How Apple “killed” an entire class of iPhone apps in Russia, violating its own rules

The court upheld the decision of the FAS, which fined Apple 900 million rubles for discrimination against Kaspersky Lab and other developers of iPhone parental control solutions. The court examined Apple’s documents and concluded that the corporation violated its own rules on mobile application development for the sake of its own parental control solution, Screen Time.

The court confirmed the conclusions of the FAS against Apple

The Moscow Arbitration Court rejected the suit of the American corporation Apple against the Federal Antimonopoly Service (FAS). The lawsuit concerned the decision of the Federal Antimonopoly Service of 2020, when the department recognized the corporation as a violator of antitrust laws. Later, the FAS imposed a fine of 906 million rubles on Apple.

The complaint against the corporation was filed by Kaspersky Lab (LK). The company accused Apple of discriminating against its mobile parental control application, Kaspersky Safe Kids (KSK), for the iOS platform (Apple’s mobile operating system for iPhone smartphones). FAS agreed that Apple is discriminating against developers of third-party parental control applications, while promoting its own solution in this area – Screen Time.

According to the court proceedings, the court studied Apple’s mobile application development rules in detail and concluded that the corporation’s actions violated its own rules. Among other things, the court explained to the corporation the difference between the two possible types of mobile application settings.

Why iPhone apps can’t be replaced with Android apps

To determine the boundaries of the commodity market, FAS conducted a survey of 53 Russian and foreign software and mobile application developers working in various areas, including Internet banking, taxi calling, instant messengers, social networks, antiviruses, etc. Most of the respondents admitted that the development of mobile applications is a critical area, and for two operating systems at once – iOS and Android.

Some of the IT companies surveyed have separate development teams for Android and iOS. At the same time, the majority of respondents do not intend to abandon the development of applications for one of these platforms in favor of another. According to a survey conducted by LK, 80% of iOS users and 71% of Android users are not ready to switch to a competing system, even if average monthly costs and time to find and install applications increase by 10%.

The FAS considered that there is no free switching between iOS and Android devices, as switching imposes costs on the user. At the same time, the App Store marketplace created by Apple is the only app store for iOS, and so the corporation is a monopolist in this area.

How Apple Approves iPhone Apps

In order for an application to be available in the App Store, its developer must submit it to Apple for review, including providing its source code. During the hearings at the Federal Antimonopoly Service and the court proceedings, Apple’s licensing policy regarding mobile application developers was considered, including in terms of configuration profiles and MDM (Mobile Device Management).

A configuration profile allows you to configure the device, including settings for Wi-Fi, VPN, email server, LDAP directory, CalDAV calendar service, and more. A configuration profile is an XML file and is created by an iOS application.

MDM allows system administrators to remotely configure iOS devices through a dedicated server. This method is used in a corporate environment.

How Parental Control Apps Work

The KSK application provides: hiding the built-in Safari browser and replacing it with a “safe” browser from LK; hiding other apps with adult content; blocking access to certain websites (or to all, except for a certain list); blocking access to the app store and prohibiting purchases; child location tracking.

A configuration profile is required for the parental control application to work. At the same time, KSK uses one of five possible ways to configure configuration profiles – through a web browser. The parent installs the application on the child’s smartphone, then creates an account in the KSK system and sets the necessary restrictions through a web browser, including a password to manage settings.

Why the court decided that Apple violated its own rules

In the fall of 2018, LK first applied to Apple for approval to include KSK in the App Store. However, the corporation refused, considering that KSK uses MDM technology, which is permitted only in corporate applications. In accordance with Apple’s rules, LK filed an appeal against this decision, but was again denied.

Meanwhile, the FAS and the court note that at that time there was no direct ban on the use of MDM technology in applications for the mass market (B2C) in Apple’s rules. Apple refers to its Developer License Agreement – DEPLA – which only allows MDM to be used in a corporate (B2B) environment. But the FAS and the court considered that this agreement applies only to developers of B2B applications. KSK is a B2C application, therefore, its developers do not have to comply with DEPLA requirements.

Court clarifies difference between configuration profiles and MDM to Apple

In addition, it appears from the court proceedings that Apple, in principle, equates the use of a configuration profile with the use of MDM technology. However, the FAS and the court think differently. According to them, there are two use cases. The first involves using a non-MDM configuration profile. In this case, settings can only be made locally, that is, by someone with physical access to the device. By analogy, the device can be compared to a water faucet, and the configuration profile can be compared to a valve: to control the faucet, you need to approach the valve with an adjustable wrench.

The second option is to configure devices by a system administrator via remote access, which is possible if there is an MDM configuration in the profile. Here we can draw the following analogy: the device is a TV, and the role of the MDM server is played by its remote control (the analogies are taken from the text of the court decision).

In the second case, the device belongs to the “managed” category. However, as noted in the court, according to the MDM protocol handbook, a device is considered “managed” if it is connected to an MDM server, and its configuration profile has an MDM “payload” set (special values for the group are set by the “payload” parameter).
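The distinction the court drew can be checked mechanically. As an added example (not from the article, the court file or KSK’s code), this Python sketch parses a configuration profile and reports whether it carries an MDM payload. Both sample profiles and their identifiers and URLs are constructed, and the code assumes an unsigned XML profile.

```python
import plistlib

MDM_PAYLOAD_TYPE = "com.apple.mdm"  # PayloadType Apple uses for MDM enrolment

# Constructed sample: local restrictions only, no MDM payload.
LOCAL_PROFILE = plistlib.dumps({
    "PayloadType": "Configuration",
    "PayloadIdentifier": "com.example.parental",  # hypothetical identifier
    "PayloadContent": [
        {"PayloadType": "com.apple.applicationaccess", "allowSafari": False},
        {"PayloadType": "com.apple.webcontent-filter", "FilterType": "BuiltIn"},
    ],
})

# Constructed sample: a restriction plus an MDM enrolment payload.
MDM_PROFILE = plistlib.dumps({
    "PayloadType": "Configuration",
    "PayloadIdentifier": "com.example.corp",  # hypothetical identifier
    "PayloadContent": [
        {"PayloadType": "com.apple.applicationaccess", "allowSafari": False},
        {"PayloadType": MDM_PAYLOAD_TYPE,
         "ServerURL": "https://mdm.example.invalid/server",
         "CheckInURL": "https://mdm.example.invalid/checkin"},
    ],
})


def classify_profile(raw: bytes) -> dict:
    """List payload types and say whether the profile enrols the device in MDM."""
    try:
        profile = plistlib.loads(raw)
    except Exception as exc:
        # Signed profiles are CMS-wrapped and must be unwrapped before parsing.
        raise ValueError("not a plain plist profile") from exc
    payloads = profile.get("PayloadContent", [])
    payloads = [p for p in payloads if isinstance(p, dict)] if isinstance(payloads, list) else []
    mdm = [p for p in payloads if p.get("PayloadType") == MDM_PAYLOAD_TYPE]
    return {
        "payload_types": [p.get("PayloadType", "<missing>") for p in payloads],
        "has_mdm_payload": bool(mdm),
        "mdm_servers": [p.get("ServerURL") for p in mdm],
        # Encrypted content cannot be inspected, so the verdict is inconclusive.
        "inconclusive": "EncryptedPayloadContent" in profile,
    }


if __name__ == "__main__":
    for name, raw in (("local", LOCAL_PROFILE), ("mdm", MDM_PROFILE)):
        print(name, classify_profile(raw))
```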

Apple was unable to prove to the court that there was no difference between the aforementioned states. At the same time, LK presented the source code of KSK to the court, and the court was convinced that MDM technologies were not used in it.

How Apple forced Kaspersky Lab to cut the functionality of its application

In early 2019, LK was still able to get approval from Apple to allow KSK into the App Store. But for this, configuration profiles had to be removed from the application, which, in turn, deprived it of a number of important functions, for example, the ability to hide the Safari browser and age restrictions on the use of other applications.

In the summer of 2019, Apple introduced a new licensing policy for mobile app development. This time, a direct ban on the use of configuration profiles in B2C applications (excluding APN, Wi-Fi and VPN technologies) was expressly prescribed, and it became possible to use the technology in B2B applications only with written permission from Apple. In the B2C realm, MDM was allowed for parental control applications, but again only with written permission from Apple. In addition, MDM application developers are prohibited from sharing user data with third parties and from using third-party analytics or advertising.

At the same time, at the end of 2018, Apple released a new version of iOS, iOS 12, which included the Screen Time app. Its functionality is similar to that of parental control applications, which means that it is a competitor to KSK, the FAS and the court decided.

The court concluded that Apple had placed developers of third-party parental control apps on an unequal footing with Screen Time. On the one hand, they can’t use configuration profiles without Apple’s permission, making their apps uncompetitive or even useless compared to Screen Time. On the other hand, if configuration profiles are used, application developers will not have access to analytics tools that are critical for application development.

Apple tried to convince the court that such restrictions were introduced in the interests of security. However, the court considered that Apple could allow the use of an analytics tool (in the case of MDM) under certain conditions, such as agreeing with Apple on the relevant tools. Instead, Apple introduced a complete ban on the use of analytics tools.

Evidence that KSK or other parental control applications violated the requirements of the law in the field of protection of confidential information and personal data, including in relation to children, as well as that any version of KSK contained components and features that violate these requirements. At the same time, Apple itself, as the court notes, collects data about its users and uses analytics tools to improve its applications, including Screen Time.

How Apple let kids turn off parental controls

Later, a new edition of iOS, 13, was released. It introduced the concept of devices in supervised mode. This mode is similar to the root access mode in Android devices, it allows you to use advanced functionality that is not available on standard devices. At the same time, a number of MDM payload configurations became available only for such devices.

The court notes that in order to put an iPhone into supervised mode, the consumer must have certain knowledge and capabilities, including the Apple Configurator 2 program. At the same time, this program only works on computers running macOS, without which the device cannot be put into supervised mode.

On unsupervised iOS devices, features such as hiding the Safari browser and the App Store, as well as the ability to set a password to delete a configuration profile, are no longer available. Accordingly, as noted in court, children themselves will be able to delete configuration profiles from their devices, since parents will not be able to protect them with a password.

As a result, the court came to the conclusion that Apple’s actions regarding iOS 13 led to an even greater deterioration in the functionality of the KSK application and other parental control applications that use configuration profiles, up to a state of complete uselessness (since the child can delete the configuration profile unhindered), which negatively affected the competitiveness of the KSK app and similar parental control apps with respect to Screen Time, which is not affected by these restrictions.

At the same time, the Screen Time application is perceived by users as free, which, due to the existence of a zero price effect, leads to an even greater decrease in the propensity of consumers to switch to third-party solutions, the court says. In addition, switching overhead may be higher due to the initial integration of the pre-installed application with the operating system and other applications.

Igor Korolev
