac apps to be &amp;quot;notarized&amp;quot;. This is a preliminary, automated malware check, which upon passing, provides a notary certificate that gets &amp;quot;stapled&amp;quot; to the app. Apple&#039;s explanation:&lt;br /&gt;
&lt;br /&gt;
&amp;lt;blockquote&amp;gt;&lt;br /&gt;
Notarization of macOS software is not App Review. The Apple notary service is an automated system that scans your software for malicious content, checks for code-signing issues, and returns the results to you quickly. If there are no issues, the notary service generates a ticket for you to staple to your software; the notary service also publishes that ticket online where Gatekeeper can find it.&amp;lt;ref&amp;gt;https://developer.apple.com/documentation/security/notarizing-macos-software-before-distribution&amp;lt;/ref&amp;gt;&lt;br /&gt;
&amp;lt;/blockquote&amp;gt;&lt;br /&gt;
&lt;br /&gt;
Whether this is actually a better approach than the one used by Windows antivirus, where they find out about new malware samples only when they end up on a user&#039;s computer, is a separate topic.&lt;br /&gt;
&lt;br /&gt;
To comply with the DMA&#039;s regulations on app marketplaces, Apple created a new channel of releasing apps outside of the iOS App Store. Apps go through a notarization process. But the process is definitely &#039;&#039;not&#039;&#039; notarization. The name is intentionally being abused, by contrast to notarization on macOS, to make you believe it is something other than the existing App Review system. Despite the pain some developers and users have with it, notarization on macOS has always been considered a net positive. It made sense to take advantage of its reputation for the entirely different &amp;quot;notarization&amp;quot; on iOS.&lt;br /&gt;
&lt;br /&gt;
See for yourself - view the [https://developer.apple.com/app-store/review/guidelines/ App Review Guidelines] and tick &amp;quot;Show Notarization Review Guidelines Only&amp;quot;. While most rules are knocked out by this, a good number of them are still in place. These apps are still reviewed and tested by the App Review team, must have a full product listing in App Store Connect, and can be outright rejected - all in the same way as an App Store app.&lt;br /&gt;
&lt;br /&gt;
By contrast, all that is required for notarization on macOS is for your app to not be malware. You submit it to an automated system that approves it within minutes. &#039;&#039;&#039;You don&#039;t need to convince Apple your app is worthy of existing on their platform.&#039;&#039;&#039;&lt;br /&gt;
&lt;br /&gt;
The point of macOS notarization is that Apple has a record of all binaries that are intended for wide distribution on macOS, and can review them both in advance and on a regular basis for known malware/common malware patterns. If a malware app manages to initially get through, then once Apple finds out, they can go back through the notary records and find every sample of that malware to analyze and block. This is purely a technical process, managed by skilled security researchers, while iOS app review and &amp;quot;notarization&amp;quot; is a business process, managed by workers who have been given a checklist of violations to look for.&lt;br /&gt;
&lt;br /&gt;
Apple is retaining complete control over what&#039;s allowed to run on iOS. On macOS, you can choose to run apps that have not been notarized (even though the process to bypass the warning is intentionally difficult). On iOS, you never get even that option. What Apple created is the App Store but with more steps. It still goes on the App Store, just hidden so it can only be installed by the third-party store it&#039;s tied to.&lt;br /&gt;
&lt;br /&gt;
*Mysk: &amp;quot;iOS should enable alternative marketplaces to add their own links when users share their apps. Links still point to the App Store and if the app is not available there, this happens.&amp;quot;&amp;lt;ref&amp;gt;https://twitter.com/mysk_co/status/1806638308455256242&amp;lt;/ref&amp;gt;&lt;br /&gt;
&lt;br /&gt;
==JIT==&lt;br /&gt;
Safari is allowed to [[wikipedia:Just-in-time compilation|just-in-time]] compile code worldwide. The super short version of what that means: it can run JavaScript code &#039;&#039;really fast&#039;&#039;. All browsers, and other runtimes like Microsoft .NET, Java, Lua use this. Ok, fine, it&#039;s the system web browser, it&#039;s very carefully written to be secure, and it&#039;s important to the platform to be doing well in performance benchmarks and all that.&lt;br /&gt;
&lt;br /&gt;
Apple&#039;s [https://apps.apple.com/app/swift-playgrounds/id908519492 Playgrounds] app on iPad is also allowed to JIT. It bundles Apple&#039;s [[wikipedia:Swift (programming language)|Swift]] compiler, and shares backend code with the version of Playgrounds found in [[wikipedia:Xcode|Xcode]].&lt;br /&gt;
&lt;br /&gt;
Competing apps like Pythonista (a Python IDE), emulators like Delta and UTM, and terminal environments like iSH, are not allowed to JIT. As such, they need to rely on inferior performance, potentially from an entirely separate implementation of their compiler/interpreter that may be less proven, because the JIT-less implementation doesn&#039;t need to exist on any other platform.&lt;br /&gt;
&lt;br /&gt;
Likely the most clear example is UTM SE. UTM is a port of the [[wikipedia:QEMU|QEMU]] emulator to iOS, allowing you to run desktop OSes (Linux, Windows 98, XP, classic Mac OS, etc). iPhone hardware is very capable these days and it runs impressively well, &#039;&#039;if&#039;&#039; you use a hack to enable JIT (which Apple has now patched). &amp;quot;SE&amp;quot; stands for &amp;quot;slow edition&amp;quot; - yes, really. If you compare the true version of UTM to the App Store UTM SE app, you &#039;&#039;will&#039;&#039; feel the loss in performance. It&#039;s impressive UTM even got to be on the App Store at all, and the DMA is to thank for it. But Apple is still holding the line on allowing JIT to apps that require that performance.&lt;br /&gt;
&lt;br /&gt;
While UTM SE releasing at all might seem like a pathway to getting Firefox and Chrome &amp;quot;slow editions&amp;quot; on the App Store, browser engines other than the built-in Apple WebKit/JavaScriptCore are still outlawed.&amp;lt;ref&amp;gt;https://developer.apple.com/app-store/review/guidelines/#2.5.6&amp;lt;/ref&amp;gt; In the EU, Apple has blessed web browser JavaScript engines with the option to use JIT. The app must be approved for an entitlement, and then must work within APIs provided by Apple for it. As of January 2025, no browsers have been released using this. We were all anticipating proper competition around web browsers on iOS, but almost a year later, we have nothing. Mozilla has [https://www.theverge.com/2024/1/26/24052067/mozilla-apple-ios-browser-rules-firefox discussed] why.&lt;br /&gt;
&lt;br /&gt;
==Sandbox==&lt;br /&gt;
You might not like app sandboxing, but it&#039;s a powerful security feature used on all modern platforms. The reality is very few apps need more than a few basic permissions. [[wikipedia:Flatpak|Flatpak]] on Linux also sandboxes apps, and it seems to work great! Still, it&#039;s completely fair that there should be processes for doing things beyond what the sandbox allows. You see some of this with permission prompts - does a flashlight app &#039;&#039;really&#039;&#039; need access to your contacts? (Apple has been burned by apps abusing user data before the current permission system was built out.&amp;lt;ref&amp;gt;https://www.theverge.com/2012/2/14/2798008/ios-apps-and-the-address-book-what-you-need-to-know&amp;lt;/ref&amp;gt;)&lt;br /&gt;
&lt;br /&gt;
It can go further than this. As we established in previous sections, an app can be given more access to features of the system using entitlements. These come in a few flavors:&lt;br /&gt;
&lt;br /&gt;
*&#039;&#039;&#039;Completely safe&#039;&#039;&#039;: Entitlements any developer can opt into, with little to no risk.&lt;br /&gt;
*&#039;&#039;&#039;Approval required&#039;&#039;&#039;: Entitlements that might be more of a security risk to allow, e.g. giving considerably wider access to the system, or that Apple simply doesn&#039;t want to hand out to just &#039;&#039;anyone&#039;&#039; for competitive reasons. The developer must submit a request to Apple with evidence of why they need the entitlement.&lt;br /&gt;
*&#039;&#039;&#039;Private&#039;&#039;&#039;: Entitlements that are never allowed for any app developer to use. Many of these are reasonably fenced off because they handle user data that is very risky, or bypasses permission prompts, etc, but can just as well also be guarding features Apple wants to keep to itself.&lt;br /&gt;
&lt;br /&gt;
There have been [https://gizmodo.com/researchers-uber-s-ios-app-had-secret-permissions-that-1819177235 exceptions] where Apple quietly gave a company access to private entitlements anyway, raising eyebrows.&lt;br /&gt;
&lt;br /&gt;
On iOS, you also can&#039;t be &#039;&#039;more&#039;&#039; secure than the default sandbox. That might seem crazy if you&#039;re not a developer, but it&#039;s pretty important for security in a variety of situations. On macOS, there are several entitlements you must declare to decide whether you&#039;re allowed to access certain types of user data at all. Android used this design from the very start - you can&#039;t even do fundamental things like access the internet without declaring it in your manifest. It makes it very explicit what the app&#039;s intentions are.&lt;br /&gt;
&lt;br /&gt;
iOS has one sandbox used by all App Store apps. System apps, and App Store apps developed by Apple, are allowed to expand or reduce their sandbox permissions as needed. Third-party apps do not get the right to expand or reduce their sandbox permissions at all. This is clearly less secure. To take the example of Playgrounds again, while it&#039;s allowed to run your code from a separate process executing in an ultra locked down sandbox with very few permissions, competing apps such as Pythonista must run your code in the same sandbox and address space as the main app process. The Python interpreter crashing would therefore crash the entire app, possibly losing work. In the worst case, a vulnerability in third-party code could give access to all data stored by/accessible to the app. For example, it would be a nightmare if you can tap the wrong link in Safari and have a hacker easily steal your cookies from other websites. If that third-party code could run in its own limited sandbox, the risk is significantly reduced.&lt;br /&gt;
&lt;br /&gt;
The only known workaround is to execute the code via JavaScript, as Apple&#039;s JavaScriptCore engine runs in a heavily sandboxed process. This requires you to port the code to JS, which may be a lot of work, or just not viable. You wouldn&#039;t want to run the Python interpreter inside JavaScript - the performance would be terrible!&lt;br /&gt;
&lt;br /&gt;
==In-app browsers==&lt;br /&gt;
Safari&#039;s in-app browser, that is, the minimal version you get when tapping a link from social media, uses an entirely separate data store for each app. The in-app browser isn&#039;t aware of cookies in the &amp;quot;full&amp;quot; Safari app, or any other app, and doesn&#039;t support Safari extensions. Any websites you&#039;re logged into. Apple claimed this was to prevent malicious apps from stealing or setting cookies in Safari without your knowledge, which is a fair argument, but it&#039;s hard to not notice that it makes web browsing inconvenient, encouraging users to install native apps, where they can make transactions through Apple.&amp;lt;ref&amp;gt;https://github.com/openid/AppAuth-iOS/issues/120&amp;lt;/ref&amp;gt;&lt;br /&gt;
&lt;br /&gt;
This also means your browsing in the in-app browser is just forgotten - there&#039;s no history menu, and it doesn&#039;t get logged to the history in the full Safari app either. Good luck recalling that article you read a few weeks ago.&lt;br /&gt;
&lt;br /&gt;
==See also==&lt;br /&gt;
*[https://theapplewiki.com/wiki/Eligibility Eligibility]&lt;br /&gt;
*Posts written by an author of this article:&lt;br /&gt;
**[https://adamdemasi.com/2024/04/19/app-marketplace-experience.html The iOS 17.4 app marketplace flow is a disaster]&lt;br /&gt;
**[https://adamdemasi.com/2024/04/20/ios-eligibility.html How I tricked iOS into giving me EU DMA features]&lt;br /&gt;
**[https://adamdemasi.com/2024/04/23/ios-eligibility-features.html Features controlled by iOS 17.4&#039;s eligibility system]&lt;br /&gt;
&lt;br /&gt;
==References==&lt;br /&gt;
&amp;lt;references /&amp;gt;&lt;br /&gt;
&lt;br /&gt;
[[Category:Apple]]&lt;/div&gt;</summary>
		<author><name>Kirb</name></author>
	</entry>
	<entry>
		<id>https://mirror.consumerrights.wiki/index.php?title=Apple_App_Store&amp;diff=4819</id>
		<title>Apple App Store</title>
		<link rel="alternate" type="text/html" href="https://mirror.consumerrights.wiki/index.php?title=Apple_App_Store&amp;diff=4819"/>
		<updated>2025-01-23T11:25:27Z</updated>

		<summary type="html">&lt;p&gt;Kirb: Links to refs&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;[[File:App Store (iOS).svg|thumb|150px]]&lt;br /&gt;
&lt;br /&gt;
Apple uses several technical measures to protect their App Store ecosystem and prevent consumer choice. They are good at obscuring their intentions with technical roadblocks, while typically citing security reasons for them - assuming the public even recognizes what is going on. This actively hurts the ability for lawmakers to have an accurate understanding, so they can consider applying legislative pressure.&lt;br /&gt;
&lt;br /&gt;
A never-ending demand for a cut of every sale of a digital product, ranging from game currency, to supporting content creators,&amp;lt;ref name=&amp;quot;patreon&amp;quot;&amp;gt;https://www.theverge.com/2024/8/12/24218629/patreon-membership-ios-30-percent-apple-tax&amp;lt;/ref&amp;gt; to booking a Zoom call with a local business,&amp;lt;ref name=&amp;quot;facebook&amp;quot;&amp;gt;https://www.reuters.com/article/us-facebook-apple-exclusive/exclusive-facebook-says-apple-rejected-its-attempt-to-tell-users-about-app-store-fees-idUSKBN25O042/&amp;lt;/ref&amp;gt; hurts the ability for app developers to innovate. These developers, working hard and pulling countless hours to build a quality app, always need to take Apple&#039;s (and [[Google]]&#039;s) demands into account - specifically, between 15% and 30% of their revenue. This is revenue that can be reinvested into the app, but instead must be earmarked for the platform they are &#039;&#039;&#039;required&#039;&#039;&#039; to use to reach their customers.&lt;br /&gt;
&lt;br /&gt;
Because this is a clear problem, several governments, including South Korea,&amp;lt;ref&amp;gt;https://www.reuters.com/technology/skorea-approves-rules-app-store-law-targeting-apple-google-2022-03-08/&amp;lt;/ref&amp;gt; Japan,&amp;lt;ref&amp;gt;https://www.theregister.com/2024/06/13/japan_smartphone_software_law/&amp;lt;/ref&amp;gt; the European Union,&amp;lt;ref&amp;gt;[[wikipedia:Digital Markets Act|Digital Markets Act]]&amp;lt;/ref&amp;gt; the United Kingdom,&amp;lt;ref&amp;gt;https://www.gov.uk/cma-cases/investigation-into-apple-appstore&amp;lt;/ref&amp;gt; Australia,&amp;lt;ref&amp;gt;https://www.accc.gov.au/media-release/dominance-of-apple-and-googles-app-stores-impacting-competition-and-consumers&amp;lt;/ref&amp;gt; as well as the US and a handful of states,&amp;lt;ref&amp;gt;[[wikipedia:Open App Markets Act|Open App Markets Act]]&amp;lt;/ref&amp;gt;&amp;lt;ref&amp;gt;https://www.congress.gov/bill/118th-congress/senate-bill/5364/text/is&amp;lt;/ref&amp;gt;&amp;lt;ref name=&amp;quot;doj&amp;quot;&amp;gt;https://apnews.com/article/apple-antitrust-monopoly-app-store-justice-department-822d7e8f5cf53a2636795fcc33ee1fc3&amp;lt;/ref&amp;gt;&amp;lt;ref&amp;gt;https://azcapitoltimes.com/news/2021/02/19/its-time-to-free-ourselves-from-big-tech-monopoly/&amp;lt;/ref&amp;gt; have opened investigations into anti-competitive practices, or considered or already passed legislation to force &amp;quot;gatekeeper platforms&amp;quot; such as Apple to be more reasonable with third-party developers.&lt;br /&gt;
