Oh yeah, they can spread malware for months, but I submit one fucking app that allows you create signs for your business for COVID-19 and all of a sudden I get a 'Sensitive Events Violation Suspension' and get a ding on my Google Play account.
Google has become Apple except worse because at least Apple is reachable.
Apple is pretty much the same, I've been trying to create a developer account for three entire weeks and it still shows as "pending" without info. I saw on the forums that for some people it can take months. It looks like some bureaucratic government body from the 90s.
I now advise my friends to switch to Android if they want to see the app, there's a limit on what I can put with. These companies should just be broken up in pieces.
Apple also uses your GPS data to update its location service (for profit), and unlike Android offers no way to opt out — if you want to get your location on an iDevice, Apple will get it, too. If you want to do something crazy like write apps for your own device without having to reinstall weekly, you have to deanonymize yourself with payment.
That's interesting to know, I was originally convinced by their marketing claiming the walled garden was at least helping a bit for security purpose but even that seems false.
I separate their concept of the sandbox (app permissions) from the walled garden (the App Store & the lockdown of user install). You can totally have a sandbox without a walled garden. It seems that in this case, the walled garden did not help in any ways.
The malware removes information off the device like the device’s name, country, and unique identifiers.
This part is complete conjecture.
According to Palo Alto Networks, it may also have the ability to push dialogue boxes to your iPhone or iPad’s screen. Theoretically, a bad guy could use one of these dialogues to steal your username and password or other personal information.
The malware may also be able to open websites in your mobile browser, which could be used for a variety of malicious purposes again including phishing and installing other potentially malicious software.
>unlike Android offers no way to opt out — if you want to get your location on an iDevice, Apple will get it, too.
As far as I know there is not a way to opt out of this in (Googlified) Android. If you have Play Services installed (which you do, unless you've taken unreasonable steps to avoid it such as rooting and installing a 3rd party ROM), you get a dialog box popup whenever you enable location services which informs you that Google will be watching (it's framed as a consent dialog, but if you decline then location services will not be enabled). And you need location services even to use the GPS.
If you don't like Google, installing a community ROM that doesn't violate your privacy would be perfectly reasonable. If you want a megacorp service but not from a megacorp, I think you won't find that anywhere.
But then all banking apps stop working (including the 2FA apps "required" for using credit cards from some EU Banks; for EC cards you luckily still can use ChipTAN).
Also mobile payment will stop working, normally I wouldn't care about that but currently paying without touching anything is nice.
Then some apps you need for work might stop working.
Not even speaking about hounded of other apps.
The problem is to many app depend strongly on Google services which are not part of Android itself but shipped with every Google Android phone.
And to many institutions except you to either have a Google Android phone or a iPhone.
I could get away most of the time with a non Google Android phone but I will would need a second Google Android phone like 5 times a month or so.
Not true. With things like magisk and systemless root, the banking apps continue to work. At least my 4-5 banking/payment/credit card apps all work, with lineageos and magisk.
But how do you replace FCM? I mean most apps which where not intentional distributed over alternate app stores will just try to send notification through it.
Also I'm not so sure how legal it is to side load a app which is only meant to be distributed over google play.
> And you need location services even to use the GPS.
This is the part that's wrong. Unlike on iOS, you can use the location API directly on Android without Location Services enabled, and the Location Services get location updates API will fall back to using that if Location Services is disabled.
Apps in the iOS App Store are allowed to embed silent spying that you can't disable (also known as spyware) that upload your location and activity data to third parties without your consent.
You're deemed to have agreed to this as a user based on the App Store Terms of Service.
Don't buy Apple's lies about privacy. It's just marketing.
Yes, but the permission is per-app. Let’s say I approve location for the app because the app’s function requires it: the third party spying SDKs embedded in the app send that location data off to third parties without notifying me or permitting me to stop it.
Apple permits this behavior in the App Store.
Furthermore, IP address is coarse location even if you don’t grant the app permission, via GeoIP databases.
Long story short, Apple allows apps in the store to embed silent, nonconsensual spyware that you can’t disable.
If an app's function requires location, how is it Apple's fault that the user decides it's better to enable that app to spy on him?
If I use Waze do I expect privacy from it when it's essential that it knows my location?
Furthermore, on iPhone you get a warning when an app abuses the location permission, unlike Android.
At least on iPhones you have per app control, on Android it's either "location on" or "location off"
> At least on iPhones you have per app control, on Android it's either "location on" or "location off"
Where did you get that notion? Location permission has been per-app since before Android launched. Even better, you can get your location without telling Google, unlike on iOS, which always tells Apple.
