> Apple isn’t perfect. The App Store isn’t perfect. Developers aren’t perfect. The App Store review team isn’t perfect. Everything isn’t perfect.
This is key: because individual centralized actors are imperfect and even corruptible--whether due to intrinsic motivations or extrinsic application of force--it isn't acceptable to concentrate so much power onto them; in a talk I gave at Mozilla Privacy Lab a few years back, I covered a lot of these failure cases throughout our industry with real-world "this actually happened" examples, including (as this would of course be one of my focuses) looking at numerous ways in which Apple's App Store moderation has been the problem instead of the solution.
The Safari team is asking for feedback, after "Safari is the new IE"[1] is getting steam again as an idea. This idea that they want to do better is good, but your arguments really cut into the heart of it.
Even if Safari turns the ship around & decides to support fun & interesting new platform capabilities that make the web interesting, like WebMIDI, WebUSB, the mere fact that Safari is the gauntlet for innovation, that Apple & Apple alone gets to say what parts of the web will work, is highly poisonous to the web. iOS users having no choice, having a centralized actor now & forever gating progress is untennable, is wrong, prevents healthy emergence & discovery. However good they are today, they may drift tomorrow, and having no fallback, no options is a technocratic fascism that society should recognize as structurally sick.
just want to thank you for everything you've done for the iOS user community these last 15 years. I left the platform when Apple's success in fighting its own users became too much of a pain point, but before that your work helped enable developers to do some utterly fantastic stuff.
But as long as we have fairly effective enforcement of IP law, so that e.g. only the publisher of a popular video game can get away with distributing that video game to smartphone users, don't you still have largely the same issue with concentration of power? You still won't have different parties able to compete in how Fortnite is distributed. The publisher of Fortnite can choose how to distribute Fortnite, but that power is still concentrated with the publisher, and arguably even more concentrated since the publisher would not be subject to power from any particular app store.
A) We do not have effectively enforcement of IP law, and to the extent we do it is only because you already helped usher in a dystopia by centralizing power with entities such as Apple.
B) That laws are different in different places and that even in the US there are exemptions to laws should not be casually ignored by assuming one narrow interpretation of a set of laws as you have: Apple controlling the distribution model with cryptographic locks hard-codes in a subset of American IP preferences around the world.
C) Even if we ignore these details and take your argument at the face of it and accept that for "choose how to distribute Fortnite" you merely are deciding between one of two centralized actors, you seem to be carefully trying to perform not one but two sleight of hands on the moral discussion at play.
It isn't like Epic doesn't have legal control over how Fortnite is distributed regardless: if Epic doesn't like Apple's terms for their App Store in the current model, they can choose to just not give you the software at all. You are just hoping to play a super dangerous game by assigning a single negotiator between your community of users and Epic in order to try to convince them to develop their software differently, for which you are apparently willing to pay 36% more for your software (which means you must value it a lot: like, for whatever benefit you think Apple is getting you here you are willing to dig into your own pocketbook and pay multiple extra dollars you otherwise wouldn't have to pay on every purchase or subscription) and--and this is where the tradeoff is unacceptable and the subject of the following #2--give Apple a large amount of control over all software in all jurisdictions... control which they lie about the benefits of, which they have routinely abused, and which can and is take advantage of by external actors.
And really, that is the most important thing in all of this and what I'd hope you would appreciate if you watch my talk: by giving Apple control over all software on the App Store you give them the power to affect what kinds of software is allowed to be built by anyone anywhere while creating a centralized chokepoint for the enforcement of whatever rules that bad actors want (such as the inclusion of end-to-end encryption carbon-copy features in applications or whatever). Giving Epic control over the distribution of Fortnite can't usher in a dystopia.
X) BTW: note that Fortnite is attempting to be some kind of massive metaverse service with a centralized set of servers attempting to provide an ecosystem of content that they would then have centralized control over. If the issues with Apple weren't so dominating and glaringly dangerous today maybe we could be having an argument about whether what Epic is building is moral and whether laws need to exist to stop it (and instead force--either directly or indirectly--such technology to come into existence in a way that is itself decentralized).
> It isn't like Epic doesn't have legal control over how Fortnite is distributed regardless: if Epic doesn't like Apple's terms for their App Store in the current model, they can choose to just not give you the software at all. You are just hoping to play a super dangerous game by assigning a single negotiator between your community of users and Epic in order to try to convince them to develop their software differently
Not exactly. I'm hoping that at least one popular smartphone platform exists that exerts some leverage against software developers on behalf of users, so that users who value that feature can choose that platform. But it's also crucial for customers to be able to choose that platform (in this case, iPhone) for that reason, and to also have viable alternatives if they're not interested in this feature of a smartphone platform. I don't want Apple to do monopolistic things, and I absolutely wish there were more viable smartphone platforms, and I condemn Apple for the things it does to attempt to lock people in to the iPhone platform.
So you’re suggesting a blanket right to redistribution to all property? It feels pretty generally accepted (and non contentious) that the creator of a product has a monopoly on its distribution and can chose to distribute in as many or as few places as they like. Otherwise I’d be well within my rights to ask you to give me the contents of your hard drive at my convenience as you would not be permitted to control the distribution.
It turns out that with the current rules around monopoly rights of creators, many rights holders actually prefer to widely distribute, so I wouldn’t say that this makes it “even more concentrated” as the majority of content would be.
Some content will probably only be available in a first party store, but just the fact that there are competing stores is good for the consumer.
No, I absolutely did not suggest that. What I suggested is that the creator’s monopoly on distribution is inherent concentration of power and thus you don’t solve problems with concentrations of power if you force Apple to allow sideloading on iPhones.
If you want to sideload then buy an Android... they are even cheaper. It's not like they pulled the rug out from under you: you already knew you couldn't sideload when you bought the phone.
Its actually not that bad. A train is stuck on the tracks, only stops at stations. Owned by somebody else. A horse you can own yourself and go anywhere.
For the purposes of comparing a train to a horse in the above metaphor, you can swap in the horse for a personal automobile just as well. And maybe even swap the train for a bus while you're at it.
This is how the world works. I don't like the suburbs, yet people keep building them and I don't really have a choice to not live in them. If I go to the BMW dealership they won't sell my an off-road version of a BMW equivalent to a Jeep. If I go to Wal-Mart and I don't like their prices I can't make them go down, but I can take my business elsewhere.
I see this highlighted all the time. When people agree with how something works then there's no comment. When it doesn't work how they want they believe they're being forced into a novel love-it-or-leave-it scenario, when the reality is they are in those scenarios all the time (daily/hourly even) and support them as well. Don't believe me? Ok I want less battery life on the iPhone and for it to be cheaper. Now what? You'll say "cost is important to you there are cheaper alternatives like X, Y, and Z". Same song.
tl;dr yea just buy an Android phone if sideloading apps is the killer feature for you. If I want the best battery life or the best camera I can base my purchase decision off of those product features. Sideloading apps is no different. That's a fact. Jack.
That assumes that side-loading is the only feature you care about. I care about a lot of other things besides that, and I decided I will be switching platforms because of that.
Ok great! I think this is exactly how things should work. Apple doesn't provide this "feature" in place of other features that it does provide (Apple Pay, sign-in with Apple, etc.). Similarly I could buy a phone that is GoogleFi enabled if that was important to me. I could buy a phone with the most megapixels, or that folds. Each of these devices makes trade-offs that I don't like, so I buy the product with the feature mix that I want the most.
If side-loading is the only feature you care about, Android is for you. If it's one of many, you may have to make a trade off or pick between different mixes of features. This is just how the world works and always will work.
Right now we have a duopoly of mobile platforms, and both of them are hostile to hackers and power users. If the only options are a bad option (Apple) and a somehow even worse option (the latter being Android), that is not a market showing signs of healthy competition. Let's not pretend that power users have a champion here. They don't, and they haven't had one for a long time.
Is this really a suitable analogy? Horses seem pretty vastly inferior to trains in many objective metrics, at least as far as long-range transport for average people goes. I've always used iOS, and while I like it, I can't imagine that Android is so mind-blowingly behind, right? Maybe horses to bicycles would be a better comparison? Which seems like less of a problem.
I've had an android. My social interactions went way down because iPhone users refuse to download messaging apps and SMS is slow as molasses. Apple has locked me into iOS with a fucking messaging app.
Okay, then it's like arguing that a rail cartel is okay because people have cars, which are better in some ways, except for the ways they aren't - that is a mitigating factor, but doesn't make it okay.
>It's not like they pulled the rug out from under you
Situations and therefore opinions are allowed to change over time. I could argue they pulled the rug out from under me when they removed Fortnite from the store, or started blocking apps I want such as Stadia. It's not like it's advertised on the phone "Hey we'll remove any app from the store that we don't like".
My next phone will be an iPhone. I say this as a long-term Android user of over a decade. The Android platform has finally become too toxic and too user-hostile even for the likes of me. And that's quite a challenge.
If I'm gonna be ruled by an authoritarian mobile OS that constantly tries to "engage" me, I might as well go for a nicer one that still cares about UX and being less buggy.
Upgrade is one of the worst parts of Android. I had a Motorola that started with 5 and ended with 6. Custom ROMs got me up to 9 until it was stolen. It was not even a performance thing. If a few devs can hack a kernel, a company can do much more. I bought an iPhone 8 in 2019, and it is still working great today, running the latest OS.
This is less about consumers and more about developers. Many would want to reach iOS users with apps that are outright disallowed on the App Store, such as emulators, VM hypervisors or cloud gaming plattforms.
There is a bigger issue at play here that ties in these platform exclusive software stores with the right to repair movement. These companies have convinced the general public that buying their products only entitles you to have the priviledge of using their products.
This is all done using the excuse that they are curators that want to give you the best possible experience. It has worked wonders too because now we debate not with these companies and their hired help but with others who have been screwed over just like us but are thankful for the experience.
Honestly, speaking as someone who's pretty heavily invested in the Apple ecosystem, I'd like iOS to (be made to?) allow sideloading in order to keep Apple honest.
Assuming it works out the same as on Android, I very much doubt that sideloading would ever be mainstream or popular, but the existence of the option would serve as a constraint on how user/developer-hostile Apple can be.
(And I entirely agree with the article that Apple eliding over the entire internet-sales era of software is highly disingenuous...)
Being able to sideload is a double edged sword. Yes, it would be a barrier for Apple to go to far overboard on monetizing the ecosystem. It would also give companies like Microsoft a means of ONLY distributing their applications via their own app store forcing you to side load this app store with less oversight. Maybe they add a forced installer to push their apps ? It's not that I trust Apple that much. It's that I trust other companies like Google, Facebook, Microsoft and Amazon less.
One difference: Apple is far more developer-hostile (or end-user friendly depending on your perspective) than Google, so someone like Facebook would be heavily incentivized to open their own iOS App Store and tell their users they must install that app from their store, in order to bypass constraints Apple enforces via their store.
Why is that a problem, though? If we assume that the Facebook, Instagram, and Whatsapp apps all have some levels of good behavior and bad behavior, then we can probably assume that the "Meta App Store" would be similar. So what's the big deal if they require you to install it?
