1. 22

  2. 16

    I agree with a lot of Apple’s points in this paper, and it is one of the primary reasons I choose iOS year after year. While I am sometimes frustrated with the limitations, the end product meets my needs. As a consumer, I don’t want multiple app stores because I know I will be forced to download an incredibly invasive ticket app to get into a venue or get on a plane or one of the other millions of things I rely on my phone to do.

    That said, as a resident of the EU, this current situation is untenable. When Apple decided to pivot hard into the services space, the incredible power they give themselves for their internal apps vs what external developers have was always going to force this debate. There isn’t a technical reason iCloud backup can do things that Dropbox, Amazon, Backblaze, etc cannot do in terms of system access and making backups of my phone. But because of how Apple has constructed their OS, their internal service has an unbeatable advantage over competitors regardless of technical merit. Apple Music can always beat Spotify on price because they don’t have an insane tariff for being on my phone, same with news, etc etc.

    Were I Tim Cook, I would attempt to give regulators something now to reduce interest in a more aggressive breakup. Who cares about the 30% fee on transactions, give it up, let them put in SAQ D approved payment gateways and not pay you. Now Epic and Spotify care a lot less and now regulators need to debate about APIs, something they don’t understand and is frankly too boring to make a compelling press conference about. You’ll still get to keep the iCloud integration advantage, Apple Music is good enough to compete one on one with Spotify and most of your other services are either duds (Apple News) or integrated too closely with your hardware (Apple Fitness) for competitors to really bother with.

    1. 6

      There’s a tension for Apple between saying that their gatekeeping for the App Stores avoids malicious apps and saying that the strong sandboxing mechanisms on iOS / macOS protect users. If the latter is true, why do I care if I install a malicious app? It shouldn’t be able to do any harm unless I give it a lot of permissions.

      Part of the problem here is that apps, especially without an App Store’s curation, ask for a load of permissions that they shouldn’t need. Both Apple and Google have been getting better at pushing back on this recently but without the threat of being blocked from distribution there’s really very little incentive to not just ask for all permissions. I don’t know how you’d actually implement it in law, but I’d love to see greater liabilities from compromises by applications that ran with more permissions and especially ones that run with more permissions than they should have needed. If you’re going to write a remote proctoring app that needs to be able to enable the camera and microphone while another app is running, then you’d better be thinking really hard about security and have a lot of liability if users are compromised via your app. If you’re writing a video conferencing app and you ask for the permission to enable the camera even when the app isn’t running because you’re too lazy to reinitialise the camera on context switch then you should get even larger liability in case of a compromise. This would maybe set up incentives for apps to request minimal sets of permissions and then users would start to see asking for extra permissions as a scary thing that they should default to denying.

      1. 2

        The App Store is what verifies and restricts the sandboxing settings for an app. It’s what stops an app from having a sandbox that says “give me access to everything”.

        The rules of distribution on the App Store are what require an app to ask permission to track you; they’re what say that if you have an in-app subscription you must have an on-device mechanism to terminate that subscription.

        1. 5

          The App Store is what verifies and restricts the sandboxing settings for an app. It’s what stops an app from having a sandbox that says “give me access to everything”.

          No it doesn’t. The kernel enforces a sandbox policy. The sandbox policy comes from entitlements metadata on the binary. The kernel uses code signing to prevent this from being tampered with and will not run applications at all that have a metadata flag on the filesystem that indicates that they’ve been downloaded from the Internet without the user explicitly clearing that flag. That mechanism would be trivial to extend to require the user to approve the entitlements that the app requests. There’s no need for this to be coupled to a distribution mechanism, only to a first-launch policy.

          The rules of distribution on the App Store are what require an app to ask permission to track you; they’re what say that if you have an in-app subscription you must have an on-device mechanism to terminate that subscription.

          That’s certainly true, though I’d prefer that both of these were enforced by laws rather than by contracts that developers have with Apple.

          1. 4

            The kernel enforces the entitlements on the binary, the App Store enforces the rules on what entitlements a binary can have.

            In the absence of the App Store a binary can include whatever entitlements it wants, including photos, calendars, or simply access to everything.

            1. 1

              Yes. As I believe happens on jailbroken devices.

              The OS could be amended to limit the entitlements available to a 3rd party app, so the App Store wouldn’t be needed for that. But that doesn’t fix higher level issues.

              For one thing, 3rd party apps aren’t allowed to call non-public OS functions/methods. This isn’t enforced (enforceable? Not sure) at runtime, it’s an automated part of Apple’s app review. Though one could imagine the same automated scan being built into the OS and running whenever a binary is installed.