> Furthermore, on iPhone you get a warning when an app abuses the location permission, unlike Android.
If you're talking about https://www.cpomagazine.com/data-privacy/apples-new-ios-13-w..., this warning just covers a bug in iOS. Android already requires the app to request location permission to use any API that will allow the location to be inferred (e.g., Bluetooth and WiFi scanning). Therefore, no such warning is required on Android. The app already had to explicitly request location permission.
> If an app's function requires location, how is it Apple's fault that the user decides it's better to enable that app to spy on him
Apple makes the iOS SDK and writes all the app store policies. They could deny apps that embed third party location data mining/spying that is nonessential to the app’s functionality, just as they do that now for checkouts/payments of subscription services that don’t use App Store IAPs.
Apple has taken an aggressive stance regarding the curation (alternately, censorship) of the App Store. Everything that is or isn’t in it is “Apple’s fault”.
They let App Store apps spy and harvest data for shady data and location miner companies.
This argument is very much the same as saying “just don’t install spyware” and literally proves the point that neither store is trustworthy.
On Android you too have this featureset, though the settings app is very limited and also has the same problem as OP mentioned. Just look at whatsapp, constantly trying to launch all other facebook apps in the background (verify this with a freezing app).
On Android (or AOSP, Omni, Lineage and the like) you at least have fdroid as an alternative.
App stores are a trap. As developers we should be doing everything we can to keep the web alive. Every power you cede to a third party gets abused sooner or later.
Let this be another nail in the coffin of the "walled garden" farce.
We learn this lesson again and again. People want someone to trust, but a bureaucracy isn't trustworthy. It has its own agenda and values inconsistent with yours. They take 30% from everybody whether they approve malware or not, and whether they reject legitimate apps or not.
Trust doesn't come from size. If you want someone to vet your apps, it has to be someone whose interests are actually aligned with yours, not just whoever is big enough to force everybody through the tollgate into their store.
I would still prefer to have to trust just one authority for my platform than a multitude of random developers.
> Let this be another nail in the coffin of the "walled garden" farce.
There is no coffin, the walled gardens are not dying, and have long since become the norm, which happened because the people found them to be better than the alternative: getting apps (and manually updating them) from many different sources of varying quality and convenience.
> which happened because the people found them to be better than the alternative
Walled garden only exists because mobile devices make self-install alternatives very difficult or impossible to get on purpose, otherwise they would not be able to compete in any ways.
Case in point, the Mac App Store and the Windows Store are both moderate failures despite a lot of technical & marketing push.
The only demographic that matters in the long run is the youngest demographic, and that demographic is the most likely to own/use very underpowered hardware (Since they don't have their own money to spend on nicer hardware. Often they use hardware issued to them by their schools, or hand-me-down hardware from older siblings or their parents.) The specific implementations of Stadia/etc may not prove successful, but eventually I expect a service like this to overtake the alternatives for very young users, and subsequently, achieve dominance when those young users come to view those services as normal and familiar.
Most of the apps on my Mac are from the App Store and I wish all of them were.
The Mac App Store is not a failure from the user side, it's where users would look first. Nobody wants to have to go to different websites/repositories every N days to update all of their apps/drivers, or put up with spam from 10 different update notification mechanisms. I still remember that hell from barely 12 years ago. Why do you think gamers flocked to Steam?
As a developer, it's more of a failure of Apple's dismal documentation; I -want- my product to be a nicely sandboxed, well-behaved citizen that only accesses exactly just what it needs, but the state of macOS API documentation was too grim to learn how to do that the last time I tried (like "security bookmarks" and "file providers" from a relatively-simple Swift app).
So much this. Linux distros with popular package managers offer official and 3rd party sources through one API. It's a dream compared to Windows and Mac IMO
I'd say that they are more than moderate failures. I've heard from many acquaintances who aren't as tech literate as myself that one of the major reasons they got rid of their iPhone was not being able to install applications from outside sources.
Myself, I would never want to trust anything centralized.
It enables competition, which keeps everyone honest. If Amazon had an app store which was known to be full of malware then people would stop trusting them, but when there is real competition they need that trust to make money, so they would put in more effort to prevent that. If you find that your platform's app store is full of malware today when there is no competition, what is your alternative? Throw away your phone? Never install any apps?
The exposure is also not any worse when the people you trust are equally trustworthy. If you install ten apps from one distributor or ten apps from ten distributors and all of the distributors are equally trustworthy, the chance of an app you installed being approved even though it was malware is the same. It may even be lower because the distributors have to worry more about their reputations when there is competition.
