In its post, Apple argues that web apps are built “directly on WebKit” — the engine used by Safari — allowing web apps to “align with the security and privacy model for native apps on iOS.” With the change to iOS 17.4, websites added to the homescreen now act only as bookmarks that open a new tab in your browser, rather than (potentially) standalone services capable of doing things like sending notifications and showing badges, a feature Apple just added to web apps last year.
Progressive web apps on iOS are also capable of storing data separately from your browser instance, which comes in handy if there’s a site you want quick access to and don’t want to keep signing in. Some services, like Facebook Gaming, use web apps as a way to get around the Apple App Store and its fees.
Now that alternative browser engines are getting thrown into the mix in the EU, Apple claims it’s a security risk, noting “malicious web apps could read data from other web apps and recapture their permissions to gain access to a user’s camera, microphone or location without a user’s consent.” It also says browsers could install web apps without a user’s knowledge — even though Android phones have offered web apps with different types of browsers for years.
“We expect this change to affect a small number of users,” Apple writes. “Still, we regret any impact this change — that was made as part of the work to comply with the DMA — may have on developers of Home Screen web apps and our users.” Apple cites “very low user adoption” of homescreen apps as another reason for the lack of support.