They could also just offer direct app downloads from facebook.com, instagram.com, etc.
So what? This feels like a nothingburger to me. Given how sideloading is a much less pleasant experience on even Android (and we can expect Apple to do worse), Facebook wouldn't leave the main App Store without an earth-shattering reason.
One would argue that the app stores provides a benefit to the consumer that would not be implemented anywhere else since these benefits are not lucrative. One example is the ability to cancel subscriptions from one source, App Privacy Reports, seeing when an app is reading from the clipboard etc.
And no, entitlements mean nothing without enforcement.
> One example is the ability to cancel subscriptions from one source
You pay 40% extra for that. The creator gets $100, Apple gets 40, you see $140 sticker price. It is a nice feature, but how many would pay 40% extra for that? And if many wanted to pay 40% extra for subscriptions to have them cancellable, I'm sure there would already be companies doing that.
Apple’s App Store has very strict privacy rules. Last year Apple implemented the App Tracking Transparency requirements, which Facebook says will cost them $10B in lost revenue this year [0]. If sideloading becomes a thing, I can definitely see Facebook requiring it in order to get around these privacy rules.
That's a dangerous gamble. The data tracking and privacy concerns aside, users are going to be mad at the additional friction that involves. They might get mad at Apple for making the enablement of sideloading an uneasy process (lots of disclaimers about how insecure it is, etc.), but they'll also get mad at Meta for pulling their apps off of the store for no discernible reason. Meta would have to offer more than the existing service they're getting from their current apps, to convince users to do this without losing goodwill.
Developers creates things users wants, developer hostile is ultimately being user hostile when you are large enough. Being developer hostile can create gains short term, but that is mostly when you are a fringe, when dominant parties starts being developer hostile it starts hurting everyone as the tech sector as a whole becomes less effective.
Developers create things users wants, of course, but they also create things they want. Things like user tracking or data harvesting.
There's an inherent trade off here where adding safeguards to protect users will make the life of developers more difficult. Balancing these two concerns is hard.
I find that Apple mostly strikes the balance right, and so I choose to be their customer. People who disagree have other options available on the market today.
I guess I just like my tech stack to be as open and unrestrictive as possible.
The argument that Apple provides more safeguards is a bit flimsy in my opinion. I honestly don't know what people think Apple is protecting them from, especially when Apple's own features have led to people being stalked (air tags).
Also, most iPhone users that I know tend to have bought their iPhone for cosmetic/style related reasons, or the camera. They don't seem to be all that privacy conscious, especially when their phone is loaded up with every social media app on the planet, including Tiktok!
> I guess I just like my tech stack to be as open and unrestrictive as possible.
Note that this is another area where you have this user vs. developer trade off.
- GPL or other copyleft licenses will put the user's rights above the developer's.
- MIT or BSD-style licenses will favor the developer rights above the end user's.
"open and unrestrictive as possible" is all relative depending on whether you are a user or a developer.
> The argument that Apple provides more safeguards is a bit flimsy in my opinion.
My point is that this is a market where people value different things.
I value the safeguards Apple is putting in. I find they do a better job at it than their competition. But I fully understand that other people do not think so, or that they value other things more.
What I don't particularly like is some of these people turning to the State to force Apple to do things differently.
One could imagine that if the platform was opened to side-loading, the first third party app store to gain popularity would not be one from Meta or Google, but an F-Droid analogue for FOSS hobbyists and purists.
If both iOS and Android allowed sideloading this would be a much more attractive option. As it stands something like that isn't really worth while because most high-value consumers of mobile apps use iOS.
As long as the iOS model exists, the sideload store model is only viable on Android, and vendors are forced to support the first-party store model anyway. If both ecosystems allow sideloading, you could easily imagine Microsoft or Epic switching to sideload-only and branding their own stores across Android and iOS. As it is now, if you can get something first-party on iOS but are forced to sideload on Android, it just makes the Android experience for Fortnite (or whatever) seem janky.
This is a good point, though the lack of auto-updates from non-Play stores on non-rooted phones does add enough friction to updating that e.g. Signal won't even distribute via f-droid because of update latency. At least that's my reading of Moxie's reasoning. It seems likely this would dissuade some companies from making their own app stores, though obviously not all.
Google's privacy requirements on the Play Store are a lot less developer-hostile than Apple's. I'm sure it has something to do with the fact that Android and the Play Store are owned by one of the data-harvesting tech giants that Apple's rules just so happen to impact.
I tend to agree with you. Side loading on iOS would be much more lucrative for, say, Facebook who reportedly just lost $200B due to Apple's privacy restrictions. They're likely more happy with Android's play store than Apple's.
I fail to see how that's an issue when other developers can make third-party clients if there's a significant demand for it. If Twitter/Facebook start forcing people to install their third-party store to access their app, then there's a massive opportunity to make a better app that's distributed through the App Store.
> If Twitter/Facebook start forcing people to install their third-party store to access their app, then there's a massive opportunity to make a better app that's distributed through the App Store.
Wouldn’t Twitter, Facebook etc in turn demand that those third-party apps be taken down from the App Store?
And even if they didn’t, how is any third party going to keep up with Twitter/Facebook/etc API changes.
And what about push notifications? Those would not work with a third-party app installed via the App Store unless Twitter/Facebook/etc explicitly made it so that they supported that on their end.
> Wouldn’t Twitter, Facebook etc in turn demand that those third-party apps be taken down from the App Store?
No? Why would they? Third-party clients are alive and well on the App Store today, and have been for years.
> And even if they didn’t, how is any third party going to keep up with Twitter/Facebook/etc API changes.
They've done a fine job of it so far.
> And what about push notifications? Those would not work with a third-party app installed via the App Store unless Twitter/Facebook/etc explicitly made it so that they supported that on their end.
It does? Check out Tweetbot or Apollo for Reddit. Both have push notifications that work fine.
They are not fully "alive and well". Twitter and Reddit have APIs because they are old enough to have made them back when it wasn't clear it would hurt their business. Can you imagine TikTok or even Instagram to add APIs to support third party clients?
Twitter has been gradually killing their APIs.[0] Reddit doesn't offer APIs for the newer features, like polls.
Apple has no incentive to let other companies get away with bad behavior. And so far, their own bad behavior has been much better than other companies.
This argument comes up a lot, and while I ultimately don't agree with it, I still am sympathetic to it and I do think it has a grain of truth embedded in it.
Here's a question though: isn't that also a reason for Apple to hobble web browsers? Everything you're saying about app security and developers refusing to follow Apples rules also applies to progressive web apps unless Apple commits to making its browser meaningfully less powerful than native apps, and (importantly) meaningfully less powerful in ways that Microsoft/Amazon/Facebook actually care about.
That means you've kind of got to commit to the idea that web apps on iOS never get notification support, they never get intent support with other apps or the ability to handle opening resources, they never get support for good background audio or timers/alarms, they never get reliable clientside storage for offline usage without accounts. It's not just that you can't do low-level complicated sensor/GPU stuff, Apple has to hobble browser capabilities that make it good for reading news or setting timers.
Is that a world you're comfortable with? I know a reasonable number of people on HN are comfortable with that idea, just because they don't want the web to have application capabilities in the first place. But a lot of other people bring up the web as an alternative to the app store (Apple itself is fond of making that argument), and it makes me think -- if the web ever is a viable alternative for good apps on iOS, then the situation you're worried about already exists, doesn't it? Instead of the NYT distributing a native app that you subscribe to with Apple's system that gives you easy cancellation, instead you would get a PWA reader app that you pin to your homescreen and you subscribe through their web interface. The only way that doesn't work is if the experience of reading the NYT and getting notifications about new articles and saving your account details is a worse experience inside of a browser.
If what you're describing about companies removing user choice or forcing users to accept worse alternatives -- if what you're describing is an inevitable result of any serious, alternative user-facing app platform on iOS, then the only way Apple avoids that situation with the web is if it consciously commits to Safari being perpetually behind on standards and perpetually systemically and deliberately made worse as an app platform. That could either be through making sure the browser always lacks features or it could be achieved through other UX designs like blocking PWAs from showing up in app lists, making them unreliable to install, blocking their installation entirely in some cases, etc...
Is that an outcome that Apple users are comfortable with?
I have push notifications disabled on my phone for (almost) literally every single app except my email client and Element/Signal.
I don't get why the web is special, push notifications in native apps are just as abused as they are on the web. Even built-in apps abuse them. We could just as easily make an argument that native apps should have them disabled as well.
But regardless, this kind of goes back to my point. Okay, let's say that every web app abuses push notifications. What we're saying is that we're not going to have progressive web apps. Any app that needs push notifications is going to be a native app, even if it's something as simple as a messaging client or a reader app.
There was a really strong movement around phone platforms a while back where people were asking, "why is this an app in the first place, why isn't this a website?" Well, you can't have that if you don't trust alternative app stores to some degree, because the answer is that any version of the web that is powerful enough to provide meaningful substitutes for native apps is an alternative app store that's outside of Apple's control/moderation.
There seems to be a thread of argument where the merits of Apple's App Store model aren't actually discussed or substantiated, but instead what is trotted out is the big scare tactic of "But Facebook!"
Apple is big enough to have network effect to effectively mandate even facebook et alia to play by its rules.
Put it behind 10 hidden menus inside settings and facebook will not be able to explain to your average user that they have to enable this shady looking setting to download facebook. They can of course choose to ignore half of the US market, but that’s hardly a sane decision.
,,Assuming it works out the same as on Android, I very much doubt that sideloading would ever be mainstream or popular''
I don't need sideloading often, but in those cases I really need it. As an example I'm in a part of Mexico where a local app is more used than Uber, but it's not in the Swiss app store that I'm registered in. I just sideloaded the app using the Huawei app store. I'm not sure what's the Apple way to solve these kinds of problems, as I don't have an iPhone.
Apple's solution is to suck it up and deal without. Personally I agree with you, escape hatches are essential. See also, emulators and torrent remote apps.
I'm using uTorrnet for that on Google store, don't need side loading for that...but it's missing on my iPad pro. Also I didn't want to mention adult apps that are all sideloaded.
I thought this was interesting point, way near the end:
"Even if Apple allowed sideloading, I don’t trust Apple to come up with an elegant solution, though. They will put every warning they can to discourage users from sideloading applications. It could make the user experience miserable, worse than it is on macOS. Why? Money is at stake here. A lot of money, actually. Because Apple seems to be run by lawyers and greedy people, we can expect everything."
This is exactly what I (selfishly) want Apple to do. I don’t want Facebook, Google, and co. to require sideloading in order to get around Apple’s privacy rules, but I do want to be able to run emulators without paying $99/year.
Yeah, it sounds like the best case scenario to me. It would let us hobbyists and tinkerers have our fun while still effectively forcing Google and Facebook to obey Apple's strict privacy rules.
I don't know why apple don't just allow third-party app stores but with requirements like the new app store needs to provide the push messaging, with the seriously large investment that would require?
They could then warn users their battery life would be worse, cos 2 persistent connections, and make it scary. Meanwhile I, as an Android user would happily take up the offer.
Push messaging isn't really that hard. Sure, one connection per device adds up, and you've got to manage the queue of messages, and authenticating devices, etc.