And it also applies the other way. Right now they can reject apps that you want not because the apps are malicious but because they compete with the distributor's own. If there were five other trustworthy distributors then you could install it from any of them. So you could always get e-readers that compete with Amazon from Google, search apps that compete with Google from Microsoft, web browsers that compete with Apple from Mozilla and so on, no matter what kind of device you have.
> acquaintances who aren't as tech literate as myself that one of the major reasons they got rid of their iPhone was not being able to install applications from outside sources
Which applications did they want to install from outside sources? Which sources?
Where does something advertise itself as an iPhone app but not available on the App Store?
You misinterpreted. OP was saying that "Apple has walled garden while Google is open" farce is dying and this another confirmation.
Sadly people in general can't be trusted to make good decisions because of lack of knowledge and preference of short term gratification over long term well-being.
The authority isn't trustworthy though. They're a direct conduit to malware. That's the point here.
And try not to conflate walled gardens with software repositories. The benefits of the latter are available without the wall. The wall is significant because it stops you making your own trust judgements.
> I would still prefer to have to trust just one authority for my platform than a multitude of random developers.
Single point of failure.
> > Let this be another nail in the coffin of the "walled garden" farce.
> There is no coffin, the walled gardens are not dying, and have long since become the norm, which happened because the people found them to be better than the alternative: getting apps (and manually updating them) from many different sources of varying quality and convenience.
No. The people have no alternative. How many people are able to install F-Droid on theyr phone ?
> There is no coffin, the walled gardens are not dying, and have long since become the norm, which happened because the people found them to be better than the alternative: getting apps (and manually updating them) from many different sources of varying quality and convenience.
No they haven't. Given a fair choice customers have opted for the alternative the vast majority of the time.
The walled garden models have only worked when companies have engaged in anti-competitive behaviour.
The stores of the console makers use the same anti-competitive platform lock-in as Apple and Google.
Steam is the alternative where you get to choose where to install things from -- one of those places is Steam. Installing Steam doesn't prevent you from installing other software from the developer's website or the Linux package manager or Windows store or wherever you like.
> I would still prefer to have to trust just one authority for my platform than a multitude of random developers.
These are not the only two options. What about multiple authorities, but not random individual developers? That's basically how it works with e.g. game stores on PC (though Steam is certainly the largest), or package repositories on Linux.
Like you, I like being able to trust an authority to vet the software I install rather than having to judge the trustworthiness of each individual developer, but I'm not a fan of there only being one authority by design (as it is on e.g. iOS). It introduces a single point of failure and gives that authority full control over all software on that platform - for better or worse. Many package managers specifically deal with the issue of consolidating updates to a single system while not relying on a single authority.
> What about multiple authorities, but not random individual developers? That's basically how it works with e.g. game stores on PC (though Steam is certainly the largest), or package repositories on Linux.
> Like you, I like being able to trust an authority to vet the software I install rather than having to judge the trustworthiness of each individual developer, but I'm not a fan of there only being one authority by design (as it is on e.g. iOS).
You can already do this on Android though. Samsung offers an individual app store for it's phones, and FDroid works on all phones.
When it comes to the system's core sandboxing mechanism, only one authority can sign the certificates and provision capabilities etc.
If multiple authorities can sign apps, it sort of defeats the point and makes the sandboxing less trustworthy.
Right now, I can either: Rest assured that an app is sandboxed (via the App Store or macOS Notarization) or choose to let it run anyway (on macOS.) A dev could notarize their game (or not) and distribute it through Steam or the App Store, or both.
If Steam and GoG etc. could sign apps, then you're back to having multiple authorities of varying trustworthiness.
> Will third-parties have the same standards for checking if an app uses only the authorized APIs and gating privacy/resource access?
You get to choose who the third parties are, so choose ones who do. Some of them may even have higher standards than the platforms do.
> What happens when Apple/Google introduce new OS APIs, will those third-party signing authorities update their standards at the same time?
This was solved decades ago. You introduce new APIs with new operating system versions and provide development releases to developers ahead of time so they're ready by the time the new system is released to the general public.
> What if a third-party goes rogue and starts signing malicious apps? How and how soon will we know?
Presumably the same way you know when Google or Apple does it.
> You introduce new APIs with new operating system versions and provide development releases to developers ahead of time so they're ready by the time the new system is released to the general public.
Even major companies still haven't implemented something as trivial as Dark Mode in all of their apps by now, I wouldn't count on them to keep up with more complex changes.
Google still hasn't implemented Picture-in-Picture on iPads. Others still don't support split-view multitasking. Both these features have been out for years.
