That's one reason, but not the only reason. Security is another big one in that the WebKit process is running with privileges that Apple does not want to award to any other app process on the platform, much less a third-party one.
They also want to make sure that if they fix the next security flaw what will undoubtedly be reported in WebKit, that all the apps with an embedded browser will get the fix and won't continue to be vulnerable due to them not updating whatever version of Chromium they were embedding.
Of course, between sandboxing and not allowing JIT compilation, those vulnerabilities couldn't do do much harm, but that embedded Chromium also wouldn't be much fun to use.
Which means, if you let me make a prediction of the future, that when Apple is forced into allowing other browser engines, articles will be written about how Apple is complying by the letter of the law but not the spirit by "seriously hampering 3rd party engines" compared to their own by now allowing JIT compilation.
If they had to then also allow those 3rd party engines to do JIT compilation and bypass the sandbox in means that browser engines need to, then we'll be in a much worse position security wise.
We'll see how this is going to play out, but I'm pretty sure exerting control is not the only reason for Apples' stance.
Yes, because Chrome and Firefox have such a terrible track record with security /sarcasm
Lets face it, that's a conveniently plausible excuse, not an actual reason.
If they really cared about security then they could subject their browser to an independent security audit, and require the same audit be passed for any other browser that's allowed on their platform.
Why don't they do this?
Because the idea that all you need to do to ensure software is secure is hire an expensive consultant is ridiculous.
Especially with a web browser which are highly complex pieces of software.
Taking Apple's word for their browser being secure and other browsers not is just as if not even more ridiculous.
What fair, independent way of determining browser security would you suggest be used instead of an audit?
As it stands now, WebKit and the processes hosting it (Safari, WKWebView) are probably the most complex piece of software running on our iOS devices and as we can see, they are full of security flaws.
But so are the engines of all other browser makers.
Audits is not what uncovers security flaws. Detailed research, fuzzing and effectively unlimited time to do both on the side of white-hat hackers and unlimited budget and criminal energy on the side of black-hats is what does.
Same is true for other engines of course.
But being restricted to a single engine shipped and updated as part of the OS with tailor-made support by the OS for sandboxing and JIT restrictions for this one engine does help to reduce attack surface.
Also, my initial concern isn't as much about third parties shipping their browsers (though, consider how many third party browsers exist and how many are well-maintained), but much more about apps embedding a vulnerable version of an engine and never updating it ("it works fine for us - no need to change a running system")
Audits aren't supposed to be an ultimate guarantee of security, but provide a minimum, independently judged hurdle that has to be passed to get on the platform.
If there's a better, independent way to judge what browsers are "secure enough" to be on the platform (ie. not just "Apple says no"), I'd love to hear about it.
It’s like the skepticism over the Steve Jobs “Flash” memo… why do nerds have such a hard time accepting that Apple might actually be sincere about wanting to make a decent product?
Minimize attack surface, minimize choice.
The Jobs Flash memo was crystal clear about why Flash was being booted off his platform. It was to avoid "a third party layer of software coming between the platform and the developer".
What it does is hold part of the system constant, so that attackers know ahead of time that iOS users will be running WebKit. Reducing variability makes attacks easier and increases the value of WebKit vulnerabilities.
Safari developers optimize for battery life whereas Chrome developers seem not to care about client-side resource use.
As I said in my comment: I believe Safari and the underlying WebKit to be the most complex and most insecure part of iOS by multiple orders of magnitude.
Not adding more of equally complex and demanding pieces does provide a significant reduction of attack surface
HTML5 by and large didn’t have this problem. Was it possible to write a grossly inefficient HTML5 site? Yes, of course, but it wasn’t the default state, as evidenced by how much happier those same machines mentioned in the last paragraph were when running e.g. the HTML5 YouTube player instead of the flash one.
While users can choose their primary browser, they have no control over what embedded browsers third party apps use, and so if embedding Chromium becomes popular in third party apps it will unavoidably cut the battery life of many if not most users.
When/if Apple starts allowing third party engines on iOS, I think they should require engines to meet minimum efficiency levels to prevent this issue. As a bonus, it’ll allow savvy laptop users to use community builds of desktop Chromium/Firefox with iOS efficiency compliance flags switched on if they want to extend the battery lives of their laptops by an hour or two.
The real bullshit about the Jobs Flash memo wasn't that it was justifying not shipping Flash Player on phones, but that it was justifying banning apps that used any third-party developer tool. Adobe had decided to just ship a packaging tool that let you stick a SWF and Flash Player into an iOS app; which Jobs considered to be a way to pollute the App Store with garbage apps. Except this wasn't a ban of one specific developer tool, it applied to everything that wasn't entirely C, C++, Objective-C, or JavaScript[1]. This only lasted about 3 months because...
1. A lot of mobile game developers were already using scripting tools that violated the new rule, and the games they were shipping were not garbage
2. The FTC was threatening to sue Apple
After that, Apple caved completely. In fact, if you've played iPhone games, you've probably already used Flash Player on iPhone. Jobs' fear was mostly unfounded because developers absolutely could make performant mobile games in Flash and ship them as apps. The problem was that they had to work around all of Flash's legacy crap to get there.
[0] Safari has several UI affordances for mobile web usage that Flash never got. Notably, those "cutting edge floating menus" still work because Safari treats finger touches as either a hover or a click, and picks between the two based on how the page changes when it simulates a hover.
Furthermore, browsers around this time were moving to GPU compositing internally, but Flash has always been built around a particularly quirky scanline renderer. Getting that to work on GPUs was apparently too much for Adobe, and even Ruffle has rendering problems caused by it.
[1] The language in the developer agreement was "originally written", so no, transpiling doesn't get you out of this.
While that's just Safari and Chrome, that's probably ok. But what happens when it's Safari, Chrome, Firefox, Opera, Brave, etc, etc?
For the security test, there are various ways that an org builds software with integrity, and it's the sort of thing that requires a huge amount of effort to get right. Standards like FedRAMP, SOC2, ISO9001, etc etc are the sorts of standardized things that exist (containing things like 'all code must be reviewed'). I think for a browser, if you were Apple and were looking to accept other browser partners, you'd likely do something like this; regular audits of quality, requirements that must be met to maintain access, pentests, basically a continuous process that's to be met by the supplier (similar to how hardware suppliers must meet many requirements).
W.R.T. compositing, browsers took a long time to move to even just GPU based compositing, and full GPU based rendering took longer still. Certainly, if Flash hadn't been killed off so prematurely it seems reasonable that either they'd have done the work to keep up, or users would have organically abandoned the platform.
Indeed, you make a good point that it was really a fight over forcing devs to use Objective C and nothing else. Flash was just roadkill in that fight.
That is, if Chrome churns through battery on a Mac laptop, the typical user is going to just think “Apple laptops have poor battery life”, never realizing that switching to Safari would make a significant difference.
The same people will say Flash was slow by default. I remember running canvas vs flash rendering tests in mobile Safari when the plugin was still available, and Flash blew canvas rendering away. Of course it was all about what you chose to do with it... no one was writing really complicated behaviors in canvas at that point, and wasm didn't exist, so if you wanted special animation or complexity you used Flash. The appropriate thing would have been to have Flash off by default until someone tapped an embed to load it.
It took a few years for plain old HTML/JS sites to be optimized for mobile, and not many of them were then. Given some time, Flash devs would have too. I'd already optimized my own and was optimizing a Flash-based gaming site for mobile when Apple pulled the plug.