&lt;br /&gt;
This being a major threat to Apple&#039;s revenue stream (interestingly, one they claim to be unsure is profitable&amp;lt;ref&amp;gt;https://9to5mac.com/2024/04/17/app-store-is-profitable-apple-notes/&amp;lt;/ref&amp;gt;&amp;lt;ref&amp;gt;https://9to5mac.com/2025/01/17/apple-denies-app-store-profit-margin-is-75-claims-to-have-no-clue/&amp;lt;/ref&amp;gt;), they have responded with practices such as geoblocking certain operating system functionality based on physical location,&amp;lt;ref&amp;gt;https://theapplewiki.com/wiki/Eligibility&amp;lt;/ref&amp;gt; misrepresenting/overstating risks, and using existing, trusted terms to describe unreasonably difficult to use systems.&lt;br /&gt;
&lt;br /&gt;
==Background info==&lt;br /&gt;
Important terms you&#039;ll run into in this article:&lt;br /&gt;
&lt;br /&gt;
*&#039;&#039;&#039;[[wikipedia:Sandbox (computer security)|Sandbox]]&#039;&#039;&#039;: Reduces exposure of the user&#039;s device/data to security risks, by reducing what an app is allowed to do.&lt;br /&gt;
*&#039;&#039;&#039;[https://theapplewiki.com/wiki/Entitlements Entitlements]&#039;&#039;&#039;: Apple&#039;s method of &amp;quot;poking holes&amp;quot; in the sandbox, to give the app more permissions. Some are available to developers, while many are only available to Apple.&lt;br /&gt;
*&#039;&#039;&#039;[[wikipedia:Digital Markets Act|Digital Markets Act]]&#039;&#039;&#039;: The European Union&#039;s fairly sweeping recent regulations forcing companies it classifies as &amp;quot;gatekeepers&amp;quot; to play nice, giving smaller businesses access to software/hardware features the gatekeepers have historically reserved for their own use.&lt;br /&gt;
&lt;br /&gt;
==In-app purchases==&lt;br /&gt;
Apple has been collecting users&#039; credit card numbers since opening the iTunes Store in 2004. The opening of the App Store in 2008, followed by the introduction of in-app purchases (IAPs) in 2009, gave iPhone app developers the opportunity to sell app features to users. The IAP system is provided as a developer framework named [https://developer.apple.com/storekit/ StoreKit]. Apps and their in-app purchases are managed through a dashboard named [https://developer.apple.com/app-store-connect/ App Store Connect]. App sales have eclipsed iTunes Store sales, and are now a primary focus of Apple&#039;s Media Services division.&lt;br /&gt;
&lt;br /&gt;
Apple requires every purchase of a digital good or service in an app to use their in-app purchase system. This may seem reasonable, because the customer may inevitably call Apple support, demanding a refund for an app they have issues with. Apple would rather give that refund and leave the customer with a positive support experience, than to provide a messy process involving contacting a third-party, whose customer service is likely nowhere near the same experience.&lt;br /&gt;
&lt;br /&gt;
App Store purchase fees are between 15% and 30%. In September 2016, Apple expanded subscriptions to be available to any type of app, also introducing a 15% discount incentive when the user has already subscribed for a year.&amp;lt;ref&amp;gt;https://www.theverge.com/2016/9/2/12774758/apple-developers-app-store-new-subscription-rules&amp;lt;/ref&amp;gt; In November 2020, Apple introduced a reduced 15% fee for app developers with revenue below $1 million per year, with exceptions such as for games.&amp;lt;ref&amp;gt;https://tidbits.com/2020/11/18/apple-drops-app-store-commission-to-15-for-small-developers/&amp;lt;/ref&amp;gt; Otherwise, the fee is 30%. In the 2008 announcement of the App Store, Apple considered this a reasonable, industry-standard fee. However, the way we use apps has significantly evolved since 2009 - the world has shifted to heavily rely on mobile apps, which have also evolved into more complex and sustainable business models than a simple one-time purchase.&lt;br /&gt;
&lt;br /&gt;
[[wikipedia:Stripe, Inc.|Stripe]], a very popular platform used for payments on the web, uses a base fee of 2.9% plus a fixed $0.30 in the United States.&amp;lt;ref&amp;gt;https://stripe.com/pricing&amp;lt;/ref&amp;gt; With add-on services, before considering volume discounts, a Stripe transaction may rather have a cost of 6.4% + $1.10.&amp;lt;ref&amp;gt;Calculated from base fee (2.9% + $0.30) + international card (1.5%) + adaptive pricing (2%) + international payment methods ($0.80), as of January 2025&amp;lt;/ref&amp;gt; Competing payments services have fees close or identical to this. &#039;&#039;&#039;The in-app purchase system does not provide sufficient value to justify considerably higher fees than alternative payment platforms.&#039;&#039;&#039;&lt;br /&gt;
&lt;br /&gt;
The App Store system poorly handles secondary marketplaces of digital services that exist within the primary App Store marketplace, such as Patreon. Apple, however, still requires companies in the business of selling digital services to use this inadequate system. This requires the app to account for Apple&#039;s fee, which is significant enough to often warrant increasing prices, and to follow rules even if they do not make sense for the nature of service they are providing. Apple has frequently been found in disputes with such apps. This injects extra complication at no benefit to the marketplace, the creator, or the customer - only to Apple, who has little to no involvement after delivering the initial app download to the user&#039;s phone. The significant fee also often drives app developers to consider building their app around an advertising model instead, creating privacy concerns.&lt;br /&gt;
&lt;br /&gt;
Additionally, the 15% small businesses fee discount is judged based on the app&#039;s overall turnover, and is not based on individual creators in the app&#039;s marketplace. An app that turns over $1 million per year by providing services to creators that individually make less than $1 million per year does not have the opportunity to use the discount.&lt;br /&gt;
&lt;br /&gt;
Apple, often together with Google, uses lobbying efforts in the United States and other countries in an attempt to minimize the issues. &amp;quot;ACT | The App Association&amp;quot;, pitched as an association of independent small business app developers, is at least 50% funded by Apple, and does not list its claimed 2,000 members.&amp;lt;ref&amp;gt;http://www.fosspatents.com/2021/10/not-class-act-so-called-app-association.html&amp;lt;/ref&amp;gt;&amp;lt;ref&amp;gt;http://www.fosspatents.com/2022/09/vast-majority-of-act-app-associations.html&amp;lt;/ref&amp;gt; In March 2024, the United States Department of Justice along with 16 state attorneys-general filed a lawsuit against Apple, including an accusation that the company &amp;quot;extracts more money from consumers, developers, content creators, artists, publishers, small businesses, and merchants, among others&amp;quot;.&amp;lt;ref name=&amp;quot;doj&amp;quot; /&amp;gt; The future of this lawsuit is unclear as of January 2025.&lt;br /&gt;
&lt;br /&gt;
Given Apple&#039;s strong incentives, and a ticking clock as legal pressure builds, it is not hard to find stories from app developers regarding poor experiences with Apple&#039;s app review process.&lt;br /&gt;
&lt;br /&gt;
:&#039;&#039;This list is extremely incomplete. Please add examples if you know of any.&#039;&#039;&lt;br /&gt;
&lt;br /&gt;
===Facebook online events===&lt;br /&gt;
In August 2020, in response to the COVID-19 pandemic, Facebook introduced the ability for small businesses to accept an entrance fee for events. Previously, Facebook would only act as a way to RSVP for the event - the organizer must use a third-party event ticketing system to collect fees. The company pledged to not collect any fee on event sales &amp;quot;until 2023&amp;quot;.&amp;lt;ref&amp;gt;https://about.fb.com/news/2020/08/paid-online-events/&amp;lt;/ref&amp;gt;&lt;br /&gt;
&lt;br /&gt;
Apple disagreed, requiring the feature to use the in-app purchases system. This introduced Apple&#039;s 30% fee. As this increases the price the user pays, with no benefit to the small business the user intended to support, the fee was displayed as a line item in checkout. Apple did not accept this disclosure of the fee, referring to it as &amp;quot;irrelevant&amp;quot;.&amp;lt;ref name=&amp;quot;facebook&amp;quot; /&amp;gt; Facebook was allowed to compromise on displaying the fee, but &#039;&#039;without&#039;&#039; indicating that it is specifically an App Store fee.&lt;br /&gt;
&lt;br /&gt;
===HEY===&lt;br /&gt;
HEY.com is a paid webmail provider launched in June 2020 by long-time software company [[wikipedia:37signals|37signals]], specializing in inbox organization tools.&lt;br /&gt;
&lt;br /&gt;
After successfully launching the initial version of their app on the App Store, the company announced that an update was rejected. The app did not intend to support in-app purchases. Instead, the user is expected to already have an account with the service. Apple did not like this arrangement, and demanded the company build an in-app subscription option. The company argued that they are being held to a different set of rules than apps such as [[Netflix]], whose app does not provide any way to purchase.&amp;lt;ref&amp;gt;https://www.theverge.com/2020/6/16/21293419/hey-apple-rejection-ios-app-store-dhh-gangsters-antitrust&amp;lt;/ref&amp;gt; After a suggestion from Apple executive Phil Schiller in the media, HEY introduced a 14 day free trial mode, which was approved.&amp;lt;ref&amp;gt;https://www.hey.com/apple/path/&amp;lt;/ref&amp;gt;&amp;lt;ref&amp;gt;https://techcrunch.com/2020/06/18/interview-apples-schiller-says-position-on-hey-app-is-unchanged-and-no-rules-changes-are-imminent/&amp;lt;/ref&amp;gt;&lt;br /&gt;
&lt;br /&gt;
===Patreon===&lt;br /&gt;
In August 2024, [[Patreon]] announced a change in arrangement with Apple for its App Store app. From November 2024, subscriptions started from the iOS app would be required to use the in-app purchase system, bypassing Patreon&#039;s own long-standing payments practices.&amp;lt;ref&amp;gt;https://news.patreon.com/articles/understanding-apple-requirements-for-patreon&amp;lt;/ref&amp;gt;&amp;lt;ref name=&amp;quot;patreon&amp;quot; /&amp;gt; This change does not affect the Android app.&lt;br /&gt;
&lt;br /&gt;
By forcing Patreon out of the payments pipeline, certain payment models are no longer available to users of Patreon&#039;s iOS app. Creators who rely on the &amp;quot;per-creation&amp;quot; payment model, as opposed to the standard &amp;quot;per-month&amp;quot;, can no longer be subscribed to from the app. The app is also not able to support the &amp;quot;first-of-the-month&amp;quot; model, where payments from all subscribers are collected on the first day of the month, rather than every 30 days since each member&#039;s day of subscription. The price must also be rounded to a price tier supported by Apple.&lt;br /&gt;
&lt;br /&gt;
Patreon provides creators with the choice to increase their prices by 30% in the iOS app, or to keep the same prices but forfeit 30% to Apple. Creators frequently remind potential supporters to not use the Patreon iOS app, adding extra inconvenience to those wanting to support the work of small creators.&lt;br /&gt;
&lt;br /&gt;
&amp;lt;gallery mode=&amp;quot;packed&amp;quot; heights=&amp;quot;500px&amp;quot;&amp;gt;&lt;br /&gt;
File:Patreon iOS app pricing options - fee on top.png|&amp;quot;Maintain earnings and cover Apple&#039;s fee by increasing prices in iOS app&amp;quot; (Recommended)&lt;br /&gt;
File:Patreon iOS app pricing options - absorb fee.png|&amp;quot;Keep prices in the iOS app the same and cover Apple&#039;s fee yourself&amp;quot;&lt;br /&gt;
&amp;lt;/gallery&amp;gt;&lt;br /&gt;
&lt;br /&gt;
A similar case occurred with the app Fanhouse in 2021.&amp;lt;ref&amp;gt;https://twitter.com/jasminericegirl/status/1402691047940100100&amp;lt;/ref&amp;gt;&lt;br /&gt;
&lt;br /&gt;
===Twitter===&lt;br /&gt;
In August 2021, [[Twitter]] introduced a feature named Super Follows (now Subscriptions), in which a user can pay a subscription fee to access more of a creator&#039;s content. For each user who enables Subscriptions, Twitter must submit a new in-app purchase SKU to the App Store, which will become available with the next update to the app.&amp;lt;ref&amp;gt;https://twitter.com/wongmjane/status/1433372120080261120&amp;lt;/ref&amp;gt; This, of course, is subject to the 30% fee. At the time of writing in January 2025, viewing the App Store listing reveals Elon Musk&#039;s $4.00 subscription as the fourth most popular IAP item.&lt;br /&gt;
&lt;br /&gt;
==Notarization==&lt;br /&gt;
Since 2015, Apple expects all Mac apps to be &amp;quot;notarized&amp;quot;. This is a preliminary, automated malware check, which upon passing, provides a notary certificate that gets &amp;quot;stapled&amp;quot; to the app. Apple&#039;s explanation:&lt;br /&gt;
&lt;br /&gt;
&amp;lt;blockquote&amp;gt;&lt;br /&gt;
Notarization of macOS software is not App Review. The Apple notary service is an automated system that scans your software for malicious content, checks for code-signing issues, and returns the results to you quickly. If there are no issues, the notary service generates a ticket for you to staple to your software; the notary service also publishes that ticket online where Gatekeeper can find it.&amp;lt;ref&amp;gt;https://developer.apple.com/documentation/security/notarizing-macos-software-before-distribution&amp;lt;/ref&amp;gt;&lt;br /&gt;
&amp;lt;/blockquote&amp;gt;&lt;br /&gt;
&lt;br /&gt;
Whether this is actually a better approach than used by Windows antivirus, where they find out about new malware samples only when they end up on a user&#039;s computer, is a separate topic.&lt;br /&gt;
&lt;br /&gt;
To comply with the DMA&#039;s regulations on app marketplaces, Apple created a new channel of releasing apps outside of the iOS App Store. Apps go through a notarization process. But the process is definitely &#039;&#039;not&#039;&#039; notarization. The name is intentionally being abused, by contrast to notarization on macOS, to make you believe it is something other than the existing App Review system. Despite the pain some developers and users have with it, notarization on macOS has always been considered a net positive. It made sense to take advantage of its reputation for the entirely different &amp;quot;notarization&amp;quot; on iOS.&lt;br /&gt;
&lt;br /&gt;
See for yourself - view the [https://developer.apple.com/app-store/review/guidelines/ App Review Guidelines] and tick &amp;quot;Show Notarization Review Guidelines Only&amp;quot;. While most rules are knocked out by this, a good number of them are still in place. These apps are still reviewed and tested by the App Review team, must have a full product listing in App Store Connect, and can be outright rejected - all in the same way as an App Store app.&lt;br /&gt;
&lt;br /&gt;
By contrast, all that is required for notarization on macOS is for your app to not be malware. You submit it to an automated system that approves it within minutes. &#039;&#039;&#039;You don&#039;t need to convince Apple your app is worthy of existing on their platform.&#039;&#039;&#039;&lt;br /&gt;
&lt;br /&gt;