My impression was that you were talking about API changes that actually require the developer to use them, e.g. because the old thing doesn't work with the new system anymore. Then you give them some notice and they're ready with the new thing because they want their app to keep working.
The things you're listing are optional features. That doesn't require some kind of coordinated effort. If one distributor requires support for Dark Mode on day one and another gives developers a year and another never requires it at all, so what? If you really love Dark Mode you can decline to install apps from distributors who don't require it. Or just decline to install apps that don't have it, which you could do regardless of what any distributors allow.
I'm not sure what we're arguing about. I'm professionally involved in the field, I understand the risks when I press "download" or invoke a third-party script. I run things in temporary VMs. I only have Facebook, WhatsApp and Uber on my personal phone (those may be fraudulent, but on a whole other level).
General population is vulnerable to all sorts of malware and social engineering. I've personally witnessed people dear to me fall for the Clean you Mac javascript scams. That's why I'm pro-walled-garden, as I've expressed in the original response.
The original post was against the review process imposed by the platform owners. I wrote that while not perfect, it helps with security. Then there was one subjective statement on what I'd like for myself. I have limited knowledge of the language; I could have expressed that a little more clearly.
Nobody has yet said the words "lock-in device". Everybody moans about lock-in devices when it's convenient for them, but then they throw away the ability to use anything else by committing full-tilt to these mobile platforms where to install "unapproved" apps you have to literally hack your own device.
Apple and Google got rich doing what we would have lambasted Microsoft for, because our judgement is clouded by brands.
And yet Apple's walled garden is stronger and hasn't had anywhere near the malware problem that Google's has? I don't understand your point.
Privacy is where these companies' interests might not be aligned with users; when it comes to security, they very much are. It's just that for Google that's limited to their own services; they don't care so much when it comes to Android as a broader platform. But even then their interests are not not aligned with users. Just under-incentivized.
This used to be true. But both Google and Apple release badware numbers and independent analysts do as well. Badware rates are similar on both stores and have been for several years. Play used to be considerably worse than the Apple store, but that is no longer the case.
Being late to take security seriously has harmed google though, since this idea is now out there in the wild and keeps getting repeated regardless of the current evidence.
Of course it is of badware they know about. This is why 3rd party analyst reports are useful, since you get a second datapoint. This same issue is present for iOS too, so I don't see why it should lead us to believe that Play is worse.
Why are you shilling for AAPL shareholders? All megacorps are regulated by the same lack of rules other than maximizing their limited liability profits.
This kind of rhetoric has been popular in California at least since the 1970s and it has consistently played the same role, which has been to disguise reality. Bureaucracy is expanding because complex societies need complex bureaucracies. This isn't new. You can trace this far back in history. In some sense, the era of bureaucracy began around 3,300 BC when the first Pharaohs wanted to put up the first pyramids and found that they need hundreds of scribes to keep track of all the material, and payments for the material. And bureaucracy has gotten a lot bigger since that time. There are some totally legitimate criticisms that you can make about civilization, especially the way a complex civilization necessarily infringes on some of our basic rights, and the fact that there is a certain kind of inefficiency to bureaucracy. All the same, bureaucracy also has a kind of efficiency to it, especially when organizing things of immense scale. Lazy libertarianism is popular but it is not an accurate guide to the changes happening in our society or our economy.
The wording of the title is interesting - how it puts all the responsibility onto Play store and none of it onto the people actually developing the software.
We truly live in an age where the mass media demands that corporations censor and police everything we see and use.
I wonder when they'll start targeting Linux and Windows for allowing you to download and run malicious programs without any corporation approving them.
No worries Google fan. arstechnica is a paid Google "news" outlet. In the article, they downplay the damage and reach of the attack. If they titled it "Move along, nothing to see here" their ruse would be too obvious.
It's not the media, that's the stance Google themselves adopt with Google Play by acting as non-neutral gatekeepers.
Few people lack the intuitive understanding of the difference between free platforms and controlled ones. People don't blame Google Search for linking to Stormfront, but they would blame Facebook for hosting it. People don't blame Linux and Windows for allowing you to install malicious apps, because these allow you to install any apps.
>People don't blame Linux and Windows for allowing you to install malicious apps, because these allow you to install any apps.
Ah you've really put your finger on something there. The entire concept of an app store, gatekept through a series of hoops to jump through and from which the company takes n% of profit where n is some shockingly large percentage, is a highly costly departure from the traditional model of "obtain software from third party, install". The justification for this mafia-like intercession between vendor and customer has always been "for your protection". If they don't provide any protection, why do we tolerate this racket at all?