The hidden challenge is tracking connection tracking timeouts in stateful firewalls and NAT gateways, so you can keep connections alive with the minimun of data exchanged. This is like if ISP A has a clean network, you only need to ping once an hour, but any packet sent will be recieved without delay; but ISP B needs a ping every 60 seconds or further packets will be dropped without notification. This isn't that hard either.
Bandwidth of push messaging is nothing compared to app downloads, and probably more of the effort would be on attracting quality applications and vetting applications and maintaining business relationships.
All that said, Google lets non-play apps use Google push, as long as the phone has play services, not sure why Apple would do it differently.
> I don’t want Facebook, Google, and co. to require sideloading in order to get around Apple’s privacy rules, but I do want to be able to run emulators without paying $99/year.
Cannot have it both ways. If it will be possible, FB will use it, and write a detailed sideload instructions.
Yeah I'm fine with apple doing this as long as they don't give in to the temptation to removing sandboxing and moving to ad revenue as primary revenue source (aka google). Soon as they do that I know the dream is over :)
really, if they want to monetize sideloading apps, just do what Microsoft did with their xbox consoles by requiring a small, one-time-purchase additional fee to allow sideloading.
The vast majoring of apps I use on Android come from the Play Store. I've sideloaded maybe five or six apps on Android since the T-Mobile G1. It's not something I keep in the back of my mind. But when I find an app I can only sideload, I really want to do it, and I would be really annoyed if I couldn't use my hardware the way I wanted.
I've said this repeatedly, but what I'd like would be a buy-time option to "enable sideloading" (specifically, to enable the hardware owner to add their own signing certificate to the root keystore, iOS would still enforce full normal trust chaining and such except that Apple wouldn't be the only valid root). Because I think not have sideloading is actively valuable in many cases too and thus should itself remain an option (and probably the default) for purchaser. Leaving the power with Apple has obvious downsides, but it also has upsides in terms of pooling negotiating power of users vs powerful developers and entirely eliminating a large class of possible social engineering attacks. The reason Apple has been able to enforce privacy protections vs Facebook for a current example is that there is no sideloading. Period. Facebook is a powerful enough entity vs its users[products] that if they could demand that users sideload the "Facebook store" and then run root from there they could get a sufficient mass to do so that they could then afford to ignore Apple and do an end run. Can see the same thing play out with stuff like Zoom, Dropbox etc: on iOS all these are applications in the App Store and must abide by all the privacy, disclosure, and so on rules. On the Mac, they demand their own clients which get a lot more powers.
Of course, the MAS is a pile of shit, Apple has utterly fucked up on basic great software business things like "upgrade pricing", and there are lots of examples of fantastic decent small/med size software devs doing their own Mac software same as always. Apple certainly has perverse incentives they have abused, primarily around service integration (can't aim backups at any storage provider for example). Also, it all breaks down when there is an entity MORE powerful than Apple like a major government. Then Apple becomes a single point of failure for censorship and control, and indeed that ties right back into the former. We don't have E2EE encrypted wireless backups for iDevices because of Apple caving to "security" agencies.
But still, it cuts both ways and I really appreciate that less technical (but still very smart!) users, including vulnerable members of my own family and friends, can have a platform in iOS which has much stronger guardrails that they cannot physically be talked into bypassing. I think giving those who ask for hardware, software, or both root cert access that access is enough of a release valve (these are probably all the same people who would jailbreak which is much worse) to help check Apple and bypass the big failing points while still accommodating the hundreds of millions of users whose threat models involve worse from other corporations. And it'd help nudge Apple's incentives in a good direction even for those staying fully within the walled garden by making them balance a bit on keeping them there.
Mostly agree. Rather than a buy-time setting though, I think it should work like Chromebook dev mode. Put the option in the settings, but require a device reset/wipe to activate it. Then while the dev is in this mode show a message on every boot.
>Put the option in the settings, but require a device reset/wipe to activate it.
Hrm. I don't think that actually would be as effective on iOS, reset/wipe is essentially setting up a new phone or a recovery procedure that is meant to be quite easy and near fully automated if time consuming. Which means the bar to social engineering is either very low because it follows the existing workflow and restores from backup ("click this before going to bed that's it"), or if it wouldn't allow restoring a non-root backup to a root device then it really screws the utility for all of us who want root ownership over our normal hardware (me included). This would not at all be a "dev mode" after all, it'd be a more normal Windows/Mac/Linux/BSD use mode including for people who never intend to ever write a single piece of software but do want stuff that Apple doesn't allow/enable.
I think the easy data restore is actually a good feature here. The security concern with sideloading is the potential for social engineering. Having iOS display a “Are you sure you want to enable sideloading? Doing this will delete all data on your iPhone.” sounds like it’d be a good deterrent to non-technical users. They’d be worried about deleting their pictures and chat history. More knowledgeable users would know about the data restore functionality and proceed after pulling any local-only data off their device.
These kinds of monopolistic practically unavoidable parts of our lives should have been regulated long ago already. I'm afraid given the existing political climates and tech lobbies that they will still just circle around the problems though.
The odd thing about this article is that it seems like the author is conceding to removing all restrictions on third-party software being installed on the iPhone because Apple is not currently restrictive enough on what third-party software makes it into their App Store.
I suppose I can understand the appeal of that argument, since it does resolve apparent hypocrisy and lying in Apple's statements about its policies, but crucially this argument doesn't actually address whether allowing sideloading will be good for users, despite the author indicating that they think it will be ("Until today, I thought forbidding applications sideloading on the iPhone was good for users. But…").
All the arguments that preventing sideloading protects users still apply, and haven't actually been addressed in this article.
> All the arguments that preventing sideloading protects users still apply, and haven't actually been addressed in this article.
I'd say the main argument of the article is that the situation with the App Store in actual reality is so far from ideal that arguments about what happens in an ideal situation are irrelevant.
And I'd go further and say that the ideal state is unachievable by any centralized entity, no matter how much energy, money or time it spends on the problem. Therefore we must embrace decentralized discovery and safety, and we're deluding ourselves otherwise.
There is no technical reason that Apple cannot maintain the exact same review processes that they have today, or even more stringent ones (that’d actually be good), BUT instead of then putting the app in the AppStore, they simply sign it with with the AppleBlessed(TM) key, and give the binary back to the developer.
Whatever might happen to that binary between Apple signing it, and the iOS installer getting hold of it DOES NOT MATTER — if the signature is still good, then it’s no worse off than if it was put in the AppStore.
Sure, but it illustrates that Apple's argument that "it would weaken security" is rubbish. It is technically possible to allow side-loading with exactly the same security as provided by the AppStore, if they simply used a signature to indicate that an app had passed review.
It would still use the same sandpit, still use the same permissions system, still able to be disabled by Apple, etc, etc.
Without the argument that "it's less secure", it becomes obvious that the only motivation is commercial.
But then what would be the point if the "anticompetitive" measures are still there? If Apple can still get the final say, they can still refuse to sign any IPA for any reason.
The point is sideloading vs app store isn't a function of security like Apple constantly touts. The point is not that this method in particular answers all possible problems one could have with the lack of side-loading or that this is necessarily the actual method that should be the one implemented.
Uh, the whole point of code signing is a checksum — it's valid only for an exact match to the original executable that got signed. If it changes, the checksum and code signing become invalid.
Code-signing, performed by the developer, means the application can be checked for corruption (and to a degree, that the developer has an ok status with Apple).
But it doesn't indicate that the application has undergone Apple's review process. For that, you'd need a separate signature, signed by an Apple-owned private key rather than a developer key.
I'm not actually advocating this, just pointing out that it would provide the same security as the review process does now, without the need to download apps only from the AppStore. And so ... Apple's "but the security" argument is rubbish.
I'm so utterly torn on this. I want sideloading for my own purposes, like installing classes of apps Apple would never approve (such as a real Unix shell with native code compilers). On the other hand, I absolutely don't want my older relatives to be able to install stuff from wherever. I just know I'll have a Thanksgiving conversation like "hey, could you look at my phone? It's been getting hot after Microsoft called and helped me install the new antivirus."
I don't have an answer for this. I'm all for people being able to get around the garden walls. I just hope and pray that no one in my "you use computers so you're my de facto tech support" circles does it.
I tend to think the issue is, in fact, security. If Apple (or Google or anyone) had a truly secure phone, then there should be no need for curation of apps. But our devices are full of zero-day exploits and dangerous "private APIs." I think the next generation (as in 20 years from today) of devices will embrace a secure-by-default mindset and thus not make users choose between the nanny-state and the wild west.
I think GP is fair when they don't want to support crazy sideloaded app land. We all live by the same rules, and I also would like to be able to install anything, but supporting my family is super hard as it is. It's about removing land mines, not trying to prevent people from doing what they want. I've had three separate relatives get their accounts hacked in the last month. Think of what an unbridled app store full of scammy apps is capable of, and then think about trying to support non-technical people through that.
My parents are tech illiterate, and very scared of being scammed. When I mention like “you can listen to any song you like, amongst millions” because I set up family sharing on their iphones, and ask them to use Apple Music they ask what does it look like. I then send them screenshots of my screen where I point out what Apple Music app icon looks like. Then in a few weeks I have a video call with them where I walk them through the interface.
I. I do want to be able restrict what they can install on their phones and it gives me a small peace of mind that nothing they install would outright steal their bank app’s credentials or all their passwords.
If they have an expectation of me spending time to maintain, cleanup, and update their devices, yes I would like to have some say in minimizing the problems they can create.
And in the same way you can use website blockers to prevent them from accessing phishing sites, or give limited user accounts on a computer, iOS has parental control rules you can setup. It already has a feature to prevent installing (and deleting) apps.
My buddy's a general contractor. He's helped me fix things around the house. If I called him because my front door won't close, and he arrives to find I've taken a chainsaw to it, he's going to chew me out. It's not fascism for him to tell me "don't carve up your house if you expect me to fix it".
Sure, but would you be happy with your buddy installing special limiting power plugs in your home which prevents you from ever powering any technical tool ? That's exactly what is happening here.
Agreed. And I think the article's point about whether or not Apple's store is safe or not is moot. The question really is, how much worse would it be if they weren't there. I'll take a good attempt at safety over the wild west. If you removed the protections today, how much faster do you think the average user would get pwn'd by a rogue app? Because at some point we all will; security isn't black and white. The walled garden has big problems, but the other side of the wall is way uglier.
If iOS was open like traditional computers, its impossible to guess what creative, bright young people could do with it. Instead, it's locked down and we know precisely what they can do: consume.
The appstore does jackshit regarding security. The reason ios is stable and not virus-ridden is the sandbox, which would work exactly the same way with or without apple’s forced filtering of apps.
This. We forget what J2ME was like with all the scamware and billing shit that went down for the better part of a decade. The App Store basically wiped it out in one fell swoop. Sure you couldn't install something you wanted without Apple's involvement but for a certain class of people that's a feature not a bug. I don't think I want the J2ME days back. Even if I could install Dolphin on an iPad without having to go through facacta enterprise certificate bullshit.
> I just know I'll have a Thanksgiving conversation like "hey, could you look at my phone? It's been getting hot after Microsoft called and helped me install the new antivirus."