The point of macOS notarization is that Apple has a record of all binaries that are intended for wide distribution on macOS, and can review them both in advance and on a regular basis for known malware/common malware patterns. If a malware app manages to initially get through, then when Apple finds out, they can go back through the notary records and find every sample of that malware to analyze and block. This is purely a technical process, managed by skilled security researchers, while iOS app review and &amp;quot;notarization&amp;quot; is a business process, managed by workers who have been given a checklist of violations to look for.&lt;br /&gt;
&lt;br /&gt;
Apple is retaining complete control over what&#039;s allowed to run on iOS. On macOS, you can choose to run apps that have not been notarized (even though the process to bypass the warning is intentionally difficult). On iOS, you never get even that option. What Apple created is the App Store but with more steps. It still goes on the App Store, just hidden so it can only be installed by the third-party store it&#039;s tied to.&lt;br /&gt;
&lt;br /&gt;
*Mysk: &amp;quot;iOS should enable alternative marketplaces to add their own links when users share their apps. Links still point to the App Store and if the app is not available there, this happens.&amp;quot;&amp;lt;ref&amp;gt;https://twitter.com/mysk_co/status/1806638308455256242&amp;lt;/ref&amp;gt;&lt;br /&gt;
&lt;br /&gt;
==JIT==&lt;br /&gt;
Safari is allowed to [[wikipedia:Just-in-time compilation|just-in-time]] compile code worldwide. The super short version of what that means: it can run JavaScript code &#039;&#039;really fast&#039;&#039;. All browsers, and other runtimes like Microsoft .NET, Java, and Lua, use this. Ok, fine, it&#039;s the system web browser, it&#039;s very carefully written to be secure, and it&#039;s important to the platform to be doing well in performance benchmarks and all that.&lt;br /&gt;
&lt;br /&gt;
Apple&#039;s [https://apps.apple.com/app/swift-playgrounds/id908519492 Playgrounds] app on iPad is also allowed to JIT. It bundles Apple&#039;s [[wikipedia:Swift (programming language)|Swift]] compiler, and shares backend code with the version of Playgrounds found in [[wikipedia:Xcode|Xcode]].&lt;br /&gt;
&lt;br /&gt;
Competing apps like Pythonista (a Python IDE), emulators like Delta and UTM, and terminal environments like iSH, are not allowed to JIT. As such, they need to rely on inferior performance, potentially from an entirely separate implementation of their compiler/interpreter that may be less proven, because the JIT-less implementation doesn&#039;t need to exist on any other platform.&lt;br /&gt;
&lt;br /&gt;
Likely the clearest example is UTM SE. UTM is a port of the [[wikipedia:QEMU|QEMU]] emulator to iOS, allowing you to run desktop OSes (Linux, Windows 98, XP, classic Mac OS, etc). iPhone hardware is very capable these days and it runs impressively well, &#039;&#039;if&#039;&#039; you use a hack to enable JIT (which Apple has now patched). &amp;quot;SE&amp;quot; stands for &amp;quot;slow edition&amp;quot; - yes, really. If you compare the true version of UTM to the App Store UTM SE app, you &#039;&#039;will&#039;&#039; feel the loss in performance. It&#039;s impressive UTM even got to be on the App Store at all, and the DMA is to thank for it. But Apple is still holding the line on allowing JIT to apps that require that performance.&lt;br /&gt;
&lt;br /&gt;
While UTM SE releasing at all might seem like a pathway to getting Firefox and Chrome &amp;quot;slow editions&amp;quot; on the App Store, browser engines other than the built-in Apple WebKit/JavaScriptCore are still outlawed.&amp;lt;ref&amp;gt;https://developer.apple.com/app-store/review/guidelines/#2.5.6&amp;lt;/ref&amp;gt; In the EU, Apple has blessed web browser JavaScript engines with the option to use JIT. The app must be approved for an entitlement, and then must work within APIs provided by Apple for it. As of January 2025, no browsers have been released using this. We were all anticipating proper competition around web browsers on iOS, but almost a year later, we have nothing. Mozilla has [https://www.theverge.com/2024/1/26/24052067/mozilla-apple-ios-browser-rules-firefox discussed] why.&lt;br /&gt;
&lt;br /&gt;
==Sandbox==&lt;br /&gt;
You might not like app sandboxing, but it&#039;s a powerful security feature used on all modern platforms. The reality is very few apps need more than a few basic permissions. [[wikipedia:Flatpak|Flatpak]] on Linux also sandboxes apps, and it seems to work great! Still, it&#039;s completely fair that there should be processes for doing things beyond what the sandbox allows. You see some of this with permission prompts - does a flashlight app &#039;&#039;really&#039;&#039; need access to your contacts? (Apple has been burned by apps abusing user data before the current permission system was built out.&amp;lt;ref&amp;gt;https://www.theverge.com/2012/2/14/2798008/ios-apps-and-the-address-book-what-you-need-to-know&amp;lt;/ref&amp;gt;)&lt;br /&gt;
&lt;br /&gt;
It can go further than this. As we established in previous sections, an app can be given more access to features of the system using entitlements. These come in a few flavors:&lt;br /&gt;
&lt;br /&gt;
*&#039;&#039;&#039;Completely safe&#039;&#039;&#039;: Entitlements any developer can opt into, with little to no risk.&lt;br /&gt;
*&#039;&#039;&#039;Approval required&#039;&#039;&#039;: Entitlements that might be more of a security risk to allow, e.g. giving considerably wider access to the system, or that Apple simply doesn&#039;t want to hand out to just &#039;&#039;anyone&#039;&#039; for competitive reasons. The developer must submit a request to Apple with evidence of why they need the entitlement.&lt;br /&gt;
*&#039;&#039;&#039;Private&#039;&#039;&#039;: Entitlements that are never allowed for any app developer to use. Many of these are reasonably fenced off because they handle user data that is very risky, or bypasses permission prompts, etc, but can just as well also be guarding features Apple wants to keep to itself.&lt;br /&gt;
&lt;br /&gt;
There have been [https://gizmodo.com/researchers-uber-s-ios-app-had-secret-permissions-that-1819177235 exceptions] where Apple quietly gave a company access to private entitlements anyway, raising eyebrows.&lt;br /&gt;
&lt;br /&gt;
On iOS, you also can&#039;t be &#039;&#039;more&#039;&#039; secure than the default sandbox. That might seem crazy if you&#039;re not a developer, but it&#039;s pretty important for security in a variety of situations. On macOS, there are several entitlements you must declare to decide whether you&#039;re allowed to access certain types of user data at all. Android used this design from the very start - you can&#039;t even do fundamental things like access the internet without declaring it in your manifest. It makes it very explicit what the app&#039;s intentions are.&lt;br /&gt;
&lt;br /&gt;
iOS has one sandbox used by all App Store apps. System apps, and App Store apps developed by Apple, are allowed to expand or reduce their sandbox permissions as needed. Third-party apps do not get the right to expand or reduce their sandbox permissions at all. This is clearly less secure. To take the example of Playgrounds again, while it&#039;s allowed to run your code from a separate process executing in an ultra locked down sandbox with very few permissions, competing apps such as Pythonista must run your code in the same sandbox and address space as the main app process. The Python interpreter crashing would therefore crash the entire app, possibly losing work. In the worst case, a vulnerability in third-party code could give access to all data stored by/accessible to the app. For example, it would be a nightmare if you can tap the wrong link in Safari and have a hacker easily steal your cookies from other websites. If that third-party code could run in its own limited sandbox, the risk is significantly reduced.&lt;br /&gt;
&lt;br /&gt;
The only known workaround is to execute the code via JavaScript, as Apple&#039;s JavaScriptCore engine runs in a heavily sandboxed process. This requires you to port the code to JS, which may be a lot of work, or just not viable. You wouldn&#039;t want to run the Python interpreter inside JavaScript - the performance would be terrible!&lt;br /&gt;
&lt;br /&gt;
==In-app browsers==&lt;br /&gt;
Safari&#039;s in-app browser, that is, the minimal version you get when tapping a link from social media, uses an entirely separate data store for each app. The in-app browser isn&#039;t aware of cookies in the &amp;quot;full&amp;quot; Safari app, or any other app, and doesn&#039;t support Safari extensions. Any websites you&#039;re logged into. Apple claimed this was to prevent malicious apps from stealing or setting cookies in Safari without your knowledge, which is a fair argument, but it&#039;s hard to not notice that it makes web browsing inconvenient, encouraging users to install native apps, where they can make transactions through Apple.&amp;lt;ref&amp;gt;https://github.com/openid/AppAuth-iOS/issues/120&amp;lt;/ref&amp;gt;&lt;br /&gt;
&lt;br /&gt;
This also means your browsing in the in-app browser is just forgotten - there&#039;s no history menu, and it doesn&#039;t get logged to the history in the full Safari app either. Good luck recalling that article you read a few weeks ago.&lt;br /&gt;
&lt;br /&gt;
==See also==&lt;br /&gt;
*[https://theapplewiki.com/wiki/Eligibility Eligibility]&lt;br /&gt;
*[https://adamdemasi.com/2024/04/19/app-marketplace-experience.html The iOS 17.4 app marketplace flow is a disaster]&lt;br /&gt;
*[https://adamdemasi.com/2024/04/23/ios-eligibility-features.html Features controlled by iOS 17.4’s eligibility system]&lt;br /&gt;
&lt;br /&gt;
==References==&lt;br /&gt;
&amp;lt;references /&amp;gt;&lt;br /&gt;
&lt;br /&gt;
[[Category:Apple]]&lt;/div&gt;</summary>
		<author><name>Kirb</name></author>
	</entry>
	<entry>
		<id>https://mirror.consumerrights.wiki/index.php?title=Apple_App_Store&amp;diff=4236</id>
		<title>Apple App Store</title>
		<link rel="alternate" type="text/html" href="https://mirror.consumerrights.wiki/index.php?title=Apple_App_Store&amp;diff=4236"/>
		<updated>2025-01-22T10:05:50Z</updated>

		<summary type="html">&lt;p&gt;Kirb: /* In-app purchases */ New section&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;[[File:App Store (iOS).svg|thumb|150px]]&lt;br /&gt;
&lt;br /&gt;
Apple uses several technical measures to protect their App Store ecosystem and prevent consumer choice. They are good at obscuring their intentions with technical roadblocks, while typically citing security reasons for them - assuming the public even recognizes what is going on. This actively hurts the ability for lawmakers to have an accurate understanding, so they can consider applying legislative pressure.&lt;br /&gt;
&lt;br /&gt;
A never-ending demand for a cut of every sale of a digital product, ranging from game currency, to supporting content creators,&amp;lt;ref name=&amp;quot;patreon&amp;quot;&amp;gt;https://www.theverge.com/2024/8/12/24218629/patreon-membership-ios-30-percent-apple-tax&amp;lt;/ref&amp;gt; to booking a Zoom call with a local business,&amp;lt;ref name=&amp;quot;facebook&amp;quot;&amp;gt;https://www.reuters.com/article/us-facebook-apple-exclusive/exclusive-facebook-says-apple-rejected-its-attempt-to-tell-users-about-app-store-fees-idUSKBN25O042/&amp;lt;/ref&amp;gt; hurts the ability for app developers to innovate. These developers, working hard and pulling countless hours to build a quality app, always need to take Apple&#039;s (and [[Google]]&#039;s) demands into account - specifically, between 15% and 30% of their revenue. This is revenue that can be reinvested into the app, but instead must be earmarked for the platform they are &#039;&#039;&#039;required&#039;&#039;&#039; to use to reach their customers.&lt;br /&gt;
&lt;br /&gt;
Because this is a clear problem, several governments, including South Korea,&amp;lt;ref&amp;gt;https://www.reuters.com/technology/skorea-approves-rules-app-store-law-targeting-apple-google-2022-03-08/&amp;lt;/ref&amp;gt; Japan,&amp;lt;ref&amp;gt;https://www.theregister.com/2024/06/13/japan_smartphone_software_law/&amp;lt;/ref&amp;gt; the European Union,&amp;lt;ref&amp;gt;[[wikipedia:Digital Markets Act|Digital Markets Act]]&amp;lt;/ref&amp;gt; the United Kingdom,&amp;lt;ref&amp;gt;https://www.gov.uk/cma-cases/investigation-into-apple-appstore&amp;lt;/ref&amp;gt; Australia,&amp;lt;ref&amp;gt;https://www.accc.gov.au/media-release/dominance-of-apple-and-googles-app-stores-impacting-competition-and-consumers&amp;lt;/ref&amp;gt; as well as the US and a handful of states,&amp;lt;ref&amp;gt;[[wikipedia:Open App Markets Act|Open App Markets Act]]&amp;lt;/ref&amp;gt;&amp;lt;ref&amp;gt;https://www.congress.gov/bill/118th-congress/senate-bill/5364/text/is&amp;lt;/ref&amp;gt;&amp;lt;ref name=&amp;quot;doj&amp;quot;&amp;gt;https://apnews.com/article/apple-antitrust-monopoly-app-store-justice-department-822d7e8f5cf53a2636795fcc33ee1fc3&amp;lt;/ref&amp;gt;&amp;lt;ref&amp;gt;https://azcapitoltimes.com/news/2021/02/19/its-time-to-free-ourselves-from-big-tech-monopoly/&amp;lt;/ref&amp;gt; have opened investigations into anti-competitive practices, or considered or already passed legislation to force &amp;quot;gatekeeper platforms&amp;quot; such as Apple to be more reasonable with third-party developers.&lt;br /&gt;
&lt;br /&gt;
This being a major threat to Apple&#039;s revenue stream (interestingly, one they claim to be unsure is profitable&amp;lt;ref&amp;gt;https://9to5mac.com/2024/04/17/app-store-is-profitable-apple-notes/&amp;lt;/ref&amp;gt;&amp;lt;ref&amp;gt;https://9to5mac.com/2025/01/17/apple-denies-app-store-profit-margin-is-75-claims-to-have-no-clue/&amp;lt;/ref&amp;gt;), they have responded with practices such as geoblocking certain operating system functionality based on physical location,&amp;lt;ref&amp;gt;https://theapplewiki.com/wiki/Eligibility&amp;lt;/ref&amp;gt; misrepresenting/overstating risks, and using existing, trusted terms to describe unreasonably difficult to use systems.&lt;br /&gt;
&lt;br /&gt;
== Background info ==&lt;br /&gt;
Important terms you&#039;ll run into in this article:&lt;br /&gt;
&lt;br /&gt;
* &#039;&#039;&#039;[[wikipedia:Sandbox (computer security)|Sandbox]]&#039;&#039;&#039;: Reduces exposure of the user&#039;s device/data to security risks, by reducing what an app is allowed to do.&lt;br /&gt;
* &#039;&#039;&#039;[https://theapplewiki.com/wiki/Entitlements Entitlements]&#039;&#039;&#039;: Apple&#039;s method of &amp;quot;poking holes&amp;quot; in the sandbox, to give the app more permissions. Some are available to developers, while many are only available to Apple.&lt;br /&gt;
* &#039;&#039;&#039;[[wikipedia:Digital Markets Act|Digital Markets Act]]&#039;&#039;&#039;: The European Union&#039;s fairly sweeping recent regulations forcing companies it classifies as &amp;quot;gatekeepers&amp;quot; to play nice, giving smaller businesses access to software/hardware features the gatekeepers have historically reserved for their own use.&lt;br /&gt;
&lt;br /&gt;
== In-app purchases ==&lt;br /&gt;
Apple has been collecting users&#039; credit card numbers since opening the iTunes Store in 2004. The opening of the App Store in 2008, followed by the introduction of in-app purchases (IAPs) in 2009, gave iPhone app developers the opportunity to sell app features to users. The IAP system is provided as a developer framework named [https://developer.apple.com/storekit/ StoreKit]. Apps and their in-app purchases are managed through a dashboard named [https://developer.apple.com/app-store-connect/ App Store Connect]. App sales have eclipsed iTunes Store sales, and are now a primary focus of Apple&#039;s Media Services division.&lt;br /&gt;
&lt;br /&gt;
