In most cases, there is no point asking for a phone number as 2FA if the user chooses Sign in with Apple (SIWA).
SIWA requires access to the device. App credentials are usually persisted per device, so 2FA doesn't really help if your device is stolen as the attacker would have app access anyway (if they were able to unlock the device). Even for non-Apple-device sign ins such as on Android or Windows, SIWA requires device access to generate a password, which requires 2FA on the Apple account [1].
Uber is allowed to ask for a phone number because a driver legitimately may need to contact a customer to arrange pickup. But in this case, Apple does not think that this app requires a phone number, and is thus protecting the privacy of its customers.
There are other issues I have with Apple's ecosystem/the App Store, but this is not one of them.
EDIT: After posting this comment OP has written in another comment that their app requires a phone number to arrange delivery. This information was not in the original tweet. In that case, I think this is likely a misunderstanding between the App Store reviewers and OP about how the phone number would be used, and I would need to see further discussion between those two before declaring Apple a bully in this case.
We ask for a phone number for the same reason as Uber does - our masters need to contact the user to be able to deliver the service. Explaining this to Apple took a week of back and forth, and only lasted for one submission.
What does the sign in flow look like? Does the phone number screen clearly inform the user that their phone number will only be used to arrange delivery?
Note that I don't have much experience working with Apple's approval process, and am just speaking as a lay user here.
In that sentence, "contact" can mean many different things. Will you contact me by text for non-urgent things like billing or promotions? As a user, I don't want to give up my phone number for promotions. And since the request is right after the sign-in flow, I think it's reasonable Apple thinks "contact" can also mean 2FA.
I would put more precise language, such as: "Our masters may need to contact you in order to arrange delivery of X service."
Also, the fact that Apple did approve your app already is further evidence that this is just a misunderstanding, likely because your copy is not 100% clear.
(Sidenote: This is not important, but personally, the term "master" makes me uncomfortable. I personally would not call people "masters," but I also don't know your target market, so the term may be more appropriate in that context.)
Next up for Apple: making you sign over rights to your source code.
I'm only half kidding.
This is egregious and exactly what Stallman warned us about. (I know he's done some terrible things that make him no longer worthy of being our role model, but he was exactly right about this.)
Pretty soon we won't own any of our devices. We'll rent them.
We won't own our data. We'll license it.
We won't be free to conduct business. We'll be given a revocable visa.
You don't need to add a disclaimer on Stallman having said bad things on a totally different subject to be allowed to mention him. People quote Mahatma Gandhi all the time without mentioning that he had some problematic views when it comes to black people, they quote MLK without adding something about his attitude towards women, etc. Stallman is no saint [1], neither are those who denunciate him. He said many things which ring true when it comes to data freedom and should be seen in that light, not in the light of his more disputable utterings. Cardinal Richelieu had it right when he stated that he'd find something to hang the most virtuous of men within reading 6 sentences written by him.
My phone number and email address are not your data. I don’t want every random developer to have my email address. SIWA gives me control over who has my email address and I can block developers who either spam me or sell the anonymized email address that I give them.
It seems like you can sign up with a fake email or simply block the emails you don't like. This is such a non-issue. Yet what Apple has done poses an existential threat to many small operations.
Apple has a kill switch on small companies' customer lists. They're inserting themselves into every transaction as a middle man.
Do something Apple doesn't like? You just lost all of your customers. You no longer own that relationship anymore. Apple turned you into a sharecropper.
Congress and the DOJ need to do the following to counteract this obscene anticompetitive behavior:
1. Pass legislation describing "generic purpose computers" and require that they allow installation of any software by the user.
2. Break up Apple into hardware and software+services divisions and prevent them from dealing exclusively with one another.
> They're inserting themselves into every transaction as a middle man.
They’re not inserting themselves into every transaction. Instead, they’re allowing users who don’t want to have a direct relationship with every app on their phone, to substitute their pre-existing relationship with Apple instead.
While protecting consumers is noble, Apple isn't the company to do this. They're strong-arming every "business partner" on the app store while simultaneously strangling them for 30% of their income and forcing them to dance to the fiddle. To top it off, they cut off the business relationship these companies have with customers.
If users want a “relationship” with you, as part of SIWA they have the option to give you their real address. If they didn’t, obviously they didn’t want you to have their real email address.
Your other option is not to have any social login and use your own sign up process.
Apple is no more your partner than the wolf is partnering with the sheep.
“Strangling them with 30%”? Did you ever try to get a physical product in retail?
You can’t sign up with a fake email if they force you to do an email confirmation. But that also means that I need to keep up with a separate email for each service.
I don’t want a relationship with every company. I don’t have a “relationship” with the company when I buy their products in a physical store.
You really trust Congress to be technical enough to describe “a general purpose computer”? Did you see the hearings two weeks ago?