Google advertises their store has "Google Play Protect" which promises to ensure no malware in the apps you download from them. Of course Google is going to get the blame when they make promises like that.
Do you really expect it to say “Google Play Protect is infallible”? It’s obviously pitched as anti-malware and the fact that it’s not working is an issue despite them not saying it’s perfect.
Except this isn't the first time happening; Google Store was fulled with malware forever. The techies will of course say it doesn't mean anti-malware solution, while greater masses will say it's deff an anti-virus of some sort by looking at it.
> The wording of the title is interesting - how it puts all the responsibility onto Play store and none of it onto the people actually developing the software.
But this is how app stores advertise their only benefit over traditional sales channels.
Besides what other comments noted there is the problem that sometimes Google knowingly tolerates software incompatible with their AGBs and through this endangering the privacy of users.
There's no tinfoil hat needed. It's pretty common for people who get their feelings hurt to lash out against "the enemy" with whatever they have. It doesn't matter how old the news is when they can just post it again and people will upvote it like it's new.
And it doesn't even necessarily have anything to do with Apple themselves. They don't need to spearhead this movement because fanatics will defend them like this anyhow.
The same goes for Google fanatics, and every other kind out there.
I currently have F-Droid installed on my stock phone and Google did nothing to stop me other than a single "unknown app" warning.
Also, that's not how it works with browsers. You have one browser installed. I don't think I've ever seen windows or mac (or any linux distro I've tried) ask which browser should be installed. There's just the default one and the choice to install anything else.
They likely will eventually, but the browser verdict took a long time.
It's also unhelpful that many politicians have realised in retrospect that they quite like having single choke points that can be used to enact legislative control over the public.
It's emotionally difficult to find out about flaws in something you trust. I think humans really like black and white thinking, and crave association with people and institutions with blemish-free reputations. But the truth is that nothing and no-one is blemish free, especially if you zoom in on them enough. If you let it, then this truth can make you feel like you can't trust anything or anyone.
But its not true. You can trust. Although blemishes are universal, the scale of the blemishes are not. The key to trusting again in a world of flaws and faults is perspective. Is the flaw large or small? Does the agent accept it and want to fix it, or do they deny it exists (a much worse problem!)?
Everything has flaws, everyone makes mistakes, often people behave badly. That is never going to change. The thing we have to judge is whether the self-corrective systems in place are doing their jobs to acknowledge and repair the damage. IOW, making a mistake shouldn't determine trust, but failing to address the mistake should. One might call it "second-order trust". If you accept that, then the missing piece of this story is Google's response -- although they removed the offending malware from the Play Store, the journalist didn't apparently contact Google for anything else, like what steps they are taking (if any) to prevent this sort of thing from happening again. Ars didn't say anything about contacting Google, so I'd say that is an indication of lazy journalism, itself a sad but endemic problem in a world where we all have another false belief, that useful screens should be free (as in beer).
126 comments
[ 3.8 ms ] story [ 660 ms ] threadGoogle has become Apple except worse because at least Apple is reachable.
I now advise my friends to switch to Android if they want to see the app, there's a limit on what I can put with. These companies should just be broken up in pieces.
Apple also uses your GPS data to update its location service (for profit), and unlike Android offers no way to opt out — if you want to get your location on an iDevice, Apple will get it, too. If you want to do something crazy like write apps for your own device without having to reinstall weekly, you have to deanonymize yourself with payment.
I have no idea how Apple makes money by collecting location data.
The malware removes information off the device like the device’s name, country, and unique identifiers.
This part is complete conjecture.
According to Palo Alto Networks, it may also have the ability to push dialogue boxes to your iPhone or iPad’s screen. Theoretically, a bad guy could use one of these dialogues to steal your username and password or other personal information. The malware may also be able to open websites in your mobile browser, which could be used for a variety of malicious purposes again including phishing and installing other potentially malicious software.
Can you give us more details on this? Interested.
As far as I know there is not a way to opt out of this in (Googlified) Android. If you have Play Services installed (which you do, unless you've taken unreasonable steps to avoid it such as rooting and installing a 3rd party ROM), you get a dialog box popup whenever you enable location services which informs you that Google will be watching (it's framed as a consent dialog, but if you decline then location services will not be enabled). And you need location services even to use the GPS.
Also mobile payment will stop working, normally I wouldn't care about that but currently paying without touching anything is nice.
Then some apps you need for work might stop working.
Not even speaking about hounded of other apps.