              1. 1

                This isn’t enforced (enforceable? Not sure) at runtime, it’s an automated part of Apple’s app review

                I don’t know if it’s enforced, but it’s definitely enforceable. The Mach-O file format and the XNU linker have supported a two-level namespace for ages. This means that if an app links to library A, and A links to library B, then the app doesn’t see symbols from B, only the ones from A. This means that it’s entirely possible for Apple to have private APIs in B that A can use but that apps can’t. It would need a fairly small tweak for dyld to simply refuse to allow anything that wasn’t in /Frameworks or /Library/Frameworks to link directly to any of the libraries with private symbols.

                Google has added similar functionality to Android. This doesn’t stop the program from poking around in its address space and finding a pointer to the function, though at that point if it breaks then it’s really not the OS vendor’s problem. Google does this to, for example, separate the C++ standard library that the system frameworks use from the one that NDK code uses. They may be the same code, but they’re independent versions and so they can update the private one without breaking third-party NDK apps.

                The most egregious example of this kind of poking that I’m aware of was an old version of the Facebook app. Because it was transpiled to Java from something else, it ended up with some very weird classes. One of them hit one of the Dalvik limits from using 16-bit identifiers. The app started up, ran some native code that inspected the Dalvik interpreter and patched the code, and then loaded the rest of the app. This, of course, broke horribly when the Dalvik implementation changed.

    2. 11

      This is another key point that cannot be overstated. As things stand today, you cannot “mess up” your iOS device by installing the wrong software. You can easily uninstall all traces of any app you do install with a tap-and-hold on the app’s icon. No app you install can entrench invisible background agents that act like system software. And because of this, hundreds of millions of non-technical iOS users install far more software on their iOS devices than they do or did on their PCs — including Macs. This, despite the fact that PCs are far more powerful devices. Typical users install more apps on their less capable phones than they do on their far more capable PCs. This is as close as we can get to proof that Apple’s App Store model on iOS hasn’t just worked, but has proven to be wildly successful and popular with users.

      The conclusion is wrong. A very large part of the reason why iOS is safer is because of OS-level security features - features which would be just as applicable in a side-loading environment (including all of the ones mentioned in the article), and has very little, if anything, to do with the App Store model.

      Sideloading proponents, take note - this is an extremely common fallacy made by those who argue against it.

      1. 7

        The concerns raised are valid, but I have some critiques:

        • They can generally be addressed with technical measures that do not restrict the user.
        • Allowing a large multinational corporation final say over what is allowed on phones anywhere in the world is a disproportionate sacrifice for society to gain some extra security. It might be somewhat different if the app store was run by an organization that was more easily accountable to the people who rely on it.
        • The “you can just not use iOS” line is pretty tedious at this point – the fact that people are pushing for this law is kind of a case in point: if folks really felt like they could just avoid iOS if they weren’t happy with it, nobody would care enough to get the government involved in the first place. The author of the blog post actually points this out in the context of people being expected to install “proctoring” apps and the like – but the reverse is true too, people aren’t really free to avoid Apple’s influence. I don’t think there would be the political will to make this happen if Apple wasn’t abusing the control they have in ways that have absolutely nothing to do with privacy and security.

        More on the first point, because I’m a nerd. Possible technical measures:

        • Ransomware attacks, at least the “I will delete your stuff” variety can be mostly neutralized by frequent, automatic backups, a feature that would be useful in its own right. There’s no reason users should ever be worrying about losing data for any reason – we as an industry need to do better here.
        • Network access needn’t be a default permission; apps can ask for that too, and so an app that claims not to export your data would be unable to hide it if it’s lying.
        • In general, prompting for permissions on use is better than on install, since it gives the user more context for why the app might want that permission. It also allows the user to deny permissions needed for certain features (or superfluous permissions) without opting out of using the app entirely.
        • The claim that the payment infrastructure stuff wouldn’t work if side-loaded apps were allowed is complete nonsense; all of this is system APIs that would work just as well with $misc_app.

        Furthermore, malware can and has slipped past the review process, so to some extent the filter provides a false sense of security.

        Finally, the comparison to desktop operating systems is not really fair – classic desktop OSes include essentially none of the technical protections. Android would be a somewhat more fair comparison, and indeed has a much better track record than say Windows.