Why do we pretend that social engineering scams don't exist outside of installing anti-viruses? There are thousands of vectors of attack, many of which can and have been done on iPhones (bank accounts, gift card scams etc.)
The solution to this problem is EDUCATION, not letting companies monopolize a market just because we're too scared and stupid as a society to teach the elderly and vulnerable about security and privacy.
I wouldn't call teens tech-savvy if all they do is click on apps all day, and I doubt any of them have been educated about computer security or vectors of attack at all. Ask them how to update their firewall to prevent attacks on newly installed App X, and you'll get blank stares. Hell, many young people have no idea what files and folders are[1].
I was reviewing a computer class curriculum for a younger cousin who is in high school. All they're doing is learning how to format documents and use spreadsheets. Being able to use an office app suite does not equal being tech-savvy or being educated about computer security.
> …I doubt any of them have been educated about computer security or vectors of attack at all.
My kids (who go to a public school) have received what I consider thorough instruction on avoiding online scams and other kinds of danger. It sounds like YMMV, unfortunately.
But the main takeaway is that education doesn't make people scam-proof. The link at https://www.bbbmarketplacetrust.org/story/39089233/research isn't working as I type this, but Cracking the Invulnerability Illusion: Stereotypes, Optimism Bias, and the Way Forward for Marketplace Scam Education is a really interesting research paper on this. (I've pinged the author and will post a working link when she responds.)
> Why do we pretend that social engineering scams don't exist outside of installing anti-viruses?
That's was an example, but only an except. I think equally plausible is "my bank called and told me my app was broken and that I needed to redownload it. I tried logging into the new app with my bank username and password, but it didn't work. What's wrong with my phone?" Now, Apple doesn't have a perfect track record for catching and blocking these things. Their security controls are definitely better than not having them, though.
> The solution to this problem is EDUCATION
No, no, no. One of the things drilled into your head at security engineering and management conferences is not to ever trust the human factor. Education is a good thing to have in addition to all your other controls, but is a terrible first line of defense. People make terrible choices all the time. Maybe they're sick, or they've had a drink or three, or they're worried about something that happened at work, etc. etc. etc. Even smart people who've completed security training still make dumb mistakes.
> "my bank called and told me my app was broken and that I needed to redownload it..."
This problem isn't solved by the centralized App Store--even if it were good at blocking any app with functionality that would let it be used as a scam (which it is not)--as it is just as if not even easier to tell the person "your app is broken and you will need to use our website" and then give them the wrong URL.
Like, I don't understand what you are trying to accomplish here: you think your elderly parents are going to go through a number of steps to install software via a different process but won't go to a website? I bet going to a website would even be a prerequisite to sideloading, so why would the attacker bother adding even more steps?
You are thereby helping Apple do something bad for both society and large numbers of other people and you didn't even manage to get the one thing you wanted out of it :(.
If EDUCATION was a solution to things then people wouldn't be patching trivial buffer overflows every other week... (I'm pretty sure the first thing they teach you in C about arrays and malloc is you don't access memory outside the specified bounds.)
I don't like the grandma analogy, some old people are really smart with computers. But in general, if you're in that situation with someone where you're worried that they'll get scammed if you leave them alone for a second, at some point you need to ask whether they should have access to an app store at all.
How many apps per week does your grandma need to install? It would be better if you set her up a phone with the apps she wants, and then disabled all app installation.
Because if someone is in that position, the unfortunate reality is that the official app store isn't safe either. The article gets into this in more detail, but there's enough malware on the official Apple Store to make it dangerous to randomly install apps. There are apps where their whole design is to set you up with big subscriptions in the background that you don't notice, there are malware apps that slip through Apple's review process, there are phishing apps.
Really, you should install the apps your grandma needs, and if she needs more later, then she can ask you about them (or someone else who's an expert). I think people look at the Apple Store as if it's perfectly safe and that opening it up would suddenly let in malware for the first time. But while the Apple Store might have comparatively less malware than Android, that's not the same thing as being perfectly safe, and it doesn't mean you can let a young kid or a naive adult go wild on it and install whatever they want. That's a recipe for disaster.
I've set people up on Linux and had zero support calls or malware problems with them, not because Linux has good security or perfectly curated software sources, and not because there aren't dangerous ways to get malware on a command line, but because they don't open the command line in the first place. Some people are safer and thrive in a computing environment that's set up to do the things they want and that doesn't change after that point -- but I don't think that has much of anything to do with alternative app stores, that's really a question of whether app stores should be allowed at all for those people.
It’s not really an analogy but rather an emotive generalisation to mean ‘technically illiterate loved one’. Grandma might not use the App Store, but what about siblings, parents, nieces and nephews?
Do you monitor her web browser usage to prevent her from going to phishing sites that can steal her life savings? Or do you use features to block such sites?
No one says iOS can't implement similar parental controls for sideloading; they already have parental controls to prevent installing any new apps. Or add a similar phishing prevention systems like Google and Firefox has.
My mom gave birth to me and raised me, and I was a pain in the ass plenty of times. If she wants me to fix her iPad, I'm gonna fix the lady's iPad. It's not my favorite thing in the world to be doing, but she took care of me as a baby. I'm not going to begrudge her that.
I do favors for my friends and family, and vice versa: they help me, and I help them. That doesn't mean I can't dread them going to great lengths to make it harder for me to do so.
One is a privilege escalation, the other is just buying a fake rolex that you thought was real. Except that the rolex costs less than the cost of a hamburger.
People falling for these scams can’t remember ctrl+c after explaining it to them for the 1000th time, they won’t suddenly follow detailed instructions on how to enable this deliberately hidden setting put behind 3 warnings.
So many good solutions to this: require a physical switch to be toggled to enable developer mode. Only allow for this if you provision a developer profile onto the device. Register your account with Apple as a developer and manage which devices allow side loading from their web dashboard. Go to an Apple Store and enable this mode there. Buy a developer edition phone that has this feature enabled.
All of this is already possible if you have an Apple developer account. You just need to re-sign the .app bundle with your own key and you can deploy it from Xcode to your phone. Ok, maybe you need to change the bundle ID too, otherwise it will complain that it's already registered with a different developer account, but that's fine.
iOS developers are sideloading their apps hundreds of times each day...
But it's a time bomb when you do that, your app'll expire and stop working after a short while. My dev friends who've never used an iPhone think I joke when I tell them that.
That's only true for free developer accounts. If you pay the $99 dollar fee for a proper developer account, your apps' signatures won't expiry that quickly.
Google must be pretty lax then. I bought a Google Play license in 2013, and proceeded to upload a handful of shitty apps that have all been auto-removed at this point. My dev account still works just fine, so ymmv.
I've had one for ~8 years now I think and never have? I just use it to get early access to betas and such. Which is a valid use case, if you have internal software you want to test or something.
> iOS developers are sideloading their apps hundreds of times each day…
Exactly. Want to sideload MAME? It's not a big deal. Go to https://github.com/yoshisuga/MAME4iOS and follow the "Building / Installation / Sideloading" instructions.
The instructions could be clearer but if you have access to the compiled binary there are tools for windows/Linux that will sign the binaries using your apple account (altsigner and cydia impacter are two that spring to mind for windows).
Compiling source on anything other than MacOS (at least was - not looked into it in a while) a PITA.
The point remains. Having to jump through a bunch of hoops is the opposite of user-friendly.
And to take the argument more broadly: how many of us here on HN became interested in computing because they screwed around on their PC as a child? What about today's children, who get a smartphone, a tablet and maybe a Chromebook? What are we teaching them?
Oh, I completely agree, I was just pointing out you don't need MacOS to sign and install the binary.
I am for hassle-free side loading on every platform (Even on games consoles). I also dislike how most smartphones and tablets have become "Internet consumption devices".
> Register your account with Apple as a developer and manage which devices allow side loading from their web dashboard.
I'd still put that as a bad solution. It is necessary but not sufficient for the owner of a device to be be able to run arbitrary code. It also must be the case that nobody can prevent the owner from running arbitrary code on their own device. The infrastructure required for Apple to be the intermediate for enabling such a feature would mean that Apple could also block the authorization from going through.
In effect, Apple must not be in a position to perform a man in the middle attack between an owner and the owner's device.
You're the walled garden now. You say, 'if you do anything I didnt tell you to do, you are on your own' and stick to it. Like children, consistency is key.
Your iPhone cannot get hot because of protections built into the platform. Apps are heavily restricted in the damage they can do (and the runtime they can have). No app can render your phone unusable unless it exploits these protections.
The real thing keeping people safe is the operating system itself. The App Store is just a revocation mechanism for when something defeats those platform protections. That is what Developer ID is about on macOS: a revocation mechanism, only activated when platform security is breached.
People think that sideloading means Apple can’t scan for malware… Apple signs every single notarized binary
Of course – Apple's App Store policies go beyond security, which is why it is critical for different stores with different policies to be able to compete. Its role in the threat model, though, is limited to automatic scanning and revocation.
That is also to say that if Apple does open up the platform to alternate stores, I imagine they will still control the security portion.
Well, the real and underlying problem causing this is that they have the final say on what operating systems can run on iPhones. They don't do this for Macs.
Ultimately, though, someone needs to maintain a database of malware. When this malware is attacking the platform, it kinda makes sense for the platform maintainer to maintain the database. Microsoft maintains the Defender database, which does have false positives, and we thank them for it. If you want to override it, you can. Notarization works the same way on macOS.
That said, the neutrality of the database (malware only!), and the ability to override it are both key components.
I like the way android gates access to developer mode.
You have to go through the settings and find your build number, then tap it 7 times. Super easy for someone knowledgeable to intentionally do, but basically impossible for someone to do accidentally / get tricked into.
And even you try to trick someone to. It is not necessary that there build number are on the same place as your phone.
Android manufacturers for some unknown reason always reorder/rename their setting menu randomly. And I seldom see any phone that have exact the same setting menu from different oem.
I'm glad I found this comment because the ones above are filled with the gibberings of neurotic control freaks.
I'm scared that some of these people won't let their relatives answer the front door unless they are present, lest a man with a clipboard empty their savings account.
It’s important to remember that we are not necessarily talking about going back to the broken old Windows model, where any app could do anything as long as you entered the admin password.
Today, iOS has a strong sandbox where apps can’t access data of other apps unless explicit permission is granted (eg. access your location/contacts/photos), and apps can’t access or modify system files at all.
Also consider that sideloaded apps does not mean allowing unvetted apps - Apple could still mandate macOS-style app notarization to prevent malware:
> Notarization is a malware scanning service provided by Apple. Developers who want to distribute apps for macOS outside the App Store submit their apps for scanning as part of the distribution process. Apple scans this software for known malware and, if none is found, issues a Notarization ticket. Typically, developers staple this ticket to their app so Gatekeeper can verify and launch the app, even offline.
> Apple can also issue a revocation ticket for apps known to be malicious—even if they’ve been previously notarized. macOS regularly checks for new revocation tickets so that Gatekeeper has the latest information and can block launch of such files. This process can very quickly block malicious apps because updates happen in the background much more frequently than even the background updates that push new XProtect signatures. In addition, this protection can be applied to both apps that have been previously and those that haven’t.
