Apple forces changes for some Parental Control apps

On Friday, April 27th, 2019, the New York Times posted a story that claims that Apple is crippling competitors to its Screen Time feature, by either forcing changes or removing apps altogether.

The story provides some information from several developers regarding that their applications have been pulled and that their businesses have been shutdown and/or the apps they have created had to be modified because "Apple began purging apps that offered similar services."

According to one developer,

“They are systematically killing the industry,”

In response to story, Apple has provided its reasoning for the requesting changes, and if the apps were not updated, removing the apps.

Part of Apple's statement says:

We recently removed several parental control apps from the App Store, and we did it for a simple reason: they put users’ privacy and security at risk. It’s important to understand why and how this happened. Over the last year, we became aware that several of these parental control apps were using a highly invasive technology called Mobile Device Management, or MDM. MDM gives a third party control and access over a device and its most sensitive information including user location, app use, email accounts, camera permissions, and browsing history. We started exploring this use of MDM by non-enterprise developers back in early 2017 and updated our guidelines based on that work in mid-2017.

As some quick background, Apple unveiled its Screen Time feature on June 4th, 2018 at their World Wide Developer Conference. The feature is part of iOS 12, which was released on September 19th, 2019.

My Thoughts

I am sure that some will argue that this is Apple abusing its dominant position. However, I do not think this is the case, given that some of the parental control apps were using Mobile Device Management to provide the significant access. As Apple states, third parties have FULL CONTROL OVER YOUR DEVICES. This cannot be understated. For some of these apps, if you install an MDM certificate and agree, that third-party developer now has access to everything on your device. So when Apple says they are requiring the changes due to privacy and security, I think they are being honest about it.

There is a line from the New York Times article from a developer whose app was removed. The reason that the developer received was: "Your app uses public A.P.I.s in an unapproved manner, which does not comply with guideline 2.5.1 of the App Store Review Guidelines".

Section 2.5.1 of the App Store Review Guidelines states, as of this writing, "Apps should use APIs and frameworks for their intended purposes and indicate that integration in their app description.". It is the first half of that statement that many developers seem to be reason why they were asked to make changes and/or why their apps were removed from the App Store.

It is only my guess, but it seems to me that the developer was using MDM to provide additional settings, then they were in violation of the rule. The reason they were in violation is because MDM is only to be used by businesses and schools to control devices that they own and provide to users of their company or students. MDM is not designed to allow developer access to end-user devices.

Even though these developers were in violation, it does not seem as though Apple made it clear that the developer's use of MDM was the reason why their app was being removed.

What Apple Can Do

There are a few different ways that Apple can change things to make robust apps available in the store.

Specifically regarding parental control apps, Apple could provide more granular controls both within the Screen Time section, within the Settings app, as well as allowing developers access to configure these settings. However, I can see the significant reluctance for this to occur. Allowing applications access to change when applications are available, could allow a developer to programmatically limit access to apps, possibly without the user's consent; which would not be a good situation. If there is no interface for developers, it would honestly not surprise me if there are additional settings with the next release of iOS, possibly with more granular control.

I also do think that Apple could be a bit more explicit when communicating with developers. I understand not wanting to provide exact steps for having applications come into compliance with the App Store Review Guidelines, as there are exceptions to each rule. I also get that indicating exactly how to fix an app might come off as a way of exerting excessive control and explicitly dictating how applications should be created. Even with that, additional information provided to developers can go a long way.

In this case of the removed apps, something along the lines of "The application's use of MDM certificates violates the App Store guidelines, because MDM is intended for business or school usage", or something along those lines could have gone a long way to making it clear as to why the apps were being removed.

Closing Thoughts

I think that use of MDM by companies does need to come to light. One of the arguments of the story is that once Apple introduced Screen Time that competing apps were being targeted and removed. However, I do not think this is the case. I take Apple at its word that the reason that they removed the apps was because they were violating user's privacy and/or abusing the MDM certificates.

The New York Times story does state that some of the developers were contacted in August of last year, about needing to change their apps. Apple likely began looking into these some of the apps, that utilized MDM certificates, after it came to light that Facebook and Apple were violating the use of MDM certificates by doing the same thing. And if Apple is going to revoke Facebook's and Google's MDM certificates, then there is no reason why they would not do the same thing for smaller developers.