Friday, October 15, 2021

Apple’s Threat Analysis of Sideloading

Apple (PDF, via Hacker News, MacRumors, Slashdot):

iPhone is a highly personal device where users store some of their most sensitive and personal information. This means that maintaining security and privacy on the iOS ecosystem is of critical importance to users. However, some are demanding that Apple support the distribution of apps outside of the App Store, through direct downloads or third-party app stores, a process also referred to as “sideloading.” Supporting sideloading through direct downloads and third-party app stores would cripple the privacy and security protections that have made iPhone so secure, and expose users to serious security risks.

Siguza:

31 pages of fearmongering?

Damn, Apple must actually be scared!

Tim Sweeney:

If automated software analysis or human review were essential for security, iOS could support or even require it for competing stores. Mac notarization shows it’s feasible. Nothing about security requires an Apple monopoly on distribution.

Furthermore, competing stores could do a much better job than Apple of ensuring quality software, going above and beyond Apple’s modest standards for human review - typically a 6 to 12 minute process staffed by only several hundred employees worldwide, most of them not engineers.

Look at the amazing job that Sony, Microsoft, and Nintendo do of quality assurance on console. It’s so good that a sub-par game release is almost a once-in-a-decade news story. If Apple faced competing stores, those companies plus Valve, Epic, and others could step up.

Michael Love:

I don’t think alternate stores make any sense without sideloading; if it’s important sideloaded apps by reviewed by sb you can have a bunch of 3rd party Notarization Authorities or whatever, but the binary should be coming from my server.

Alternate app stores add competition - which is certainly good - but don’t fundamentally change the app distribution model; direct sideloading does because it lets installation happen at the point of discovery, and discovery can happen anywhere; can install an app from a tweet.

Mike Wuerthele:

Thieves have used a combination of social media, dating apps, cryptocurrency, and abuse of Apple's Enterprise Developer program to steal at least $1.4 million from unsuspecting victims.

[…]

After gaining the trust of the victim through the dating apps, scammers start discussing cryptocurrency investments. They are then directed to a website that looks like the Apple App Store, and then told to download a Mobile Device Management profile, giving control of a number of features, and the ability to use signed apps made by the fraudsters.

Previously:

29 Comments RSS · Twitter


Kevin Schumacher

> Look at the amazing job that Sony, Microsoft, and Nintendo do of quality assurance on console.

The only reason that we don't hear more often about "sub-par game release[s]" is because most junk game releases are not named Cyberpunk 2077. Major publishers generally do enough to ensure their games are at least playable, because doing otherwise would eventually be commercial suicide. That is not to say that there isn't a ton of garbage approved from much lesser known publishers and independent developers (especially looking at you, Nintendo, with your "any indie who wants to take a dump on the Switch, feel free" mantra) that made it through the console makers' "amazing...quality assurance."

(I just noticed who the quote is from. Not really sure why I've just wasted several minutes of my life explaining why yet another Tim Sweeney quote is pure and utter crap.)


>Look at the amazing job that Sony, Microsoft, and Nintendo do of quality assurance on console.

"The App Store is too draconian! Also, it needs to be _more_ draconian like those other guys!"

(Tim's argument here doesn't make any sense, and I'm guessing he knows.)


@Sören I do think it’s a coherent argument. It’s akin to saying that there are usability tradeoffs for security, so if I’m going to pay those costs I want actual security, not security theater.


My Mac has all the same sensitive personal information, probably even more than my iPhone (except for location data), and yet I can install any app that I wish with no approval required from Apple and I am still here to tell the tale. They do not have to open the iPhone to side loading by default. Furthermore, sideloaded apps can still be forced to go through the protections already built in to the OS. Not to mention that the App Store is already filled to the brim with scam apps that get past their review. They can warn and fear monger as much as they wish, but it is time to have the option.


From the document:

“ third-party app stores shows that they do not have sufficient vetting procedures to check for apps containing known malware, apps violating user privacy, copycat apps, apps with illegal or objectionable content, and unsafe apps targeted at children. ”

Wait, that sounds like the actual App Store.

“Users could be forced to sideload an app they need for work or school. Users also may have no choice other than sideloading an app that they need to connect with family and friends because the app is not made available on the App Store. For example, if sideloading were permitted, some companies may choose to distribute their apps solely outside of the App Store.”

Can’t companies already distribute apps on their own via the enterprise certificate? Or whatever it’s called. Even ignoring that, why would companies not distribute an app for free through the regular App Store for free anyway, like they already do?

