苹果终于对「小程序」松手了。

就在刚刚，苹果悄然发布了一个可能会改变应用生态的计划——小程序合作伙伴计划（Mini Apps Partner Program），正式宣布为小程序建立制度化的合规框架。

「小程序」是介于网页与 App 之间的轻应用形态——用 HTML5 和 JavaScript 写成，即开即用，轻得像一张网页，却能完成一次支付、一次服务流程、一次游戏体验。

另昨晚彭博社报道，腾讯与苹果达成协议，苹果将可以从微信小程序和小游戏中抽成 15%。小程序合作伙伴计划得以在中国推行，与该协议的关系巨大。

小程序的商业化曾被挡在 iOS 门外

在中国，小程序在微信、抖音、支付宝里已经演化出数以亿计的日活，早已成为移动互联网的基础设施。但在 iOS 上，它一直活得很「边缘」。

开发者可以用 HTML5 把它嵌进一个 App 里，却无法触达系统能力：不能用苹果的内购体系、不能管理年龄层级、不能透明呈现商品目录，也无法建立稳健商业模式。

能做的，往往只有一件事——靠广告吃饭。

轻游戏只能加激励视频，工具类只能上 banner。想要靠内容或服务收费却几乎没有路径。更别说要搞生态、搞分发、搞平台，几乎是天方夜谭。

苹果过去并不欢迎「App 里的 App」，也不希望任何超级 App 在 iOS 内部复制一个「小程序平台」。这让许多开发者困在尴尬地带：小程序的商业化是刚需，但 iOS 的制度无法容纳。

直到今天。

小程序的形态，在苹果那里第一次被正式写下来

在这次发布中，苹果第一次给出官方表达：Mini App 是「基于 Web 技术，如 HTML5 和 JavaScript 构建的自包含体验」，它不直接出现在 App Store，而是分发在一个更大的宿主 App 内，让用户无需安装即可访问内容、服务或小游戏。

也就是说，小程序在 iOS 上终于不是灰色地带，而是被承认、被规范、被商业化的应用形态。

奇妙的是，它看起来像中国人早已熟悉的小程序，但逻辑完全是「苹果式的」。

它所有规则、能力、开放边界都基于苹果过去几年陆续构建的一套基础 API：包括集成高级商务 API、采用声明年龄范围 API。

「Advanced Commerce API」高级商务 API 是苹果过去一年最重要的商业基础设施，专为「内容目录庞大、复杂、动态」的 App 设计。小程序使用它意味着：支付必须走苹果官方通道，商品、价格、内容目录必须透明，购买记录、退款、消费状态必须可追踪。这给了小程序正式商业化能力，也给了苹果监管底层数据的方式。

此外，宿主应用必须支持「Declared Age Range API」来标注年龄范围。过去小程序全靠宿主 App 的年龄分级，而现在系统允许一个 13+ 的 App 托管一个 18+ 的小游戏，只要它使用 Declared Age Range API 进行自动识别与访问控制。系统会在不暴露隐私的前提下根据用户年龄自动放行或拦截，让开发者能提供真正适龄的内容。

另外，苹果还要求宿主 App 必须同时提供 iOS 与 iPadOS 版本——也就是说，一个想托管小程序的平台型应用，不能只在 iPhone 上存在，而必须在 iPad 上保持完整体验。这既保证了用户在不同设备上的一致性，也让小程序的分发能力不再被设备类型割裂。

这套政策组合，几乎等于把小程序拉进了 App Store 的监管系统里。

焦点来了：苹果把抽成直接降到 15%

当宿主 App 满足了苹果上述所有要求，它就能加入 Mini Apps Partner Program。而苹果给的回报非常直接：

小程序（由其他开发者制作）的数字商品收入，只有 15% 抽成。

考虑到传统 App 内购抽成是 30%，而小程序等轻量应用的收入通常来自长尾的服务或小游戏，抽成直接腰斩，会对开发者产生立竿见影的吸引力。

苹果为什么在这个时刻「放行」？

从苹果的角度看，这一步其实是多重力量共同作用的结果。

监管当然是最现实的一条。欧盟的 DMA 要求平台开放支付、开放分发，苹果需要在不失去生态控制权的前提下提供更灵活的应用形态。小程序让用户可以在不侧载、不跳出 App Store 系统的情况下，获得更轻的服务；开发者可以在一个更低成本的体系里分发功能；而所有的支付、审核和关键 API，仍然牢牢掌握在苹果手中。