Apple requires every purchase of a digital good or service in an app to use their in-app purchase system. This may seem reasonable, because the customer may inevitably call Apple support, demanding a refund for an app they have issues with. Apple would rather give that refund and leave the customer with a positive support experience, than to provide a messy process involving contacting a third-party, whose customer service is likely nowhere near the same experience.&lt;br /&gt;
&lt;br /&gt;
App Store purchase fees are between 15% and 30%. In September 2016, Apple expanded subscriptions to be available to any type of app, also introducing a 15% discount incentive when the user has already subscribed for a year.&amp;lt;ref&amp;gt;https://www.theverge.com/2016/9/2/12774758/apple-developers-app-store-new-subscription-rules&amp;lt;/ref&amp;gt; In November 2020, Apple introduced a reduced 15% fee for app developers with revenue below $1 million per year, with exceptions such as for games.&amp;lt;ref&amp;gt;https://tidbits.com/2020/11/18/apple-drops-app-store-commission-to-15-for-small-developers/&amp;lt;/ref&amp;gt; Otherwise, the fee is 30%. In the 2008 announcement of the App Store, Apple considered this a reasonable, industry-standard fee. However, the way we use apps has significantly evolved since 2009 - the world has shifted to heavily rely on mobile apps, which have also evolved into more complex and sustainable business models than a simple one-time purchase.&lt;br /&gt;
&lt;br /&gt;
[[wikipedia:Stripe, Inc.|Stripe]], a very popular platform used for payments on the web, uses a base fee of 2.9% plus a fixed $0.30 in the United States.&amp;lt;ref&amp;gt;https://stripe.com/pricing&amp;lt;/ref&amp;gt; With add-on services, before considering volume discounts, a Stripe transaction may rather have a cost of 6.4% + $1.10.&amp;lt;ref&amp;gt;Calculated from base fee (2.9% + $0.30) + international card (1.5%) + adaptive pricing (2%) + international payment methods ($0.80), as of January 2025&amp;lt;/ref&amp;gt; Competing payments services have fees close or identical to this. &#039;&#039;&#039;The in-app purchase system does not provide sufficient value to justify considerably higher fees than alternative payment platforms.&#039;&#039;&#039;&lt;br /&gt;
&lt;br /&gt;
The App Store system poorly handles secondary marketplaces of digital services that exist within the primary App Store marketplace, such as Patreon. Apple, however, still requires companies in the business of selling digital services to use this inadequate system. This requires the app to account for Apple&#039;s fee, which is significant enough to often warrant increasing prices, and to follow rules even if they do not make sense for the nature of service they are providing. Apple has frequently been found in disputes with such apps. This injects extra complication at no benefit to the marketplace, the creator, or the customer - only to Apple, who has little to no involvement after delivering the initial app download to the user&#039;s phone. The significant fee also often drives app developers to consider building their app around an advertising model instead, creating privacy concerns.&lt;br /&gt;
&lt;br /&gt;
Additionally, the 15% small businesses fee discount is judged based on the app&#039;s overall turnover, and is not based on individual creators in the app&#039;s marketplace. An app that turns over $1 million per year by providing services to creators that individually make less than $1 million per year does not have the opportunity to use the discount.&lt;br /&gt;
&lt;br /&gt;
Apple, often together with Google, uses lobbying efforts in the United States and other countries in an attempt to minimize the issues. &amp;quot;ACT | The App Association&amp;quot;, pitched as an association of independent small business app developers, is at least 50% funded by Apple, and does not list its claimed 2,000 members.&amp;lt;ref&amp;gt;http://www.fosspatents.com/2021/10/not-class-act-so-called-app-association.html&amp;lt;/ref&amp;gt;&amp;lt;ref&amp;gt;http://www.fosspatents.com/2022/09/vast-majority-of-act-app-associations.html&amp;lt;/ref&amp;gt; In March 2024, the United States Department of Justice along with 16 state attorneys-general filed a lawsuit against Apple, including an accusation that the company &amp;quot;extracts more money from consumers, developers, content creators, artists, publishers, small businesses, and merchants, among others&amp;quot;.&amp;lt;ref name=&amp;quot;doj&amp;quot;/&amp;gt; The future of this lawsuit is unclear as of January 2025.&lt;br /&gt;
&lt;br /&gt;
Given Apple&#039;s strong incentives, and a ticking clock as legal pressure builds, it is not hard to find stories from app developers regarding poor experiences with Apple&#039;s app review process.&lt;br /&gt;
&lt;br /&gt;
:&#039;&#039;This list is extremely incomplete. Please add examples if you know of any.&#039;&#039;&lt;br /&gt;
&lt;br /&gt;
=== Facebook Online Events ===&lt;br /&gt;
In August 2020, in response to the COVID-19 pandemic, Facebook introduced the ability for small businesses to accept an entrance fee for events. Previously, Facebook would only act as a way to RSVP for the event - the organizer must use a third-party event ticketing system to collect fees. The company pledged to not collect any fee on event sales &amp;quot;until 2023&amp;quot;.&amp;lt;ref&amp;gt;https://about.fb.com/news/2020/08/paid-online-events/&amp;lt;/ref&amp;gt;&lt;br /&gt;
&lt;br /&gt;
Apple disagreed, requiring the feature to use the in-app purchases system. This introduced Apple&#039;s 30% fee. As this increases the price the user pays, with no benefit to the small business the user intended to support, the fee was displayed as a line item in checkout. Apple did not accept this disclosure of the fee, referring to it as &amp;quot;irrelevant&amp;quot;.&amp;lt;ref name=&amp;quot;facebook&amp;quot;/&amp;gt; Facebook was allowed to compromise on displaying the fee, but &#039;&#039;without&#039;&#039; indicating that it is specifically an App Store fee.&lt;br /&gt;
&lt;br /&gt;
=== HEY ===&lt;br /&gt;
HEY.com is a paid webmail provider launched in June 2020 by long-time software company [[wikipedia:37signals|37signals]], specializing in providing tools that help organize the inbox.&lt;br /&gt;
&lt;br /&gt;
After successfully launching the initial version of their app on the App Store, the company announced that an update was rejected. The app did not intend to support in-app purchases. Instead, the user is expected to already have an account with the service. Apple did not like this arrangement, and demanded the company build an in-app subscription option. The company argued that they are being held to a different set of rules than apps such as [[Netflix]], whose app does not provide any way to purchase.&amp;lt;ref&amp;gt;https://www.theverge.com/2020/6/16/21293419/hey-apple-rejection-ios-app-store-dhh-gangsters-antitrust&amp;lt;/ref&amp;gt; After a suggestion from Apple executive Phil Schiller in the media, HEY introduced a 14 day free trial mode, which was approved.&amp;lt;ref&amp;gt;https://www.hey.com/apple/path/&amp;lt;/ref&amp;gt;&amp;lt;ref&amp;gt;https://techcrunch.com/2020/06/18/interview-apples-schiller-says-position-on-hey-app-is-unchanged-and-no-rules-changes-are-imminent/&amp;lt;/ref&amp;gt;&lt;br /&gt;
&lt;br /&gt;
=== Patreon ===&lt;br /&gt;
In August 2024, [[Patreon]] announced a change in arrangement with Apple for its App Store app. From November 2024, subscriptions started from the iOS app would be required to use the in-app purchase system, bypassing Patreon&#039;s own long-standing payments practices.&amp;lt;ref&amp;gt;https://news.patreon.com/articles/understanding-apple-requirements-for-patreon&amp;lt;/ref&amp;gt;&amp;lt;ref name=&amp;quot;patreon&amp;quot; /&amp;gt; This change does not affect the Android app.&lt;br /&gt;
&lt;br /&gt;
By forcing Patreon out of the payments pipeline, certain payment models are no longer available to users of Patreon&#039;s iOS app. Creators who rely on the &amp;quot;per-creation&amp;quot; payment model, as opposed to the standard &amp;quot;per-month&amp;quot;, can no longer be subscribed to from the app. The app is also not able to support the &amp;quot;first-of-the-month&amp;quot; model, where payments from all subscribers are collected on the first day of the month, rather than every 30 days since each member&#039;s day of subscription. The price must also be rounded to a price tier supported by Apple.&lt;br /&gt;
&lt;br /&gt;
Patreon provides creators with the choice to increase their prices by 30% in the iOS app, or to keep the same prices but forfeit 30% to Apple. Creators frequently remind potential supporters to not use the Patreon iOS app, adding extra inconvenience to those wanting to support the work of small creators.&lt;br /&gt;
&lt;br /&gt;
&amp;lt;gallery mode=&amp;quot;packed&amp;quot; heights=&amp;quot;500px&amp;quot;&amp;gt;&lt;br /&gt;
File:Patreon iOS app pricing options - fee on top.png|&amp;quot;Maintain earnings and cover Apple&#039;s fee by increasing prices in iOS app&amp;quot; (Recommended)&lt;br /&gt;
File:Patreon iOS app pricing options - absorb fee.png|&amp;quot;Keep prices in the iOS app the same and cover Apple&#039;s fee yourself&amp;quot;&lt;br /&gt;
&amp;lt;/gallery&amp;gt;&lt;br /&gt;
&lt;br /&gt;
A similar case occurred with the app Fanhouse in 2021.&amp;lt;ref&amp;gt;https://twitter.com/jasminericegirl/status/1402691047940100100&amp;lt;/ref&amp;gt;&lt;br /&gt;
&lt;br /&gt;
=== Twitter ===&lt;br /&gt;
In August 2021, [[Twitter]] introduced a feature named Super Follows (now Subscriptions), in which a user can pay a subscription fee to access more of a creator&#039;s content. For each user who enables Subscriptions, Twitter must submit a new in-app purchase SKU to the App Store, which will become available with the next update to the app.&amp;lt;ref&amp;gt;https://twitter.com/wongmjane/status/1433372120080261120&amp;lt;/ref&amp;gt; This, of course, is subject to the 30% fee. At the time of writing in January 2025, viewing the App Store listing reveals Elon Musk&#039;s $4.00 subscription as the fourth most popular IAP item.&lt;br /&gt;
&lt;br /&gt;
== Notarization ==&lt;br /&gt;
Since 2015, Apple has expected all Mac apps to be &amp;quot;notarized&amp;quot;. This is a preliminary, automated malware check, which upon passing, provides a notary certificate that gets &amp;quot;stapled&amp;quot; to the app. Apple&#039;s explanation:&lt;br /&gt;
&lt;br /&gt;
&amp;lt;blockquote&amp;gt;&lt;br /&gt;
Notarization of macOS software is not App Review. The Apple notary service is an automated system that scans your software for malicious content, checks for code-signing issues, and returns the results to you quickly. If there are no issues, the notary service generates a ticket for you to staple to your software; the notary service also publishes that ticket online where Gatekeeper can find it.&amp;lt;ref&amp;gt;https://developer.apple.com/documentation/security/notarizing-macos-software-before-distribution&amp;lt;/ref&amp;gt;&lt;br /&gt;
&amp;lt;/blockquote&amp;gt;&lt;br /&gt;
&lt;br /&gt;
Whether this is actually a better approach than the one used by Windows antivirus, where vendors find out about new malware samples only when they end up on a user&#039;s computer, is a separate topic.&lt;br /&gt;
&lt;br /&gt;
To comply with the DMA&#039;s regulations on app marketplaces, Apple created a new channel of releasing apps outside of the iOS App Store. Apps go through a notarization process. But the process is definitely &#039;&#039;not&#039;&#039; notarization. The name is intentionally being abused, by contrast to notarization on macOS, to make you believe it is something other than the existing App Review system. Despite the pain some developers and users have with it, notarization on macOS has always been considered a net positive. It made sense to take advantage of its reputation for the entirely different &amp;quot;notarization&amp;quot; on iOS.&lt;br /&gt;
&lt;br /&gt;
See for yourself - view the [https://developer.apple.com/app-store/review/guidelines/ App Review Guidelines] and tick &amp;quot;Show Notarization Review Guidelines Only&amp;quot;. While most rules are knocked out by this, a good number of them are still in place. These apps are still reviewed and tested by the App Review team, must have a full product listing in App Store Connect, and can be outright rejected - all in the same way as an App Store app.&lt;br /&gt;
&lt;br /&gt;
By contrast, all that is required for notarization on macOS is for your app to not be malware. You submit it to an automated system that approves it within minutes. &#039;&#039;&#039;You don&#039;t need to convince Apple your app is worthy of existing on their platform.&#039;&#039;&#039;&lt;br /&gt;
&lt;br /&gt;
The point of macOS notarization is that Apple has a record of all binaries that are intended for wide distribution on macOS, and can review them both in advance and on a regular basis for known malware/common malware patterns. If a malware app manages to initially get through, then once Apple finds out, they can go back in the notary records and find every sample of that malware to analyze and block. This is purely a technical process, managed by skilled security researchers, while iOS app review and &amp;quot;notarization&amp;quot; is a business process, managed by workers who have been given a checklist of violations to look for.&lt;br /&gt;
&lt;br /&gt;
Apple is retaining complete control over what&#039;s allowed to run on iOS. On macOS, you can choose to run apps that have not been notarized (even though the process to bypass the warning is intentionally difficult). On iOS, you never get even that option. What Apple created is the App Store but with more steps. It still goes on the App Store, just hidden so it can only be installed by the third-party store it&#039;s tied to.&lt;br /&gt;
&lt;br /&gt;
* Mysk: &amp;quot;iOS should enable alternative marketplaces to add their own links when users share their apps. Links still point to the App Store and if the app is not available there, this happens.&amp;quot;&amp;lt;ref&amp;gt;https://twitter.com/mysk_co/status/1806638308455256242&amp;lt;/ref&amp;gt;&lt;br /&gt;
&lt;br /&gt;
== JIT ==&lt;br /&gt;
Safari is allowed to [[wikipedia:Just-in-time compilation|just-in-time]] compile code worldwide. The super short version of what that means: it can run JavaScript code &#039;&#039;really fast&#039;&#039;. All browsers, and other runtimes like Microsoft .NET, Java, Lua use this. Ok, fine, it&#039;s the system web browser, it&#039;s very carefully written to be secure, and it&#039;s important to the platform to be doing well in performance benchmarks and all that.&lt;br /&gt;
&lt;br /&gt;
Apple&#039;s [https://apps.apple.com/app/swift-playgrounds/id908519492 Playgrounds] app on iPad is also allowed to JIT. It bundles Apple&#039;s [[wikipedia:Swift (programming language)|Swift]] compiler, and shares backend code with the version of Playgrounds found in [[wikipedia:Xcode|Xcode]].&lt;br /&gt;
&lt;br /&gt;
Competing apps like Pythonista (a Python IDE), emulators like Delta and UTM, and terminal environments like iSH, are not allowed to JIT. As such, they need to rely on inferior performance, potentially from an entirely separate implementation of their compiler/interpreter that may be less proven, because the JIT-less implementation doesn&#039;t need to exist on any other platform.&lt;br /&gt;
&lt;br /&gt;
Likely the most clear example is UTM SE. UTM is a port of the [[wikipedia:QEMU|QEMU]] emulator to iOS, allowing you to run desktop OSes (Linux, Windows 98, XP, classic Mac OS, etc). iPhone hardware is very capable these days and it runs impressively well, &#039;&#039;if&#039;&#039; you use a hack to enable JIT (which Apple has now patched). &amp;quot;SE&amp;quot; stands for &amp;quot;slow edition&amp;quot; - yes, really. If you compare the true version of UTM to the App Store UTM SE app, you &#039;&#039;will&#039;&#039; feel the loss in performance. It&#039;s impressive UTM even got to be on the App Store at all, and the DMA is to thank for it. But Apple is still holding the line on allowing JIT to apps that require that performance.&lt;br /&gt;
