> We faced rejections in submitting the app, because they decided to change their policy on the app having a link in the "About WireGuard" tool window to www.wireguard.com/donations/ (which they previously had allowed explicitly; now they want 30% or something)
Last year Google started to ban donation links in FOSS apps, WireGuard was one of the first victims [0], completely removed from the store. I didn't know that Apple also started doing the same and hit WireGuard again. Extending the definition of an "in-app payment" to a link to the project homepage in the "About" window that doesn't buy any good or service related to the app is an overzealous restriction. Especially so when that button is clicked by, perhaps, only 10% of the users. This is just evil.
[0] Open-source apps removed from Google Play Store due to donation links: https://news.ycombinator.com/item?id=21268389
When they change that optional setting they introduced recently which blocks sideloading applications outside of the official store and make it non-optional, what are we going to do? Use special Chinese Android builds with Ali store (or whatever it's called)?
> When they change that optional setting they introduced recently
What setting was introduced recently? I remember such settings all the way back to the Nexus One.
In fact, things were more closed back then as Android phones bought from AT&T had it hard coded to disable third party apps. I'm not aware of a US carrier doing that any more.
> On your Android phone, only app installations from verified stores, like the Google Play Store and your device manufacturer’s app store, are allowed.
To be fair, from a security standpoint if you want *the highest security* allowing third party installers is one of the first things I would disable as well.
If your bank decides that your business is worth less to them than a compliance checkmark, that's on them.
All my phones are rooted and it has never been an issue with any banking app I use. It's all about priorities. For some people, that's going to be the roman numeral name suffix dropdown in the registration form. For me it's the bank not telling me what I can do with my devices.
It is not just what the bank wants and pushes on its clients, because f them. At least in EU, they are pushed into it by PSD2 ("Payment Services Directive 2"). Even if you are happy with accessing the bank via browser on the computer, you are going to need the second factor for auth, and SMS isn't going to be it.
Because it is pushed centrally, banks do not have a choice. Hence, you as a customer, won't have a choice either, unless you consider not using the bank online at all as a choice.
Actually, the EU is being used as a scapegoat here (as usual). SMS is perfectly allowed by the directive. As would be even an old Google Authenticator-style OTP code which does not need any proprietary software to work.
Banks are forcing you to run proprietary software on proprietary operating systems with draconian "security measures" that would make the latest DRM-enforcing-rootkit look like a children's toy. They check whether your device is rooted, whether it has any non-Google-approved programs installed, whether Google Play notifications work, etc. And if you fail any of these checks, good luck using your credit card!
Open-source operating systems are basically dead in the water at this point, since failing to run these proprietary programs is not going to be a minor "I can't play this game"-level nuisance, but rather a life critical issue. And so far more and more banks keep enforcing these measures.
And for some reason there is no big outcry about this.
Even Korea's "all banks require ActiveX" situation was very mild compared to where we're going...
I hate to say it, but if you have a phone that you can flash, I sincerely encourage you to do just that.
Why? Because even with "Google" phones, installing pure AOSP cripples the phone (and by that I mean SMS breaks with LTE, you lose VoLTE, Wi-Fi calling, etc.) A lot of Android ROMs have to scrape official images to get the binary bits (and it is not a fun needle in a haystack exercise) to get basic phone functionality in Android.
This kind of response completely ignores the fact that the vast majority of the drivers required to just run on modern hardware are closed source and that the vast majority of phones these days have their bootloaders locked.
> that the vast majority of phones these days have their bootloaders locked.
I don't know if that is actually still true. Back in the day nearly every phone in the US was bootloader and carrier locked. Now basically every phone is carrier unlocked and anything besides Samsung can have the bootloader unlocked very easily. I guess Samsung phones are the most common but there are certainly many other options that are more open.
Many manufacturers make it easy to unlock and root your device (shout-out OnePlus), but many others do try to make you brick it if you try doing anything out of the ordinary. Like the HMD rebrands Nokia, Sharp, etc.
You can get the same backups you would have if you never rooted it to start with. I agree in some cases that's not enough but it's not no backups of any sort. Mostly just more hassle to restore.
Of course, everyone requires a wipe. That's to protect normies' data when they inevitably get their stuff stolen on a trip to Paris. Easy to live with, just root it first thing after unboxing.
