29 comments

[ 4.8 ms ] story [ 72.3 ms ] thread
I'm not seeing what the "catastrophic" issue is. A site can include a link to install an app from a third-party marketplace and, when the user affirmatively acts to proceed with the install, that marketplace can see which site the install request came from.

That's it?

It looks like they basically created an immutable identifier that gets exposed. Sort of like a persistent third party cookie, but with fewer access controls as it isn’t domain bound.

That’s just my read of the article, I haven’t reviewed the code myself.

However, I will say that the way SV companies tend to operate is they refuse to do any compliance work until forced by circumstance, then they have to do a rush job and a bunch of stuff gets fucked up that would have been fine if they planned ahead based on statutory requirement.

So from a human/corporate behavior perspective this is exactly what I’d expect.

Likewise, Apple in particular has a holier than thou attitude, especially in regards to privacy, so I think there’s a bit of them being blinded by their own arrogance in this case.

(comment deleted)
Sweet, UE can now legitimately take 4% of Apple’s global income for uniquely identifying all users on Earth, having undeletable cookies and not having the cookie banter and thus, breaking GDPR.
Having worked in this sector for a very long time I just don’t think GDPR is an effective regulatory tool. Primarily because Ireland is a regulatory/tax haven for American companies and they have to enforce GDPR…and they refuse to.

Whereas DMA was written to totally avoid that problem; so I think a DMA action is WAY more likely as the Irish can’t block it.

EU* and it’s up to 10% of global revenue.
GDPR is 4% and technically EEA rather than EU. DMA is 10%.
Where do you get "affirmatively acts to proceed with the install"? The original advisory suggests that any website can fire off these marketplace requests in response to any user action.
Not "any user action". The user has to click the link. The fact that a link can be styled to look like anything isn't very damning.
According to the advisory the user can click on a button and the event handler issues the request. There isn't a link. The user has no indication of what's going to happen beyond whatever the page chooses to tell them.
Apple claims allowing users to install software from 3rd parties is a security problem, and then when forced to allow it they introduce security problems. Hmmm..
Luckily there are obvious solutions to this and the EU has technically competent people that will explain how stupid this is.
The suggestion that Brave might be a better alternative is hilarious, and places into doubt everything else that video suggests.

Brave is a crypto wallet and advertising platform that happens to come with a web browser.

I don't really trust Brave myself, but:

- Yes crypto bad, so what? Don't use the wallet?

- Aren't ads disabled by default?

Why not choose a browser that doesn't have those things built-in in the first place, rather than choosing a browser full of things you don't want and then turning them off.

Especially as Brave, the company, has a history of being less than honest about its browser decisions.

The opinion "crypto bad" isn't universally held.

For those who don't share that opinion the inclusion of features like the built-in wallet, the native(-ish) support for IPFS, and domain name resolution for cryptocurrency-based TLDs is valuable functionality.

Why use a Chromium fork that has those things over just Chromium?

I see my coworker use Brave every day and each time they open a new tab it’s some crypto ad. Why would anyone want that?

The article is talking about iOS. Apple doesn't let you run Chromium on iOS. Are there any iOS Safari wrappers that can match Brave's ad-blocking abilities?
Takes 3 seconds to disable
(comment deleted)
Default Firefox installs also show you random websites on the new tab page that basically amount to ads. We can quibble over whether or not the quality of the content is worse or better in one browser but it’s not fundamentally different. And in both browsers you can disable it permanently in a few clicks. I really don’t see how anyone can complain about one and not the other
Malicious compliance in action: make things worse and blame the regulations.
* The limiting factor of this attack is that a marketplace must first be approved by Apple before it can undertake this sort of tracking. *

Seems like a Catch-22 that Apple is required to support these other marketplaces out of their control but simultaneously expected to prevent them from behaving badly.

This design is Apple's choice, including their approval process.