1. 38
  1.  

  2. 23

    Even more of a shame is that Apple doesn’t allow other browser engines. So there is little gain in using Firefox on iOS. That being said I also run Firefox on iOS and prefer its UI to Safari.

    1. 14

      While I certainly understand that this is annoying—and I think that Apple should allow other browser engines—it is also a somewhat natural consequence of the iOS security model. JavaScriptCore is one of the few processes that has the com.apple.security.cs.allow-jit entitlement, which allows process memory to be both writable and executable.

      Now that V8 can function in pure interpreted mode (no JIT), it would be great if Apple allowed Blink to be the backend for Chrome on iOS, but it’s relatively unlikely that this will happen. The performance impact would be noticeable. I’m not sure if SpiderMonkey can work in a W^X situation yet or if it would be feasible for Mozilla to swap out WebKit for Gecko in the first place.

      I would personally never be comfortable jailbreaking my phone—the security implications are significant and the entire community seems to have a relatively laissez-faire attitude about releasing source code and security in general. Checkra1n is not only closed-source but the binary is obfuscated to make reverse-engineering difficult. Luckily, unc0ver and checkra1n both support the newest versions of iOS (assuming the hardware is supported by checkra1n), so it’s not a requirement to lag behind on security updates anymore.
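The W^X constraint this comment describes, as an added C example that is not part of the original thread: `rwx_mapping_allowed` probes whether the OS grants a page that is writable and executable at once, and `run_stub_wx` shows the alternative of writing the code first and then flipping the page to read+execute. The function names and the 42-returning stub are constructed for illustration; POSIX `mmap`/`mprotect` on x86-64 or AArch64 is assumed.

```c
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE            /* exposes MAP_ANONYMOUS on strict glibc builds */
#endif
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* Constructed sample "JIT output": a function that returns 42. */
#if defined(__x86_64__)
static const uint8_t STUB[] = { 0xb8, 0x2a, 0x00, 0x00, 0x00,   /* mov eax, 42 */
                                0xc3 };                         /* ret         */
#elif defined(__aarch64__)
static const uint8_t STUB[] = { 0x40, 0x05, 0x80, 0x52,         /* mov w0, #42 */
                                0xc0, 0x03, 0x5f, 0xd6 };       /* ret         */
#else
#define NO_STUB 1                  /* no stub for this architecture */
#endif

/* Probe: does the platform hand out memory that is writable AND executable
 * at the same time? Returns 1 if the mapping is granted, 0 if it is refused.
 * A refusal is what a process without a JIT exception sees under strict W^X. */
int rwx_mapping_allowed(void)
{
    size_t pg = (size_t)sysconf(_SC_PAGESIZE);
    void *p = mmap(NULL, pg, PROT_READ | PROT_WRITE | PROT_EXEC,
                   MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED)
        return 0;
    munmap(p, pg);
    return 1;
}

/* W^X-respecting path: the page is writable while code is emitted, then
 * flipped to read+execute before it runs. It is never both at once.
 * Returns the stub's result (42), -1 if the OS refuses a step,
 * or -2 on an architecture without a stub. */
int run_stub_wx(void)
{
#ifdef NO_STUB
    return -2;
#else
    size_t pg = (size_t)sysconf(_SC_PAGESIZE);
    uint8_t *p = mmap(NULL, pg, PROT_READ | PROT_WRITE,
                      MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED)
        return -1;

    memcpy(p, STUB, sizeof STUB);                 /* emit while writable */

    if (mprotect(p, pg, PROT_READ | PROT_EXEC) != 0) {  /* drop W, gain X */
        munmap(p, pg);
        return -1;
    }
    /* Required on AArch64 so the instruction cache sees the new bytes. */
    __builtin___clear_cache((char *)p, (char *)p + sizeof STUB);

    int (*fn)(void) = (int (*)(void))(uintptr_t)p;
    int result = fn();
    munmap(p, pg);
    return result;
#endif
}

int main(void)
{
    printf("simultaneous W+X mapping granted: %d\n", rwx_mapping_allowed());
    printf("write-then-execute stub returned: %d\n", run_stub_wx());
    return 0;
}
```

Whether either call succeeds depends on the platform's code-signing and memory policy, so the two return values together show which of the two models the host enforces.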

      1. 22

        In my opinion, a security model that cuts this deeply into the ecosystem and customisability deserves only criticism. I don’t want to have such a platform for my personal computing needs. Security is nice, but my needs on my own machine come first. A device that is secure but doesn’t do what I want is useless to me. I need root access to make my machine do what I want because that is the only purpose the machine has: To do what I and only I want. I don’t need a machine that does what someone else wants - they should buy and maintain that machine if it serves them! The von Neumann architecture contains a memory that stores data and instructions. I don’t want to go back into computing stone age before von Neumann just because Apple (or anyone else, for that matter) thinks only they know what’s okay to execute. Without these permissions, modern computing is less exciting than the computers that existed 40 years ago.

        1. 14

          I don’t want to have such a platform for my personal computing needs

          Nobody is making you. Contrary to what you appear to be claiming, it’s okay if some people like stuff you don’t personally enjoy. It’s okay if things you don’t personally want exist.

          I already have a desktop that runs everything, but that comes with its downsides - notably, that it runs everything. I sure as hell don’t want production ssh keys or banking passwords on it.

          Personally, I quite like the option of a secure device. I know the iphone is more secure - not because I’ve read the source, but because exploit brokers are paying $2m USD for a zero-day that targets the latest version, and I’m not protecting anything worth much more than $2m.

          1. 12

            Nobody is making you.

            That is not entirely true. Due to your readiness to relinquish control of your devices, I have to put up with more and more locked down ecosystems. Rooting gets harder as time goes on, not only on iPhones but also on Android devices. Android now has a quite powerful API to detect root and many popular apps just refuse to work when you have rooted your phone. Additionally, you almost always lose your warranty if you root your device. Vendors only get away with this behaviour because you all tolerate it. I ordered a PinePhone because it seems to me like it is the last bastion of free mobile phone computing, but the situation is actually quite dire, the PinePhone software is in beta version and there really isn’t much choice in open mobile phones at all.

            Contrary to what you appear to be claiming, it’s okay if some people like stuff you don’t personally enjoy.

            I make no such claim. I don’t care if you like My Little Pony but I care if you like locked down foreign-controlled computing platforms. Think about the consequences of your actions. You vote with your wallet, and if you vote for more authoritarianism, I will get it too.

            I know the iphone is more secure

            Frankly, I don’t see the reason why iOS would be any more secure than a properly maintained Linux or OpenBSD installation. The lockdown is largely security theatre and in Apple’s own interest.

            1. 4

              I have to put up with more and more locked down ecosystems

              Or not - as you’ve ordered a pinephone (more power to you - I’m excited to see how that space plays out).

              Frankly, I don’t see the reason why iOS would be any more secure than a properly maintained Linux or OpenBSD installation.

              I’m not nearly expert enough in security to weigh in on that front; however, the relative prices for exploits seem like a pretty damn good proxy for how hard a target something is.

              Given exploits sell for much more on ios, I’m going to default to ‘they cost more to produce because it is more secure’.

              This appears (to be mildly uncharitable) to be wishful thinking based on your dislike of lockdown (eg “lockdown is bad, therefore it doesn’t increase security”).

              if you vote for more authoritarianism, I will get it too

              Honestly? This is actually quite a powerful argument, and I’ll need to dwell on it awhile. Some entities are centralizing power far too much (apple & cloudflare come to mind) - even if they aren’t evil today, who knows what next year will bring.

              1. 10

                Or not - as you’ve ordered a pinephone

                For many people, this isn’t an option. Some governments require you to use an app (iOS or Android only) to access government services. So do some banks. If you have money or pay taxes, you may actually be trapped in one of the vendor-control-over-user-freedom ecosystems.

                1. 6

                  Given exploits sell for much more on ios, I’m going to default to ‘they cost more to produce because it is more secure’.

                  iOS exploit prices recently fell beneath Android exploit prices.

                  1. 1

                    Thanks for pointing that out (well worth considering when I’m next buying a phone).

                    However, this was in reply to

                    Frankly, I don’t see the reason why iOS would be any more secure than a properly maintained Linux or OpenBSD installation.

                    Both android (2.5m) and ios (2m) remain significantly higher than a properly maintained Linux or OpenBSD install - an OpenSSL RCE goes for 250k and a Chrome RCE+LPE goes for 500k (less for other browsers).

                  2. 3

                    Given exploits sell for much more on ios, I’m going to default to ‘they cost more to produce because it is more secure’.

                    I doubt that is the only parameter for the price. Popularity is almost certainly another factor as well.

                    1. 2

                      You seem to be reflecting on this possibility already, but for those who might read this later and need a concrete example of why the popularity of Cloudflare for example might not be the best for the web at large: https://blog.torproject.org/trouble-cloudflare

                    2. 3

                      Frankly, I don’t see the reason why iOS would be any more secure than a properly maintained Linux or OpenBSD installation.

                      The fact that you have to qualify with “properly maintained” is evidence enough: the former offers a more practical form of security for most people than the latter.

                      1. 2

                        OpenBSD would drain your phone battery in about 20 minutes. Same with FreeBSD. They’re not designed to keep the CPU in low power states. Too many drivers and applications cause interrupts and wakeups.

                      2. 1

                        So where do you keep production SSH keys if not on a PC? Maybe a Chromebook or iPad?

                        1. 1

                          In general I think that’s much safer against getting copied away, yeah.

                          Unfortunately it’s not quite as practical. The desktop has all sorts of advantages, like a good keyboard, a copy of the source code etc.

                          The security benefits have to be weighed against the risk of prolonging an outage.

                      3. 13

                        The issue that you are ignoring is that Apple is developing security to the lowest denominator. It’s not users like you they are trying to protect. It’s the end user that has no idea they need to be protected. Apple has chosen to deeply embed security to protect those users. If Apple gave us a way to turn off the security, that would be used by bad actors to disable these users, who would then accuse Apple of not protecting them.

                        So while I do wish that I had more freedom, I do appreciate that I don’t have to deal with the trash ecosystem that is the Google Play store. And in this case I am willing to give up some freedom to not have to worry about getting owned by some random websites or store app.

                        1. 10

                          The issue that you are ignoring is that Apple is developing security to the lowest denominator. It’s not users like you they are trying to protect. It’s the end user that has no idea they need to be protected. Apple has chosen to deeply embed security to protect those users. If Apple gave us a way to turn off the security, that would be used by bad actors to disable these users, who would then accuse Apple of not protecting them.

                          That literally is just Apple Apologist. And “We’re sorry, the user is too stupid to own their hardware that they paid for”. Really now?

                          Fine. If I had bought an Apple phone, I should be able to go into an Apple store and have them provide me root creds. And guess what? They’ll laugh you right out.

                          So while I do wish that I had more freedom, I do appreciate that I don’t have to deal with the trash ecosystem that is the Google Play store. And in this case I am willing to give up some freedom to not have to worry about getting owned by some random websites or store app.

                          And with Android, I can install other app store sources, namely FDroid. Others exist as well. Android devices are more mine… Still, with that pesky Google crap.

                          The one I’m watching is the Pinephone. Real Linux. I’m root, and end of story.

                          1. 6

                            That literally is just Apple Apologist.

                            Not the person you’re replying to, but from my experience interviewing with their security engineering and architecture team, that is their perspective. Any off-switch is an off-switch that can be socially engineered.

                            1. 9

                              Too true. But that social engineering can occur as complex as a callback from a scam banker on the call with your real banker, and MiTM’ing your conversation, to as something as banal as “can you give me your CC#, expir date, and cvv”

                              I’m not arguing that disabling protections should be easy. But Apple, with iOS, is saying “it’s impossible, it’s not your device, go away”. That’s the root of my argument, that keeping away my full and unfettered access is akin to a rental agreement, and not a proper sale.

                              1. 2

                                A genuine question, because the number of times this argument has been had on the internet probably is comparable to the number of devices Apple has sold:

                                Do you honestly believe, at this point, that there is anyone left who is persuadable – either to your viewpoint, or to the viewpoint you think you’re arguing with – and has not yet been persuaded?

                                And in a larger sense, do you believe that articles like the one at the top of this thread serve any useful purpose? I ask because it just strikes me as saying “It turns out that what Apple claims they do, and what we all knew they do, is in fact what they do”. As such it does not inform, and nor, it seems, does it persuade.

                                1. 1

                                  Yes I honestly believe, even at this point, it is useful. Because “everyone knows” means “today’s lucky 10000”: see https://xkcd.com/1053/.

                                  1. 1

                                    I don’t buy it. Anything involving Apple on a tech forum has been guaranteed repetitive flamewar territory for decades at this point. So the idea that there are mass numbers of people on tech forums who would be encountering this for the very first time in any given thread is not plausible to me (except perhaps for the case where the forum in question is demonstrably growing on the order of hundreds of thousands to millions of new users per day or at most per week, which this site is not).

                                    Or maybe to go with an analogy: I could believe that someone who’d been driving for years might not know what every single possible warning light on the instrument panel means. I would have a harder time believing a claim like “never heard of a steering wheel” or “no idea what a brake is”. Similarly, I could believe someone who frequents tech forums might encounter certain topics for the first time, and might even do so on a regular basis as well-known reposts make the rounds every so often. I have a very very hard time believing that someone who frequents tech forums would never have encountered a flamewar about Apple and thus would be genuinely naïve about them.

                                2. 2

                                  Think of the phone like a Cisco switch/router: you own the hardware, but the firmware/OS is theirs and you cannot sell or redistribute it. They do not have to give you access or tools to replace the firmware/OS either.

                              2. 2

                                You are so deep in the minority of consumers it’s not even a blip on anyone’s radar

                              3. 2

                                I agree. So many people’s lives are on their phones now, it would be irresponsible not to enforce as rigorous a security regime as possible.

                                1. 6

                                  But that’s not what Apple is selling. Apple is selling hardware. Keyword is “selling”.

                                  If you want a dumb terminal or a managed end-user device, then it needs to be sold as a rental or managed device, and not a sale.

                                  1. 10

                                    If you want a dumb terminal or a managed end-user device, then it needs to be sold as a rental or managed device, and not a sale.

                                    Why? People seem to be happy to purchase the phones and not worry about the operating system at all. I’m sure people would also buy an iPhone subscription - but that’s in the hands of the business analysts from Apple.

                                    To me it looks like you’re projecting your expectations from soft- and hardware vendors onto other people.

                                    1. 19

                                      Prior to software being incorporated into all sorts of things, things you bought were yours.

                                      If I wanted to use a shovel to shovel dirt, that’s my business. Same for cow manure. Same for scooping hot asphalt. And I can also use a shovel for ‘non-shovel-intended’ things, like using it as a prybar. And if the wooden handle broke, I could replace it. And I can sharpen the blade as I choose.

                                      With software, the stuff we bought is controlled by someone else. It’s no longer ours, but instead mediated by a 3rd party, who usually isn’t in your interests. I look at Tesla cars, Apple phones (and creeping to their laptops), all ranges of IoT crap, John Deere, Sonos speakers and the drm timebomb, and more. InternetOfShit on twitter focuses on the IoT side of things… but this realm dwarfs IoT.

                                      To me it looks like you’re projecting your expectations from soft- and hardware vendors onto other people.

                                      No. I’m just tired of having ownership of my stuff being whittled away with software, API, and website lock-in. “Sorry, you bought it but you can’t do X because we didn’t approve it.” And I would dare-say that most average (non-IT) people aren’t aware of it, UNTIL it bites them in a non-intuitive and terrible way.

                                      1. 1

                                        If I wanted to use a shovel to shovel dirt, that’s my business. Same for cow manure. Same for scooping hot asphalt. And I can also use a shovel for ‘non-shovel-intended’ things, like using it as a prybar. And if the wooden handle broke, I could replace it. And I can sharpen the blade as I choose.

                                        Shovels don’t exist in a world where people can use the design flaws in other peoples’ shovels to automate fraud.

                                        1. 8

                                          You took the argument I was making in pretty bad faith there.

                                          The more that software takes over stuff, the less ownership we have in it. My repair-ability is nigh 0 with the further locked down platforms. I’m relegated to running cracks from shady sites in the hopes I can free my hardware/software.

                                          While fraud is an important thing to stop, locking down platforms only serves to further a monopoly at its root. Fraud is only a secondary effect - captive users locked into a platform is the primary goal. And it’s no wonder why they don’t want to ‘let’ users have the freedom they should have had.

                                          1. 2

                                            People also still fall for all kinds of fraud despite that security model, and malicious apps still get past the app stores review.

                          2. 7

                            Yes I know. I really miss my extensions. But having sync is a bliss and at least something, better than nothing.

                          3. 10

                            Didn’t Microsoft pay out a fat settlement for doing less than this with their browser?

                            1. 11

                              Because they were abusing their monopoly, which Apple doesn’t have, they are not even the biggest player in the market.

                              1. 4

                                Windows : PC :: Apple : Mobiles, then sure, no monopoly.
                                Windows : Intel PCs :: Apple : A5 Mobiles, then 😉

                                Or maybe it’s about what we can do with a particular piece of form factor? Was Windows a monopoly because of the network effects of its software ecosystem? Apple has one of its own, complete with exclusives.

                                Microsoft enjoys so much power in the market for Intel-compatible PC operating systems that if it wished to exercise this power solely in terms of price, it could charge a price for Windows substantially above that which could be charged in a competitive market. Moreover, it could do so for a significant period of time without losing an unacceptable amount of business to competitors. In other words, Microsoft enjoys monopoly power in the relevant market.

                                That Apple Tax.

                                It all depends on how we draw the lines of monopoly.

                                1. 2

                                  The Apple Tax is 110% a real thing on desktop/mobile form factors.

                                  On mobile it’s a whole other thing. Compare, for instance, their geekbench scores (in operations per second):

                                  The cheapest iphone ($400 USD iphone SE) scores 1326.

                                  The samsung galaxy ultra at $2000 scores 840 on the same benchmark.

                                  The cheapest iphone is nearly twice as fast (single-core) as the fastest android. On multi-core it’s still faster, but only slightly.

                              2. 3

                                I haven’t read the EULA for iOS in its entirety, but if it says that the default browser is not allowed to be changed then that is a solid (legal) defense for Apple. I did just check and it has a clause stating that you aren’t allowed to modify the software. Changing what application is opened when you click a link in the Mail app (for example) would likely constitute modifying the software in a court of law.

                                I don’t understand why people still buy Apple products at this point.

                                1. 6

                                  EULAs are generally unenforceable against private parties in the US* and Apple’s legal has far better things to do than to file frivolous lawsuits against people who jailbreak their phones to change the default browser. The situation with AOL and Microsoft fighting for the dominant browser doesn’t exist today, so an antitrust case against Apple for bundling Safari seems much weaker now. Remember that there are far more Android phones than iPhones today; in the 90s, Windows had over 90% of the market.

                                  *If you’re an iPhone reseller and you jailbreak the phones you’re selling to change the default browser, then Apple might go after you. If you’re a private party, nobody cares.

                                  1. 1

                                    EULAs are generally unenforceable against private parties in the US* and Apple’s legal has far better things to do than to file frivolous lawsuits against people who jailbreak their phones to change the default browser.

                                    This is very true. My point however, was that somebody who tries to sue Apple because they don’t provide this functionality wouldn’t get very far because of the EULA that they (either implicitly or explicitly) agreed to.

                                    Remember that there are far more Android phones than iPhones today; in the 90s, Windows had over 90% of the market.

                                    I believe this is one of the reasons that we haven’t seen any of these lawsuits.

                                    Edit: accidentally posted with an edit for my other comment.

                                  2. [Comment removed by moderator pushcx: Removing troll. Don't insult people like this again.]

                                    1. [Comment removed by moderator pushcx: Don't respond to troll comments like this, just flag them for moderators.]

                                      1. [Comment removed by moderator pushcx: Pruning troll thread.]

                                        1. [Comment removed by moderator pushcx: Pruning troll thread.]

                                        2. [Comment removed by moderator pushcx: Pruning troll thread.]

                                          1. [Comment removed by moderator pushcx: Pruning troll thread.]

                                            1. [Comment removed by moderator pushcx: Pruning troll thread.]

                                              1. [Comment removed by moderator pushcx: Pruning troll thread.]

                                    2. 7

                                      It still blows my mind that Microsoft lost their antitrust case over bundling IE with Windows, given how far monopolies have pushed their advantages in the decades since. Antitrust enforcement has all but disappeared in the US.

                                      1. 7

                                        I’m unsure why people interpret the Microsoft antitrust case as producing an outcome of “it is illegal in the United States to bundle a web browser with an operating system”.

                                        That was not the outcome the case produced, and there’s basically no valid analogy to be drawn between that case and the present-day Apple hardware/software ecosystem (the Microsoft case was about abuse of an existing monopoly; Apple does not have a monopoly, or anything close to a monopoly, in any category that would be relevant for drawing such an analogy). The only thing they have in common is the anger of a certain subset of the tech community at the companies involved.

                                        1. 6

                                          Tech learned a thing or two about lobby since then.

                                        2. 2

                                          I use Firefox on my iPhone as my “default” browser although it’s not the Default, and this is less of a problem than it would be on a desktop. Apps normally try to display web pages in an inline browser anyway, with a button to launch it in safari. This is right next to the “share” button which has Firefox behind it, so it’s two short taps instead of one.