It’s important to remember that we are not necessarily talking about going back to the broken old Windows model, where any app could do anything as long as you entered the admin password.
> Today, iOS has a strong sandbox where apps can’t access data of other apps unless explicit permission is granted
That absolutely destroys interoperability, and is not a good thing. If the program that generated a file must give permission for it to be accessed, then a proprietary program can prevent interoperability simply by not actively enabling it.
Passing information between programs must be in the control of the user, not a program.
There is absolutely no productivity program for iOS that doesn’t let you save files to any service registered as a File Provider. A save dialog pops up and you can save to iCloud, Dropbox, Google Drive, Box or your local device. You decide whether another app has access to your files.
Actually android do exact the same thing these days.
So you sometimes see 'XXX app want to access your photos', or a file explore to select which directory you grant for app to access.
There used to be a loop hole that any app can read sd card.
But it is also sealed since android 10. Now every app see different rootfs.
> then a proprietary program can prevent interoperability simply by not actively enabling it
These doesn't really matter, a proprietary program can always break interoperability as long as they want. Did you see the old ms word .doc format? Even other version of ms word can't read it correctly, let alone any third party programs.
Have you heard of a little “reputable” company called Zoom that surreptitiously put a web server on Macs so even when you did remove the app it redownloaded it? You can’t trust developers to do the right thing. I install all kind of random crap on my iPhone since I know they can’t do too much damage. I’m very careful what I install on my computer.
This is what I mean. What you’re describing can happen on the Mac because the sandbox isn’t always enforced, and you can also escalate an app’s privileges to full “root" capabilities if you enter an admin password during an installation.
On iOS this can’t happen, regardless of whether an app was downloaded from the App Store or elsewhere.
> On the other hand, I absolutely don't want my older relatives to be able to install stuff from wherever.
It isn't 2002 anymore, systems have been hardened since the Windows XP days.
Would you feel the same way about handing your older relatives a Mac in 2022? They'd be able to install stuff from wherever on Mac.
I have tons of older relatives using Macs and Windows computers, and the days of Bonzi Buddy and 20 addon toolbars for IE are over. Some of them even have Android phones where sideloading has been a thing for over a decade, and the sideloading apocalypse bringing hordes of malware has yet to occur.
Truthfully, I believe your worry doesn't apply in our current computing era.
> Would you feel the same way about handing your older relatives a Mac in 2022?
I absolutely feel this way about my grandparents and their Mac Mini. They've fallen victim to a few scams involving software installation that would have been much harder to pull off on iOS.
The stuff I’m talking about is, for example, a virus alert popup that downloads ransomware. There is nothing remotely comparable in the App Store, though I have no doubt there’s a vibrant and thriving scam economy on iOS. I’m just saying, the moderation does have some upsides for some people, even if it’s not perfectly applied, and even though it doesn’t align with my personal ideals for software.
>I want sideloading for my own purposes... On the other hand, I absolutely don't want my older relatives to be able to install stuff from wherever.
The Mac preference pane included in the article implements this. My parents aren't going to change that setting unless I tell them to which I won't.
And don't be ageist: my pre teen kid wouldn't either, having already rendered his computer unusable a couple of times in other ways. Once he became a bit older things were different, but by then it didn't matter to me and wasn't really any of my business.
It has been a common thing on Android and I don't really see Android users having a worse experience. The average user is conditioned to using the app/play store.
If you don't know what is sideloading. Without toggle the hidden browser setting, open a apk in browser will just say `the app can't be installed correctly`.
If you know, you just know you need to open the info of browser, and toggle the __Allow this app to sideload other apps__ option.
> such as a real Unix shell with native code compilers
??? macOS does have a real Unix shell. It’s called zsh. And it’s not that hard to get whatever compilers you want.
Shells are not the entire UNIX environment, they’re just one part of it. (And I don’t think you meant it this way, but please don’t say it’s not a “Unix shell” because it doesn’t have GNU extensions.)
I was talking about iOS/iPadOS. If I had a shell on my iPad half as good as the one on my Mac, I’d be using all the time. The current options like iSH and a-Shell are great for what they are, but are very limited compared to the real thing. Blink is an amazing SSH/mosh client that I use daily, but sometimes I’m offline and wish I could run stuff locally.
From other comments it sounds like a free developer account expires builds after a few days. Otherwise you have to pay $100/yr for the privilege. That's a lot of money to run an open source emulator.
Any argument that starts with the Mac entirely misses the point on why iOS is different and why it is more important than ever to protect users on that platform. The userbase of each of those respective products is so different that you can't just take a feature from one and say it makes sense on the other. It's especially arrogant to say that to the company that makes both of them. You can say "gee it would be neat if this thing you did over here could be brought here", but you can't really fight tooth and nail that the company is WRONG to not do it.
No one is putting their mac in their pocket and going everywhere with it. People use their device in different way. And people behaviors are a big part in security models.
Exactly. And the people who don't see this are those with an engineering-like mind that just these as computers with parts and their own relationship to the device. And perhaps for that group there should be another product on the market that satisfies those needs. I think Google wanted Android to be that, but as we all know, as they scale to serve the same addressable market as Apple, the device becomes more Apple like and locked down. There isn't really much that can be done.
I wouldn't even care about side loading if they finally would drop their browser engine requirement for other browsers. I want to use the real Firefox with all of it's sweet addons on iOS and then I'm completely happy. Hell, let people use Chrome. They can even disallow it for non-browser apps.
I think they could make that case, and I'd also love real Firefox, but if that happens it basically removes the last thing keeping “the web” from not meaning “whatever the Chrome developers choose”. There's approximately a 0% chance that all Google properties wouldn't start heavily pushing you to use Chrome or mysteriously developing odd performance or reliability issues in Safari.
Yeah, sure, on some theoretical level sideloading should be a user's right. But we all know what will happen. The only way to install essential platform apps like Facebook, Microsoft Teams, Zoom, etc. will be through the vendors themselves, bypassing all of Apple's privacy protections. In the end this will be a net negative for the user.
I'm not convinced that those tech giants would be able to pull that off from a product execution and business demand perspective. And users will balk, having to deal with yet another membership and do accounts/payment management would add a lot of friction.
I just want New Pipe, firefox with ublock and emulators on my iPhone/iPad. Put the side loading toggle behind a thousand warning screens, make me run 3km in 12 min to prove that I’m worth it.
But please allow it already or I’m out of the apple bandwagon on my next purchase.
I have some questions about how access to Secure Enclave, and in particular hardware keys, would work in a sideloaded app. It would be tremendously helpful if someone knowledgeable here might be able to explain!
Wouldn't sideloading make it possible for one sideloaded app to somehow impersonate another sideloaded app, and thereby trick the PKA/SKP into signing a message with a private key that the imposter shouldn't have access to? And might we even see vulnerabilities whereby a slideloaded app could impersonate an app downloaded from the app store?
If there is no way to securely distinguish between two sideloaded apps, such that one app could impersonate another in getting access to OS- or hardware-level cryptographic services, then that could be a real problem, no? And if you have downloaded an app from a third-party app store, what is stopping that app from somehow getting access to OS resources that it could to use to impersonate another app?
Does anyone know how this issue is dealt with in MacOS?
OK, so the OS has a way to verify the public key and the signature of the app executable, before the Secure Enclave responds to any request? Makes sense.
1. Should Apple allow iPhone users to build their own software (or third-party open source software) and deploy it to their iPhones? The answer here is a resounding yes; in fact it's already possible! Just register a developer account, and you can sign your own apps and deploy them to your phone.
2. Should Apple allow predatory 3rd party vendors (Google, Meta, TikTok, spyware developers, etc.) to circumvent the AppStore review process and deploy their opaque blobs to other people's iPhones? The answer here should be no in my opinion. (unless iOS gets rewritten in Rust with a capability-based ultrasecure watertight microkernel, where accessing dangerous "private" APIs and thus privacy violations are provably impossible - in this hypothetical utopic vision the AppStore review process would become moot from a security point of view, although there are other aspects of the review process that cannot be formalized that easily, c.f. "I know it when I see it")
(of course, the predatory 3rd party vendors love it when people conflate the two issues)
By not allowing sideloading, the apps which fingerprint your device through access to unique elements of your phone (like the number of contacts & contact data, gps data, & wifi signals, network device exploration), makes it easier to expose those app entities sharing out your data and increases liability on Apple for failing to "police" their app store properly, over and above their existing checks.
By allowing sideloading, a new attack vector opens up which reduces the liability on Apple, which is no different to what Microsoft and Google already do.
Facebook/Meta are sort of excluded in some ways because theirs app store runs online on their servers and not on your device which is considered private property and brings different Govt legislations into play.
Meh, I'm on android, but google has castrated several apps I enjoyed (termux,sshelper,etc.). So, being able to sideload is only one aspect of stumbling blocks to user usefulness. Don't get me wrong; the prison of apple is not one I would ever enter, but the grass is getting drier every day over here.
I think there's two types of sideloading that usually inspires fear:
1. The fear of the other big tech giants creating their own app store, forcing users to migrate there to use Facebook/GMail/Amazon/Outlook etc., and then siccing invasive tracking on them for the purposes of serving ads and selling user data.
I think this threat is easily more conceived than realized. While the motivation exists to have easier access to user data, I don't think users will necessarily bite. Having to join a new third party app store just to be able to use Instagram or WhatsApp would alienate, and anger, most users. It's yet another account one would have to manage and keep track of. It breaks the seamless nature of iOS and mobile experiences in general. Everyone would know why they're really doing it.
And these companies are big and old. To create a competing app store takes a lot of effort. Not just on a technical level but on a product and business perspective. To convince users that this added friction is worth experiencing. Based on the anemic state of the Amazon Appstore or the Samsung Galaxy Store app stores on Android, tech giants only end up investing in alternate app stores if it's already tailored for the devices they make, which is a moot point with iOS. And those stores aren't even dynamic, nor contain app exclusivity as far as I know.
Not to mention, running a third party app store means that Meta will have to start wooing other third party developers so it doesn't just end up being the Facebook/Instagram/WhatsApp show. That means they have to start creating their own pocket ecosystems and manage their own platform communities as well. It's a lot of hassle and effort for something that won't necessarily pay off. Just ask Microsoft how their Windows Phone store fared. Or heck, just take a look at the current state of Facebook apps.
Maybe ten years ago when mobile apps were still a fairly new category of products, when there was a lot more room to grow and these companies were less entrenched and nimbler, there was a chance that rival stores could pay off. But nowadays? Sure from a technical perspective they're all capable of building their own cloud gaming service or Clubhouse clone or Snapchat stories knock-off, but how many of those actually stick?
I think the only companies that will want to heavily invest in their own third party iOS app stores will be video game publishers.
2. Installing random app binaries. Dubious files, email attachments, malware, random scripts, all common vectors for viruses and computer problems.
This fear on mobile is overblown because Apple still controls the operating system, and can carefully set the flow to prevent easy access to sideloading. They can enforce all sorts of OS and app binary-level restrictions even without needing to go through the App Store.
