Apple 在歐盟 DMA 的法規下被強制開放 App Store 與各種限制

昨天科技圈最熱門的消息應該是 Apple 公開了在歐盟區開放 App Store 限制的計畫:「Apple announces changes to iOS, Safari, and the App Store in the European Union」,Hacker News 上的討論也很熱鬧,也提出了很多蘋果想盡辦法讓你不要換過去所設定的障礙:「Apple announces changes to iOS, Safari, and the App Store in the European Union (apple.com)」。

從文章可以看出 Apple 不斷的用 FUD 在擋,而且從文章裡面就可以看出來 Apple 極度不情願開放這塊肥肉。

除了文章的不情願態度外,Apple 也試著要建立各種機制讓 developer 無法轉移,其中目前最毒的是 Core Technology Fee 的設計,即使 app 後續會透過第三方的 app marketplace 下載,你仍然要付給 Apple 一筆很貴的費用:

Core Technology Fee — iOS apps distributed from the App Store and/or an alternative app marketplace will pay €0.50 for each first annual install per year over a 1 million threshold.

不確定現有的 DMA 是否有阻止的能力,但這個是目前已經看到的重點項目,歐盟應該會有動作...

另外看一些群組討論,Apple 很不願意放 App Store 出來,看起來這個功能是被鎖到 countryd 層級的,無法單純註冊歐盟 App Store 的帳號就能安裝。

反正先坐著等一兩個月看新聞消化...

LSAs 與 application password 不同...

前天在「使用 application password 的 Google 服務將在 2024/09/30 停止支援」這邊寫完後,yan12125 在文章留言的地方提到:

看起來這次只有停止支援 Less Secure Apps, application password 還是可以用的。公告中提到:

> If the app you are using does not support OAuth, you will need to switch to an app that offers OAuth or create an app password to access these apps.

回頭去翻了一下 LSA 是什麼 (出自「Limiting access to less secure apps to protect G Suite accounts」這篇):

A less secure app (LSA) is an app that connects to Google accounts using only username and password verification for access and not OAuth. Generally, you should only allow your users to use external apps that connect to Google accounts via OAuth, as LSAs make user accounts more vulnerable to hijacking.

看起來這邊指的是用原始的 Google 帳號與密碼登入,我一直以為這個方式早就被拔掉了,所以這次的公告以為是拔掉 application password,但看起來不是這樣。

「SMS 認證」被電信商 (以及第三方) 拿來套利的市場

Hacker News 上看到「Twitter Lost $60M a Year Because 390 Telcos Used Bot Accounts to Pump A2P SMS (commsrisk.com)」這篇,內文報導是這裡:「Elon Musk Says Twitter Lost $60mn a Year Because 390 Telcos Used Bot Accounts to Pump A2P SMS」。

簡訊的實際成本極低,但利潤超級高,發送方與接收方都有極大的獲利空間。

而這邊提到的 SMS pumping 的方式就是電信商自己做,或是電信商與第三方合作,利用各種發簡訊的方式 (內容不重要),讓 app 端要付出大量的簡訊成本,進而產生出大量的利潤。

Twilio 的「SMS Traffic Pumping Fraud」這頁就有這張圖:

簡訊的特點是很好 scale,你無法同時間接大量的電話,但可以同時間收大量的簡訊。在「SMS Fraud is costing you more than you realize」這邊也有提到這個問題。

這個問題在去年年底在我們自家的服務上就有看到跡象 (東南亞市場頗明顯),當時搜尋有一些討論,而現在看起來 Elon Musk 這次吵應該又會有更多熱度...

