Could P2B force Apple to be more transparent about iOS APIs?

The Platform-To-Business regulation started to apply on July 12th. This regulation aims to shed more light on the relations between platforms and companies P2B. The regulation scope includes app stores. In this post I am interested in P2B’s impact on Apple’s app store and iOS APIs.

The regulation “promoting fairness and transparency for business users of online intermediation services” (aka Platform-To-Business or P2B)[1] was adopted in June 2019 and started to apply on July 12th 2020. As its name suggests, this regulation tries to strike a bit of a balance between platforms (i.e. online intermediation services and search engines) and businesses. The scope of the regulation is relatively broad and behind the term online intermediation services, we find hotel booking platforms (e.g. booking, hotels, …), goods marketplaces (e.g. marketplaces of amazon, fnac, …) and application stores. The regulation also covers search engines.

As pointed out by Arcep[2], this regulation is a first step towards device neutrality. Yet, P2B’s impact on device seems limited since APIs are quite explicitly excluded from the scope of the Regulation … except where they are directly connected to an online intermediation service :

Technological functionalities and interfaces that merely connect hardware and applications should not be covered by this Regulation, as they normally do not fulfil the requirements for online intermediation services. However, such functionalities or interfaces can be directly connected or ancillary to certain online intermediation services and where this is the case, the relevant providers of online intermediation services should be subject to transparency requirements related to differentiated treatment based on these functionalities and interfaces [emphasize mind].

Some iOS APIs could be within the scope of the regulation because the possibility for an app to use certain APIs is decided when it is submitted to the App Store

The App Store as an API control point

To develop an application on iOS, developers are restricted in the APIs they can use: only public APIs are documented and open to third-party developers. There are private APIs that offer more functionalities but there are supposed to only be used by Apple applications.

Apple verifies that no private API is used at the time an app is submitted to the App Store. In the past, some apps have been able to bypass this verification but have subsequently been removed from the App Store[4] for violating the App Store’s terms of use[5].

The issue of opening these APIs is important since some of them may give a competitive advantage to Apple’s apps[3] but if they were open to everyone, it could harm iOS security and stability.

Some APIs (both private and public) require explicit permission from Apple (called “entitlement”) at the time the application is submitted to the App Store. If an entitlement called by an apps is not granted, iOS will not let the application use the protected API[6].

Thus, these APIs can be considered as directly connected to the App Store since it is the latter that acts as a control point.

One could then consider that the P2B regulation applies to the use of private or entitlement based APIs. In particular, Article 7 of the regulation requires platforms to describe the differentiated treatments they give:

  1. Providers of online intermediation services shall include in their terms and conditions a description of any differentiated treatment which they give, or might give, in relation to goods or services offered to consumers through those online intermediation services by, on the one hand, either that provider itself or any business users which that provider controls and, on the other hand, other business users. That description shall refer to the main economic, commercial or legal considerations for such differentiated treatment.
  2. […]
  3. The descriptions referred to in paragraphs 1 and 2 shall cover in particular, where applicable, any differentiated treatment through specific measures taken by, or the behaviour of, the provider of online intermediation services or the provider of the online search engine relating to any of the following: […]
(d)access to, conditions for, or any direct or indirect remuneration charged for the use of services or functionalities, or technical interfaces, that are relevant to the business user or the corporate website user and that are directly connected or ancillary to utilising the online intermediation services or online search engines concerned.

P2B’s article 7 could apply to APIs; if these APIs were used for privileged treatment, they could in some cases be subject to more transparency.

However, in as we will see below, this provision may only apply in a few cases.

The UBER case

UBER’s iOS app was given a privileged treatment: in 2017, it was discovered that Apple had granted UBER an entitlement for a private API allowing the app to read the screen content [7]. This exemption shows that it is possible for Apple to selectively offer privileges to certain apps without modifying its OS.

Apple did not particularly explain this decision and if it happened again today it could look like a textbook case for P2B, but surprisingly P2B could not apply. Indeed, P2B only applies to differentiated treatment that benefits the platform operator (either the provider itself or any user company controlled by that provider). Since Uber is not controlled by Apple, this privilege would not have to be justified according to P2B.

The Apple Pay investigation

Last June, DG-Competition opened two investigations about potential abuse of a dominant position by Apple [8]. One of them concerned Apple’s refusal to open the “tap and go” functionality to Apple Pay’s competitors. Indeed, only Apple Pay can benefit from this functionality and competitors consider themselves unfairly disadvantaged.

Unlike Uber, the service put forward (i.e. Apple Pay) is controlled by the company that deploys the online intermediation service. However, P2B only covers processing in relation to goods or services offered to consumers through these online intermediation services, and Apple Pay being integrated into iOS and is not accessible from the App Store.

In this context, it is not clear whether the P2B Regulation can apply.

