Should Apple Continue to Ban Rival Browser Engines on iOS?

[Sophisticatednut]

It's really not as clear-cut as that. Consider the following scenario:

I have a hardened OS and browser that is 100% secure. Adding anything at all to the mix will put my system at additional risk.

Of course, that is not a realistic scenario for something like an iPhone, which gets patched every few months (likely more so from iOS16+). But it's not that far off. You also have to consider the patching schedules of third party software. I've installed plenty of apps over the years that have not been updated in years. God only knows what risks they pose.

This scenario is completely valid on your device and/or on a fleet of devices or systems, but not the market with a billion different users for market penetration. Plus, nothing is 100% secure, and so far they all have similar security levels.

Firefox and chromium based browsers have a weekly update if not daily with serious exploits, apple currently do as you say uppdates every few quarters at most, that will hopefully be fixed in iOS 16 have . and then again if you use an app with sub 1% market penetration will likely be more secure than any software apple can create just from the nature of it not being worth their time. Find an exploit for a user base of 1 million or find an exploit for a billion users.

 

[Sophisticatednut]

I

It's really not as clear-cut as that. Consider the following scenario:

I have a hardened OS and browser that is 100% secure. Adding anything at all to the mix will put my system at additional risk.

Of course, that is not a realistic scenario for something like an iPhone, which gets patched every few months (likely more so from iOS16+). But it's not that far off. You also have to consider the patching schedules of third party software. I've installed plenty of apps over the years that have not been updated in years. God only knows what risks they pose.

f you want to have a great example why one engine to rule them all is terrible for the user experience.
my iPhone 8 Plus have ios15.5 and safari is completely broken. In every browser app they use WebKit. Making one bug affect everyone

Before the update it worked completely fine as well

But my iPad with the same software everything works perfectly fine

 

[LV426]

If you want to have a great example why one engine to rule them all is terrible for the user experience.
my iPhone 8 Plus have ios15.5 and safari is completely broken. In every browser app they use WebKit. Making one bug affect everyone

Before the update it worked completely fine as well

But my iPad with the same software everything works perfectly fine

Your phone is knackered. Full stop. My iPhone is on 15.5 and works just fine. I'm not in your group of "everybody".

I'll give you a counter-example. Let's say a couple of million people are allowed to install a Flash plugin for the browser of their choice. A couple of million people will then have a phone that dies a rapid death due to its poor coding.

I am reminded of something that happened the other day in my house. My front door has a fancy new secure lock, and you can only get keys or replacements by sending in a code to the manufacturer. So, I thought I'd take the opportunity to replace two other door locks in my house so that they all use the same key. Nice, my pocket is much lighter, and I only have one key for the house.

I told Mrs LV426 to throw away three of her old useless keys, and the first thing she complained was how was she going to get in if she had the wrong key on her person? She'd got used to occasionally having only one key with her, and if she couldn't get in the front, she could get round the back.

I'll let you figure out what the right answer is.

 

[Sophisticatednut]

Your phone is knackered. Full stop. My iPhone is on 15.5 and works just fine. I'm not in your group of "everybody".

Now I’m on iOS 16 beta and it works fine, so just a bug. And what I mean with everyone is: if Firefox uses its own engine then I could’ve just replaced safari with Firefox instead. But now at least I have iOS 16 and I love it even in beta.

I'll give you a counter-example. Let's say a couple of million people are allowed to install a Flash plugin for the browser of their choice. A couple of million people will then have a phone that dies a rapid death due to its poor coding.

That’s exactly my example. Multiple browsers sharing the same flaw. Currently everyone on iOS uses WebKit as the common security. At least with flash I could uninstall it or block it.

I am reminded of something that happened the other day in my house. My front door has a fancy new secure lock, and you can only get keys or replacements by sending in a code to the manufacturer. So, I thought I'd take the opportunity to replace two other door locks in my house so that they all use the same key. Nice, my pocket is much lighter, and I only have one key for the house.

I told Mrs LV426 to throw away three of her old useless keys, and the first thing she complained was how was she going to get in if she had the wrong key on her person? She'd got used to occasionally having only one key with her, and if she couldn't get in the front, she could get round the back.

I'll let you figure out what the right answer is.

That’s your mistake, your conflating one user with multiple key ways or one key way to a market of different ones.

Would you rather your neighbors all share the same one key, and when one copies that manufacturers everyone is exposed until the manufacturer sends you a new one or would you want to pick your own key?

 

[LV426]

Now I’m on iOS 16 beta and it works fine, so just a bug. And what I mean with everyone is: if Firefox uses its own engine then I could’ve just replaced safari with Firefox instead. But now at least I have iOS 16 and I love it even in beta.

That’s exactly my example. Multiple browsers sharing the same flaw. Currently everyone on iOS uses WebKit as the common security. At least with flash I could uninstall it or block it.