The problem is to many app depend strongly on Google services which are not part of Android itself but shipped with every Google Android phone.
And to many institutions except you to either have a Google Android phone or a iPhone.
I could get away most of the time with a non Google Android phone but I will would need a second Google Android phone like 5 times a month or so.
But how do you replace FCM? I mean most apps which where not intentional distributed over alternate app stores will just try to send notification through it.
Also I'm not so sure how legal it is to side load a app which is only meant to be distributed over google play.
This is the part that's wrong. Unlike on iOS, you can use the location API directly on Android without Location Services enabled, and the Location Services get location updates API will fall back to using that if Location Services is disabled.
https://developer.android.com/reference/android/location/pac...
https://support.google.com/accounts/answer/3467281?hl=en
You're deemed to have agreed to this as a user based on the App Store Terms of Service.
Don't buy Apple's lies about privacy. It's just marketing.
Apple permits this behavior in the App Store.
Furthermore, IP address is coarse location even if you don’t grant the app permission, via GeoIP databases.
Long story short, Apple allows apps in the store to embed silent, nonconsensual spyware that you can’t disable.
From a legal perspective they are supposed to indicate as such in their terms and conditions, which you are supposed to read.
Furthermore, on iPhone you get a warning when an app abuses the location permission, unlike Android.
At least on iPhones you have per app control, on Android it's either "location on" or "location off"
Where did you get that notion? Location permission has been per-app since before Android launched. Even better, you can get your location without telling Google, unlike on iOS, which always tells Apple.
> Furthermore, on iPhone you get a warning when an app abuses the location permission, unlike Android.
If you're talking about https://www.cpomagazine.com/data-privacy/apples-new-ios-13-w..., this warning just covers a bug in iOS. Android already requires the app to request location permission to use any API that will allow the location to be inferred (e.g., Bluetooth and WiFi scanning). Therefore, no such warning is required on Android. The app already had to explicitly request location permission.
Apple makes the iOS SDK and writes all the app store policies. They could deny apps that embed third party location data mining/spying that is nonessential to the app’s functionality, just as they do that now for checkouts/payments of subscription services that don’t use App Store IAPs.
Apple has taken an aggressive stance regarding the curation (alternately, censorship) of the App Store. Everything that is or isn’t in it is “Apple’s fault”.
They let App Store apps spy and harvest data for shady data and location miner companies.
On Android you too have this featureset, though the settings app is very limited and also has the same problem as OP mentioned. Just look at whatsapp, constantly trying to launch all other facebook apps in the background (verify this with a freezing app).
On Android (or AOSP, Omni, Lineage and the like) you at least have fdroid as an alternative.
probably someone was just looking for any reason to get rid of this.
We learn this lesson again and again. People want someone to trust, but a bureaucracy isn't trustworthy. It has its own agenda and values inconsistent with yours. They take 30% from everybody whether they approve malware or not, and whether they reject legitimate apps or not.
Trust doesn't come from size. If you want someone to vet your apps, it has to be someone whose interests are actually aligned with yours, not just whoever is big enough to force everybody through the tollgate into their store.
> Let this be another nail in the coffin of the "walled garden" farce.
There is no coffin, the walled gardens are not dying, and have long since become the norm, which happened because the people found them to be better than the alternative: getting apps (and manually updating them) from many different sources of varying quality and convenience.
Walled garden only exists because mobile devices make self-install alternatives very difficult or impossible to get on purpose, otherwise they would not be able to compete in any ways.
Case in point, the Mac App Store and the Windows Store are both moderate failures despite a lot of technical & marketing push.
Like frogs cooking in water, macOS and Windows users will be eventually realize that all their apps are store based as well.
And for everything else they get Web apps, including AAA games.
Plenty to choose from.
The missing authority the user has over it is.
E.g. you can have no wallet gardens but still sandbox every single application (which btw. I would prefer).
The Mac App Store is not a failure from the user side, it's where users would look first. Nobody wants to have to go to different websites/repositories every N days to update all of their apps/drivers, or put up with spam from 10 different update notification mechanisms. I still remember that hell from barely 12 years ago. Why do you think gamers flocked to Steam?
As a developer, it's more of a failure of Apple's dismal documentation; I -want- my product to be a nicely sandboxed, well-behaved citizen that only accesses exactly just what it needs, but the state of macOS API documentation was too grim to learn how to do that the last time I tried (like "security bookmarks" and "file providers" from a relatively-simple Swift app).
---
[0]: https://formulae.brew.sh/cask/
Myself, I would never want to trust anything centralized.
So... major failure? Is that what's in between moderate and massive?