Here in Europe, you go to developer mode, check the OEM unlock button, reboot and hold some weird button combination while booting, phone asks you again if you want to unlock the bootloader, does a factory reset for security reasons, another reboot, and it's unlocked.
Only by the letter of the law, the Android that ends up on your phone consists of mostly closed source binaries from Google that you don't get without installing the play store as well.
Is there an easy way to make F-Droid install updates automatically? I use both F-Droid and Google Play on my phone but manual updates are a huge usability pain.
That permission is only available to preinstalled system apps. If you have root, you can install the F-Droid System Extension and it'll do it all automatically.
Otherwise: send complaints to support@android.com (jk, there's no actual support)
Jason was planning to challenge the App Store rejection after the fix for the WireGuard regression has been published, though I'm not sure what's the current state of the issue.
The rejection is wrong, because the App Store review guidelines clearly spell out that apps may request donations through Safari. On the other hand, apps cannot use in-app purchases to request donations, unless they are published by an approved nonprofit.
3.2.2 Unacceptable
(iv) Unless you are an approved nonprofit or otherwise permitted under Section 3.2.1 (vi) above, collecting funds within the app for charities and fundraisers. Apps that seek to raise money for such causes must be free on the App Store and may only collect funds outside of the app, such as via Safari or SMS.
Having a link to an external web page to receive donations is not considered a violation on the App Store, this is a mistake by a reviewer.
Collecting funds "within the app" means that the payment flow is completed without leaving the app. They explicitly list two ways for any app to accept donations, by redirecting the user to an external web service opened in Safari, or by collecting payments using a text message.
You obviously have to somehow communicate to the user that donations can be made, and that is allowed to happen by showing an external link.
> "Having a link to an external web page to receive donations [by a registered charity or a non-profit] is not considered a violation on the App Store"
Which e.g. "PayPal@zx2c4.com" is not, clearly.
The words you are missing are important.
One of the reasons why I do not gift money to WireGuard developer(s) is that they have taken the steps to obscure where and to whom the money is going, which is in and of itself fishy. Just labelling something as 'donation' does not make it so.
Why though? What do you foresee the issue being with where the money could be going?
If Jason is recommending a way to donate to the project, who cares where it goes? If he puts it straight in his pocket and uses it to buy pizza or a computer game, it's still serving its purpose as far as I'm concerned. I have donated, and will do so again, and I'm perfectly happy with the money being used that way.
In a sense, for me, it's a thank you for the work thus far, not a payment for more work.
I imagine many see this differently, so I'm interested to hear some other opinions.
Only nonprofits are allowed to use in-app purchases on the App Store, while other apps must use Safari for fundraisers, read the guidelines in their entirety.
> One of the reasons why I do not gift money to WireGuard developer(s) is that they have taken the steps to obscure where and to whom the money is going, which is in and of itself fishy. Just labelling something as 'donation' does not make it so.
Your remark about WireGuard developers being fishy and obscuring where the money goes is ridiculous, and the way you framed it, just... wow.
I actually read them, and they also happen to be quoted upthread.
3.2 Other Business Model Issues
[list is not exhaustive]
3.2.1 Acceptable
(vi) Approved nonprofits may fundraise directly within their own apps or third-party apps, provided those fundraising campaigns adhere to all App Review Guidelines and offer Apple Pay support. These apps must disclose how the funds will be used, abide by all required local and federal laws, and ensure appropriate tax receipts are available to donors. Additional information shall be provided to App Review upon request. Nonprofit platforms that connect donors to other nonprofits must ensure that every nonprofit listed in the app has also gone through the nonprofit approval process. Learn more about becoming an approved nonprofit.
3.2.2 Unacceptable
(iv) Unless you are an approved nonprofit or otherwise permitted under Section 3.2.1 (vi) above, collecting funds within the app for charities and fundraisers. Apps that seek to raise money for such causes must be free on the App Store and may only collect funds outside of the app, such as via Safari or SMS.
It would appear that the current understanding is that if you are not a nonprofit, you don't fundraise within the app nor do you provide a link where you can transfer funds. If you are a nonprofit, you can register through the nonprofit program to use Apple Pay (which comes with actual checks of the status). This matches the intent of every other point regarding payments, where soliciting money from within the app, even by way of link, is generally prohibited unless specifically allowed under one of the small list of exceptions. Remember when "reader" apps also had to remove links to purchase individual items and replaced it with, at best, "visit our website"? Same intent, same result.