这是一种「可控的开放」。

另一股力量来自应用形态本身。全球的超级 App 都在向平台化演变，必然会在它们内部生长出轻应用层。

过去苹果最担心的，是任何一个 App 变成「App Store 内的 App Store」，削弱系统层的主导权。但当生态已经走到这一步，它选择的不是继续阻挡，而是把规则写清楚、把入口设好：你可以托管小程序，但你必须接入我的年龄机制、支付机制、审核机制，你必须告诉我用户买了什么、退了什么，你必须用我能理解、能监管的方式运行。

第三股力量更隐蔽，却可能影响更长远 —— AI。

应用正在被拆解成一个个可调度的 action，而 Mini App 的轻量特征，恰好让它成为系统级 AI 最容易调用的能力单元。当未来的 Siri、未来的系统级智能助手帮用户完成任务时，它们不需要唤醒一个完整 App，有一个小程序式的组件就够了：订一张票、查一个订单、完成一次支付、打开一段小游戏。

小程序不是未来界面的终点，但它很可能是未来「意图层」和「功能层」之间的桥。

对行业有什么影响？

这是一次看似温和、实则深远的变化。Web 技术在移动端沉寂已久，如今又被苹果重新推回舞台：轻量工具、便民服务、小型功能闭环、休闲 H5 游戏，都将迎来新的分发路径。如果说十年前乔布斯说「Web App 才是未来」是一个过早的预言，那么今天，它终于有了重写的可能性。

小游戏行业也会被直接改写。过去 HTML5 游戏在 iOS 上几乎没有商业化空间，如今只要挂靠在宿主应用里，就能用 Web 技术运行，用苹果的支付变现，用 15% 的抽成回收收益，这将让大量国内轻游戏团队在全球市场重新获得机会。

甚至连微信的小程序国际化，也因此出现了新的可能：微信国际版如果选择接入这个计划，就能够在苹果允许的框架下托管小程序，并使用苹果支付来结算。小程序的海外模式，也许会因为这次变化而迎来新的版本。

苹果真正想构建的是新的「生态层级」

所有路径最终都会回到苹果那里。小程序不是另一个微信生态，它是苹果为自己的生态重建的「第二层」：上承 AI，下接 App，轻量、可控、可审查，既吸收来自监管和行业的外部压力，也为未来的交互方式预留了足够的空间。

小程序最终还是进入了 iOS，只是它进入的是一个被苹果重新设计过的世界。

在中国，小程序已经是基础设施；在苹果这里，它也许会成为一个新层级：

原生 App 是厚重的、深能力的层；Mini App 是轻量、快速、可分发的层；而最上层，是苹果正在押注的 AI 调度。

苹果并没有复制微信的小程序生态，而是在 iOS 的技术传统里重新发明了一个轻应用世界。它既像是为监管准备的缓冲区，也像是为 AI 时代铺好的底层胶合层。

而这一切，从一个曾经被迫靠广告维生的小程序，获得正式身份开始。

#欢迎关注爱范儿官方微信公众号：爱范儿（微信号：ifanr），更多精彩内容第一时间为您奉上。

爱范儿 | 原文链接 · 查看评论 · 新浪微博

One of the longstanding joys of the Mac has been how you can customise apps, giving them new icons and, in the past at least, even a few gentle tweaks. What’s unfortunate is that changing apps isn’t just for users. If we can alter them, so can an attacker, and the last thing any of us would want is for Safari or Preview to turn malicious. Over the years the scope for making changes to apps has therefore been reduced. This article explains how, and what we can still do.

To understand how customisation has been limited, we need to know what can and can’t change.

Signature

The most basic requirement of any app is that it’s signed. This provides a set of hashes that can be used to verify that none of its contents have been changed since that app was signed, and those hashes are hashed again to product code directory hashes, CDHashes, that are used to identify and recognise the app. Whatever we might customise in an app, its CDHashes must match its contents.

Certificate

Next comes the chain of trust established by the certificate used to sign the app. Developer certificates are issued by Apple as their Certificate Authority, so they each can be traced back through an Apple Intermediate certificate to Apple’s Root certificate, the chain of trust.

