Apple to allow 3rd party browser engines like Chromium in EU

To comply with the upcoming DMA act in the EU, Apple today announced major changes to its App Store policies.

First, app developers will be able to use alternative browser engines. Until now, even 3rd party web browsers on iOS were using Apple’s own WebKit. With this new change, alternative browser engines like Chromium can be used for dedicated browser apps and apps providing in-app browsing experiences in the EU.

However, Apple will only authorize developers to implement alternative browser engines after meeting specific criteria and committing to a number of ongoing privacy and security requirements, including timely security updates to address emerging threats and vulnerabilities. Read about Apple’s requirements for 3rd party browser engines below.

To qualify for the entitlement, your app must:

• Be available on iOS in the European Union only
• Be a separate binary from any app that uses the system-provided web browser engine
• Have the default web browser entitlement
• Meet the following functional requirements to ensure your app is using a web browser engine that provides a baseline of web functionality:
  • Pass a minimum percentage of tests available from industry standard test suites:
    • 90% from Web Platform Tests
    • and 80% from Test262
  • Meet the above test suite requirement if Just in Time (JIT) compilation is unavailable (e.g., if Lockdown Mode is enabled by the user)
• You and your app must meet the following security requirements:
  • Commit to secure development processes, including monitoring your app’s software supply chain for vulnerabilities, and following best practices around secure software development (such as performing threat modeling on new features under development).
  • Provide a URL to a published vulnerability disclosure policy that includes contact information for reporting of security vulnerabilities and issues to you by third parties (which may include Apple), what information to provide in a report, and when to expect status updates.
  • Commit to mitigate vulnerabilities that are being exploited within your app or the alternative web browser engine it is using in a timely manner (e.g., 30 days for the simplest classes of vulnerabilities being actively exploited).
  • Provide a URL to a publicly available webpage (or pages) that provides information on which reported vulnerabilities have been resolved in specific versions of the browser engine and associated app version if different
  • If your alternative web browser engine uses a root certificate store that is not accessed via the iOS SDK, you must make the root certificate policy publicly accessible and the owner of that policy must participate as a browser in the Certification Authority / Browser Forum.
  • Demonstrate support for modern Transport Layer Security protocols to protect data-in-transit communications when the browser engine is in use.

Program security requirements

You must do the following:

• Use memory-safe programming languages, or features that improve memory safety within other languages, within the alternative web browser engine at a minimum for all code that processes web content;
• Adopt the latest security mitigations (for example, Pointer Authentication Codes) that remove classes of vulnerabilities or make it much harder to develop an exploit chain;
• Follow secure design, and secure coding, best practices;
• Use process separation to limit the effects of exploitation and validate inter-process communication (IPC) within the alternative web browser engine;
• Monitor for vulnerabilities in any third-party software dependencies and your app’s broader software supply chain, migrating to newer versions if a vulnerability impacts your app;
• Not use frameworks or software libraries that are no longer receiving security updates in response to vulnerabilities; and
• Prioritize resolving reported vulnerabilities with expedience, over new feature development. For example, where the alternative web browser engine bridges capabilities between the platform’s SDK and web content to enable Web APIs, upon request you must remove support for such a Web API if it is identified to present a vulnerability. Most vulnerabilities should be resolved in 30 days, but some may be more complex and may take longer.

Program privacy requirements

You must do the following:

• Block cross-site cookies (i.e., third-party cookies) by default unless the user expressly opts to allow such cookies with informed consent;
• Partition any storage or state observable by websites per top level website, or block such storage or state from cross-site usage and observability;
• Not sync cookies and state between the browser and any other apps, even other apps of the developer;
• Not share device identifiers with websites without informed consent and user activation;
• Label network connections using the APIs provided to generate an App Privacy Report on iOS; and
• Follow commonly adopted web standards on when to require informed user activation for web APIs (e.g., clipboard or full screen access), including those that provide access to PII.

Apple will also provide authorized developers of dedicated browser apps access to security mitigations and capabilities to enable them to build secure browser engines, and access features like passkeys for secure user login, multiprocess system capabilities to improve security and stability, web content sandboxes that combat evolving security threats, and more.

In addition to allowing 3rd party browser engines, Apple will display a new choice screen where users can choose a default web browser from a list of options. When users in the EU first open Safari on iOS 17.4, they’ll be prompted to choose their default browser.