As for fishiness, compare these examples:
* Signal Technology Foundation is a registered nonprofit foundation, I can check if the money is going to development of Signal (it is). They even do it right by providing the EIN so it is trivial to check.
* Mozilla Foundation is a registered nonprofit foundation, I can check if the money is going to the development of the browser (it is not).
* WireGuard developers decided it is important for them to keep the information where their business is located private (this is what I am referring to as fishy: I would challenge you to find where that particular "Edge Security" firm is actually operating, as a company, or what zx2c4.com is beside a name that Jason used to tag some files and host a domain, and both are used as "this project is from") and to keep the profits.
See the difference? Two are genuine nonprofits entitled to donations, one is a business disguised as one (how much money that business makes is immaterial, it could be $1, it could be millions - I sincerely wish them the latter). Every developer has to make a living somehow - or at least recoup some costs, for FOSS projects - but this is not the way to go about it if you want to claim moral high ground over Apple.
I'm confused. WireGuard and Jason/zx2c4 are not a non-profit, nor do they advertise as one. Why are you making it sound like he is doing something nefarious?
The argument for the ruling being bad is: the app links to the wireguard webpage (not within the app) which contains information on how to donate. That's like if in my app, I linked to my twitter profile, and my twitter profile contained a link to donate to me. It shouldn't be a problem.
If you are a business, with a few defined exceptions ("reader", multiplatform, _physical merchandise from outside of the platform_ etc.), you accept payments through Apple Pay, don't direct people to your website to send you money regardless how you decide to call it and pay Apple the cut they desire. FOSS developers are still businesses, not charities, much as we like to pretend otherwise - and "tips", "donations", "patronage" and similar verbiage does not change that.
If you are an actual nonprofit, you get to ask for donations both via app and your website and have Apple not take the cut.
Don't like it - don't deploy on the platform, but if you persist you will soon run out of platforms. Note that particular point has also caused WireGuard to be delisted from Google's Play Store before so it should not come as a surprise to anyone (https://news.ycombinator.com/item?id=21268389).
Note that some of those distinctions are legal - where I am, I need to know if I am gifting you money or donating to a nonprofit to report it on the tax record (and I certainly need to know if I were to get my own limited company to "donate"), as going above certain limits makes _me_ liable for tax on gifts as well, including reporting who the recipient is. "I sent that money to a random functional email PayPal@zx2c4.com I can't say much about" does not cut it. Yes, Jason might be at the other end of it - but as is, it fails the smell test compared to other FOSS projects. Simple as that.
Can we go back to discussing why Apple is bad due to their ever changing APIs, general disregard for backwards compatibility and for that matter general compatibility with anything else and not one of the few things in the whole process that make sense? Or, for that matter, why Google effectively making GMS and locked bootloader a requirement for corporate and/or finance apps is ensuring that in many areas the existence of unlocked devices/alternative AOSP distributions is and will remain a fig leaf purely there to avoid being considered the one true dominant player?
> FOSS developers are still businesses, not charities
I mean, maybe in a technical sense? But the ones who publish these apps are usually just "non-profits run by single individuals who can't afford all the bureaucracy required to run a non-profit."
Keep in mind that FOSS apps like WireGuard are 1. entirely free, 2. with no ads, restrictions, or nags to donate. There's nothing you get from the app, or from the developer, by sending them a "monetary gift." Other than the fact that you can't claim it on your taxes, they're effectively working for a non-profit that produces this software.
If you consider someone offering a link to send them "monetary gifts" to pay their own salary to allow them to continue to work on an app they don't charge for, "a business" — I'd hate to see what you call a church, or a library, or PBS.
PBS (and BBC in the UK, and other equivalents) enjoys extra privileges to accept tax-free funding in exchange for the mandate or promise to stay non-commercial and not give priority to specific donors' requests. [0] Libraries, should they accept donations to operate (or public funding!), accept some restrictions as well. There are commercial libraries as well, incidentally, which don't get to accept donations, but are funded by some associated commercial business - my local bookstore had one before the current pandemic has started, though it is unknown if they will continue to have one by the time it ends.