If so, I'd love to have a major failure. :)
How is that different from trusting multiple sources? You'd just be multiplying your concerns. Any of them could slip in some malware.
The only advantage I can think of is censorship resistance, or access to older versions and discontinued products.
The exposure is also not any worse when the people you trust are equally trustworthy. If you install ten apps from one distributor or ten apps from ten distributors and all of the distributors are equally trustworthy, the chance of an app you installed being approved even though it was malware is the same. It may even be lower because the distributors have to worry more about their reputations when there is competition.
And it also applies the other way. Right now they can reject apps that you want not because the apps are malicious but because they compete with the distributor's own. If there were five other trustworthy distributors then you could install it from any of them. So you could always get e-readers that compete with Amazon from Google, search apps that compete with Google from Microsoft, web browsers that compete with Apple from Mozilla and so on, no matter what kind of device you have.
Which applications did they want to install from outside sources? Which sources?
Where does something advertise itself as an iPhone app but not available on the App Store?
Sadly people in general can't be trusted to make good decisions because of lack of knowledge and preference of short term gratification over long term well-being.
It's very hard to get that interpretation even after re-reading the OP's comment.
And try not to conflate walled gardens with software repositories. The benefits of the latter are available without the wall. The wall is significant because it stops you making your own trust judgements.
You mean like open source developers?
Single point of failure.
> > Let this be another nail in the coffin of the "walled garden" farce.
> There is no coffin, the walled gardens are not dying, and have long since become the norm, which happened because the people found them to be better than the alternative: getting apps (and manually updating them) from many different sources of varying quality and convenience.
No. The people have no alternative. How many people are able to install F-Droid on theyr phone ?
No they haven't. Given a fair choice customers have opted for the alternative the vast majority of the time.
The walled garden models have only worked when companies have engaged in anti-competitive behaviour.
As in, Steam versus... Buying and downloading directly from the publishers' websites?
The Xbox and PlayStation stores? The Nintendo eShop?
Steam is the alternative where you get to choose where to install things from -- one of those places is Steam. Installing Steam doesn't prevent you from installing other software from the developer's website or the Linux package manager or Windows store or wherever you like.
These are not the only two options. What about multiple authorities, but not random individual developers? That's basically how it works with e.g. game stores on PC (though Steam is certainly the largest), or package repositories on Linux.
Like you, I like being able to trust an authority to vet the software I install rather than having to judge the trustworthiness of each individual developer, but I'm not a fan of there only being one authority by design (as it is on e.g. iOS). It introduces a single point of failure and gives that authority full control over all software on that platform - for better or worse. Many package managers specifically deal with the issue of consolidating updates to a single system while not relying on a single authority.
> Like you, I like being able to trust an authority to vet the software I install rather than having to judge the trustworthiness of each individual developer, but I'm not a fan of there only being one authority by design (as it is on e.g. iOS).
You can already do this on Android though. Samsung offers an individual app store for it's phones, and FDroid works on all phones.
If multiple authorities can sign apps, it sort of defeats the point and makes the sandboxing less trustworthy.
Right now, I can either: Rest assured that an app is sandboxed (via the App Store or macOS Notarization) or choose to let it run anyway (on macOS.) A dev could notarize their game (or not) and distribute it through Steam or the App Store, or both.
If Steam and GoG etc. could sign apps, then you're back to having multiple authorities of varying trustworthiness.
• Will third-parties have the same standards for checking if an app uses only the authorized APIs and gating privacy/resource access?
• What happens when Apple/Google introduce new OS APIs, will those third-party signing authorities update their standards at the same time?
• What if a third-party goes rogue and starts signing malicious apps? How and how soon will we know?
You get to choose who the third parties are, so choose ones who do. Some of them may even have higher standards than the platforms do.
> What happens when Apple/Google introduce new OS APIs, will those third-party signing authorities update their standards at the same time?
This was solved decades ago. You introduce new APIs with new operating system versions and provide development releases to developers ahead of time so they're ready by the time the new system is released to the general public.
> What if a third-party goes rogue and starts signing malicious apps? How and how soon will we know?
Presumably the same way you know when Google or Apple does it.
Even major companies still haven't implemented something as trivial as Dark Mode in all of their apps by now, I wouldn't count on them to keep up with more complex changes.
Google still hasn't implemented Picture-in-Picture on iPads. Others still don't support split-view multitasking. Both these features have been out for years.