Are you also proposing that Apple licenses their operating system to other vendors? Which company owns the OS? The processor division? The IDE?
> You can’t sign up with a fake email if they force you to do an email confirmation. But that also means that I need to keep up with a separate email for each service.
> I don’t want a relationship with every company. I don’t have a “relationship” with the company when I buy their products in a physical store.
That's your prerogative. Apple doesn't need to step in and do this for everyone. They're kneecapping everyone just because they can.
When Apple refuses to send marketing emails or promotions, then I'll think this is fair. But they won't subject themselves to the same punishment they dole out.
> Did you see the hearings two weeks ago?
I watched it twice. Lucy McBath is my representative. It was a highlight of 2020.
> Are you also proposing that Apple licenses their operating system to other vendors?
They'll probably have to if they're split into two companies. I don't see any problem with that. Microsoft is doing an amazing job right now doing just that.
> Which company owns the OS? The processor division? The IDE?
Software+Services, Hardware, Software+Services ... these are easy questions. If the DOJ hands down this ruling, Apple probably gets to decide for itself.
> They'll probably have to if they're split into two companies. I don't see any problem with that. Microsoft is doing an amazing job right now.
Microsoft did great with phones didn’t they? So this Apple company that is going to have to license its OS - is the government going to also tell them how to design their OS and for what hardware? Is this mythical company going to have five different licensing programs? One each for watches, phones, tablets, computers, and set top boxes? Are they going to also split up the processor division?
While the government is at it are they going to force both Google and Microsoft to divest their hardware business?
As far as your Senator. She asked why Apple removed apps that were spyware and recorded everything kids did on their phone. Yeah she’s bright.
This doesn't seem much like bullying. If you support third-party logins, one of them must be Apple's. And yeah, requiring two-factor auth in addition to that seems broken.
I mean, yeah, it's extra work for you as a developer, but as a user, I only want to use login with Apple, and if you ask for my phone number in addition, it's a delete for you.
It's not a two-factor auth, we ask for phone number confirmation because our masters need to contact you to deliver our service. If there is no phone number, our app is useless for you. So it's perfectly fine for us if you want to delete the app instead of giving up your number, and it seems like a better solution for privacy-concerned people.
On the other hand, if we allow login but only request the phone number later, this will seem somewhat deceiving to the user. Like we pretended that he can use the app while keeping his info private, while in the end it turns out that he cannot.
That absolutely makes sense! It's a shame Apple misunderstood why you are asking for the number. I wonder if the messaging in that area could be improved? Or maybe the reviewer just wasn't paying attention.
Title is clickbait and not very objective. Apple isn't "bullying". It sounds like the reviewer was convinced a phone number was not needed. That's why you simply reply back to the reviewer or get it appealed.
Reviewers aren't 100% perfect. I've had apps that violated rules pass the review only to be rejected a few updates later. One app I had forced users to use their birthday (at the client's request) as the password. 1.0.0 passed the review, but 1.0.1 was rejected because birthday is not an acceptable form of a password.
Apple could absolutely do better with reviewers, but it's likely they had to lower the quality of reviews in some way to reduce the amount of time it takes to review an app (from 5-7 days to 24 hours). Regardless, I'd rather take the 24-hour app review time since any rejection can be quickly re-assessed again.
I would not be complaining online if simply replying back would work. This is the second time we got rejected for that reason. Last time it took a week of back and forth trying to convince reviewers that we need the phone number and it doesn't make sense to ask for it later somewhere.
We did get approved eventually, only to get rejected again for the same reason on the next update.
Judging from the screenshots in your tweet, your first rejection was failing to follow the rules that stated if you have a third party sign in, you're supposed to use Sign In with Apple too. That's not on Apple.
Regardless, I don't see how this is Apple trying to "bully" small developers. They're trying to enforce guidelines. That's all.
All of my screenshots are from the second round we went through after trying to remove Apple login entirely.
They bully small developers, because big companies like Uber or Grab have the same functionality with zero problems. While when we try to explain that we use the phone number for the same reason, Apple insists that we change how our app looks and works.
How do you know Uber and Grab (Grubhub?) were never rejected? You're assuming they passed every single review, which I think is highly unlikely.
Considering 40% of all submissions in the past week (shown on Apple's website) get rejected, it's entirely possible they were rejected using phone number input and after explaining to Apple their purpose, they were finally accepted. You're bound to get 1 or 2 apps erroneously rejected considering they go through 100k submissions every week.
It also says the app store team takes 1000 calls every week to discuss the rejections. It's not just you or small devs.
Fair enough, although I don't see why the constant rejection and need to explain the same thing to Apple again and again should seem like a normal thing to us. Their review process is too rigid and their control over your app updates is too tight, which is why they are now getting a bunch of other problems with companies like Epic.
Speaking of Epic, maybe you're right and it's not just small developers.
[1] https://support.apple.com/en-us/HT204397