Churches are "complicated" - and less said about the funding the better, especially in context of the US. Suffice to say I very much prefer the German model - which happens to come with quite stringent accountability requirements.
I have no problem sending money in appreciation for the work with no expectation of any return on it (not even a tax deduction). I do not have a problem with someone making a profit on those "gifts" - I wish them all the best, in fact. I do, however, firmly believe that you can't have your cake and eat it too: you receive the ability to accept donations in a way where you enjoy various exemptions (in this context, from Apple/Google delisting you or taking their cut) in exchange for actually going through that bureaucratic rigmarole to get registered. It's not a $DEITY-given FOSS right.
Side note - as I wrote before, my local tax office would like to know who the money is going to, to either try to get their pound of flesh (cynical and realistic view) or to identify the money going to 'bad actors' (take your usual terrorists/criminals/think of the children BS excuse the politicians always make up to pass the relevant law), doubly so when the money is sent internationally - if I wanted to actually send a one-off gift to Jason/zx2c4, I can only assume he is not in my country.
> I do not have a problem with someone making a profit on those "gifts"
You seem to be assuming, though, that "not being a registered nonprofit" automatically implies that there's some non-trivial probability that you'll be profitable.
Every FOSS developer I've met who is accepting "tips" for their work, is not anywhere close to "breaking even" from those tips (insofar as you'd treat the FOSS project as its own business with its own balance sheet, rather than as a marque of the owner's hypothetical individual-proprietorship IT consultancy.)
Sure, some of these are side-projects they do in addition to a full-time job, and therefore the self-employment-wages they get paid out for this effort are "pure profit" in the sense that they already make a living wage. But that would be just as true if they worked full-time for a business, and then worked as a part-time paid employee of a nonprofit.
Profitability of a FOSS-project-as-corporation, is what's left over after you pay yourself (the sole employee) out at a working wage for all the labor you put in. As such, in legal terms, these side-projects almost always would qualify as non-profits.
FOSS developers aren't YouTubers with a fanbase of millions and a platform where they can directly, incessantly plug their Patreon to that captive audience with embedded advertising. They're just people publishing apps, where the app almost never even hints at the "personal brand" of the developer.
And so, I think a critical difficulty in the communication here, is that you might be imagining this thing on the wrong scale. We're talking about maybe 200 people per year, sending the developer maybe $5 apiece. Not about individual transfers of hundreds/thousands of dollars; nor about enough transfers to pay a living wage. That's why it makes sense to call these monetary transfers "tips", rather than "funding."
And that's also, partly, why people are so confused/appalled — Apple and Google do not serve their own bottom lines by getting in the way of people "donating" to these FOSS projects. The labor-cost required to enforce this directive probably costs more than they'd ever make by taking a cut of these tips!
> in exchange for actually going through that bureaucratic rigmarole to get registered
It's not the "rigmarole" (labor), it's the cost. A nonprofit corporation is still a corporation — and most FOSS developers, as individual proprietors, don't receive enough in tips to actually be able to afford the fees involved in incorporating and registering a nonprofit.
(I mean, they can probably afford it themselves. But the hypothetical nonprofit that is the FOSS project can't afford to pay for it out of its own treasury. I.e., incorporation would just put the FOSS project further "in the hole" in being revenue-negative, and therefore in being worth the developer's time to contribute to.)
There's a reason that governments allow individual proprietors to just "do business" without incorporating: it's a fiscal stumbling-block that trips up the people governments most want to encourage to start businesses.
The same thing should be true for nonprofits/charities, intuitively. Even if there is no legal recognition for "individual proprietorship nonprofits", everyone acts like those are a thing. (They don't expect their donations to be tax-deductible, but most people in the middle class don't donate to formal nonprofits enough to realize "donations" are their own, tax-deductible, class of thing, separate from regular monetary gifts.)
And most of all, people expect corporations to go along with it — and most corporations do go along with it. Microsoft with GitHub Sponsors, etc. That's why everyone is so up-in-arms that Apple and Google aren't going along with it.
Of course, Apple and Google are technically, legally in the right — these are not donations. The problem is that common sense disagrees with the law: by common sense, these should be donations, tax-deductibility and all. If push came to shove, the law — not common sense — would be what bends. But nobody's pushed that far yet.