Though now that I've laid out the two topics, I suppose one potential worst case scenario is the tech giants act greedily and stupidly, force essential apps to be downloadable only on their third party app store, so users resort to sideloading those apps from shady sources.
But on the other hand, maybe people will use resort to mobile web instead. Or just quit using those apps altogether. We're already see Facebook adoption drop precipitously.
238 comments
[ 3.3 ms ] story [ 273 ms ] threadThis is key: because individual centralized actors are imperfect and even corruptible--whether due to intrinsic motivations or extrinsic application of force--it isn't acceptable to concentrate so much power onto them; in a talk I gave at Mozilla Privacy Lab a few years back, I covered a lot of these failure cases throughout our industry with real-world "this actually happened" examples, including (as this would of course be one of my focuses) looking at numerous ways in which Apple's App Store moderation has been the problem instead of the solution.
https://youtu.be/vsazo-Gs7ms
Even if Safari turns the ship around & decides to support fun & interesting new platform capabilities that make the web interesting, like WebMIDI, WebUSB, the mere fact that Safari is the gauntlet for innovation, that Apple & Apple alone gets to say what parts of the web will work, is highly poisonous to the web. iOS users having no choice, having a centralized actor now & forever gating progress is untennable, is wrong, prevents healthy emergence & discovery. However good they are today, they may drift tomorrow, and having no fallback, no options is a technocratic fascism that society should recognize as structurally sick.
[1] https://news.ycombinator.com/item?id=30277179
B) That laws are different in different places and that even in the US there are exemptions to laws should not be casually ignored by assuming one narrow interpretation of a set of laws as you have: Apple controlling the distribution model with cryptographic locks hard-codes in a subset of American IP preferences around the world.
C) Even if we ignore these details and take your argument at the face of it and accept that for "choose how to distribute Fortnite" you merely are deciding between one of two centralized actors, you seem to be carefully trying to perform not one but two sleight of hands on the moral discussion at play.
It isn't like Epic doesn't have legal control over how Fortnite is distributed regardless: if Epic doesn't like Apple's terms for their App Store in the current model, they can choose to just not give you the software at all. You are just hoping to play a super dangerous game by assigning a single negotiator between your community of users and Epic in order to try to convince them to develop their software differently, for which you are apparently willing to pay 36% more for your software (which means you must value it a lot: like, for whatever benefit you think Apple is getting you here you are willing to dig into your own pocketbook and pay multiple extra dollars you otherwise wouldn't have to pay on every purchase or subscription) and--and this is where the tradeoff is unacceptable and the subject of the following #2--give Apple a large amount of control over all software in all jurisdictions... control which they lie about the benefits of, which they have routinely abused, and which can and is take advantage of by external actors.
And really, that is the most important thing in all of this and what I'd hope you would appreciate if you watch my talk: by giving Apple control over all software on the App Store you give them the power to affect what kinds of software is allowed to be built by anyone anywhere while creating a centralized chokepoint for the enforcement of whatever rules that bad actors want (such as the inclusion of end-to-end encryption carbon-copy features in applications or whatever). Giving Epic control over the distribution of Fortnite can't usher in a dystopia.
X) BTW: note that Fortnite is attempting to be some kind of massive metaverse service with a centralized set of servers attempting to provide an ecosystem of content that they would then have centralized control over. If the issues with Apple weren't so dominating and glaringly dangerous today maybe we could be having an argument about whether what Epic is building is moral and whether laws need to exist to stop it (and instead force--either directly or indirectly--such technology to come into existence in a way that is itself decentralized).
Not exactly. I'm hoping that at least one popular smartphone platform exists that exerts some leverage against software developers on behalf of users, so that users who value that feature can choose that platform. But it's also crucial for customers to be able to choose that platform (in this case, iPhone) for that reason, and to also have viable alternatives if they're not interested in this feature of a smartphone platform. I don't want Apple to do monopolistic things, and I absolutely wish there were more viable smartphone platforms, and I condemn Apple for the things it does to attempt to lock people in to the iPhone platform.
It turns out that with the current rules around monopoly rights of creators, many rights holders actually prefer to widely distribute, so I wouldn’t say that this makes it “even more concentrated” as the majority of content would be.
Some content will probably only be available in a first party store, but just the fact that there are competing stores is good for the consumer.
I see this highlighted all the time. When people agree with how something works then there's no comment. When it doesn't work how they want they believe they're being forced into a novel love-it-or-leave-it scenario, when the reality is they are in those scenarios all the time (daily/hourly even) and support them as well. Don't believe me? Ok I want less battery life on the iPhone and for it to be cheaper. Now what? You'll say "cost is important to you there are cheaper alternatives like X, Y, and Z". Same song.
tl;dr yea just buy an Android phone if sideloading apps is the killer feature for you. If I want the best battery life or the best camera I can base my purchase decision off of those product features. Sideloading apps is no different. That's a fact. Jack.
If side-loading is the only feature you care about, Android is for you. If it's one of many, you may have to make a trade off or pick between different mixes of features. This is just how the world works and always will work.
Not all get to have a market specifically for them.
Situations and therefore opinions are allowed to change over time. I could argue they pulled the rug out from under me when they removed Fortnite from the store, or started blocking apps I want such as Stadia. It's not like it's advertised on the phone "Hey we'll remove any app from the store that we don't like".
If I'm gonna be ruled by an authoritarian mobile OS that constantly tries to "engage" me, I might as well go for a nicer one that still cares about UX and being less buggy.
iOS is straying further and further from that path with every release, though. It's not Android-level, but it's far from what it used to be.
The fastest Android SoC is as fast as the A12, a three year old chip.
Android phones are lucky to get 1 major version upgrade in it's lifetime and that's usually 6-12s months after the latest version is released.
This is all done using the excuse that they are curators that want to give you the best possible experience. It has worked wonders too because now we debate not with these companies and their hired help but with others who have been screwed over just like us but are thankful for the experience.
Assuming it works out the same as on Android, I very much doubt that sideloading would ever be mainstream or popular, but the existence of the option would serve as a constraint on how user/developer-hostile Apple can be.
(And I entirely agree with the article that Apple eliding over the entire internet-sales era of software is highly disingenuous...)
They could also just offer direct app downloads from facebook.com, instagram.com, etc.
So what? This feels like a nothingburger to me. Given how sideloading is a much less pleasant experience on even Android (and we can expect Apple to do worse), Facebook wouldn't leave the main App Store without an earth-shattering reason.
And no, entitlements mean nothing without enforcement.
I expect that to be a operating system feature that works regardless of how the application was developed or installed.
You pay 40% extra for that. The creator gets $100, Apple gets 40, you see $140 sticker price. It is a nice feature, but how many would pay 40% extra for that? And if many wanted to pay 40% extra for subscriptions to have them cancellable, I'm sure there would already be companies doing that.
[0]: https://hothardware.com/news/facebook-claims-10b-revenue-hit...
There's an inherent trade off here where adding safeguards to protect users will make the life of developers more difficult. Balancing these two concerns is hard.
I find that Apple mostly strikes the balance right, and so I choose to be their customer. People who disagree have other options available on the market today.
The argument that Apple provides more safeguards is a bit flimsy in my opinion. I honestly don't know what people think Apple is protecting them from, especially when Apple's own features have led to people being stalked (air tags).
Also, most iPhone users that I know tend to have bought their iPhone for cosmetic/style related reasons, or the camera. They don't seem to be all that privacy conscious, especially when their phone is loaded up with every social media app on the planet, including Tiktok!
We've not seen iOS ransomware yet.
https://www.wired.com/story/android-ransomware-worrying-evol...
Although we have seen things that impersonate iOS ransomware.
https://medium.com/macoclock/ransomware-on-ios-a-clever-tric...
Note that this is another area where you have this user vs. developer trade off.
- GPL or other copyleft licenses will put the user's rights above the developer's.
- MIT or BSD-style licenses will favor the developer rights above the end user's.
"open and unrestrictive as possible" is all relative depending on whether you are a user or a developer.
> The argument that Apple provides more safeguards is a bit flimsy in my opinion.
My point is that this is a market where people value different things. I value the safeguards Apple is putting in. I find they do a better job at it than their competition. But I fully understand that other people do not think so, or that they value other things more.
What I don't particularly like is some of these people turning to the State to force Apple to do things differently.
https://www.fsf.org/news/2010-05-app-store-compliance
Maybe? Might have changed since then.
https://opensource.stackexchange.com/questions/9500/is-apple...
One could imagine that if the platform was opened to side-loading, the first third party app store to gain popularity would not be one from Meta or Google, but an F-Droid analogue for FOSS hobbyists and purists.
iOS has a lower-cost of support, with lower fragmentation and higher churn.
With enough profit on the line, more companies would be willing to suffer the lower user acquisition rate that would come from side-loading.
Wouldn’t Twitter, Facebook etc in turn demand that those third-party apps be taken down from the App Store?
And even if they didn’t, how is any third party going to keep up with Twitter/Facebook/etc API changes.
And what about push notifications? Those would not work with a third-party app installed via the App Store unless Twitter/Facebook/etc explicitly made it so that they supported that on their end.
For example, here’s a blog post from 2016 about how the Riot app for iOS is able to get push notifications when you self-host a Matrix server. https://thomask.sdf.org/blog/2016/12/11/riots-magical-push-n...
No? Why would they? Third-party clients are alive and well on the App Store today, and have been for years.
> And even if they didn’t, how is any third party going to keep up with Twitter/Facebook/etc API changes.
They've done a fine job of it so far.
> And what about push notifications? Those would not work with a third-party app installed via the App Store unless Twitter/Facebook/etc explicitly made it so that they supported that on their end.
It does? Check out Tweetbot or Apollo for Reddit. Both have push notifications that work fine.
Twitter has been gradually killing their APIs.[0] Reddit doesn't offer APIs for the newer features, like polls.
[0] - https://blog.twitter.com/official/en_us/topics/product/2018/...
This is a key feature stopping 3rd party apps being competitive.
https://developer.apple.com/documentation/xcode/allowing-app...
Apple has no incentive to let other companies get away with bad behavior. And so far, their own bad behavior has been much better than other companies.
Here's a question though: isn't that also a reason for Apple to hobble web browsers? Everything you're saying about app security and developers refusing to follow Apples rules also applies to progressive web apps unless Apple commits to making its browser meaningfully less powerful than native apps, and (importantly) meaningfully less powerful in ways that Microsoft/Amazon/Facebook actually care about.
That means you've kind of got to commit to the idea that web apps on iOS never get notification support, they never get intent support with other apps or the ability to handle opening resources, they never get support for good background audio or timers/alarms, they never get reliable clientside storage for offline usage without accounts. It's not just that you can't do low-level complicated sensor/GPU stuff, Apple has to hobble browser capabilities that make it good for reading news or setting timers.
Is that a world you're comfortable with? I know a reasonable number of people on HN are comfortable with that idea, just because they don't want the web to have application capabilities in the first place. But a lot of other people bring up the web as an alternative to the app store (Apple itself is fond of making that argument), and it makes me think -- if the web ever is a viable alternative for good apps on iOS, then the situation you're worried about already exists, doesn't it? Instead of the NYT distributing a native app that you subscribe to with Apple's system that gives you easy cancellation, instead you would get a PWA reader app that you pin to your homescreen and you subscribe through their web interface. The only way that doesn't work is if the experience of reading the NYT and getting notifications about new articles and saving your account details is a worse experience inside of a browser.