That’s your mistake, your conflating one user with multiple key ways or one key way to a market of different ones.

Would you rather your neighbors all share the same one key, and when one copies that manufacturers everyone is exposed until the manufacturer sends you a new one or would you want to pick your own key?

Right, so to confirm, you don't actually have a problem. Whereas having multiple browser engines on your device certainly could give you a problem. Aside from the redundant extra storage space needed, and the arbitrary patching mechanisms that may, or may not, exist for those browser engines.

When you open a mail in iOS, and it renders HTML content, which browser engine is it using? How does that get patched, and when. Clue: at the moment it's WebKit. I imagine there are numerous other parts of iOS that also use WebKit.

If I lend a door key to my neighbour, she cannot copy it. ABS keys cannot be created without knowing a secret alphanumeric code. I'm very happy that my door key works this way. Having multiple unique locks on my house each with a different key significantly reduces my house security: more keys to keep track of, and an open house if a single one is mislaid.

 

[Sophisticatednut]

Right, so to confirm, you don't actually have a problem.

i did have a problem until I updated to the developers beta of iOS 16, and now I have other problems because it’s a beta and some apps aren’t update. But at least my browser works.

Whereas having multiple browser engines on your device certainly could give you a problem. Aside from the redundant extra storage space needed, and the arbitrary patching mechanisms that may, or may not, exist for those browser engines.

why would you have multiple browser engines on your device? Only different browsers that doesn’t use WebKit would have it in the app, and would be deleted the second it’s removed with the app. The engines would update exactly like every other app today… through the AppStore. Or do you honestly believe ios contains a copy of the unreal engine 4 & 5 and the unity engines?

When you open a mail in iOS, and it renders HTML content, which browser engine is it using? How does that get patched, and when. Clue: at the moment it's WebKit. I imagine there are numerous other parts of iOS that also use WebKit.

as long as it doesn’t open up a browser, it’s its own engine. Such as when I use spark, outlook or gmail, and it’s updated with the app throu the AppStore.

If I lend a door key to my neighbour, she cannot copy it. ABS keys cannot be created without knowing a secret alphanumeric code.

I have a bridge to sell you, but they are very easy to recreate if you have physical access to them as every key. And takes just a few minutes to open up as well.
this “secret alphanumeric code” are just a uniqeu production code for your specific key.

I'm very happy that my door key works this way. Having multiple unique locks on my house each with a different key significantly reduces my house security: more keys to keep track of, and an open house if a single one is mislaid.

Hence you have completely misunderstood my analogy or how it would work.

iOS will only have ONE browser engine.
if I download Firefox, It would instead come with its own browser included engine and not use any WebKit code at all.

the second I uninstall it, the browser engine would disappear as well.

today if I download Firefox it will use ONLY the WebKit browser engine included in the iOS software under a user interface wrapper

 

[I7guy]

[….]
iOS will only have ONE browser engine.
if I download Firefo, I would instead come with its own browser engine and not use any WebKit code at all.

Yep, could be opening a Pandora’s box of vulnerabilities.

the second I uninstall it, the browser engine would disappear as well.

tosay if I dow Firefox it will use ONLY the WebKit browser engine included in the iOS software under a user interface wrapper

Imo, this is much safer overall for iOS.

 

[ponzicoinbro]

Brave was caught hijacking links and inserting their own affiliate codes into them and had a version of Tor built into their browser that was flagged as a bad virus by Windows.

Chrome is the browser of choice for gambling degens who waste their money on web3 magic beans and their ‘wallets’ are always being hacked and their money being stolen. Billions of dollars stolen, sent to god knows who god knows where. Might even be very dangerous people who will use that stolen money in very dangerous ways.

Safari for iOS has the least number of security incidents and theft. Also has the most efficient energy consumption.

So unless other browser engines can offer this security people should be smart to avoid them.

 

[LV426]

i did have a problem until I updated to the developers beta of iOS 16, and now I have other problems because it’s a beta and some apps aren’t update. But at least my browser works.

why would you have multiple browser engines on your device? Only different browsers that doesn’t use WebKit would have it in the app, and would be deleted the second it’s removed with the app. The engines would update exactly like every other app today… through the AppStore. Or do you honestly believe ios contains a copy of the unreal engine 4 & 5 and the unity engines?

as long as it doesn’t open up a browser, it’s its own engine. Such as when I use spark, outlook or gmail, and it’s updated with the app throu the AppStore.

I have a bridge to sell you, but they are very easy to recreate if you have physical access to them as every key. And takes just a few minutes to open up as well.
this “secret alphanumeric code” are just a uniqeu production code for your specific key.

