Apple's own Swift Playground app does the exact thing that supposedly violates the rules, abusing an inconsistently-applied exception for "educational" apps [1].
Recent regulation doesn't help here, by the way. iOS apps submitted for "notarization" to be distributed in alternative app stores in the EU, Japan, etc. still must comply with a subset of the guidelines, including 2.5.2. EU is probably not interested in strengthening the DMA so that Apple doesn't have to approve everything because then it makes other EU regulations easier to bypass (e.g. Chat Control).
The "educational" exception is definitely a convenient loophole, but it raises questions about consistency and fairness in how these rules are enforced across the board
It’ll be interesting to see if Apple comes around on customization of apps in general, because hopefully that’ll soon be what users expect.
In the world where users expect to be able to customize software more and more, apps start to look quite rigid and open platforms like the web that offer flexibility start to look more appealing.
Imagine a Lovable-style PWA that morphs into the app you vibecoded by storing the generated code in localStorage, for example - with cloud fallbacks to re-download the code if the storage is wiped.
Linux and Windows have always been a lot more customisable, Apple always was the more "we know better than you what you want" company... And they weren't wrong enough
I haven't been in the App Store ecosystem in a while, but the restriction is generally on running new Machine Code, all machine code needs to be signed on iOS. Interpreters get around this limitation, only the interpreter code that is compiled AoT and signed is actually running.
This tracks as the reasoning behind a lack of other browser engines, nobody can get comparable performance without a JIT, which would be compiling net new machine code that wasn't shipped with the binary.
The best way to handle this I would imagine within the current bounds of Apple's restrictions would be WASM.
Apps don't get removed for breaking that rule, though, because they can't break it in the first place. The system won't allow you to mark a freshly written page as executable.
Years ago I watched a bunch of people stop an apartment building from being built. They did this by employing a legal concern that they didn't actually care about, but that they knew would stop the development in its tracks. It worked.
That was the day I realized that for a lot of people, rules aren't actually rules. They're tools that they can use to stop something they don't like, no matter what the rule is really about.
I think this is a disgusting attitude, but it's unfortunately the way a lot of people operate.
So it might be that Apple has this "no external code" rule to stop things they don't like, and the category of "things Apple doesn't like" doesn't actually include every app that runs external code. It includes a lot of them, but for whatever reason Apple chose not to codify the details. Crummy if true, but I wouldn't be surprised. Every regulator I've ever dealt with leaves themselves an "I know it when I see it" escape hatch that lets them ban whatever they want.
If you read the actual rule the exceptions are relatively well defined. Stuff like pythonista falls into their educational/coding app exception as they define it
Apps should be self-contained in their bundles, and may not read or write data outside the designated container area, nor may they download, install, or execute code which introduces or changes features or functionality of the app, including other apps. Educational apps designed to teach, develop, or allow students to test executable code may, in limited circumstances, download code provided that such code is not used for other purposes. Such apps must make the source code provided by the app completely viewable and editable by the user.
There are not "exceptions"; there is one exception, and that's educational apps. But it's unclear why Pythonista is educational while the apps mentioned in the article are not. In fact, Pythonista is even listed in the "Productivity" section in the App Store.
Those are terminal emulators, not actual terminals. You can't fork or exec on iOS/iPadOS, so they're not actually running e.g. a python process, they're just running python interpreter.
As I understand it, ish implements x86 instructions and Linux syscalls as functions and translates running programs into arrays of calls to these functions, so all the machine code that will ever run is included in the app bundle, which at least satisfies the rules iOS enforces at runtime.
As for the rules as written, I suppose you could make reasonable arguments either way.
And it's always been a stupid rule. If I ship an app with a browser view, I can run any custom code I want in it. The rule is just a bandaid on Apple's lack of true sandboxing for apps.
> The rule is just a bandaid on Apple's lack of true sandboxing for apps.
That's not it at all. If an app can run arbitrary code then it can run other apps and that can by-pass the app store. They are specifically trying to prevent something like Wechat on the iPhone. It's not about security, it's about money and control.
Apple's huge problem here is - even though the get 50% more native app submissions this year - that these apps-in-apps (no matter how buggy they are) do not get them their predatory 30% Apple cut.