If what you're describing about companies removing user choice or forcing users to accept worse alternatives -- if what you're describing is an inevitable result of any serious, alternative user-facing app platform on iOS, then the only way Apple avoids that situation with the web is if it consciously commits to Safari being perpetually behind on standards and perpetually systemically and deliberately made worse as an app platform. That could either be through making sure the browser always lacks features or it could be achieved through other UX designs like blocking PWAs from showing up in app lists, making them unreliable to install, blocking their installation entirely in some cases, etc...
Is that an outcome that Apple users are comfortable with?
I have push notifications disabled on my phone for (almost) literally every single app except my email client and Element/Signal.
I don't get why the web is special, push notifications in native apps are just as abused as they are on the web. Even built-in apps abuse them. We could just as easily make an argument that native apps should have them disabled as well.
But regardless, this kind of goes back to my point. Okay, let's say that every web app abuses push notifications. What we're saying is that we're not going to have progressive web apps. Any app that needs push notifications is going to be a native app, even if it's something as simple as a messaging client or a reader app.
There was a really strong movement around phone platforms a while back where people were asking, "why is this an app in the first place, why isn't this a website?" Well, you can't have that if you don't trust alternative app stores to some degree, because the answer is that any version of the web that is powerful enough to provide meaningful substitutes for native apps is an alternative app store that's outside of Apple's control/moderation.
Put it behind 10 hidden menus inside settings and facebook will not be able to explain to your average user that they have to enable this shady looking setting to download facebook. They can of course choose to ignore half of the US market, but that’s hardly a sane decision.
Apple's weak privacy stance is a farce, especially when ios lets any app have unfettered network access.
Additionally its own software does a lot of not-good-for-me things I'd like to prevent.
You should be able to restrict apps from any network access, not just local. Like contacting graph.facebook.com
put another way: Little Snitch for iOS.
I don't need sideloading often, but in those cases I really need it. As an example I'm in a part of Mexico where a local app is more used than Uber, but it's not in the Swiss app store that I'm registered in. I just sideloaded the app using the Huawei app store. I'm not sure what's the Apple way to solve these kinds of problems, as I don't have an iPhone.
"Even if Apple allowed sideloading, I don’t trust Apple to come up with an elegant solution, though. They will put every warning they can to discourage users from sideloading applications. It could make the user experience miserable, worse than it is on macOS. Why? Money is at stake here. A lot of money, actually. Because Apple seems to be run by lawyers and greedy people, we can expect everything."
They could then warn users their battery life would be worse, cos 2 persistent connections, and make it scary. Meanwhile I, as an Android user would happily take up the offer.
I'll tell you why: money.
The hidden challenge is tracking connection tracking timeouts in stateful firewalls and NAT gateways, so you can keep connections alive with the minimun of data exchanged. This is like if ISP A has a clean network, you only need to ping once an hour, but any packet sent will be recieved without delay; but ISP B needs a ping every 60 seconds or further packets will be dropped without notification. This isn't that hard either.
Bandwidth of push messaging is nothing compared to app downloads, and probably more of the effort would be on attracting quality applications and vetting applications and maintaining business relationships.
All that said, Google lets non-play apps use Google push, as long as the phone has play services, not sure why Apple would do it differently.
Cannot have it both ways. If it will be possible, FB will use it, and write a detailed sideload instructions.
F Droid is only possible because of side loading
Of course, the MAS is a pile of shit, Apple has utterly fucked up on basic great software business things like "upgrade pricing", and there are lots of examples of fantastic decent small/med size software devs doing their own Mac software same as always. Apple certainly has perverse incentives they have abused, primarily around service integration (can't aim backups at any storage provider for example). Also, it all breaks down when there is an entity MORE powerful than Apple like a major government. Then Apple becomes a single point of failure for censorship and control, and indeed that ties right back into the former. We don't have E2EE encrypted wireless backups for iDevices because of Apple caving to "security" agencies.
But still, it cuts both ways and I really appreciate that less technical (but still very smart!) users, including vulnerable members of my own family and friends, can have a platform in iOS which has much stronger guardrails that they cannot physically be talked into bypassing. I think giving those who ask for hardware, software, or both root cert access that access is enough of a release valve (these are probably all the same people who would jailbreak which is much worse) to help check Apple and bypass the big failing points while still accommodating the hundreds of millions of users whose threat models involve worse from other corporations. And it'd help nudge Apple's incentives in a good direction even for those staying fully within the walled garden by making them balance a bit on keeping them there.
Hrm. I don't think that actually would be as effective on iOS, reset/wipe is essentially setting up a new phone or a recovery procedure that is meant to be quite easy and near fully automated if time consuming. Which means the bar to social engineering is either very low because it follows the existing workflow and restores from backup ("click this before going to bed that's it"), or if it wouldn't allow restoring a non-root backup to a root device then it really screws the utility for all of us who want root ownership over our normal hardware (me included). This would not at all be a "dev mode" after all, it'd be a more normal Windows/Mac/Linux/BSD use mode including for people who never intend to ever write a single piece of software but do want stuff that Apple doesn't allow/enable.
Still an interesting different potential path.
"Sideloading is dangerous. Just look at Windows."
I suppose I can understand the appeal of that argument, since it does resolve apparent hypocrisy and lying in Apple's statements about its policies, but crucially this argument doesn't actually address whether allowing sideloading will be good for users, despite the author indicating that they think it will be ("Until today, I thought forbidding applications sideloading on the iPhone was good for users. But…").
All the arguments that preventing sideloading protects users still apply, and haven't actually been addressed in this article.
I'd say the main argument of the article is that the situation with the App Store in actual reality is so far from ideal that arguments about what happens in an ideal situation are irrelevant.
Whatever might happen to that binary between Apple signing it, and the iOS installer getting hold of it DOES NOT MATTER — if the signature is still good, then it’s no worse off than if it was put in the AppStore.
The security argument is total BS.
It would still use the same sandpit, still use the same permissions system, still able to be disabled by Apple, etc, etc.
Without the argument that "it's less secure", it becomes obvious that the only motivation is commercial.
That's the only reason they even created it.
But it doesn't indicate that the application has undergone Apple's review process. For that, you'd need a separate signature, signed by an Apple-owned private key rather than a developer key.
I'm not actually advocating this, just pointing out that it would provide the same security as the review process does now, without the need to download apps only from the AppStore. And so ... Apple's "but the security" argument is rubbish.
I don't have an answer for this. I'm all for people being able to get around the garden walls. I just hope and pray that no one in my "you use computers so you're my de facto tech support" circles does it.
I think you're missing something important, which is that the App Store is part and parcel of Apple's (mostly successful) layered security model.
I. I do want to be able restrict what they can install on their phones and it gives me a small peace of mind that nothing they install would outright steal their bank app’s credentials or all their passwords.
https://support.apple.com/en-us/HT201304
Why do we pretend that social engineering scams don't exist outside of installing anti-viruses? There are thousands of vectors of attack, many of which can and have been done on iPhones (bank accounts, gift card scams etc.)
The solution to this problem is EDUCATION, not letting companies monopolize a market just because we're too scared and stupid as a society to teach the elderly and vulnerable about security and privacy.
Nobody is pretending that.
> The solution to this problem is EDUCATION…
Nope. Educated, tech-savvy people fall prey to scams all the time: https://www.cnbc.com/2021/08/10/tech-savvy-teens-falling-pre...
I was reviewing a computer class curriculum for a younger cousin who is in high school. All they're doing is learning how to format documents and use spreadsheets. Being able to use an office app suite does not equal being tech-savvy or being educated about computer security.
[1] https://www.theverge.com/22684730/students-file-folder-direc...
https://www.techtarget.com/searchsecurity/news/252495750/How...
My kids (who go to a public school) have received what I consider thorough instruction on avoiding online scams and other kinds of danger. It sounds like YMMV, unfortunately.
But the main takeaway is that education doesn't make people scam-proof. The link at https://www.bbbmarketplacetrust.org/story/39089233/research isn't working as I type this, but Cracking the Invulnerability Illusion: Stereotypes, Optimism Bias, and the Way Forward for Marketplace Scam Education is a really interesting research paper on this. (I've pinged the author and will post a working link when she responds.)
That's was an example, but only an except. I think equally plausible is "my bank called and told me my app was broken and that I needed to redownload it. I tried logging into the new app with my bank username and password, but it didn't work. What's wrong with my phone?" Now, Apple doesn't have a perfect track record for catching and blocking these things. Their security controls are definitely better than not having them, though.
> The solution to this problem is EDUCATION
No, no, no. One of the things drilled into your head at security engineering and management conferences is not to ever trust the human factor. Education is a good thing to have in addition to all your other controls, but is a terrible first line of defense. People make terrible choices all the time. Maybe they're sick, or they've had a drink or three, or they're worried about something that happened at work, etc. etc. etc. Even smart people who've completed security training still make dumb mistakes.
This problem isn't solved by the centralized App Store--even if it were good at blocking any app with functionality that would let it be used as a scam (which it is not)--as it is just as if not even easier to tell the person "your app is broken and you will need to use our website" and then give them the wrong URL.
Like, I don't understand what you are trying to accomplish here: you think your elderly parents are going to go through a number of steps to install software via a different process but won't go to a website? I bet going to a website would even be a prerequisite to sideloading, so why would the attacker bother adding even more steps?
You are thereby helping Apple do something bad for both society and large numbers of other people and you didn't even manage to get the one thing you wanted out of it :(.
> my "you use computers so you're my de facto tech support" circles
and you hate it. Stop doing that.
How many apps per week does your grandma need to install? It would be better if you set her up a phone with the apps she wants, and then disabled all app installation.
Because if someone is in that position, the unfortunate reality is that the official app store isn't safe either. The article gets into this in more detail, but there's enough malware on the official Apple Store to make it dangerous to randomly install apps. There are apps where their whole design is to set you up with big subscriptions in the background that you don't notice, there are malware apps that slip through Apple's review process, there are phishing apps.
Really, you should install the apps your grandma needs, and if she needs more later, then she can ask you about them (or someone else who's an expert). I think people look at the Apple Store as if it's perfectly safe and that opening it up would suddenly let in malware for the first time. But while the Apple Store might have comparatively less malware than Android, that's not the same thing as being perfectly safe, and it doesn't mean you can let a young kid or a naive adult go wild on it and install whatever they want. That's a recipe for disaster.
I've set people up on Linux and had zero support calls or malware problems with them, not because Linux has good security or perfectly curated software sources, and not because there aren't dangerous ways to get malware on a command line, but because they don't open the command line in the first place. Some people are safer and thrive in a computing environment that's set up to do the things they want and that doesn't change after that point -- but I don't think that has much of anything to do with alternative app stores, that's really a question of whether app stores should be allowed at all for those people.
No one says iOS can't implement similar parental controls for sideloading; they already have parental controls to prevent installing any new apps. Or add a similar phishing prevention systems like Google and Firefox has.