&lt;br /&gt;
While UTM SE releasing at all might seem like a pathway to getting Firefox and Chrome &amp;quot;slow editions&amp;quot; on the App Store, browser engines other than the built-in Apple WebKit/JavaScriptCore are [https://developer.apple.com/app-store/review/guidelines/#2.5.6 still outlawed]. In the EU, Apple has blessed web browser JavaScript engines with the option to use JIT. The app must be approved for an entitlement, and then must work within APIs provided by Apple for it. As of January 2025, no browsers have been released using this. We were all anticipating proper competition around web browsers on iOS, but almost a year later, we have nothing. Mozilla has [https://www.theverge.com/2024/1/26/24052067/mozilla-apple-ios-browser-rules-firefox discussed] why.&lt;br /&gt;
&lt;br /&gt;
== Sandbox ==&lt;br /&gt;
You might not like app sandboxing, but it&#039;s a powerful security feature used on all modern platforms. The reality is very few apps need more than a few basic permissions. [[wikipedia:Flatpak|Flatpak]] on Linux also sandboxes apps, and it seems to work great! Still, it&#039;s completely fair that there should be processes for doing things beyond what the sandbox allows. You see some of this with permission prompts - does a flashlight app &#039;&#039;really&#039;&#039; need access to your contacts? (Apple has been burned by [https://www.theverge.com/2012/2/14/2798008/ios-apps-and-the-address-book-what-you-need-to-know apps abusing user data] before the current permission system was built out.)&lt;br /&gt;
&lt;br /&gt;
It can go further than this. As we established in previous sections, an app can be given more access to features of the system using entitlements. These come in a few flavors:&lt;br /&gt;
&lt;br /&gt;
* &#039;&#039;&#039;Completely safe&#039;&#039;&#039;: Entitlements any developer can opt into, with little to no risk.&lt;br /&gt;
* &#039;&#039;&#039;Approval required&#039;&#039;&#039;: Entitlements that might be more of a security risk to allow, e.g. giving considerably wider access to the system, or that Apple simply doesn&#039;t want to hand out to just &#039;&#039;anyone&#039;&#039; for competitive reasons. The developer must submit a request to Apple with evidence of why they need the entitlement.&lt;br /&gt;
* &#039;&#039;&#039;Private&#039;&#039;&#039;: Entitlements that are never allowed for any app developer to use. Many of these are reasonably fenced off because they handle user data that is very risky, or bypasses permission prompts, etc, but can just as well also be guarding features Apple wants to keep to itself.&lt;br /&gt;
&lt;br /&gt;
There have been [https://gizmodo.com/researchers-uber-s-ios-app-had-secret-permissions-that-1819177235 exceptions] where Apple quietly gave a company access to private entitlements anyway, raising eyebrows.&lt;br /&gt;
&lt;br /&gt;
On iOS, you also can&#039;t be &#039;&#039;more&#039;&#039; secure than the default sandbox. That might seem crazy if you&#039;re not a developer, but it&#039;s pretty important for security in a variety of situations. On macOS, there are several entitlements you must declare to decide whether you&#039;re allowed to access certain types of user data at all. Android used this design from the very start - you can&#039;t even do fundamental things like access the internet without declaring it in your manifest. It makes it very explicit what the app&#039;s intentions are.&lt;br /&gt;
&lt;br /&gt;
iOS has one sandbox used by all App Store apps. System apps, and App Store apps developed by Apple, are allowed to expand or reduce their sandbox permissions as needed. Third-party apps do not get the right to expand or reduce their sandbox permissions at all. This is clearly less secure. To take the example of Playgrounds again, while it&#039;s allowed to run your code from a separate process executing in an ultra locked down sandbox with very few permissions, competing apps such as Pythonista must run your code in the same sandbox and address space as the main app process. The Python interpreter crashing would therefore crash the entire app, possibly losing work. In the worst case, a vulnerability in third-party code could give access to all data stored by/accessible to the app. For example, it would be a nightmare if you can tap the wrong link in Safari and have a hacker easily steal your cookies from other websites. If that third-party code could run in its own limited sandbox, the risk is significantly reduced.&lt;br /&gt;
&lt;br /&gt;
The only known workaround is to execute the code via JavaScript, as Apple&#039;s JavaScriptCore engine runs in a heavily sandboxed process. This requires you to port the code to JS, which may be a lot of work, or just not viable. You wouldn&#039;t want to run the Python interpreter inside JavaScript - the performance would be terrible!&lt;br /&gt;
&lt;br /&gt;
== In-app browsers ==&lt;br /&gt;
Safari&#039;s in-app browser, that is, the minimal version you get when tapping a link from social media, uses an entirely separate data store for each app. The in-app browser isn&#039;t aware of cookies in the &amp;quot;full&amp;quot; Safari app, or any other app, and doesn&#039;t support Safari extensions. Any websites you&#039;re logged into. Apple [https://github.com/openid/AppAuth-iOS/issues/120 claimed] this was to prevent malicious apps from stealing or setting cookies in Safari without your knowledge, which is a fair argument, but it&#039;s hard to not notice that it makes web browsing inconvenient, encouraging users to install native apps, where they can make transactions through Apple.&lt;br /&gt;
&lt;br /&gt;
This also means your browsing in the in-app browser is just forgotten - there&#039;s no history menu, and it doesn&#039;t get logged to the history in the full Safari app either. Good luck recalling that article you read a few weeks ago.&lt;br /&gt;
&lt;br /&gt;
== See also ==&lt;br /&gt;
* [https://theapplewiki.com/wiki/Eligibility Eligibility]&lt;br /&gt;
* [https://adamdemasi.com/2024/04/19/app-marketplace-experience.html The iOS 17.4 app marketplace flow is a disaster]&lt;br /&gt;
* [https://adamdemasi.com/2024/04/23/ios-eligibility-features.html Features controlled by iOS 17.4’s eligibility system]&lt;br /&gt;
&lt;br /&gt;
== References ==&lt;br /&gt;
&amp;lt;references /&amp;gt;&lt;br /&gt;
&lt;br /&gt;
[[Category:Apple]]&lt;/div&gt;</summary>
		<author><name>Kirb</name></author>
	</entry>
	<entry>
		<id>https://mirror.consumerrights.wiki/index.php?title=File:App_Store_(iOS).svg&amp;diff=4189</id>
		<title>File:App Store (iOS).svg</title>
		<link rel="alternate" type="text/html" href="https://mirror.consumerrights.wiki/index.php?title=File:App_Store_(iOS).svg&amp;diff=4189"/>
		<updated>2025-01-22T08:11:47Z</updated>

		<summary type="html">&lt;p&gt;Kirb: App Store logo, from [https://commons.wikimedia.org/wiki/File:App_Store_(iOS).svg], released as public domain&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;== Summary ==&lt;br /&gt;
App Store logo, from [https://commons.wikimedia.org/wiki/File:App_Store_(iOS).svg], released as public domain&lt;/div&gt;</summary>
		<author><name>Kirb</name></author>
	</entry>
	<entry>
		<id>https://mirror.consumerrights.wiki/index.php?title=File:Patreon_iOS_app_pricing_options_-_fee_on_top.png&amp;diff=4185</id>
		<title>File:Patreon iOS app pricing options - fee on top.png</title>
		<link rel="alternate" type="text/html" href="https://mirror.consumerrights.wiki/index.php?title=File:Patreon_iOS_app_pricing_options_-_fee_on_top.png&amp;diff=4185"/>
		<updated>2025-01-22T07:16:00Z</updated>

		<summary type="html">&lt;p&gt;Kirb: Screenshot of Patreon dashboard for Apple App Store&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;== Summary ==&lt;br /&gt;
Screenshot of Patreon dashboard for [[Apple App Store]]&lt;/div&gt;</summary>
		<author><name>Kirb</name></author>
	</entry>
	<entry>
		<id>https://mirror.consumerrights.wiki/index.php?title=File:Patreon_iOS_app_pricing_options_-_absorb_fee.png&amp;diff=4184</id>
		<title>File:Patreon iOS app pricing options - absorb fee.png</title>
		<link rel="alternate" type="text/html" href="https://mirror.consumerrights.wiki/index.php?title=File:Patreon_iOS_app_pricing_options_-_absorb_fee.png&amp;diff=4184"/>
		<updated>2025-01-22T07:15:52Z</updated>

		<summary type="html">&lt;p&gt;Kirb: Screenshot of Patreon dashboard for Apple App Store&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;== Summary ==&lt;br /&gt;
Screenshot of Patreon dashboard for [[Apple App Store]]&lt;/div&gt;</summary>
		<author><name>Kirb</name></author>
	</entry>
	<entry>
		<id>https://mirror.consumerrights.wiki/index.php?title=Apple_App_Store&amp;diff=2384</id>
		<title>Apple App Store</title>
		<link rel="alternate" type="text/html" href="https://mirror.consumerrights.wiki/index.php?title=Apple_App_Store&amp;diff=2384"/>
		<updated>2025-01-18T17:26:41Z</updated>

		<summary type="html">&lt;p&gt;Kirb: Write an intro&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;Apple uses several technical measures to protect their App Store ecosystem and prevent consumer choice. They are good at obscuring their intentions with technical roadblocks, while typically citing security reasons for them - assuming the public even recognizes what is going on. This actively hurts the ability for lawmakers to have an accurate understanding, so they can consider applying legislative pressure.&lt;br /&gt;
&lt;br /&gt;
A never-ending demand for a cut of every sale of a digital product, ranging from game currency, to supporting content creators,&amp;lt;ref&amp;gt; https://www.theverge.com/2024/8/12/24218629/patreon-membership-ios-30-percent-apple-tax&amp;lt;/ref&amp;gt; to booking a Zoom call with a local business&amp;lt;ref&amp;gt; https://www.theverge.com/2020/8/14/21369169/facebook-paid-live-events-ios-android-apple-app-store-fees-fortnite-epic&amp;lt;/ref&amp;gt;, hurts the ability for app developers to innovate. These developers, working hard and pulling countless hours to build a quality app, always need to take Apple&#039;s (and [[Google]]&#039;s) demands into account - specifically, between 15% and 30% of their revenue. This is revenue that can be reinvested into the app, but instead must be earmarked for the platform they are &#039;&#039;&#039;required&#039;&#039;&#039; to use to reach their customers.&lt;br /&gt;
&lt;br /&gt;
Because this is a clear problem, several countries, including South Korea, Japan, the European Union, the United Kingdom, Australia, as well as a handful of US states,&amp;lt;!-- TODO: Receipts for each country + states --&amp;gt; have considered or have already passed legislation to force &amp;quot;gatekeeper platforms&amp;quot; such as Apple to be more reasonable with third-party developers.&lt;br /&gt;
&lt;br /&gt;
This being a major threat to Apple&#039;s revenue stream (interestingly, one they claim to be unsure is profitable&amp;lt;ref&amp;gt;https://9to5mac.com/2024/04/17/app-store-is-profitable-apple-notes/&amp;lt;/ref&amp;gt;&amp;lt;ref&amp;gt;https://9to5mac.com/2025/01/17/apple-denies-app-store-profit-margin-is-75-claims-to-have-no-clue/&amp;lt;/ref&amp;gt;), they have responded with practices such as geoblocking certain operating system functionality based on physical location,&amp;lt;ref&amp;gt;https://theapplewiki.com/wiki/Eligibility&amp;lt;/ref&amp;gt; misrepresenting/overstating risks, and using existing, trusted terms to describe unreasonably difficult to use systems.&lt;br /&gt;
&lt;br /&gt;
== Background info ==&lt;br /&gt;
Important terms you&#039;ll run into in this article:&lt;br /&gt;
&lt;br /&gt;
* [[wikipedia:Sandbox (computer security)|Sandbox]]: Reduces exposure of the user&#039;s device/data to security risks, by reducing what an app is allowed to do.&lt;br /&gt;
* [https://theapplewiki.com/wiki/Entitlements Entitlements]: Apple&#039;s method of &amp;quot;poking holes&amp;quot; in the sandbox, to give the app more permissions. Some are available to developers, while many are only available to Apple.&lt;br /&gt;
* [[wikipedia:Digital Markets Act|Digital Markets Act]]: The European Union&#039;s fairly sweeping recent regulations forcing companies it classifies as &amp;quot;gatekeepers&amp;quot; to play nice, giving smaller businesses access to software/hardware features the gatekeepers have historically reserved for their own use.&lt;br /&gt;
&lt;br /&gt;
== Notarization ==&lt;br /&gt;
Since 2015, Apple has expected all Mac apps to be &amp;quot;notarized&amp;quot;. This is a preliminary, automated malware check, which upon passing, provides a notary certificate that gets &amp;quot;stapled&amp;quot; to the app. Apple&#039;s explanation:&lt;br /&gt;
&lt;br /&gt;
&amp;lt;blockquote&amp;gt;&lt;br /&gt;
Notarization of macOS software is not App Review. The Apple notary service is an automated system that scans your software for malicious content, checks for code-signing issues, and returns the results to you quickly. If there are no issues, the notary service generates a ticket for you to staple to your software; the notary service also publishes that ticket online where Gatekeeper can find it.&amp;lt;ref&amp;gt;https://developer.apple.com/documentation/security/notarizing-macos-software-before-distribution&amp;lt;/ref&amp;gt;&lt;br /&gt;
&amp;lt;/blockquote&amp;gt;&lt;br /&gt;
&lt;br /&gt;
Whether this is actually a better approach than the one used by Windows antivirus, where vendors find out about new malware samples only when they end up on a user&#039;s computer, is a separate topic.&lt;br /&gt;
&lt;br /&gt;
To comply with the DMA&#039;s regulations on app marketplaces, Apple created a new channel of releasing apps outside of the iOS App Store. Apps go through a notarization process. But the process is definitely &#039;&#039;not&#039;&#039; notarization. The name is intentionally being abused, by contrast to notarization on macOS, to make you believe it is something other than the existing App Review system. Despite the pain some developers and users have with it, notarization on macOS has always been considered a net positive. It made sense to take advantage of its reputation for the entirely different &amp;quot;notarization&amp;quot; on iOS.&lt;br /&gt;
&lt;br /&gt;
See for yourself - view the [https://developer.apple.com/app-store/review/guidelines/ App Review Guidelines] and tick &amp;quot;Show Notarization Review Guidelines Only&amp;quot;. While most rules are knocked out by this, a good number of them are still in place. These apps are still reviewed and tested by the App Review team, must have a full product listing in App Store Connect, and can be outright rejected - all in the same way as an App Store app.&lt;br /&gt;
&lt;br /&gt;
By contrast, all that is required for notarization on macOS is for your app to not be malware. You submit it to an automated system that approves it within minutes. &#039;&#039;&#039;You don&#039;t need to convince Apple your app is worthy of existing on their platform.&#039;&#039;&#039;&lt;br /&gt;
&lt;br /&gt;
The point of macOS notarization is that Apple has a record of all binaries that are intended for wide distribution on macOS, and can review them both in advance and on a regular basis for known malware/common malware patterns. If a malware app manages to initially get through, then once Apple finds out, they can go back in the notary records and find every sample of that malware to analyze and block. This is purely a technical process, managed by skilled security researchers, while iOS app review and &amp;quot;notarization&amp;quot; is a business process, managed by workers who have been given a checklist of violations to look for.&lt;br /&gt;