話說這樣演化下去,SMS 認證的退場又多了一個理由,除了 SS7 在資安上的安全問題外,看起來成本問題也會跑進來。

歐盟通過 Digital Markets Act 與 Digital Services Act

Hacker News Daily 上翻的時候看到的大消息,歐盟通過了 Digital Markets Act (DMA) 與 Digital Services Act (DSA):「EU Approves Landmark Legislation to Regulate Apple and Other Big Tech Firms」,這兩個法案會直接衝擊大企業壟斷的情況。

找了一下中文的資料,iThome 有報導:「歐洲議會通過《數位服務法》與《數位市場法》!傳訊服務必須互通,不得禁止使用者採用第三方App Store」。

其中 MacRumors 上的文章整理的蠻清楚的,DMA 包括了:

  • Allow users to install apps from third-party app stores and sideload directly from the internet.
  • Allow developers to offer third-party payment systems in apps and promote offers outside the gatekeeper's platforms.
  • Allow developers to integrate their apps and digital services directly with those belonging to a gatekeeper. This includes making messaging, voice-calling, and video-calling services interoperable with third-party services upon request.
  • Give developers access to any hardware feature, such as "near-field communication technology, secure elements and processors, authentication mechanisms, and the software used to control those technologies."
  • Ensure that all apps are uninstallable and give users the ability to unsubscribe from core platform services under similar conditions to subscription.
  • Give users the option to change the default voice assistant to a third-party option.
  • Share data and metrics with developers and competitors, including marketing and advertising performance data.
  • Set up an independent "compliance function" group to monitor its compliance with EU legislation with an independent senior manager and sufficient authority, resources, and access to management.
  • Inform the European Commission of their mergers and acquisitions.

可以看出來除了最後兩項是針對 EU 的監管機制外,其他的包括了安裝來自第三方的軟體、可以使用第三方的付款系統、可以整合系統服務、可以整合硬體功能、可以使用第三方的語音工具、可以反安裝所有的 app 以及提供平台蒐集到的資料給開發者,都是針對現在 AppleApp StoreGoogle Play 所限制的條件。

另外 DMA 也禁止了這些行為:

  • Pre-install certain software applications and require users to use any important default software services such as web browsers.
  • Require app developers to use certain services or frameworks, including browser engines, payment systems, and identity providers, to be listed in app stores.
  • Give their own products, apps, or services preferential treatment or rank them higher than those of others.
  • Reuse private data collected during a service for the purposes of another service.
  • Establish unfair conditions for business users.

而 DSA 的部份則是針對網路上的非法內容處理:

The Digital Services Act (DSA), which requires platforms to do more to police the internet for illegal content, has also been approved by the European Parliament.

其中 DMA 的生效日看起來會在 2023 年年中生效?應該是 六個月加上六個月...

Once formally adopted, the Act, which takes the legal form of a Regulation, will enter into force 20 days after publication in the EU Official Journal and will apply six months later. The designated gatekeepers will have a maximum of six months after the designation decision by the Commission to ensure compliance with the obligations laid down in the Digital Markets Act.

而 DSA 至少要到 2024 年才有機會會實施:

Once adopted, the DSA will be directly applicable across the EU and will apply fifteen months or from 1 January 2024, whichever later, after entry into force.

歐盟的市場夠大,這個應該會帶來足夠大的衝擊...

AWS App Runner 總算可以存取 VPC 內的資源了

算是上個星期的消息了,App Runner 這個產品剛出來的時候無法連到 VPC 內的資源,不知道要怎麼用,現在總算是把這個功能補上了:「New for App Runner – VPC Support」。

不過還是不看好,旁邊還有 AWS Elastic BeanstalkAWS Amplify 同質性超高的服務,都是只寫 code 丟上去就能跑:

AWS App Runner is a fully managed service that makes it easy for developers to quickly deploy containerized web applications and APIs, at scale and with no prior infrastructure experience required. Start with your source code or a container image. App Runner builds and deploys the web application automatically, load balances traffic with encryption, scales to meet your traffic needs, and makes it easy for your services to communicate with other AWS services and applications that run in a private Amazon VPC. With App Runner, rather than thinking about servers or scaling, you have more time to focus on your applications.

AWS Elastic Beanstalk is an easy-to-use service for deploying and scaling web applications and services developed with Java, .NET, PHP, Node.js, Python, Ruby, Go, and Docker on familiar servers such as Apache, Nginx, Passenger, and IIS.

You can simply upload your code and Elastic Beanstalk automatically handles the deployment, from capacity provisioning, load balancing, auto-scaling to application health monitoring. At the same time, you retain full control over the AWS resources powering your application and can access the underlying resources at any time.