        1. 6

          By installing Debian I trust its maintainers, in a cryptographic sense. All of the maintainer keys are in /etc/apt/trusted.gpg, and by installing from the repositories my system always checks if the packages are signed by one of the keys in the trusted keyring. But Debian trusts me as a user to make additional decisions on who I can trust. I can add other keys to the keyring, with which I gain the ability to install software from other repositories and other developers. Apple doesn’t trust me as a user. As such, they do not deserve me trusting them back.

          1. 5
            • Debian is an OS that focuses on developers and power users. iOS is for anyone. Many (most?) people don’t understand the nuances of software security, nor should they have to.
            • Debian doesn’t have commercial closed-source apps that someone might force you to install as a requirement to take a test or access your work calendar, etc. There is a very real problem with this happening on phones (i.e. test proctoring apps that violate user privacy.)
            • Debian doesn’t run on your phone. The last thing you want is for a mission critical device like your phone to fail, or drain its battery too soon, or pwn you, because of some software you installed. This is why iOS has always been more locked-down than macOS.

            It’s fine to say “iOS isn’t for me” because of its restrictions. But it’s not a moral high ground about trust.

            1. 2

              Debian is an OS that focuses on developers and power users. iOS is for anyone. Many (most?) people don’t understand the nuances of software security, nor should they have to.

              Ubuntu has the exact same trust system and in their marketing, it’s obvious that they do not target developers or power users specifically, and focus more on the casual users. Worth noting that most Debian derivatives, most of which are targeted at end users, use the exact same trust system.

              Debian doesn’t have commercial closed-source apps that someone might force you to install as a requirement to take a test or access your work calendar, etc.

              No, those definitely exist, you just might be lucky that you didn’t encounter them. Maybe less rare, but it’s all a question of popularity. While Slack or Teams might be available in browsers at the moment, there’s not much reason for them to not get discontinued there besides a bunch of people getting angry.

              Debian doesn’t run on your phone. The last thing you want is for a mission critical device like your phone to fail, or drain its battery too soon, or pwn you, because of some software you installed. This is why iOS has always been more locked-down than macOS.

              My computer is a lot more mission critical than my phone. I would expect many people that are not under managerial positions to state exactly the same. And yet, nobody is seriously calling for developer machines to be locked down in case they install some software that will pwn their laptop. People trust people they work with to not do things like that.

              It is all a question about trust in the end. And Apple trusts you as much as a 5 year old. If you are not a 5 year old, why should you trust Apple back?

          2. 2

            If you think of the iDevices as something that Apple owns and consumers get to use for a fee, then dis-allowing side-loading makes sense. I think that consumers have been forced into this arrangement over time, and for the most part, they don’t even realize that this is the deal they have been offered. When it comes to ownership of computers, they’ve been slowly boiled like frogs ever since the 90s. So, if you ask consumers what they want, they will give confusing or non-sequitur answers, because their conscious-mind model of what’s going on with their phone is significantly different from what is actually happening.

            I think most people probably have a subconscious simmering unease about the whole situation though, especially considering how the phone has become almost like an extension of the human body and mind. So folks are losing their body autonomy, slowly rights that were supposed to be protected by various national and international laws and conventions are slipping away. But most people don’t have the time, energy, resources etc to actually address these tensions and come to terms with the reality of their existence. So they just carry on with that weight on their subconscious.

            I’m kind of confused about why it’s ok that I’m forced to install whatever software Apple decides, and even have my access to software limited by them, but it’s not ok for Apple to allow some 3rd party in Podunkville to attempt to mandate their citizens/students/concertgoers/etc to install a sketchy 3rd party app. Especially when, like folks have mentioned,

            iOS is safer is because of OS-level security features.

            IMO It’s the same problem whether a 3rd party does it or Apple does it, and arguably it’s worse with only Apple, because then there are no less-sketchy alternatives (outside of, you know, not using apple products).

            Ultimately I think that people who want to own their computers have given up on Apple since many years ago. So the question of ownership when it comes to Apple products is a bit of a moot point.

            1. 4

              If you think malware is great, if you think being ordered on pain of losing your livelihood to install surveillance apps is wonderful and should be encouraged as widely as possible, if you think the most important freedom is the freedom to be hurt, badly and repeatedly, and then be told it’s your own fault and you deserved it for not being sufficiently technical, then you might agree with the comment above.

              If, on the other hand, you think that framing a comment in such a way as to try to force a particular hyperbolic framing and set of ideas onto anyone who disagrees is a terrible rhetorical device, then you might not like the comment above. And the commenter above might gain some insight, from the first paragraph of this, into why.