I do favors for my friends and family, and vice versa: they help me, and I help them. That doesn't mean I can't dread them going to great lengths to make it harder for me to do so.
[1] https://www.theverge.com/2021/2/8/22272849/apple-app-store-s...
Bad solution: disallow this entirely.
iOS developers are sideloading their apps hundreds of times each day...
(Accounts that were inactive from publishing apps/games to the store. The accounts may have well been “active” for side loading/dev work)
Why isn't it free, or a nominal one-time $20 fee like the Microsoft Xbox developer program? Very good question.
Exactly. Want to sideload MAME? It's not a big deal. Go to https://github.com/yoshisuga/MAME4iOS and follow the "Building / Installation / Sideloading" instructions.
(And what if you don’t own a Mac? Create an entire macOS VM just for the purpose of installing an app on your phone?)
Compiling source on anything other than MacOS (at least was - not looked into it in a while) a PITA.
And to take the argument more broadly: how many of us here on HN became interested in computing because they screwed around on their PC as a child? What about today's children, who get a smartphone, a tablet and maybe a Chromebook? What are we teaching them?
I am for hassle-free side loading on every platform (Even on games consoles). I also dislike how most smartphones and tablets have become "Internet consumption devices".
I'd still put that as a bad solution. It is necessary but not sufficient for the owner of a device to be be able to run arbitrary code. It also must be the case that nobody can prevent the owner from running arbitrary code on their own device. The infrastructure required for Apple to be the intermediate for enabling such a feature would mean that Apple could also block the authorization from going through.
In effect, Apple must not be in a position to perform a man in the middle attack between an owner and the owner's device.
The real thing keeping people safe is the operating system itself. The App Store is just a revocation mechanism for when something defeats those platform protections. That is what Developer ID is about on macOS: a revocation mechanism, only activated when platform security is breached.
People think that sideloading means Apple can’t scan for malware… Apple signs every single notarized binary
That is also to say that if Apple does open up the platform to alternate stores, I imagine they will still control the security portion.
Ultimately, though, someone needs to maintain a database of malware. When this malware is attacking the platform, it kinda makes sense for the platform maintainer to maintain the database. Microsoft maintains the Defender database, which does have false positives, and we thank them for it. If you want to override it, you can. Notarization works the same way on macOS.
That said, the neutrality of the database (malware only!), and the ability to override it are both key components.
You have to go through the settings and find your build number, then tap it 7 times. Super easy for someone knowledgeable to intentionally do, but basically impossible for someone to do accidentally / get tricked into.
Android manufacturers for some unknown reason always reorder/rename their setting menu randomly. And I seldom see any phone that have exact the same setting menu from different oem.
I'm scared that some of these people won't let their relatives answer the front door unless they are present, lest a man with a clipboard empty their savings account.
Today, iOS has a strong sandbox where apps can’t access data of other apps unless explicit permission is granted (eg. access your location/contacts/photos), and apps can’t access or modify system files at all.
Also consider that sideloaded apps does not mean allowing unvetted apps - Apple could still mandate macOS-style app notarization to prevent malware:
> Notarization is a malware scanning service provided by Apple. Developers who want to distribute apps for macOS outside the App Store submit their apps for scanning as part of the distribution process. Apple scans this software for known malware and, if none is found, issues a Notarization ticket. Typically, developers staple this ticket to their app so Gatekeeper can verify and launch the app, even offline.
> Apple can also issue a revocation ticket for apps known to be malicious—even if they’ve been previously notarized. macOS regularly checks for new revocation tickets so that Gatekeeper has the latest information and can block launch of such files. This process can very quickly block malicious apps because updates happen in the background much more frequently than even the background updates that push new XProtect signatures. In addition, this protection can be applied to both apps that have been previously and those that haven’t.
https://support.apple.com/guide/security/protecting-against-...
AKA, a "computer."
My computer.
That absolutely destroys interoperability, and is not a good thing. If the program that generated a file must give permission for it to be accessed, then a proprietary program can prevent interoperability simply by not actively enabling it.
Passing information between programs must be in the control of the user, not a program.
Actually android do exact the same thing these days. So you sometimes see 'XXX app want to access your photos', or a file explore to select which directory you grant for app to access.
There used to be a loop hole that any app can read sd card. But it is also sealed since android 10. Now every app see different rootfs.
> then a proprietary program can prevent interoperability simply by not actively enabling it
These doesn't really matter, a proprietary program can always break interoperability as long as they want. Did you see the old ms word .doc format? Even other version of ms word can't read it correctly, let alone any third party programs.
On iOS this can’t happen, regardless of whether an app was downloaded from the App Store or elsewhere.
It isn't 2002 anymore, systems have been hardened since the Windows XP days.
Would you feel the same way about handing your older relatives a Mac in 2022? They'd be able to install stuff from wherever on Mac.
I have tons of older relatives using Macs and Windows computers, and the days of Bonzi Buddy and 20 addon toolbars for IE are over. Some of them even have Android phones where sideloading has been a thing for over a decade, and the sideloading apocalypse bringing hordes of malware has yet to occur.
Truthfully, I believe your worry doesn't apply in our current computing era.
I absolutely feel this way about my grandparents and their Mac Mini. They've fallen victim to a few scams involving software installation that would have been much harder to pull off on iOS.
That's not a given, given the multimillion dollar scams on the iOS App Store[1].
[1] https://www.theverge.com/2021/2/8/22272849/apple-app-store-s...
Are you really saying that ransomware is not a problem? There is nothing stopping anyone from downloading anything on Macs and Windows.
The Mac preference pane included in the article implements this. My parents aren't going to change that setting unless I tell them to which I won't.
And don't be ageist: my pre teen kid wouldn't either, having already rendered his computer unusable a couple of times in other ways. Once he became a bit older things were different, but by then it didn't matter to me and wasn't really any of my business.
It should be added to iOS and tvOS.
It should have never been a valid reason against restricting everyone’s freedoms.
If you don't know what is sideloading. Without toggle the hidden browser setting, open a apk in browser will just say `the app can't be installed correctly`.
If you know, you just know you need to open the info of browser, and toggle the __Allow this app to sideload other apps__ option.
??? macOS does have a real Unix shell. It’s called zsh. And it’s not that hard to get whatever compilers you want.
Shells are not the entire UNIX environment, they’re just one part of it. (And I don’t think you meant it this way, but please don’t say it’s not a “Unix shell” because it doesn’t have GNU extensions.)
Speaking personally, the only thing I want to sideload is Mame (assuming an iOS version exists).
It does, and you can sideload it by following the "Building / Installation / Sideloading" instructions at https://github.com/yoshisuga/MAME4iOS.
At the center of each is a CPU, GPU, and storage. Software is the primary differentiator.
https://news.ycombinator.com/item?id=30280457
But please allow it already or I’m out of the apple bandwagon on my next purchase.
Wouldn't sideloading make it possible for one sideloaded app to somehow impersonate another sideloaded app, and thereby trick the PKA/SKP into signing a message with a private key that the imposter shouldn't have access to? And might we even see vulnerabilities whereby a slideloaded app could impersonate an app downloaded from the app store?
If there is no way to securely distinguish between two sideloaded apps, such that one app could impersonate another in getting access to OS- or hardware-level cryptographic services, then that could be a real problem, no? And if you have downloaded an app from a third-party app store, what is stopping that app from somehow getting access to OS resources that it could to use to impersonate another app?
Does anyone know how this issue is dealt with in MacOS?
Sideloading is part of it, and I can also mention JIT compilation.
1. Should Apple allow iPhone users to build their own software (or third-party open source software) and deploy it to their iPhones? The answer here is a resounding yes; in fact it's already possible! Just register a developer account, and you can sign your own apps and deploy them to your phone.
2. Should Apple allow predatory 3rd party vendors (Google, Meta, TikTok, spyware developers, etc.) to circumvent the AppStore review process and deploy their opaque blobs to other people's iPhones? The answer here should be no in my opinion. (unless iOS gets rewritten in Rust with a capability-based ultrasecure watertight microkernel, where accessing dangerous "private" APIs and thus privacy violations are provably impossible - in this hypothetical utopic vision the AppStore review process would become moot from a security point of view, although there are other aspects of the review process that cannot be formalized that easily, c.f. "I know it when I see it")
(of course, the predatory 3rd party vendors love it when people conflate the two issues)
https://news.ycombinator.com/item?id=30280457
By allowing sideloading, a new attack vector opens up which reduces the liability on Apple, which is no different to what Microsoft and Google already do.
Facebook/Meta are sort of excluded in some ways because theirs app store runs online on their servers and not on your device which is considered private property and brings different Govt legislations into play.
1. The fear of the other big tech giants creating their own app store, forcing users to migrate there to use Facebook/GMail/Amazon/Outlook etc., and then siccing invasive tracking on them for the purposes of serving ads and selling user data.
I think this threat is easily more conceived than realized. While the motivation exists to have easier access to user data, I don't think users will necessarily bite. Having to join a new third party app store just to be able to use Instagram or WhatsApp would alienate, and anger, most users. It's yet another account one would have to manage and keep track of. It breaks the seamless nature of iOS and mobile experiences in general. Everyone would know why they're really doing it.
And these companies are big and old. To create a competing app store takes a lot of effort. Not just on a technical level but on a product and business perspective. To convince users that this added friction is worth experiencing. Based on the anemic state of the Amazon Appstore or the Samsung Galaxy Store app stores on Android, tech giants only end up investing in alternate app stores if it's already tailored for the devices they make, which is a moot point with iOS. And those stores aren't even dynamic, nor contain app exclusivity as far as I know.
Not to mention, running a third party app store means that Meta will have to start wooing other third party developers so it doesn't just end up being the Facebook/Instagram/WhatsApp show. That means they have to start creating their own pocket ecosystems and manage their own platform communities as well. It's a lot of hassle and effort for something that won't necessarily pay off. Just ask Microsoft how their Windows Phone store fared. Or heck, just take a look at the current state of Facebook apps.
Maybe ten years ago when mobile apps were still a fairly new category of products, when there was a lot more room to grow and these companies were less entrenched and nimbler, there was a chance that rival stores could pay off. But nowadays? Sure from a technical perspective they're all capable of building their own cloud gaming service or Clubhouse clone or Snapchat stories knock-off, but how many of those actually stick?
I think the only companies that will want to heavily invest in their own third party iOS app stores will be video game publishers.
https://news.ycombinator.com/item?id=30204012
2. Installing random app binaries. Dubious files, email attachments, malware, random scripts, all common vectors for viruses and computer problems.
This fear on mobile is overblown because Apple still controls the operating system, and can carefully set the flow to prevent easy access to sideloading. They can enforce all sorts of OS and app binary-level restrictions even without needing to go through the App Store.
https://news.ycombinator.com/item?id=30199125
Though now that I've laid out the two topics, I suppose one potential worst case scenario is the tech giants act greedily and stupidly, force essential apps to be downloadable only on their third party app store, so users resort to sideloading those apps from shady sources.
But on the other hand, maybe people will use resort to mobile web instead. Or just quit using those apps altogether. We're already see Facebook adoption drop precipitously.