AWS Amplify is a set of purpose-built tools and features that lets frontend web and mobile developers quickly and easily build full-stack applications on AWS, with the flexibility to leverage the breadth of AWS services as your use cases evolve. With Amplify, you can configure a web or mobile app backend, connect your app in minutes, visually build a web frontend UI, and easily manage app content outside the AWS console. Ship faster and scale effortlessly—with no cloud expertise needed.

更不用說旁邊還有 Lambda 類的架構...

Pixel 3 無法撥打 911 的問題

Hacker News 首頁上看到「Pixel prevented me from calling 911」這則 Reddit 上的發文,提到 Pixel 3 無法撥打 911 的問題,另外 Hacker News 上的討論在這邊可以看到:「Pixel prevented me from calling 911 (reddit.com)」。

hnrvsr1 這則 comment 可以看到,目前 Google 確認了這個軟體 bug,在 Anrdoid 10 上有安裝 Microsoft Teams,並且是在沒有登入的情況下,就會中這個 bug:

Based on our investigation we have been able to reproduce the issue under a limited set of circumstances. We believe the issue is only present on a small number of devices with the Microsoft Teams app installed when the user is not logged in, and we are currently only aware of one user report related to the occurrence of this bug. We determined that the issue was being caused by unintended interaction between the Microsoft Teams app and the underlying Android operating system. Because this issue impacts emergency calling, both Google and Microsoft are heavily prioritizing the issue, and we expect a Microsoft Teams app update to be rolled out soon – as always we suggest users keep an eye out for app updates to ensure they are running the latest version.

這個 bug 聽起來像是有什麼東西在 sandbox 裡沒擋好,被 app 干擾到緊急撥號的流程... 所以 Google 也承諾 Android 的部份也會有對應的更新:

We will also be providing an Android platform update to the Android ecosystem on January 4.

不確定台灣的 110、112 與 119 會不會有類似的問題...

法院認為 Apple 必須在 12 月 9 日前開放行動平台上的第三方支付

大標題是「Judge orders Apple to allow external payment options for App Store by December 9th, denying stay」,小標題是「And Apple announces it will appeal」。

本來 Apple 想要繼續拖延,但法院直接打槍,然後 Apple 決定要再上訴到第九巡迴庭,基本上我們就是在旁邊坐著等看戲...

另外前陣子 Google 宣佈在南韓會開放其他付款機制 (參考「Google 在南韓開放 app 裡面使用其他付款機制了」),就沒看到 Apple 這邊的動作,找了一下新聞只看到 Apple 在南韓的頭決定不幹了:「Apple's top exec in South Korea departs amid dispute over App Store」,也許之後再找看看...

Google 在南韓開放 app 裡面使用其他付款機制了

先前在「南韓對 Apple 與 Google 的 In-App 付款機制的提案」這邊提到南韓的法案將會強迫 AppleGoogle 開放 IAP 的通路,前幾天 Google 正式發出公告會支援其他通路了:「Enabling alternative billing systems for users in South Korea」。

不免俗的,還是會放話說一些 FUD

Alternative billing systems may not offer the same protections or payment options and features of Google Play's billing system—such as parental controls, family payment methods, subscription management, Google Play gift cards, and Play Points.

然後拖一下時間,說正在開發這些功能中:

In the coming weeks and months, we will share implementation details for developers, including instructions for submitting security and customer service verifications and a set of user experience guidelines so users can make an informed choice.

但這應該是第一個強制開放的市場?來等後續 payment gateway 給的數字...

不使用 Google 服務的 Android 手機

一樣是在 Lobsters Daily 上翻到的,去 Google 服務的 Android 系統搞法:「Lineage with microG on a Sony XA2」。

主要是看關鍵字的部份,TWRP 換掉 recovery image,然後 LineageOS 是系統底,microG 是 open source 版本的 Google 專屬 API 的相容層,Magisk 則是負責 root 相關的事情,F-Droid 是 open source 軟體的 app store,可以用他來裝 Aurora Store,就可以裝 Play Store 裡的 app。

會這樣搞的人主要還是考慮到 privacy,可以預期有不少應用程式是不會動的...