> Side note - as I wrote before, my local tax office would like to know who the money is going to
Is there some problem I'm not seeing, tax-wise, with sending small monetary gifts to people you believe to be individuals who are online acquaintances of yours (e.g. people you talked to on a forum once)?
If I want to send money to a FOSS developer, it's because I view them as, effectively, an acquaintance. Someone I'd buy a beer at a conference. By "donating" to them, I'm just buying this acquaintance of mine a beer asynchronously.
Most people make small monetary transfers to individuals they aren't sure of the identity of all the time. For example, buying hand-made jewelry at a pop-up street bazaar. There's no "business" name — it's just an individual proprietor — and you might never learn the proprietor's name, either!
Because there are so many situations like this that can arise in every-day life, it's never the job of private citizens to prevent money from being unknowingly laundered into the hands of trade-embargoed states or entities. It's not your legal civic responsibility to avoid shopping at a store just because you haven't ruled it out as being a money-laundering operation.
Instead, it's the legal duty of banks and payment processors — with their fancy KYC/AML databases — to do that: to identify the transfer recipient through network-analysis at point of fan-in. Money launderers aren't fought by starving them of demand; they're fought by deplatforming them from the financial system they depend on.
(That being said, if you were acting as your own payment processor, ala https://en.wikipedia.org/wiki/Hawala, you might be on the hook at tax time.)
Not sure about Apple, but I know Google has special treatments for formally registered 501(c)(3) orgs and they are allowed to seek donation directly without going through Google Play's commission.
Update: Apple Pay appears to have similar policies [0].
What if the non-profit is located outside of the US (and is considered a non-profit in its local jurisdiction)? Do they need to apply for a 501(c)(3), that is if they even can?
"proof of registration with the relevant country's regulatory bodies and authorities" also counts. You can read that HN discussion about donations in FOSS apps in my original comment, link [0].
Signal is actually registered as a non-profit (which means accounting for where the money is going as well), so iOS version is perfectly fine to have "Donate to Signal" link opening in Safari.
I couldn't agree more. You're not paying for the app, or the service, those are free and you are simply making a donation.
I can imagine that Apple may want to define 'FOSS' to some extent (donations need to go to a non-profit with a board, software needs to be licensed under one of the following licenses, etc), but there should be some room for supporting FOSS that is included in an App Store.
Yeah, I can imagine that payment links can potentially be used as a loophole for selling unauthorized in-app payment items outside the store. But this is not the case here, nothing is sold, it's literally only a link to the project home page, https://wireguard.com/donations/.
Simple solution, there are human reviewers for this kinda reason and if the rule is "Open Source Apps get a donation button" then not any random can loophole around.
Heck, if both Apple and Google offered a solution by which you provide the source code to build, any necessary secret variables for the build and then it gives you those extra privileges, it would be nice. But that costs money the open source apps don't have.
I think Apple/Google see that as a distinction without a difference. You're providing thing, the app, and because of that app and via that app people are giving you money. And since you're not a registered charity they want their pound of flesh.
IANAL - but I'm pretty sure the app platforms are breaking many laws here, not allowing people to freely donate. Like free speech, able to ask for help, freedom to do business, abuse of monopoly. They might be able to get away with a transaction fee, and a store fee, but they should not be able to censor text, links, etc. This is the new Mafia. If you don't play by their rules (theirs, not the law) your business dies!
Yes, you are obviously NAL. The rules are clear and are applied evenly; it is the even application of the rule that is causing the problem here. FOSS-advocates think they are special snowflakes who deserve an exception to the rule about asking for payment. The app stores (both Apple and Google) clearly disagree and think that this is something that will be easily gamed and abused.
Nothing is preventing these apps from simply saying 'if you want to learn more or support our project go to <some top-level URL>' instead of directly linking the URL to a donation. Do that and there is no problem.
I have certainly heard of apps removing all links to their website because Apple reviewers have followed a help/feedback link, gotten to their main website, and then found purchase/donation links there and rejected the review.
Any references for this? I have only heard of this happening when the page is clearly for donations (like this case) or almost exclusively composed of 'give us money' content.
Amazon.com is nothing but a sales site so I cannot imagine why anyone would think it is anything other than a path to try to route around in-app purchases, same with Bandcamp. The one with the developer blog and a patreon link is a lot weaker, but the other two examples were explicitly not allowed according to the rules at the time.