I could go on… Apples arguments here are total BS, describe highly unlikely scenarios, omit the failings of their App Store, blatantly lie about and conflate device security features that aren’t in any way related to how an app is distributed, and/or completely ignore the reasons that people are asking for 3rd party app stores.


Old Unix Geek

iPhone is a highly personal device where users store some of their most sensitive and personal information. This means that maintaining security and privacy on the iOS ecosystem is of critical importance to users.

Yes.

Various CPUs provide a method to encrypt each virtual machine on a shared server. Each such "hyperprocess" has a different encryption/decryption key. If one virtual machine sees the contents of another, it just sees jibberish, since the wrong decryption key will have been used. Apple could do the same on a per process level. Then the only means for one process to access said information would be through an API. And Apple just needs to ensure that API is correctly programmed.

But of course, that's easier if you think before you ship. And it's more profitable to do security theater and require an App store. So it can be done, but you have to want to.


Kevin Schumacher

@Ben G

> Even ignoring that, why would companies not distribute an app for free through the regular App Store for free anyway, like they already do?

The scenario here is a company (like, oh IDK, Facebook, who has literally already been caught abusing the enterprise certificate program you mentioned) wants to distribute the app exactly how they want, without any of Apple's restrictions in place, such as using private APIs for nefarious purposes. And since people by and large don't seem to care enough about their privacy to stop using Facebook en masse, happily they roll along to download it directly from Facebook. Or it's the only way to keep in touch with XYZ important person in their life. Or whatever. Point being, they end up with a far more invasive version of Facebook on their device, either ignorantly willingly or because they feel they have to use it for some reason.

It does also make scenarios like the TeamViewer/screen-sharing scam that's currently very prevalent on PCs much easier.

Apple is of course going to the scorched earth version of this to try to protect their current way of doing business, but just because they're not being honest about their motives doesn't mean that some of the potential issues aren't real.

I don't disagree there are massive problems with the current App Store. I don't think unfettered sideloading or completely independent third-party stores is how it gets fixed safely.


@Kevin If Facebook really wants to do that, why isn’t it distributing its own Android app?


Kevin Schumacher

@Michael I don't know. I have found that very curious. I assume at least some portion of the codebase for their iOS and Android apps is shared, and maybe it would be too much work to do it for one but not the other. But if they could do it for both...

Then again it doesn't have to be Facebook. Insert any number of "legitimate" actors here that would like that chance.

Or bad actors, for that matter. Your post has a quote about scams being currently run using enterprise certificate distribution. Remove the enterprise certificate hoops and suddenly that scam is much, much simpler to get a target to do, as well as obviates some technical knowledge that the scammer needs to have.


"The App Store is too draconian! Also, it needs to be _more_ draconian like those other guys!"

That is the right take. Both of these statements are plainly true.

Also, I'm still salty that Yoot Saito's game was rejected for being "unpleasant," and yet Apple is now making billions in revenue with literal online casinos for underage children.

"I assume at least some portion of the codebase for their iOS and Android apps is shared"

So distributing its own app is so incredibly valuable for Facebook that they would definitely do it, except that a weird unsolvable technical limitation completely prevents them from doing it on Android?

"Remove the enterprise certificate hoops and suddenly that scam is much, much simpler to get a target to do"

This depends on how sideloading on iOS would actually work.

But it also brings up another question: assuming that you are correct, so what? Are you turning off sideloading on your Mac because that makes your Mac a little bit safer? Is the tradeoff worth it?

And what if you could give your kid an iPhone, and actually make it safer for your kid by turning off Apple's App Store, and replacing it with one that *actually* reviews the stuff it shows to your child?


Kevin Schumacher

>> "The App Store is too draconian! Also, it needs to be _more_ draconian like those other guys!"

> That is the right take. Both of these statements are plainly true.

Meanwhile none of those consoles have third-party app stores, commissions are the same if not higher, there is zero sideloading, they all have approved junk games that barely work (including Cyberpunk 2077, which both Microsoft and Sony signed off on and defended before finally realizing they were going to lose the PR war over a half-cooked turd, but also much lesser known shovelware and IAP scams), and they don't allow hardcore adult content.

What exactly is so "right" that Apple should be emulating from them, given everything else you're saying?

> So distributing its own app is so incredibly valuable for Facebook that they would definitely do it, except that a weird unsolvable technical limitation completely prevents them from doing it on Android?

That's actually completely unrelated to I said, but sure, straw man away.

> But it also brings up another question: assuming that you are correct, so what? Are you turning off sideloading on your Mac because that makes your Mac a little bit safer? Is the tradeoff worth it?

Speaking as someone whose elderly father fell for one of those scams (though luckily came out of it without losing any money), if I could make his computer as relatively safe as the iPhone I gave him, I would do it in a heartbeat.