Using Bluetooth in the background

Contact tracing applications that wished to use Bluetooth to detect proximity have found themselves limited on iOS due to the fact that applications can hardly use Bluetooth when they are in the background. States found themselves forced to make a choice: develop an application that would work less well on iPhone or use the API common to Apple and Google even if it did not correspond to their needs [9] and is only supported with the latest version of iOS (thus excluding 10% of iPhones users [10]).

For many, Apple’s motivation was to protect users’ privacy, but there is no evidence that this objective weighed well in Apple’s refusal. On the one hand, applications that tried to circumvent Apple’s restriction (and were accepted on the App Store) either undermined the security of smartphones by prompting users to leave them unlocked [11] or were more intrusive by using geolocation [12]. On the other hand, all official Apple documentation indicates that the restrictions were motivated by the desire to reduce the consumption of resources (battery [13] and memory [14]) of iPhones.

As of now, Apple’s design motivation remains unknown since the company did not communicate on the subject and therefore never justified its choice. Hence applying P2B regulations could be relevant.

Indeed, Apple allows access to several pre-installed applications from the app store. Even if the applications cannot be installed from the app store, they are nevertheless visible and compete with the services offered by third party developpers [15]. Moreover, some of these applications use Bluetooth even when running in background. This is notably the case of the “Find My” application which uses BLE in the background to allow iPhones to be found [16]. In these circumstances, Apple may have to justify restricting access to the Bluetooth functionality in the background.

A need for more transparency

The debate on contact tracing apps clearly demonstrates the value of transparency: justifying the architectural choices of the OSs. Indeed, Apple did not justify its choice to refuse to open access to BLE to contact tracing applications. This silence has not been criticized since the company has been set up as a white knight protecting privacy against the states. But in the absence of explanation, this posture is questionable. If it turns out that made that Apple’s design is justified by iPhones reserving or is not even justified at all, the debate would not be the same.

Featured image by Jay Goldman
https://creativecommons.org/licenses/by-nc-sa/2.0/

[1] https://eur-lex.europa.eu/legal-content/FR/TXT/HTML/?uri=CELEX:32019R1150&from=EN

[2] « Platform-to-Business » : un premier pas vers les terminaux ouverts dans le règlement européen ! https://www.arcep.fr/larcep/pendant-ce-temps-a-bruxelles.html#c18616

[3] « Apple frees a few private APIs, makes them public » https://www.theregister.com/2017/06/13/apple_inches_toward_openness/

[4] « Apple bans over 250 apps that secretly accessed users’ personal info » https://www.theverge.com/2015/10/19/9567447/apple-banned-apps-youmi-privacy-personal-data

[5] See section 2.1.5 on software requirements https://developer.apple.com/app-store/review/guidelines/#software-requirements

[6] See section 2.3 of ,«iRiS: Vetting Private API Abuse in iOS Applications » par Zhui Deng, Brendan Saltaformaggio, Xiangyu Zhang, Dongyan Xu

[7] « Uber App Has Access to Special iPhone Functions That Can Record Your Screen » https://www.inc.com/business-insider/uber-apple-iphone-features-app-software.html

[8] DG-Comp opened an investigation on access restrictions to NFC features: https://ec.europa.eu/commission/presscorner/detail/en/ip_20_1075

[9] « Two reasons why Singapore is sticking with TraceTogether’s protocol » https://www.tech.gov.sg/media/technews/two-reasons-why-singapore-sticking-with-tracetogether-protocol

[10] Apple’s Exposure Notification API requires iOS 13 whereas the French (StopCovid) and the Singaporean (TraceTogether) apps respectively works with iOS 11 and iOS 10 https://gs.statcounter.com/ios-version-market-share/mobile-tablet/france

[11] « iOS a ‘major hurdle’ to contact tracing app » https://www.innovationaus.com/ios-a-major-hurdle-to-contact-tracing-app/

[12] https://twitter.com/je5perl/status/1248230776287776769

[13] « Because performing many Bluetooth-related tasks require the active use of an iOS device’s onboard radio—and, in turn, radio usage has an adverse effect on an iOS device’s battery life—try to minimize the amount of work you do in the background. » https://developer.apple.com/library/archive/documentation/NetworkingInternetWeb/Conceptual/CoreBluetooth_concepts/CoreBluetoothBackgroundProcessingForIOSApps/PerformingTasksWhileYourAppIsInTheBackground.html

[14] « WWDC 2017: Because while your application is running in the background, the system may terminate it if it needs to free up more memory for the foreground application. » (https://asciiwwdc.com/2013/sessions/703 )

[15] « Apple Dominates App Store Search Results, Thwarting Competitors » https://www.wsj.com/articles/apple-dominates-app-store-search-results-thwarting-competitors-11563897221

[16] « The Clever Cryptography Behind Apple’s ‘Find My’ Feature » https://www.wired.com/story/apple-find-my-cryptography-bluetooth /