[joerobot]

So startups and the little guy deserve my data more than the big guys? No one deserves my data. Not everything in this world needs to be a marketing opportunity. How does "more pain and friction from marketing" allow for freedom on my devices?

[scarface_74]

This also parallels with developers complaining that they can’t have a direct relationship with customers.

I don’t want a direct relationship with developers. I don’t want to go to their website to subscribe or to cancel my subscription and I don’t want to give them my credit card information.

I want to be able to use “Sign in with Apple” and not give them my real email address.

[joerobot]

I absolutely agree. It seems like some developers are under the impression that everything needs to be a social experience. It doesn't.

[bdavbdav]

100%. It really hacks me off when I can’t “sign in with (Apple/google)”

[Affric]

The problem is that VC doesn't want to build a successful business, they want to build a profitable exit strategy. They want an IPO or acquisition that nets huge amounts of cash.

Diligently creating a business which turns a healthy profit for a fair exchange with the customer is less profitable than developing a large customer base that could be sold to someone.

Say what you will about the big players... there is no exit strategy. They are in the endgame.

[asow92]

Why else would the VC give you money to build anything in the first place? We couldn’t even be having this discussion without the decades of VC spending that’s gone into technology.

[Affric]

> We couldn’t even be having this discussion without the decades of VC spending that’s gone into technology.

Unless this is a reference to the fact we are having the conversation on the Y Combinator website specifically, it's is a fallacious argument to suppose that the only way any of our current technology could happen through the historical accidents that have occurred.

The nature of complex systems mean that larger systems process more information relevant to their continuance are more successful.

I do agree with the point underlying your rhetorical question. I am just not so certain we should be grateful for naked self interest.

[asow92]

To be honest with you, my whole point is not even missing out on a marketing opportunity. It's way more banal than that. It's more like routing to a specific experience on first app launch based on where you came from on the web.

[joerobot]

I'm ok not having a unique or customized first startup experience if it means I get to safeguard my privacy.

[asow92]

I mean, there are other ways around this. We could create an App Clip that essentially does the same thing. It's just harder for the user to get through.

Surely there's a compromise solution here? I don't see why Apple couldn't grant trusted certificates to good actors and revoke certificates from bad actors in regards to pasteboard access?

[eropple]

As I have said elsewhere, this is the compromise position. The extreme position is "there is no option for pasteboard access at all and all pasteboard interactions must happen through OS-provided, fully disintermediated controls."

You already have a compromise: you can, if you insist and if your user consents--not Apple through some "trusted certificate" granting process but the user themselves--choose to not follow standard system flows. Or you can follow standard system flows and receive implicit consent by the user when they click 'Copy' in the share sheet.

Why is seeking consent so terrifying a prospect? And why should anyone privilege "your flows" over that consent?

[asow92]

I don't have a problem with seeking consent from the user, and that's exactly what Firebase Dynamic Links offered by including "Check to continue my place in the app" on by default, but that product is no more thanks to Apple. Consent is given on the webpage before going to the App Store.

My issue is with Apple acting as the arbiters of what consent looks like. You have to consent with the flow to go through with it, right? Nobody's forcing our users to continue.

And like I have already said, it's not like we can't do what you're suggesting. In fact, we have, but that equates to more churn in our flows because users get confused or are fatigued by the amount of hoops they have to jump through to make the product work, which was my original point to this whole thread.

[eropple]

Ground truth, inviolate: the OS owns the trust relationship with the user. The OS may allow the extension of that trust relationship (MDM, custom TLS roots, etc.) but that's informing the OS's own authorization, it's not supplanting it. It follows, then, Apple is the arbiter of consent on an iOS device because they own the OS (the user has chosen to, by buying an iOS device, grant the authorizee's part of the trust relationship).

Apple does not have a trusted relationship with you, the software developer. And Apple doesn't know about a trust relationship between the user and the software developer until the OS sees confirmation from the user.

It then follows that consent must be given at or inside the security boundary to be provable; the web page you refer to is outside of it. You are asking to move from a less trusted environment (a web browser, generally watched like a hawk) to a more trusted environment (an application, with additional implicit permissions and the explicit ability to ask for others). That isn't a decision you are allowed to make and it isn't something that, for all Apple knows, you confused-deputy'd your way around a user's affirmatively consenting to.

It's turtles all the way down. You have to acquire consent at a trustable level. That means the OS or, if the OS isn't sure, the user themselves, through an OS-verifiable method. Sorry that your third-party vendor doesn't count, but it shouldn't. "Just trust me" isn't security.

"But nobody cares" might be next up, so let's settle that now: nobody cares because they pay Apple to care for them.

[jrmg]

Why not encode the data you want to pass in the link, like you would on the web, rather Han require an extra pasteboard-based payload?

[asow92]

We won't get the data from the link without the pasteboard or fingerprinting. The app is a blank slate on first open after installing: we lose the context from which we came.

It's important to note that this is not an issue for apps that are already installed: we get those links and their data; this is just a first-ever launch issue.

[adamwk]

It’s been a while since I’ve worked with universal linking, but doesn’t Apple’s APIs allow you to carry context? Or at least preserve the URL so you can take the user to where they were? I don’t think you need to hijack the pasteboard just to continue the users flow.

[asow92]

You definitely do for the first launch post install.

The flow is click link, copy data or finger print, redirect to the App Store, install, user opens app for the first time, route to experience from finger print.

[asow92]

So you just trust that apple has your best interests in mind and fully believe them?

[isbvhodnvemrwvn]

Apple has more at stake than a rando like you.

[asow92]

what does that even mean in this context?