We can sit here in our tech-savvy circles all day and discuss this like it's these little trade-offs that we know better than to have to worry about. That's not how 99% of people are. People are, to put it bluntly, stupid, or act stupid, or do stupid things, or some combination of the above. I include my father in that, in terms of doing something stupid.

I said previously there are massive problems with the current App Store that need to be fixed. I am all for fixing those problems as long as the solutions aren't worse than the problems they're "fixing." Turning an iPhone into the palm-sized equivalent of a desktop computer is not the answer.

> And what if you could give your kid an iPhone, and actually make it safer for your kid by turning off Apple's App Store, and replacing it with one that *actually* reviews the stuff it shows to your child?

I don't have kids for two reasons. One, I don't have the patience. But two, I think bringing more people into this godforsaken world is just cruel.

That said, that is something to talk about. That doesn't, however, require unfettered sideloading or a free-for-all with installing anything anytime anywhere. (Which is, for the record, what I was responding to a comment about.)


@Kevin I don’t know what the answer is, but leaving the structure the same and hoping that Apple is going to fix the problems for either users or developers is not a good strategy. We’ve had 13 years of that and seen that they either can’t or won’t. As far as I can tell, the alternatives are either much heavier government involvement or changing the structure to open up some competition. The latter seems more realistic and desirable. The multiple stores idea at least has the potential to address the issue that you raise about some people wanting different safety tradeoffs. No one seems to be suggesting unfettered sideloading. The assumption is that there would be some sort of Gatekeeper or notarization.


>I do think it’s a coherent argument. It’s akin to saying that there are usability tradeoffs for security, so if I’m going to pay those costs I want actual security, not security theater.

The thing is, I don't believe Tim is _actually_ advocating that 1) the App Store should continue to be the exclusive platform and 2) it should become more draconian, not less.

Therefore, I find the argument to be in bad faith. I'm also not convinced the game console model is a good fit for a smartphone platform (and even less so for iPads).

An "Apple TV+"-like boutique store of a curated selection of apps could be appealing, yes, but I don't find it practical for that to be exclusive content delivery mechanism.

>I don’t know what the answer is, but leaving the structure the same and hoping that Apple is going to fix the problems for either users or developers is not a good strategy.

Yup.


The App Store is how Apple gets its licensing fees.

So third party App Stores, IAP payment processing, and sideloading are really just implementation details with (IMO, fairly serious) safety and platform trade-offs.

But really, the real question is:
- is Apple is entitled to get paid for its intellectual property? Why and why not?
- And if so, is 30/15% too much? Why and why not?

How that licensing fee is collected is also really just an implantation detail.


@Fancyham

I believe you are incorrect.

As far as I can see, Apple is fully paid for its IP when a customer buys a device from them: the device comes with all that IP preinstalled on it. Since you are not required to buy any 3rd party software, and since a majority of people do not, the cost of the device is quite sufficient to cover all software development costs.

However, Apple goes on to claim that third party software "uses their IP", and therefore should pay an additional license fee. Yet it is they who require developers to use Apple's IP, for instance so that the UI experience seems consistent to users.

To my eyes, that is double dipping and an abuse of their monopoly.

Furthermore, Apple's "IP" often devalues 3rd party developers' knowledge. Few people could develop computer vision or AR software. Then Apple "commoditized that", and those skills matter suddenly no longer matter in the market. Many of us wish Apple would take their "IP", which is taken from fields they did not invent, and shove it up their proverbial backsides. It is noticeable how happy to embrace other people's ideas, but publish very few papers themselves that advance the state of the art.

Furthermore, Apple skims 30% of revenue, not profits. So Apple's cut increases the chance that the 3rd party software author does not recuperate his investment in the making the software. Apple makes money whether or not the 3rd party software developer goes bankrupt. Therefore it seems clear that in reality, Apple cares less whether developers disappear than whether they fill their own coffers. All their marketing about loving developers and depending on them for their success is actually worth nothing.

Furthermore, the App Store is structured so that "free" out competes paying software which has trained customers to expect something for nothing. This too reduces the chance that third party software providers can survive, since third party software is sold at derisory prices.

Net result: VC backed software that sells you something in the real world, or that monetizes your data, out competes software that is useful to users. Apple's choices thus reduce user choice, and diminish actual privacy, while all the while their marketing convinces people that they champion user rights. It's insane, and most people don't see through it. Of course, like every other tech company, they also spend tons on lobbyists to ensure that no legal sanction is levied against them, yet are happy to wield their patents against anyone that crosses them.