Hence you have completely misunderstood my analogy or how it would work.

iOS will only have ONE browser engine.
if I download Firefox, It would instead come with its own browser included engine and not use any WebKit code at all.

the second I uninstall it, the browser engine would disappear as well.

today if I download Firefox it will use ONLY the WebKit browser engine included in the iOS software under a user interface wrapper

You really should stop visiting badly written websites. As a web developer myself and a developer of browsers for embedded systems, I'm all too aware of how many rubbish websites there are. For a website to "work", it has to have valid HTML and the browser needs to work, too. Very few websites actually don't "work" with Safari. I've shown examples of websites here that "work" in Chrome, but by rights they should not "work" at all in any browser. Chrome, instead of declaring the website as having a bad syntax, simply makes assumptions about the website's intentions. That's bad for end users and bad for the internet,

Why would you have multiple browser engines on your device? I wouldn't. Certainly not to persuade badly written websites to work; not to interfere with my phone's performance; and not to give me yet more apps to patch. Assuming they actually get patched, that is. My phone has plenty of orphaned apps that never get updated.

I'm well aware of how all iOS browsers work, in that they all depend on WebKit code. In my opinion this is actually a GREAT thing. It stops browser vendors creating rubbish iOS applications that can interfere with phone security and performance. These are exactly the reasons that Steve Jobs banned Flash (a kind of browser "engine") on iOS. It's also an efficient way of sharing components across the operating system.

 

[Maximara]

So unless other browser engines can offer this security people should be smart to avoid them.

If people were smart the world wouldn't be the FUBAR of the week or engage in all these get rich quick schemes.

 

[Sophisticatednut]

Yep, could be opening a Pandora’s box of vulnerabilities.

how would a Pandora’s box of vulnerability be opening up? If you only use safari and a new exploit for chromes blink engine is discovered, then you won’t be affected. If you use Firefox, then. You will also be unaffected. If a new WebKit exploit is discovered and you use Firefox then you won’t be affected (if you can use only Firefox gecko engine)

Imo, this is much safer overall for iOS.

witch one? And we all remember the text bombs

Complete Guide to iPhone text bombs

Beware! There are symbols out there that could crash your iPhone, iPad and Mac. We tell you how to avoid iPhone text bomb bugs and what to do if you open a dodgy text on your iPhone or iPad.

www.macworld.com

 

[I7guy]

how would a Pandora’s box of vulnerability be opening up? If you only use safari and a new exploit for chromes blink engine is discovered, then you won’t be affected. If you use Firefox, then. You will also be unaffected. If a new WebKit exploit is discovered and you use Firefox then you won’t be affected (if you can use only Firefox gecko engine)

Because it’s a guarantee that all browsers will have their respective vulnerabilities and an exploit on one browser could compromise one’s digital life.

witch one? And we all remember the text bombs

Complete Guide to iPhone text bombs

Beware! There are symbols out there that could crash your iPhone, iPad and Mac. We tell you how to avoid iPhone text bomb bugs and what to do if you open a dodgy text on your iPhone or iPad.

www.macworld.com

Perfect example why it makes sense to have one underbelly for all browsers. Fix an issue once and for all one time one place.

 

[Sophisticatednut]

You really should stop visiting badly written websites. As a web developer myself and a developer of browsers for embedded systems, I'm all too aware of how many rubbish websites there are. For a website to "work", it has to have valid HTML and the browser needs to work, too. Very few websites actually don't "work" with Safari. I've shown examples of websites here that "work" in Chrome, but by rights they should not "work" at all in any browser. Chrome, instead of declaring the website as having a bad syntax, simply makes assumptions about the website's intentions. That's bad for end users and bad for the internet.

If you actually knew what I’m talking about you would know it’s not about a bad websites, as I provided a video demonstrating my problem, that included macrumors, twitter and YouTube. This was for every website.

If you want to have a great example why one engine to rule them all is terrible for the user experience.
my iPhone 8 Plus have ios15.5 and safari is completely broken. In every browser app they use WebKit. Making one bug affect everyone

Before the update it worked completely fine as well

But my iPad with the same software everything works perfectly fine
View attachment 2019925

Why would you have multiple browser engines on your device? I wouldn't. Certainly not to persuade badly written websites to work; not to interfere with my phone's performance; and not to give me yet more apps to patch. Assuming they actually get patched, that is. My phone has plenty of orphaned apps that never get updated.

So that I could circumvent badly written safari WebKit code. As in my example

I'm well aware of how all iOS browsers work, in that they all depend on WebKit code. In my opinion this is actually a GREAT thing. It stops browser vendors creating rubbish iOS applications that can interfere with phone security and performance.

Then the same logic should be applied to game engines.

These are exactly the reasons that Steve Jobs banned Flash (a kind of browser "engine") on iOS. It's also an efficient way of sharing components across the operating system.

That’s a plug-in not a browser engine. Browser engine is what’s used to render websites.