An Apple-issued certificate isn’t required for macOS to run an app, though. Because many Mac users build their own apps locally from open source, local or ad hoc certificates are also acceptable. However, anyone can sign an app with an ad hoc certificate, including an attacker, and, apart from the few malicious apps that have been signed using developer certificates, all other malware for the Mac is now ad hoc signed. As ad hoc signatures have no chain of trust, you can’t put any trust in them.

Notarization

Over the last few years, Apple has required developers to get their apps notarized. That involves ensuring the app meets certain security requirements, and is submitted to Apple to be checked to see if it contains any malicious code. Apps that satisfy those requirements are then issued with a ticket, that’s usually stapled inside the app’s bundle. That consists of the app’s set of CDHashes, again used to identify and recognise that app.

Although there’s no reason that you can’t notarize your own apps, and any you have resigned, that requires a paid-for subscription as a developer, putting it out of the reach of most. However, in an enterprise it can prove useful.

Launch constraints

Since macOS 13.3 Ventura, a new set of restrictions have been imposed on all apps and command tools provided as part of macOS, in launch constraints. These are rules that must be met for macOS to launch that app or binary, and include self constraints that the binary itself must meet, parent constraints that must be met by its parent process, and responsible constraints that must be met by the process requesting the launch.

Launch constraints for bundled apps prevent them from being run from anywhere else. If you manage to make a copy of any of those apps, and that’s a challenge in itself, then macOS will prevent you from running that copy. This is made harder to avoid by the fact that these launch constraints are stored in an inaccessible Trust Cache, so the only way you could work round those rules is by turning System Integrity Protection (SIP) off, which in turn reduces Boot Security. That’s explained in more detail here.

Although third-party apps don’t get to use launch constraints or the Trust Cache, some may now have started using environment constraints, which can have similarly restrictive effects. The best way to discover this is using Apparency, which also includes a full guide to the constraints available.

Bundled apps

If you can’t remember which apps are bundled and which are not, look in /System/Applications, as that shows all those in the Signed System Volume, to which you need to add Safari, as that’s sealed in a cryptex.

Sadly, because of all their levels of protection, you can’t customise any of the bundled apps. Even copying them from their read-only SIP-protected location to a folder in your Home folder, which is difficult enough, that copy can’t be run, no matter what you do to it. You can make a Finder alias to the original app and give that a custom icon that will appear in Finder windows. But the app’s original icon will still be displayed everywhere else, including in the Dock, so it’s simply not worth the effort.

If you had ideas that you could replace all Tahoe’s new-style app icons with those from Sequoia, I’m afraid you will be disappointed.

Third-party apps

One customisation you can apply in complete safety is to replace a regular app’s icon. To do that, paste the new icon into the top left of its Get Info dialog, and further information is given here. This doesn’t affect any of the security protection of that app, as the new icon is added as a hidden Icon file at the top level inside the app’s bundle, which isn’t included in its CDHashes.

Any more substantial changes, even to the app’s resources, should break its signature and CDHashes, and macOS won’t like that.

If there’s a really good reason for making a change, and you can justify resigning the app using an insecure ad hoc signature, you could try stripping its current signature, changing the app bundle, then resigning it with an ad hoc signature. There are two cautions, though:

• Any ad hoc signature is inherently insecure, and makes it simple for malicious code to tamper with that app.
• This may break the app’s updating process, and if it doesn’t, any update will undo your customisation.

Before going any further, you’ll need to add Terminal to the list in System Settings > Privacy & Security > App Management, otherwise your commands will be unable to make any changes to the app. Then make a copy of the app you intend to change, so you can readily revert to the original. Once you’ve done that, open Terminal and use the command
codesign --remove-signature MyApp.app
to strip the existing signature from the app MyApp.app. Note that two hyphens precede the remove-signature verb.
When you’ve made your changes, use the command
codesign --sign - MyApp.app
to sign that app with an ad hoc signature.

Summary

• Apps bundled in macOS from 13.3 onwards can’t be copied and run from elsewhere, preventing all customisation, and can’t be given custom icons.
• Third-party apps can have custom icons applied in the normal way.
• Any internal surgery inside the app bundle will break its notarization and signature, and shouldn’t be attempted.
• If it’s an essential change, you may be able to strip the signature, make the change, and resign with an ad hoc signature.
• Ad hoc signatures are inherently insecure, and should be avoided if at all possible.