The next decade looks like tech vs. governments everywhere. From the article, it seems Apple won’t roll this out worldwide unless forced.
As a user I like Apple’s App Store for security personally, but I wonder how multiple app stores turn out in other regions. I see the EU already allows alternative app marketplaces — has anyone used one and can share their experience?
Apple complied but maliciously in the EU making it very difficult and very expensive to offer apps on alt stores. They also made sure to add scary warnings so one can never offer a normal onboarding flow.
> Apple’s App Store for security
The App Store doesn’t do anything to protect you in that sense. It’s easy to circumvent and these days it’s cheaper to just buy an iOS exploit than go through the trouble of making a shady app.
> Apple complied but maliciously in the EU making it very difficult and very expensive to offer apps on alt stores. They also made sure to add scary warnings so one can never offer a normal onboarding flow.
Even for web distribution in the EU (which they allowed some time ago) they require you to have had an Apple Developer account for at least 2 years and at least one App with more than 1m annunal downloads in the App Store.
So they're forcing you to have a very successful app in their own store before you can distribute yourself, basically making this impossible to actually use. It's such a blatant case of malicious compliance, it's insane.
> The App Store doesn't do anything to product you in that sense. It's easy to circumvent...
Interesting, their marketing has customers believe otherwise, so I wouldn't have thought that as a noob in cybersecurity.
I've submitted an app to the iOS App Store in the past, and the process is tedious and doesn't seem superficial (unlike the Play Store process, which was completely autonomous at the time), so that's another reason why I wouldn't have thought it.
Specifically from a HOBBYIST perspective, what bothers me about the App Store is not even the 30% thing, but just... the pain of it all. The rejection horror stories, the "Apple told me to change my app's entire model" stories, the "I can't put this little gadget specifically for me and my family on the App Store" problem, and so on and so on. There's really no home but the web for silly little things.
What bothers me is that despite all of that pain, they still let through a ton of low-effort app clones in their store, which sometimes even come up before the original ones. If you search for GTA you get a ton of lookalikes, some of which even use screenshots of GTA V which clearly aren't the actual game.
You can’t even report behavior that should get an app pulled from the App Store.
I know of multiple apps that have malicious ad networks in them, don’t disclose their ad networks, and have no mechanisms to report the ads inside the ad networks or any of the content to them, they just say the ads are “served by one of our partners”.
The review doesn't guard against malicious code. You can slip through anything you want, just don't trigger the functionality during review and you're golden. People have been doing that for private framework calls since forever.
The protection is in the permission system and sandboxing, which is active regardless of the source of the code.
You only need to pass the app review once, then you're free to deploy over-the-air updates for as long as you'd like. Though you'd need to use a framework like React Native, Ionic, Flutter, etc which supports it. Essentially anything where you can change app code without making any changes to the underlying native code (as that would require going through the app review process again to publish those changes).
> It’s easy to circumvent and these days it’s cheaper to just buy an iOS exploit than go through the trouble of making a shady app.
But why is that easier? And is it inevitably so or a result of the fact that the boundaries of the one place to install apps from is aggressively policed?
>The App Store doesn’t do anything to protect you in that sense. It’s easy to circumvent and these days it’s cheaper to just buy an iOS exploit than go through the trouble of making a shady app.
Different threat models. If you're the mossad and want to go after someone in particular, yes the exploit is the way to go, but if you're running some run of the mill scam, you're certainly not going to spend 6+ figures on a ios 0day that'll get patched within days.
> They also made sure to add scary warnings so one can never offer a normal onboarding flow.
is this any different from Macs also prompting the user when a downloaded binary is suspicious/not signed properly? or windows when installing it'd flash a screen about trusting what you're installing?
It was way worse. They basically made the first install attempt fail. Then they made you go to the Settings app (of course without telling you that you have to go there) to allow it. Then you had to try again to download, which then triggered the scary warnings that you had to accept. This has been changed now though due to EU pressure.
I thought that's also like macos, where we've needed to right click and open and then allow, and sometimes it requires going to system settings to approve it also.
I have Alt, Epic, and Setapp installed. Setapp is something I had to stop paying for while unemployed, but has good stuff if you can afford it. Alt is mostly empty, but now lets you add multiple sources for more sideloading options.
Basically the market is still in an alpha stage. My next app will be on Alt just because I want to support the idea. Hopefully more apps gets on these stores, for now it's mostly nice to have for games, emulators, and some dev tools.
Apple didn't make it friction-free either, but it seems the issue is lack of user demand and/or lack of supply.
For Setapp, I am kind of forced to pay for it since I use NotePlan and Paste. And I use Timing Tracker sometimes. The first two alone cost the same as a Setapp sub for 4 desktops and 4 iOS devices.
Alt isn't very exciting. And for Setapp, consider whether buying the software outright isn't better. After all the time paying for Setapp, once you stop, you've little to show for it. It's akin to using Spotify but owning none of it.
Requires an EU apple account, a faraday bag, two esp32 boards (or other way to spoof hotspots), a VPN with an endpoint in the EU, and an iOS device with a supported OS version.
I hate the security argument when it comes to third party stores or apps. No one is putting a gun to your head to install these things. Imagine trying to apply the same logic to macbooks and not let them install from the web or homebrew.
My employer demands that I have some proprietary 2FA app installed. And while it’s the norm for companies to provide you with a laptop that you install their trojans on, it’s not the norm to provide you with a work phone, so I’m glad there is a middleman limiting the damage I’m exposed to when I install corporate software on my phone. And that’s a device that has access to much more information about me, whom I talk to and what I do with my spare time, when and where.
This is a website where some moron will read a big disclaimer that ChatGPT is a generative AI and can't give you objective facts, click "Yes, I understand", then have a long conversation with it and kill himself and that is supposedly OpenAI's fault. So it's pretty amusing that here the view is "a modal is immunity from fault".
Not put a gun to your head but ring up pretending to be your bank and there’s fraud detected and can you follow these steps to verify your identity and secure your account.
As a user I like Apple’s App Store for security personally, but I wonder how multiple app stores turn out in other regions. I see the EU already allows alternative app marketplaces — has anyone used one and can share their experience?