 

[Sophisticatednut]

Because it’s a guarantee that all browsers will have their respective vulnerabilities and an exploit on one browser could compromise one’s digital life.

Well that’s exactly how every app in the AppStore works now? Every game, every mail app, every messaging application, every video player etc etc use application specific code completely independent from apples iOS code to function or be exploited

Perfect example why it makes sense to have one underbelly for all browsers. Fix an issue once and for all one time one place.

Firefox fixed it in a day, safari fixed in in a month. What do you do while you wait? Not use the internet?

 

[I7guy]

Well that’s exactly how every app in the AppStore works now? Every game, every mail app, every messaging application, every video player etc etc use application specific code completely independent from apples iOS code to function or be exploited

Why increase the surface vector unnecessarily?

Firefox fixed it in a day, safari fixed in in a month. What do you do while you wait? Not use the internet?

You are for opening up multiple avenues of attack potentially simultaneously. Not everything is fixed in a day however to your point Apple also has had speedy responses in the past. It’s shortsighted to poke the bear so to speak and open the flood gates for zero day vulnerabilities.

 

[Sophisticatednut]

Why increase the surface vector unnecessarily?

It has zero impact on you tho. If you continue to use safari and chrome had an exploit, then you will be unaffected. And it lowers your individual surface vector dramatically.

You are for opening up multiple avenues of attack potentially simultaneously. Not everything is fixed in a day however to your point Apple also has had speedy responses in the past. It’s shortsighted to poke the bear so to speak and open the flood gates for zero day vulnerabilities.

I’m only for opening up the ability replace parts with other in order to increase my security. If I can replace safari with some obscure web browser then I would, I would replace my messaging program eliminating any chance for me to get an iMessage text that bricks my device.

 

[I7guy]

It has zero impact on you tho. If you continue to use safari and chrome had an exploit, then you will be unaffected. And it lowers your individual surface vector dramatically.

It has an effect on brand value and brand perception. Choice is great, android fits the bill. If you use android you are $$$ and sending a message to apple.

I’m only for opening up the ability replace parts with other in order to increase my security. If I can replace safari with some obscure web browser then I would, I would replace my messaging program eliminating any chance for me to get an iMessage text that bricks my device.

ios is locked down and android allows you to do what you want. I understand what you desire but maybe or maybe not this could become reality in the future.

 

[Sophisticatednut]

It has an effect on brand value and brand perception. Choice is great, android fits the bill. If you use android you are $$$ and sending a message to apple.

I mean from a security perspective.

ios is locked down and android allows you to do what you want. I understand what you desire but maybe or maybe not this could become reality in the future.

Well it does with jailbreaks, but iOS 16 seems to improve this option

 

[Maximara]

If you want to have a great example why one engine to rule them all is terrible for the user experience.
my iPhone 8 Plus have ios15.5 and safari is completely broken. In every browser app they use WebKit. Making one bug affect everyone

Before the update it worked completely fine as well

But my iPad with the same software everything works perfectly fine

Since iOS and iPad both use WebKit the statement that "the same software" works fine on one but not the other shows something else is going on. If you upgraded one but not the other than by definition it cannot be "the same software"

 

[Jackpaultechnab]

No! because chrome browser is very user-friendly for anyone.

 

[Maximara]

Both can actually be true.

Chromium is a resource hog.

But Apple is able to save RAM cost by forbidding third-party engines thereby increasing Apple's highest profit margins.

That is a non sequitor because Chromium is a fork of webkit. Side note you do know Webkit is open source, right?

 

[F27]

One benefit I could certainly see of this is the decoupling of Safari from iOS allowing it to be updated more regularly.

Right now only an iOS update updates Safari, people may go months and even years before updating leaving them with an out of date browser whereas an App Store browser could be updated every week independently.

Having used Safari for the first time on a new iPad I personally think it's a terrible browser with a poor UI and poor performance and would welcome other browsers.

 

[Maximara]

That really is a badly-written website! Thank you. Once I figured out the website was at fault, I simply downloaded Firefox and went from there.

Kind of defeats the purpose of a standard doesn't it?

 

[ABronxBoy]

Firefox doesn't use its own engine on android?

I think not. I turned on a “privacy“ setting in Firefox, and now my Safari doesn’t download web based icons on many pages. If anything, different browsers seem to coexist with Apple’s engine but still do their own “thing”.
However, I still don’t trust Chrome to be my default browser, even on my now unused ‘Droid device.

 

[Sophisticatednut]

Since iOS and iPad both use WebKit the statement that "the same software" works fine on one but not the other shows something else is going on. If you upgraded one but not the other than by definition it cannot be "the same software"

well, I had the same iOS version on both(ios 15.5). But one is the iPhone 8 from 2017 and the other is the iPad Pro from 2018.

Hence why it's likely it was just a bug. And a bug i could fix in any other way but to reinstall the OS or update it. instead of using a different browser