That being said, it is rumoured that Apple will make deal with the big one like Replit as long as these apps do not run on ios - they are going to keep profiting off that walled garden until it collapses.
What does vibe coding add here? How is this any different than just arbitrary code execution on device, which is exactly what this gatekeeper rule covers?
(Not commenting on the rule, just want to see what’s new here)
Interesting that they’re not ok with that, but are completely fine with plenty of React Native and Flutter apps using OTA to update themselves without going through AppStore review like GM’s apps, Crypto.com and countless others
IANAL, but I think it means creating apps that stand alone outside their creator. I have a couple of linux VM's a-shell and iSH, but nothing runs outside of them.
58 comments
Recent regulation doesn't help here, by the way. iOS apps submitted for "notarization" to be distributed in alternative app stores in the EU, Japan, etc. still must comply with a subset of the guidelines, including 2.5.2. EU is probably not interested in strengthening the DMA so that Apple doesn't have to approve everything because then it makes other EU regulations easier to bypass (e.g. Chat Control).
Looks like YC wasted their money on this one, unless it's exempt because one of the founders used to work at Apple or something: https://news.ycombinator.com/item?id=45041185
[1] https://developer.apple.com/swift-playground/
In the world where users expect to be able to customize software more and more, apps start to look quite rigid and open platforms like the web that offer flexibility start to look more appealing.
Imagine a Lovable-style PWA that morphs into the app you vibecoded by storing the generated code in localStorage, for example - with cloud fallbacks to re-download the code if the storage is wiped.
We helped a Series B YC company with a whitelabel Lovable app so all of their customers can build exactly what they need on top of their SaaS!
It really works -- 1200 customers are now vibe coding daily and using their SaaS a LOT more.
> open platforms like the web
I winced. The threats to the open web at the moment are depressing.
This tracks as the reasoning behind a lack of other browser engines, nobody can get comparable performance without a JIT, which would be compiling net new machine code that wasn't shipped with the binary.
The best way to handle this I would imagine within the current bounds of Apple's restrictions would be WASM.
That was the day I realized that for a lot of people, rules aren't actually rules. They're tools that they can use to stop something they don't like, no matter what the rule is really about.
I think this is a disgusting attitude, but it's unfortunately the way a lot of people operate.
So it might be that Apple has this "no external code" rule to stop things they don't like, and the category of "things Apple doesn't like" doesn't actually include every app that runs external code. It includes a lot of them, but for whatever reason Apple chose not to codify the details. Crummy if true, but I wouldn't be surprised. Every regulator I've ever dealt with leaves themselves an "I know it when I see it" escape hatch that lets them ban whatever they want.
Apps should be self-contained in their bundles, and may not read or write data outside the designated container area, nor may they download, install, or execute code which introduces or changes features or functionality of the app, including other apps. Educational apps designed to teach, develop, or allow students to test executable code may, in limited circumstances, download code provided that such code is not used for other purposes. Such apps must make the source code provided by the app completely viewable and editable by the user.
There are not "exceptions"; there is one exception, and that's educational apps. But it's unclear why Pythonista is educational while the apps mentioned in the article are not. In fact, Pythonista is even listed in the "Productivity" section in the App Store.
https://apps.apple.com/us/app/ish-shell/id1436902243
https://apps.apple.com/us/app/a-shell/id1473805438
As for the rules as written, I suppose you could make reasonable arguments either way.
>"and that has always been disallowed".
And it's always been a stupid rule. If I ship an app with a browser view, I can run any custom code I want in it. The rule is just a bandaid on Apple's lack of true sandboxing for apps.
> The rule is just a bandaid on Apple's lack of true sandboxing for apps.
That's not it at all. If an app can run arbitrary code then it can run other apps and that can by-pass the app store. They are specifically trying to prevent something like Wechat on the iPhone. It's not about security, it's about money and control.
That being said, it is rumoured that Apple will make deal with the big one like Replit as long as these apps do not run on ios - they are going to keep profiting off that walled garden until it collapses.
(Not commenting on the rule, just want to see what’s new here)
"One more day where I get to use llm to code but still avoid being replaced myself"