The things you're listing are optional features. That doesn't require some kind of coordinated effort. If one distributor requires support for Dark Mode on day one and another gives developers a year and another never requires it at all, so what? If you really love Dark Mode you can decline to install apps from distributors who don't require it. Or just decline to install apps that don't have it, which you could do regardless of what any distributors allow.
I would strongly prefer having a free-for-all platform because I have some basic knowledge of information security. Most people don't.
https://www.theguardian.com/games/2018/aug/10/fortnite-on-an...
Back in the day would you have installed an app from a supposed trustworthy source like SourceForge?
https://www.information-age.com/hotbed-malware-another-blow-...
Or even further back, would you have trusted downloading software from CNet owned Download.com?
https://malware.wikia.org/wiki/Download.com
General population is vulnerable to all sorts of malware and social engineering. I've personally witnessed people dear to me fall for the Clean you Mac javascript scams. That's why I'm pro-walled-garden, as I've expressed in the original response.
That's why I'm pro-walled-garden, as I've expressed in the original response.
Jibe with this?
"I would strongly prefer having a free-for-all platform"
Apple and Google got rich doing what we would have lambasted Microsoft for, because our judgement is clouded by brands.
Privacy is where these companies' interests might not be aligned with users; when it comes to security, they very much are. It's just that for Google that's limited to their own services; they don't care so much when it comes to Android as a broader platform. But even then their interests are not not aligned with users. Just under-incentivized.
Being late to take security seriously has harmed google though, since this idea is now out there in the wild and keeps getting repeated regardless of the current evidence.
This kind of rhetoric has been popular in California at least since the 1970s and it has consistently played the same role, which has been to disguise reality. Bureaucracy is expanding because complex societies need complex bureaucracies. This isn't new. You can trace this far back in history. In some sense, the era of bureaucracy began around 3,300 BC when the first Pharaohs wanted to put up the first pyramids and found that they need hundreds of scribes to keep track of all the material, and payments for the material. And bureaucracy has gotten a lot bigger since that time. There are some totally legitimate criticisms that you can make about civilization, especially the way a complex civilization necessarily infringes on some of our basic rights, and the fact that there is a certain kind of inefficiency to bureaucracy. All the same, bureaucracy also has a kind of efficiency to it, especially when organizing things of immense scale. Lazy libertarianism is popular but it is not an accurate guide to the changes happening in our society or our economy.
We truly live in an age where the mass media demands that corporations censor and police everything we see and use.
I wonder when they'll start targeting Linux and Windows for allowing you to download and run malicious programs without any corporation approving them.
Few people lack the intuitive understanding of the difference between free platforms and controlled ones. People don't blame Google Search for linking to Stormfront, but they would blame Facebook for hosting it. People don't blame Linux and Windows for allowing you to install malicious apps, because these allow you to install any apps.
Ah you've really put your finger on something there. The entire concept of an app store, gatekept through a series of hoops to jump through and from which the company takes n% of profit where n is some shockingly large percentage, is a highly costly departure from the traditional model of "obtain software from third party, install". The justification for this mafia-like intercession between vendor and customer has always been "for your protection". If they don't provide any protection, why do we tolerate this racket at all?
But this is how app stores advertise their only benefit over traditional sales channels.
If I remember correctly TickTock was such a case.
And it doesn't even necessarily have anything to do with Apple themselves. They don't need to spearhead this movement because fanatics will defend them like this anyhow.
The same goes for Google fanatics, and every other kind out there.
Also, that's not how it works with browsers. You have one browser installed. I don't think I've ever seen windows or mac (or any linux distro I've tried) ask which browser should be installed. There's just the default one and the choice to install anything else.
It's also unhelpful that many politicians have realised in retrospect that they quite like having single choke points that can be used to enact legislative control over the public.
But its not true. You can trust. Although blemishes are universal, the scale of the blemishes are not. The key to trusting again in a world of flaws and faults is perspective. Is the flaw large or small? Does the agent accept it and want to fix it, or do they deny it exists (a much worse problem!)?
Everything has flaws, everyone makes mistakes, often people behave badly. That is never going to change. The thing we have to judge is whether the self-corrective systems in place are doing their jobs to acknowledge and repair the damage. IOW, making a mistake shouldn't determine trust, but failing to address the mistake should. One might call it "second-order trust". If you accept that, then the missing piece of this story is Google's response -- although they removed the offending malware from the Play Store, the journalist didn't apparently contact Google for anything else, like what steps they are taking (if any) to prevent this sort of thing from happening again. Ars didn't say anything about contacting Google, so I'd say that is an indication of lazy journalism, itself a sad but endemic problem in a world where we all have another false belief, that useful screens should be free (as in beer).