&lt;br /&gt;
Apple is retaining complete control over what&#039;s allowed to run on iOS. On macOS, you can choose to run apps that have not been notarized (even though the process to bypass the warning is intentionally difficult). On iOS, you never get even that option. What Apple created is the App Store but with more steps. It still goes on the App Store, just hidden so it can only be installed by the third-party store it&#039;s tied to.&lt;br /&gt;
&lt;br /&gt;
* [https://twitter.com/mysk_co/status/1806638308455256242 Mysk: iOS should enable alternative marketplaces to add their own links when users share their apps. Links still point to the App Store and if the app is not available there, this happens.]&lt;br /&gt;
&lt;br /&gt;
== JIT ==&lt;br /&gt;
Safari is allowed to [[wikipedia:Just-in-time compilation|just-in-time]] compile code worldwide. The super short version of what that means: it can run JavaScript code &#039;&#039;really fast&#039;&#039;. All browsers, and other runtimes like Microsoft .NET, Java, Lua use this. Ok, fine, it&#039;s the system web browser, it&#039;s very carefully written to be secure, and it&#039;s important to the platform to be doing well in performance benchmarks and all that.&lt;br /&gt;
&lt;br /&gt;
Apple&#039;s [https://apps.apple.com/app/swift-playgrounds/id908519492 Playgrounds] app on iPad is also allowed to JIT. It bundles Apple&#039;s [[wikipedia:Swift (programming language)|Swift]] compiler, and shares backend code with the version of Playgrounds found in [[wikipedia:Xcode|Xcode]].&lt;br /&gt;
&lt;br /&gt;
Competing apps like Pythonista (a Python IDE), emulators like Delta and UTM, and terminal environments like iSH, are not allowed to JIT. As such, they need to rely on inferior performance, potentially from an entirely separate implementation of their compiler/interpreter that may be less proven, because the JIT-less implementation doesn&#039;t need to exist on any other platform.&lt;br /&gt;
&lt;br /&gt;
Likely the most clear example is UTM SE. UTM is a port of the [[wikipedia:QEMU|QEMU]] emulator to iOS, allowing you to run desktop OSes (Linux, Windows 98, XP, classic Mac OS, etc). iPhone hardware is very capable these days and it runs impressively well, &#039;&#039;if&#039;&#039; you use a hack to enable JIT (which Apple has now patched). &amp;quot;SE&amp;quot; stands for &amp;quot;slow edition&amp;quot; - yes, really. If you compare the true version of UTM to the App Store UTM SE app, you &#039;&#039;will&#039;&#039; feel the loss in performance. It&#039;s impressive UTM even got to be on the App Store at all, and the DMA is to thank for it. But Apple is still holding the line on allowing JIT to apps that require that performance.&lt;br /&gt;
&lt;br /&gt;
While UTM SE releasing at all might seem like a pathway to getting Firefox and Chrome &amp;quot;slow editions&amp;quot; on the App Store, browser engines other than the built-in Apple WebKit/JavaScriptCore are [https://developer.apple.com/app-store/review/guidelines/#2.5.6 still outlawed]. In the EU, Apple has blessed web browser JavaScript engines with the option to use JIT. The app must be approved for an entitlement, and then must work within APIs provided by Apple for it. As of January 2025, no browsers have been released using this. We were all anticipating proper competition around web browsers on iOS, but almost a year later, we have nothing. Mozilla has [https://www.theverge.com/2024/1/26/24052067/mozilla-apple-ios-browser-rules-firefox discussed] why.&lt;br /&gt;
&lt;br /&gt;
== Sandbox ==&lt;br /&gt;
You might not like app sandboxing, but it&#039;s a powerful security feature used on all modern platforms. The reality is very few apps need more than a few basic permissions. [[wikipedia:Flatpak|Flatpak]] on Linux also sandboxes apps, and it seems to work great! Still, it&#039;s completely fair that there should be processes for doing things beyond what the sandbox allows. You see some of this with permission prompts - does a flashlight app &#039;&#039;really&#039;&#039; need access to your contacts? (Apple has been burned by [https://www.theverge.com/2012/2/14/2798008/ios-apps-and-the-address-book-what-you-need-to-know apps abusing user data] before the current permission system was built out.)&lt;br /&gt;
&lt;br /&gt;
It can go further than this. As we established in previous sections, an app can be given more access to features of the system using entitlements. These come in a few flavors:&lt;br /&gt;
&lt;br /&gt;
* Completely safe: Entitlements any developer can opt into, with little to no risk.&lt;br /&gt;
* Approval required: Entitlements that might be more of a security risk to allow, e.g. giving considerably wider access to the system, or that Apple simply doesn&#039;t want to hand out to just &#039;&#039;anyone&#039;&#039; for competitive reasons. The developer must submit a request to Apple with evidence of why they need the entitlement.&lt;br /&gt;
* Private: Entitlements that are never allowed for any app developer to use. Many of these are reasonably fenced off because they handle user data that is very risky, or bypasses permission prompts, etc, but can just as well also be guarding features Apple wants to keep to itself.&lt;br /&gt;
&lt;br /&gt;
There have been [https://gizmodo.com/researchers-uber-s-ios-app-had-secret-permissions-that-1819177235 exceptions] where Apple quietly gave a company access to private entitlements anyway, raising eyebrows.&lt;br /&gt;
&lt;br /&gt;
On iOS, you also can&#039;t be &#039;&#039;more&#039;&#039; secure than the default sandbox. That might seem crazy if you&#039;re not a developer, but it&#039;s pretty important for security in a variety of situations. On macOS, there are several entitlements you must declare to decide whether you&#039;re allowed to access certain types of user data at all. Android used this design from the very start - you can&#039;t even do fundamental things like access the internet without declaring it in your manifest. It makes it very explicit what the app&#039;s intentions are.&lt;br /&gt;
&lt;br /&gt;
iOS has one sandbox used by all App Store apps. System apps, and App Store apps developed by Apple, are allowed to expand or reduce their sandbox permissions as needed. Third-party apps do not get the right to expand or reduce their sandbox permissions at all. This is clearly less secure. To take the example of Playgrounds again, while it&#039;s allowed to run your code from a separate process executing in an ultra locked down sandbox with very few permissions, competing apps such as Pythonista must run your code in the same sandbox and address space as the main app process. The Python interpreter crashing would therefore crash the entire app, possibly losing work. In the worst case, a vulnerability in third-party code could give access to all data stored by/accessible to the app. If that third-party code could run in its own limited sandbox, the risk is significantly reduced.&lt;br /&gt;
&lt;br /&gt;
The only known workaround is to execute the code via JavaScript, as Apple&#039;s JavaScriptCore engine runs in a heavily sandboxed process. This requires you to port the code to JS, which may be a lot of work, or just not viable. You wouldn&#039;t want to run the Python interpreter inside JavaScript - the performance would be terrible!&lt;br /&gt;
&lt;br /&gt;
== In-app browsers ==&lt;br /&gt;
Safari&#039;s in-app browser, that is, the minimal version you get when tapping a link from social media, uses an entirely separate data store for each app. The in-app browser isn&#039;t aware of cookies in the &amp;quot;full&amp;quot; Safari app, or any other app, and doesn&#039;t support Safari extensions. Any websites you&#039;re logged into. Apple [https://github.com/openid/AppAuth-iOS/issues/120 claimed] this was to prevent malicious apps from stealing or setting cookies in Safari without your knowledge, which is a fair argument, but it&#039;s hard to not notice that it makes web browsing inconvenient, encouraging users to install native apps, where they can make transactions through Apple.&lt;br /&gt;
&lt;br /&gt;
This also means your browsing in the in-app browser is just forgotten - there&#039;s no history menu, and it doesn&#039;t get logged to the history in the full Safari app either. Good luck recalling that article you read a few weeks ago.&lt;br /&gt;
&lt;br /&gt;
== See also ==&lt;br /&gt;
* [https://theapplewiki.com/wiki/Eligibility Eligibility]&lt;br /&gt;
* [https://adamdemasi.com/2024/04/19/app-marketplace-experience.html The iOS 17.4 app marketplace flow is a disaster]&lt;br /&gt;
* [https://adamdemasi.com/2024/04/23/ios-eligibility-features.html Features controlled by iOS 17.4’s eligibility system]&lt;br /&gt;
&lt;br /&gt;
== References ==&lt;br /&gt;
&amp;lt;references /&amp;gt;&lt;br /&gt;
&lt;br /&gt;
[[Category:Apple]]&lt;/div&gt;</summary>
		<author><name>Kirb</name></author>
	</entry>
	<entry>
		<id>https://mirror.consumerrights.wiki/index.php?title=Template:StubNotice&amp;diff=1543</id>
		<title>Template:StubNotice</title>
		<link rel="alternate" type="text/html" href="https://mirror.consumerrights.wiki/index.php?title=Template:StubNotice&amp;diff=1543"/>
		<updated>2025-01-17T03:08:51Z</updated>

		<summary type="html">&lt;p&gt;Kirb: Make sure template itself doesn&amp;#039;t get categorised&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;&amp;lt;!-- Uses style code from https://www.mediawiki.org/wiki/Template:Colored_box --&amp;gt;&lt;br /&gt;
&amp;lt;div class=&amp;quot;cat-mw-box&amp;quot; style=&amp;quot;border-radius:0.2rem;border:1px solid #a2a9b1;margin-bottom:2rem&amp;quot;&amp;gt;&lt;br /&gt;
&amp;lt;div class=&amp;quot;cat-mw-box-header&amp;quot; style=&amp;quot;background:rgba(0,0,0,0.03);padding:0.2rem 1rem;font-size:1rem;&amp;quot;&amp;gt;&lt;br /&gt;
&amp;lt;span style=&amp;quot;margin-right:8px;&amp;quot;&amp;gt;❗&amp;lt;/span&amp;gt;&#039;&#039;&#039;Article Status Notice: This Article is a stub &#039;&#039;&#039;&lt;br /&gt;
&amp;lt;/div&amp;gt;&lt;br /&gt;
&amp;lt;div class=&amp;quot;cat-mw-box-body&amp;quot; style=&amp;quot;padding:0.2rem 1rem;&amp;quot;&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;div style=&amp;quot;font-size:1.75em; font-weight: 500;padding-top:0.2em;padding-bottom:0.2em&amp;quot;&amp;gt; Notice: This Article Requires Additional Expansion &amp;lt;/div&amp;gt;&lt;br /&gt;
----&lt;br /&gt;
&lt;br /&gt;
This article is underdeveloped, and needs additional work to meet the wiki&#039;s [[Moderator Guidelines|Content Guidelines]] and be in line with our [[Mission statement|Mission Statement]] for comprehensive coverage of consumer protection issues. Issues may include:&lt;br /&gt;
&lt;br /&gt;
* This article needs to be expanded to provide meaningful information&lt;br /&gt;
* This article requires additional verifiable evidence to demonstrate systemic impact&lt;br /&gt;
* More documentation is needed to establish how this reflects broader consumer protection concerns&lt;br /&gt;
* The connection between individual incidents and company-wide practices needs to be better established&lt;br /&gt;
* The article is simply too short, and lacks sufficient content&lt;br /&gt;
&lt;br /&gt;
&#039;&#039;&#039;How You Can Help:&#039;&#039;&#039;&lt;br /&gt;
&lt;br /&gt;
* Add documented examples with verifiable sources&lt;br /&gt;
* Provide evidence of similar incidents affecting other consumers&lt;br /&gt;
* Include relevant company policies or communications that demonstrate systemic practices&lt;br /&gt;
* Link to credible reporting that covers these issues&lt;br /&gt;
* Flesh out the article with relevant information&lt;br /&gt;
&lt;br /&gt;
&#039;&#039;This notice will be removed once the article is sufficiently developed. Once you believe the article is ready to have its notice removed, visit the Discord ([https://discord.gg/WUW6GGDMvW join here]) and post to the &amp;lt;code&amp;gt;[https://discord.com/channels/1324835844812443810/1326356503065526303 #appeals]&amp;lt;/code&amp;gt; channel, or mention its status on the article&#039;s talk page.&#039;&#039;&lt;br /&gt;
&amp;lt;includeonly&amp;gt;&lt;br /&gt;
[[Category:Articles in need of additional work]]&lt;br /&gt;
[[Category:Articles requiring expansion]]&lt;br /&gt;
&amp;lt;/includeonly&amp;gt;&lt;br /&gt;
&amp;lt;/div&amp;gt;&lt;br /&gt;
&amp;lt;/div&amp;gt;&lt;/div&gt;</summary>
		<author><name>Kirb</name></author>
	</entry>
	<entry>
		<id>https://mirror.consumerrights.wiki/index.php?title=Apple&amp;diff=935</id>
		<title>Apple</title>
		<link rel="alternate" type="text/html" href="https://mirror.consumerrights.wiki/index.php?title=Apple&amp;diff=935"/>
		<updated>2025-01-15T14:42:32Z</updated>

		<summary type="html">&lt;p&gt;Kirb: /* OS downgrades */ New section&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;{{Under_Development}}&lt;br /&gt;
Apple are a company founded in 1976 by Steve Jobs and Steve Wozniak. There was always a bit of a head-in-the-clouds approach from Apple to designing things, but it seemed to work well until about the 2000s. Suddenly, there was an obsession with cutting excess weight, probably sparked about the time of the iPod, at the cost of repairability and upgradeability. Of course, the iPhone&#039;s launch would wind up staging the path of crafting the most popular consumer electronic device in the world, and smartphones have now become one of the most controversial devices for the right to repair community, as they are normally expected to be designed with little regard for ease of independent repair. &amp;lt;sup&amp;gt;Sources?&amp;lt;/sup&amp;gt;&lt;br /&gt;
&lt;br /&gt;
=== 2010&#039;s ===&lt;br /&gt;
Apple had numerous design failings in the 2010s. These were often brushed under the rug, and people experiencing such an issue would normally be charged exorbitant amounts for repair. High-cost GPU failures on early 2010s MacBooks, the 2016-&#039;17 MacBook Pro&#039;s screen cable skimping scandal, the 2019 16-inch MacBook Pro&#039;s SSD failures and more are design flaws that Apple have, as they often have, dodged accountability for, and continue to do so.&amp;lt;sup&amp;gt;Sources?&amp;lt;/sup&amp;gt;&lt;br /&gt;
&lt;br /&gt;
==== Too little, too late - Attempts, or &amp;quot;Attempts&amp;quot; to do better ====&lt;br /&gt;
Apple have attempted recent changes to their products that have made them better, but still not on par with some other manufacturers for pro-consumer behaviour.&amp;lt;sup&amp;gt;Source?&amp;lt;/sup&amp;gt; Many believe this to be driven by changing legislation.&amp;lt;sup&amp;gt;Who?&amp;lt;/sup&amp;gt; Certain parts of this certainly are.&amp;lt;sup&amp;gt;Source?&amp;lt;/sup&amp;gt; These include:&lt;br /&gt;
&lt;br /&gt;
* Opening an online &amp;quot;self service repair&amp;quot; parts store.&amp;lt;sup&amp;gt;Source?&amp;lt;/sup&amp;gt;&lt;br /&gt;
* Making the back glass of iPhones removable.&amp;lt;sup&amp;gt;Source?&amp;lt;/sup&amp;gt;&lt;br /&gt;
* Allowing alternative app stores in an update to iOS 17, in compliance with new EU legislation.&amp;lt;sup&amp;gt;Source?&amp;lt;/sup&amp;gt;&lt;br /&gt;
* Calibration tools for newly installed used parts in iOS 18, which sometimes work.&amp;lt;sup&amp;gt;Source?&amp;lt;/sup&amp;gt;&lt;br /&gt;
* An upgradeable, swappable SSD in the 2024 Mac Mini - albeit you cannot swap these units between M4 and M4 Pro units due to the internal casing&#039;s design being different without much good reason.&amp;lt;sup&amp;gt;Sources?&amp;lt;/sup&amp;gt;&lt;br /&gt;
* A battery removable with just a 9V battery in the 2024 iPhone 16 and 16 Plus.&amp;lt;sup&amp;gt;Source?&amp;lt;/sup&amp;gt;&lt;br /&gt;
&lt;br /&gt;
==== OS downgrades ====&lt;br /&gt;
It is not possible to upgrade or downgrade an iPhone, iPad, Apple TV, etc. to an OS version other than the absolute latest. On Macs with T2 chip or Apple Silicon, the user can select from three modes of secure boot:&amp;lt;ref&amp;gt;https://support.apple.com/102522&amp;lt;/ref&amp;gt;&lt;br /&gt;
&lt;br /&gt;
* No security: Allow any OS to run (same as turning off secure boot on a PC)&lt;br /&gt;
* Medium security: Allow any OS that is signed with a secure boot certificate (default, same as turning on secure boot on a PC)&lt;br /&gt;
* Full security: Only allow the latest version of macOS, do not allow any other OS&lt;br /&gt;
&lt;br /&gt;
iOS devices only support full security mode. The device checks for a cryptographic &amp;quot;[https://theapplewiki.com/wiki/APTicket ticket]&amp;quot;, which is tied to the OS version and CPU serial number. These are provided by a server, which only provides them for the latest version (with very specific exceptions). The device refuses to boot if the ticket does not match. [https://theapplewiki.com/wiki/Firmware_downgrading Workarounds] exist, but with major caveats that are not viable for most users.&amp;lt;ref&amp;gt;https://en.wikipedia.org/wiki/SHSH_blob&amp;lt;/ref&amp;gt;&lt;br /&gt;
&lt;br /&gt;
Users often complain of new OS versions slowing down their device. Once a new version is installed, there is no opportunity to go back. This also restricts the user&#039;s choice to jailbreak the device, as the latest version naturally has patches for the latest jailbreak exploits. App developers also require access to earlier iOS versions to test that their app works correctly. The alternative, Xcode&#039;s iOS Simulator, is not a complete replacement for real hardware, as it does not have all features of a physical device.&amp;lt;ref&amp;gt;https://contextqa.com/test-on-ios-emulators-simulators/&amp;lt;/ref&amp;gt; Instead, app developers are forced to purchase several test devices, and remember to &#039;&#039;never&#039;&#039; allow them to update.&lt;br /&gt;
&lt;br /&gt;
== References ==&lt;br /&gt;
&amp;lt;references /&amp;gt;&lt;br /&gt;
&lt;br /&gt;
[[Category:Companies]]&lt;/div&gt;</summary>
		<author><name>Kirb</name></author>
	</entry>
	<entry>
		<id>https://mirror.consumerrights.wiki/index.php?title=User:Kirb&amp;diff=517</id>
		<title>User:Kirb</title>
		<link rel="alternate" type="text/html" href="https://mirror.consumerrights.wiki/index.php?title=User:Kirb&amp;diff=517"/>
		<updated>2025-01-14T15:03:02Z</updated>

		<summary type="html">&lt;p&gt;Kirb: Created page with &amp;quot;{{DISPLAYTITLE: User:kirb}}  iOS jailbreaker, reverse engineer, works on too many side projects. I run Chariz, a jailbreak app store, and The Apple Wiki, which documents inner workings of Apple&amp;#039;s platforms. @hbkirb on Discord.&amp;quot;&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;{{DISPLAYTITLE: User:kirb}}&lt;br /&gt;
&lt;br /&gt;
iOS jailbreaker, reverse engineer, works on too many side projects. I run Chariz, a jailbreak app store, and The Apple Wiki, which documents inner workings of Apple&#039;s platforms. @hbkirb on Discord.&lt;/div&gt;</summary>
		<author><name>Kirb</name></author>
	</entry>
	<entry>
		<id>https://mirror.consumerrights.wiki/index.php?title=Apple_App_Store&amp;diff=516</id>
		<title>Apple App Store</title>
		<link rel="alternate" type="text/html" href="https://mirror.consumerrights.wiki/index.php?title=Apple_App_Store&amp;diff=516"/>
		<updated>2025-01-14T14:56:35Z</updated>

		<summary type="html">&lt;p&gt;Kirb: /* Sandbox */ Clean up some wording&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;&#039;&#039;I started writing this 6 months ago and didn&#039;t really finish it. Feel free to use it as a starting point for an article. Hopefully it&#039;s not too technical.&#039;&#039;&lt;br /&gt;
&lt;br /&gt;
Writing down some anti-consumer standards Apple has, which in my opinion aren&#039;t getting the coverage they deserve from lawmakers. Apple is good at obscuring their intentions with technical roadblocks, typically citing security reasons, or just hoping nobody notices or asks in the first place.&lt;br /&gt;
&lt;br /&gt;
== Background info ==&lt;br /&gt;
Important terms you&#039;ll run into in this article:&lt;br /&gt;
&lt;br /&gt;
* [[wikipedia:Sandbox (computer security)|Sandbox]]: Reduces exposure of the user&#039;s device/data to security risks, by reducing what an app is allowed to do.&lt;br /&gt;
* [https://theapplewiki.com/wiki/Entitlements Entitlements]: Apple&#039;s method of &amp;quot;poking holes&amp;quot; in the sandbox, to give the app more permissions. Some are available to developers, while many are only available to Apple.&lt;br /&gt;
* [[wikipedia:Digital Markets Act|Digital Markets Act]]: The European Union&#039;s fairly sweeping recent regulations forcing companies they classify as &amp;quot;gatekeepers&amp;quot; to play nice, giving smaller businesses access to software/hardware features they&#039;ve historically reserved for their own use.&lt;br /&gt;
&lt;br /&gt;
== Notarization ==&lt;br /&gt;
Since 2015, Apple expects all Mac apps to be &amp;quot;notarized&amp;quot;. This is a preliminary, automated malware check, which upon passing, provides a notary certificate that gets &amp;quot;stapled&amp;quot; to the app. Apple&#039;s explanation:&lt;br /&gt;
&lt;br /&gt;
&amp;lt;blockquote&amp;gt;&lt;br /&gt;
Notarization of macOS software is not App Review. The Apple notary service is an automated system that scans your software for malicious content, checks for code-signing issues, and returns the results to you quickly. If there are no issues, the notary service generates a ticket for you to staple to your software; the notary service also publishes that ticket online where Gatekeeper can find it.&amp;lt;ref&amp;gt;https://developer.apple.com/documentation/security/notarizing-macos-software-before-distribution&amp;lt;/ref&amp;gt;&lt;br /&gt;
&amp;lt;/blockquote&amp;gt;&lt;br /&gt;
&lt;br /&gt;
Whether this is actually a better approach than used by Windows antivirus, where they find out about new malware samples only when they end up on a user&#039;s computer, is a separate topic.&lt;br /&gt;
&lt;br /&gt;
To comply with the DMA&#039;s regulations on app marketplaces, Apple created a new channel of releasing apps outside of the iOS App Store. Apps go through a notarization process. But the process is definitely &#039;&#039;not&#039;&#039; notarization. The name is intentionally being abused, by contrast to notarization on macOS, to make you believe it is something other than the existing App Review system. Despite the pain some developers and users have with it, notarization on macOS has always been considered a net positive. It made sense to take advantage of its reputation for the entirely different &amp;quot;notarization&amp;quot; on iOS.&lt;br /&gt;
&lt;br /&gt;
See for yourself - view the [https://developer.apple.com/app-store/review/guidelines/ App Review Guidelines] and tick &amp;quot;Show Notarization Review Guidelines Only&amp;quot;. While most rules are knocked out by this, a good number of them are still in place. These apps are still reviewed and tested by the App Review team, must have a full product listing in App Store Connect, and can be outright rejected - all in the same way as an App Store app.&lt;br /&gt;
&lt;br /&gt;
By contrast, all that is required for notarization on macOS is for your app to not be malware. You submit it to an automated system that approves it within minutes. &#039;&#039;&#039;You don&#039;t need to convince Apple your app is worthy of existing on their platform.&#039;&#039;&#039;&lt;br /&gt;
&lt;br /&gt;
The point of macOS notarization is that Apple has a record of all binaries that are intended for wide distribution on macOS, and can review them both in advance and on a regular basis for known malware/common malware patterns. Say a malware app manages to initially get through: when Apple finds out, they can go back in the notary records and find every sample of that malware to analyze and block. This is purely a technical process, managed by skilled security researchers, while iOS app review and &amp;quot;notarization&amp;quot; is a business process, managed by workers who have been given a checklist of violations to look for.&lt;br /&gt;
&lt;br /&gt;
Apple is retaining complete control over what&#039;s allowed to run on iOS. On macOS, you can choose to run apps that have not been notarized (even though the process to bypass the warning is intentionally difficult). On iOS, you never get even that option. What Apple created is the App Store but with more steps. It still goes on the App Store, just hidden so it can only be installed by the third-party store it&#039;s tied to.&lt;br /&gt;
&lt;br /&gt;
* [https://twitter.com/mysk_co/status/1806638308455256242 Mysk: iOS should enable alternative marketplaces to add their own links when users share their apps. Links still point to the App Store and if the app is not available there, this happens.]&lt;br /&gt;
&lt;br /&gt;
== JIT ==&lt;br /&gt;
Safari is allowed to [[wikipedia:Just-in-time compilation|just-in-time]] compile code worldwide. The super short version of what that means: it can run JavaScript code &#039;&#039;really fast&#039;&#039;. All browsers, and other runtimes like Microsoft .NET, Java, Lua use this. Ok, fine, it&#039;s the system web browser, it&#039;s very carefully written to be secure, and it&#039;s important to the platform to be doing well in performance benchmarks and all that.&lt;br /&gt;
&lt;br /&gt;
Apple&#039;s [https://apps.apple.com/app/swift-playgrounds/id908519492 Playgrounds] app on iPad is also allowed to JIT. It bundles Apple&#039;s [[wikipedia:Swift (programming language)|Swift]] compiler, and shares backend code with the version of Playgrounds found in [[wikipedia:Xcode|Xcode]].&lt;br /&gt;
&lt;br /&gt;
Competing apps like Pythonista (a Python IDE), emulators like Delta and UTM, and terminal environments like iSH, are not allowed to JIT. As such, they need to rely on inferior performance, potentially from an entirely separate implementation of their compiler/interpreter that may be less proven, because the JIT-less implementation doesn&#039;t need to exist on any other platform.&lt;br /&gt;
&lt;br /&gt;
Likely the most clear example is UTM SE. UTM is a port of the [[wikipedia:QEMU|QEMU]] emulator to iOS, allowing you to run desktop OSes (Linux, Windows 98, XP, classic Mac OS, etc). iPhone hardware is very capable these days and it runs impressively well, &#039;&#039;if&#039;&#039; you use a hack to enable JIT (which Apple has now patched). &amp;quot;SE&amp;quot; stands for &amp;quot;slow edition&amp;quot; - yes, really. If you compare the true version of UTM to the App Store UTM SE app, you &#039;&#039;will&#039;&#039; feel the loss in performance. It&#039;s impressive UTM even got to be on the App Store at all, and the DMA is to thank for it. But Apple is still holding the line on allowing JIT to apps that require that performance.&lt;br /&gt;
&lt;br /&gt;
While UTM SE releasing at all might seem like a pathway to getting Firefox and Chrome &amp;quot;slow editions&amp;quot; on the App Store, browser engines other than the built-in Apple WebKit/JavaScriptCore are [https://developer.apple.com/app-store/review/guidelines/#2.5.6 still outlawed]. In the EU, Apple has blessed web browser JavaScript engines with the option to use JIT. The app must be approved for an entitlement, and then must work within APIs provided by Apple for it. As of January 2025, no browsers have been released using this. We were all anticipating proper competition around web browsers on iOS, but almost a year later, we have nothing. Mozilla has [https://www.theverge.com/2024/1/26/24052067/mozilla-apple-ios-browser-rules-firefox discussed] why.&lt;br /&gt;
&lt;br /&gt;
== Sandbox ==&lt;br /&gt;
You might not like app sandboxing, but it&#039;s a powerful security feature used on all modern platforms. The reality is very few apps need more than a few basic permissions. [[wikipedia:Flatpak|Flatpak]] on Linux also sandboxes apps, and it seems to work great! Still, it&#039;s completely fair that there should be processes for doing things beyond what the sandbox allows. You see some of this with permission prompts - does a flashlight app &#039;&#039;really&#039;&#039; need access to your contacts? (Apple has been burned by [https://www.theverge.com/2012/2/14/2798008/ios-apps-and-the-address-book-what-you-need-to-know apps abusing user data] before the current permission system was built out.)&lt;br /&gt;
&lt;br /&gt;
It can go further than this. As we established in previous sections, an app can be given more access to features of the system using entitlements. These come in a few flavors:&lt;br /&gt;
&lt;br /&gt;
* Completely safe: Entitlements any developer can opt into, with little to no risk.&lt;br /&gt;
* Approval required: Entitlements that might be more of a security risk to allow, e.g. giving considerably wider access to the system, or that Apple simply doesn&#039;t want to hand out to just &#039;&#039;anyone&#039;&#039; for competitive reasons. The developer must submit a request to Apple with evidence of why they need the entitlement.&lt;br /&gt;
* Private: Entitlements that are never allowed for any app developer to use. Many of these are reasonably fenced off because they handle user data that is very risky, or bypasses permission prompts, etc, but can just as well also be guarding features Apple wants to keep to itself.&lt;br /&gt;
&lt;br /&gt;
There have been [https://gizmodo.com/researchers-uber-s-ios-app-had-secret-permissions-that-1819177235 exceptions] where Apple quietly gave a company access to private entitlements anyway, raising eyebrows.&lt;br /&gt;
&lt;br /&gt;
On iOS, you also can&#039;t be &#039;&#039;more&#039;&#039; secure than the default sandbox. That might seem crazy if you&#039;re not a developer, but it&#039;s pretty important for security in a variety of situations. On macOS, there are several entitlements you must declare to decide whether you&#039;re allowed to access certain types of user data at all. Android used this design from the very start - you can&#039;t even do fundamental things like access the internet without declaring it in your manifest. It makes it very explicit what the app&#039;s intentions are.&lt;br /&gt;
&lt;br /&gt;
iOS has one sandbox used by all App Store apps. System apps, and App Store apps developed by Apple, are allowed to expand or reduce their sandbox permissions as needed. Third-party apps do not get the right to expand or reduce their sandbox permissions at all. This is clearly less secure. To take the example of Playgrounds again, while it&#039;s allowed to run your code from a separate process executing in an ultra locked down sandbox with very few permissions, competing apps such as Pythonista must run your code in the same sandbox and address space as the main app process. The Python interpreter crashing would therefore crash the entire app, possibly losing work. In the worst case, a vulnerability in third-party code could give access to all data stored by/accessible to the app. If that third-party code could run in its own limited sandbox, the risk is significantly reduced.&lt;br /&gt;
&lt;br /&gt;
The only known workaround is to execute the code via JavaScript, as Apple&#039;s JavaScriptCore engine runs in a heavily sandboxed process. This requires you to port the code to JS, which may be a lot of work, or just not viable. You wouldn&#039;t want to run the Python interpreter inside JavaScript - the performance would be terrible!&lt;br /&gt;
&lt;br /&gt;
== In-app browsers ==&lt;br /&gt;
Safari&#039;s in-app browser, that is, the minimal version you get when tapping a link from social media, uses an entirely separate data store for each app. The in-app browser isn&#039;t aware of cookies in the &amp;quot;full&amp;quot; Safari app, or any other app, and doesn&#039;t support Safari extensions. Any websites you&#039;re logged into. Apple [https://github.com/openid/AppAuth-iOS/issues/120 claimed] this was to prevent malicious apps from stealing or setting cookies in Safari without your knowledge, which is a fair argument, but it&#039;s hard to not notice that it makes web browsing inconvenient, encouraging users to install native apps, where they can make transactions through Apple.&lt;br /&gt;
&lt;br /&gt;
This also means your browsing in the in-app browser is just forgotten - there&#039;s no history menu, and it doesn&#039;t get logged to the history in the full Safari app either. Good luck recalling that article you read a few weeks ago.&lt;br /&gt;
&lt;br /&gt;
== See also ==&lt;br /&gt;
* [https://theapplewiki.com/wiki/Eligibility Eligibility]&lt;br /&gt;
* [https://adamdemasi.com/2024/04/19/app-marketplace-experience.html The iOS 17.4 app marketplace flow is a disaster]&lt;br /&gt;
* [https://adamdemasi.com/2024/04/23/ios-eligibility-features.html Features controlled by iOS 17.4’s eligibility system]&lt;br /&gt;
&lt;br /&gt;
== References ==&lt;br /&gt;
&amp;lt;references /&amp;gt;&lt;/div&gt;</summary>
		<author><name>Kirb</name></author>
	</entry>
	<entry>
		<id>https://mirror.consumerrights.wiki/index.php?title=Apple_App_Store&amp;diff=515</id>
		<title>Apple App Store</title>
		<link rel="alternate" type="text/html" href="https://mirror.consumerrights.wiki/index.php?title=Apple_App_Store&amp;diff=515"/>
		<updated>2025-01-14T14:38:30Z</updated>

		<summary type="html">&lt;p&gt;Kirb: Created page with &amp;quot;&amp;#039;&amp;#039;I started writing this 6 months ago and didn&amp;#039;t really finish it. Feel free to use it as a starting point for an article. Hopefully it&amp;#039;s not too technical.&amp;#039;&amp;#039;  Writing down some anti-consumer standards Apple has, which in my opinion aren&amp;#039;t getting the coverage they deserve from lawmakers. Apple is good at obscuring their intentions with technical roadblocks, typically citing security reasons, or just hoping nobody notices or asks in the first place.  == Background info =...&amp;quot;&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;&#039;&#039;I started writing this 6 months ago and didn&#039;t really finish it. Feel free to use it as a starting point for an article. Hopefully it&#039;s not too technical.&#039;&#039;&lt;br /&gt;
&lt;br /&gt;
Writing down some anti-consumer standards Apple has, which in my opinion aren&#039;t getting the coverage they deserve from lawmakers. Apple is good at obscuring their intentions with technical roadblocks, typically citing security reasons, or just hoping nobody notices or asks in the first place.&lt;br /&gt;
&lt;br /&gt;
== Background info ==&lt;br /&gt;
Important terms you&#039;ll run into in this article:&lt;br /&gt;
&lt;br /&gt;
* [[wikipedia:Sandbox (computer security)|Sandbox]]: Reduces exposure of the user&#039;s device/data to security risks, by reducing what an app is allowed to do.&lt;br /&gt;
* [https://theapplewiki.com/wiki/Entitlements Entitlements]: Apple&#039;s method of &amp;quot;poking holes&amp;quot; in the sandbox, to give the app more permissions. Some are available to developers, while many are only available to Apple.&lt;br /&gt;
* [[wikipedia:Digital Markets Act|Digital Markets Act]]: The European Union&#039;s fairly sweeping recent regulations forcing companies they classify as &amp;quot;gatekeepers&amp;quot; to play nice, giving smaller businesses access to software/hardware features they&#039;ve historically reserved for their own use.&lt;br /&gt;
&lt;br /&gt;
== Notarization ==&lt;br /&gt;
Since 2015, Apple expects all Mac apps to be &amp;quot;notarized&amp;quot;. This is a preliminary, automated malware check, which upon passing, provides a notary certificate that gets &amp;quot;stapled&amp;quot; to the app. Apple&#039;s explanation:&lt;br /&gt;
&lt;br /&gt;
&amp;lt;blockquote&amp;gt;&lt;br /&gt;
Notarization of macOS software is not App Review. The Apple notary service is an automated system that scans your software for malicious content, checks for code-signing issues, and returns the results to you quickly. If there are no issues, the notary service generates a ticket for you to staple to your software; the notary service also publishes that ticket online where Gatekeeper can find it.&amp;lt;ref&amp;gt;https://developer.apple.com/documentation/security/notarizing-macos-software-before-distribution&amp;lt;/ref&amp;gt;&lt;br /&gt;
&amp;lt;/blockquote&amp;gt;&lt;br /&gt;
&lt;br /&gt;
Whether this is actually a better approach than used by Windows antivirus, where they find out about new malware samples only when they end up on a user&#039;s computer, is a separate topic.&lt;br /&gt;
&lt;br /&gt;
To comply with the DMA&#039;s regulations on app marketplaces, Apple created a new channel of releasing apps outside of the iOS App Store. Apps go through a notarization process. But the process is definitely &#039;&#039;not&#039;&#039; notarization. The name is intentionally being abused, by contrast to notarization on macOS, to make you believe it is something other than the existing App Review system. Despite the pain some developers and users have with it, notarization on macOS has always been considered a net positive. It made sense to take advantage of its reputation for the entirely different &amp;quot;notarization&amp;quot; on iOS.&lt;br /&gt;
&lt;br /&gt;
See for yourself - view the [https://developer.apple.com/app-store/review/guidelines/ App Review Guidelines] and tick &amp;quot;Show Notarization Review Guidelines Only&amp;quot;. While most rules are knocked out by this, a good number of them are still in place. These apps are still reviewed and tested by the App Review team, must have a full product listing in App Store Connect, and can be outright rejected - all in the same way as an App Store app.&lt;br /&gt;
&lt;br /&gt;
By contrast, all that is required for notarization on macOS is for your app to not be malware. You submit it to an automated system that approves it within minutes. &#039;&#039;&#039;You don&#039;t need to convince Apple your app is worthy of existing on their platform.&#039;&#039;&#039;&lt;br /&gt;
&lt;br /&gt;
The point of macOS notarization is that Apple has a record of all binaries that are intended for wide distribution on macOS, and can review them both in advance and on a regular basis for known malware/common malware patterns. Say a malware app manages to initially get through. When Apple finds out, they can go back in the notary records and find every sample of that malware to analyze and block. This is purely a technical process, managed by skilled security researchers, while iOS app review and &amp;quot;notarization&amp;quot; are a business process, managed by workers who have been given a checklist of violations to look for.&lt;br /&gt;
&lt;br /&gt;
Apple is retaining complete control over what&#039;s allowed to run on iOS. On macOS, you can choose to run apps that have not been notarized (even though the process to bypass the warning is intentionally difficult). On iOS, you never get even that option. What Apple created is the App Store but with more steps. It still goes on the App Store, just hidden so it can only be installed by the third-party store it&#039;s tied to.&lt;br /&gt;
&lt;br /&gt;
* [https://twitter.com/mysk_co/status/1806638308455256242 Mysk: iOS should enable alternative marketplaces to add their own links when users share their apps. Links still point to the App Store and if the app is not available there, this happens.]&lt;br /&gt;
&lt;br /&gt;
== JIT ==&lt;br /&gt;
Safari is allowed to [[wikipedia:Just-in-time compilation|just-in-time]] compile code worldwide. The super short version of what that means: it can run JavaScript code &#039;&#039;really fast&#039;&#039;. All browsers, and other runtimes like Microsoft .NET, Java, and Lua, use this. Ok, fine, it&#039;s the system web browser, it&#039;s very carefully written to be secure, and it&#039;s important to the platform to be doing well in performance benchmarks and all that.&lt;br /&gt;
&lt;br /&gt;
Apple&#039;s [https://apps.apple.com/app/swift-playgrounds/id908519492 Playgrounds] app on iPad is also allowed to JIT. It bundles Apple&#039;s [[wikipedia:Swift (programming language)|Swift]] compiler, and shares backend code with the version of Playgrounds found in [[wikipedia:Xcode|Xcode]].&lt;br /&gt;
&lt;br /&gt;
Competing apps like Pythonista (a Python IDE), emulators like Delta and UTM, and terminal environments like iSH, are not allowed to JIT. As such, they need to rely on inferior performance, potentially from an entirely separate implementation of their compiler/interpreter that may be less proven, because the JIT-less implementation doesn&#039;t need to exist on any other platform.&lt;br /&gt;
&lt;br /&gt;
Likely the clearest example is UTM SE. UTM is a port of the [[wikipedia:QEMU|QEMU]] emulator to iOS, allowing you to run desktop OSes (Linux, Windows 98, XP, classic Mac OS, etc). iPhone hardware is very capable these days and it runs impressively well, &#039;&#039;if&#039;&#039; you use a hack to enable JIT (which Apple has now patched). &amp;quot;SE&amp;quot; stands for &amp;quot;slow edition&amp;quot; - yes, really. If you compare the true version of UTM to the App Store UTM SE app, you &#039;&#039;will&#039;&#039; feel the loss in performance. It&#039;s impressive UTM even got to be on the App Store at all, and the DMA is to thank for it. But Apple is still holding the line on allowing JIT to apps that require that performance.&lt;br /&gt;
&lt;br /&gt;
While UTM SE releasing at all might seem like a pathway to getting Firefox and Chrome &amp;quot;slow editions&amp;quot; on the App Store, browser engines other than the built-in Apple WebKit/JavaScriptCore are [https://developer.apple.com/app-store/review/guidelines/#2.5.6 still outlawed]. In the EU, Apple has blessed web browser JavaScript engines with the option to use JIT. The app must be approved for an entitlement, and then must work within APIs provided by Apple for it. As of January 2025, no browsers have been released using this. We were all anticipating proper competition around web browsers on iOS, but almost a year later, we have nothing. Mozilla has [https://www.theverge.com/2024/1/26/24052067/mozilla-apple-ios-browser-rules-firefox discussed] why.&lt;br /&gt;
&lt;br /&gt;
== Sandbox ==&lt;br /&gt;
You might not like app sandboxing, but it&#039;s a powerful security feature used on all modern platforms. The reality is very few apps need more than a few basic permissions. [[wikipedia:Flatpak|Flatpak]] on Linux also sandboxes apps, and it seems to work great! Still, it&#039;s completely fair that there should be processes for doing things beyond what the sandbox allows. You see some of this with permission prompts - does a flashlight app &#039;&#039;really&#039;&#039; need access to your contacts? (Apple has been burned by [https://www.theverge.com/2012/2/14/2798008/ios-apps-and-the-address-book-what-you-need-to-know apps abusing their kindness] before.)&lt;br /&gt;
&lt;br /&gt;
It can go further than this. As we established in previous sections, an app can be given more access to features of the system using entitlements. These come in a few flavors:&lt;br /&gt;
&lt;br /&gt;
* Completely safe: Entitlements any developer can opt into, with little to no risk.&lt;br /&gt;
* Approval required: Entitlements that might be more of a security risk to allow, e.g. giving considerably wider access to the system, or that Apple simply doesn&#039;t want to hand out to just &#039;&#039;anyone&#039;&#039; for competitive reasons. The developer must submit a request to Apple with evidence of why they need the entitlement.&lt;br /&gt;
* Private: Entitlements that are never allowed for any app developer to use. Many of these are reasonably fenced off because they handle user data that is very risky, or bypasses permission prompts, etc, but can just as well also be guarding features Apple wants to keep to itself.&lt;br /&gt;
&lt;br /&gt;
There have been [https://gizmodo.com/researchers-uber-s-ios-app-had-secret-permissions-that-1819177235 exceptions] where Apple quietly gave a company access to private entitlements anyway, raising eyebrows.&lt;br /&gt;
&lt;br /&gt;
On iOS, you also can&#039;t be &#039;&#039;more&#039;&#039; secure than the default sandbox. That might seem crazy, but it&#039;s pretty important for security in a variety of situations. On macOS, there are several entitlements you must declare to decide whether you&#039;re allowed to access certain types of user data at all. Android echoed this design from the very start - you can&#039;t even do fairly fundamental things like access the internet without declaring it in your manifest. It makes it very clear what the app intends to do.&lt;br /&gt;
&lt;br /&gt;
iOS has one sandbox used by all App Store apps. System apps, and App Store apps developed by Apple, are allowed to expand or reduce their sandbox permissions as needed. Third-party apps do not get the right to expand or reduce their sandbox permissions at all. This is clearly less secure. To take the example of Playgrounds again, while it&#039;s allowed to run your code from a separate process executing in an ultra locked down sandbox with very few permissions, competing apps such as Pythonista must run your code entirely in the same sandbox and address space as the main app process. The Python interpreter crashing would therefore crash the entire app, possibly losing work. In the worst case, a vulnerability in third-party code could give access to all data stored by/accessible to the app. If that third-party code could run in its own limited sandbox, the risk is significantly reduced.&lt;br /&gt;
&lt;br /&gt;
The only known workaround is to execute the code via JavaScript, as Apple&#039;s JavaScriptCore engine runs in a heavily sandboxed process. This requires you to port the code to JS, which may be a lot of work, or just not viable. You wouldn&#039;t want to run the Python interpreter inside JavaScript - the performance would be terrible!&lt;br /&gt;
&lt;br /&gt;
== In-app browsers ==&lt;br /&gt;
Safari&#039;s in-app browser, that is, the minimal version you get when tapping a link from social media, uses an entirely separate data store for each app. The in-app browser isn&#039;t aware of cookies in the &amp;quot;full&amp;quot; Safari app, or any other app, and doesn&#039;t support Safari extensions. Any websites you&#039;re logged into. Apple [https://github.com/openid/AppAuth-iOS/issues/120 claimed] this was to prevent malicious apps from stealing or setting cookies in Safari without your knowledge, which is a fair argument, but it&#039;s hard to not notice that it makes web browsing inconvenient, encouraging users to install native apps, where they can make transactions through Apple.&lt;br /&gt;
&lt;br /&gt;
This also means your browsing in the in-app browser is just forgotten - there&#039;s no history menu, and it doesn&#039;t get logged to the history in the full Safari app either. Good luck recalling that article you read a few weeks ago.&lt;br /&gt;
&lt;br /&gt;
== See also ==&lt;br /&gt;
* [https://theapplewiki.com/wiki/Eligibility Eligibility]&lt;br /&gt;
* [https://adamdemasi.com/2024/04/19/app-marketplace-experience.html The iOS 17.4 app marketplace flow is a disaster]&lt;br /&gt;
* [https://adamdemasi.com/2024/04/23/ios-eligibility-features.html Features controlled by iOS 17.4’s eligibility system]&lt;br /&gt;
&lt;br /&gt;
== References ==&lt;br /&gt;
&amp;lt;references /&amp;gt;&lt;/div&gt;</summary>
		<author><name>Kirb</name></author>
	</entry>
</feed>