Of course, this is only my embittered opinion. However the net result is that I no longer develop 3rd party software on iOS and Macs. I'm no longer risking my own money or sanity on developing such apps. I'm not alone in this. For instance, Will Shipley, an icon of the indie movement, now simply works for Apple, instead of developing his own software. So does ex-Unsanity guru Rosyna. Jonathan Rentzsch, someone who knew MacOS pretty deeply, seems to have switched to web development. Aaron Hillegass is off learning ML. But there's nothing to see here, or worry about.


> The App Store is how Apple gets its licensing fees.

Please stop with this 10000% bogus argument.

It’s not true, because free apps exist and pay zero (and arguably many of them use more resources because Facebook, Uber, etc update their apps almost daily [requiring more frequent app review], have bloated app sizes, and are distributed to millions of users — who pays for all of that bandwidth?)

It’s also not true because the price a developer charges has no bearing whatsoever on how much IP/resources/whatever is being used. Just because someone charges $1 for an app, vs $30, does not mean the $1 app uses less of Apples whatever. Yet one dev pays $0.30, and the other pays $10? Why?


"Meanwhile none of those consoles have third-party app stores"

I'm not sure why people keep bringing this up. It's a complete non-sequitur in the context of this discussion, and it's a bad look in general. I'd love to have a third-party app store on my Switch, but my Switch is my Metroid machine that I turn on twice a week for an hour. It's a toy. Your argument is a bit like a farmer asking to be able to repair his tractor, and somebody yelling "meanwhile, your son's RC car doesn't come with schematics, either, why aren't you concerned about *that*!"

"That's actually completely unrelated to I said, but sure, straw man away."

I apologize, I did not intend to strawman you, I genuinely thought I understood your argument correctly. If I did not, then I do not know what your argument actually was.

"elderly father fell for one of those scams"

Nobody is saying that you shouldn't be able to turn off sideloading for your father's phone, but in fact, it might make more sense to install an App Store specifically aimed at people with his needs, and remove the regular Apple App Store, which isn't exactly scam-free.

"The thing is, I don't believe Tim is _actually_ advocating that 1) the App Store should continue to be the exclusive platform and 2) it should become more draconian, not less."

Yeah, I don't believe that's what he's saying, either. He's saying that there should be third-party App Stores, and he's saying that third-party App Stores would do a better job curating their content than Apple. The fact that people keep bringing up Cyberpunk as a counter-argument just proves his point: if Cyberpunk was the worst thing in Apple's App Store, we'd all be way better off than we are now.


@Ben Apple has more than 23 million developers paying $99 membership fees, even for free apps.


Right, every dev pays $99/yr. So what’s Apple’s justification for charging 30% of paid apps, other than the 2% credit card processing fee and maybe another 5% for the IAP development/infrastructure and tax withholdings/payment? 10% would be reasonable and defensible. I’ve never seen a sensible answer for what the other 20% is supposedly paying for.


Old Unix Geek

Oh, and I forgot. Developers also pay Apple for their apps to be found, because the App Store's search is so incredibly awesome.

https://nitter.ir/i/status/1449608262492459011

Obviously, from Apple's perspective, why would one want to fix things, when it's all going so well?



@Kevin Schumacher

While maybe not "hardcore" adult content, there's games filled with violence and mature themes. Have you never played Catherine? It's very sexual. If you fire up the web browser, you can find plenty of hardcore adult content. Also, Microsoft allows side loading in developer mode, so I'm not sure what would happen if someone enabled an "app store" as a sideload. I'd argue the Xbox today is far more open than any iOS device has ever been given I can sideload Retroarch and other emulators. As far as I know, you literally just flip a switch (digitally) to play your sideloaded content, then switch back to play your retail purchases.

As far as scams, there's tons of bad apps on the current iOS app store. Adware, gambling, games masquerading as gambling targeting kids specifically (maybe Chuck E Cheese should partner with Apple), etc. Similarly, my mom has owned Android phones for years and she's only downloaded a questionable app once. The kicker? It was through the Google Play app store (remember side loading is a core tenant of Android). She uses Linux as her daily driver on her laptop and she's never had a problem, so I'm not sure what to think about the safety argument.


MVG covers emulation on Xbox Series X/S is a good look at what an advanced mode could look like on iOS, if Apple cared to empower their users. Apple could simply take a page from Android, by enabling side loading and call it a day, but I think Apple might offer a middle ground option similar to Microsoft.

Now, sideloading on Android is not a panacea for every ill. For instance, if one were to run a non Google Play Android device and then tried to sideload an apk that depended on Google Play Services, the app would either fail to run or suffer from reduced functionality. On the flip side, say one were to buy a Fire HD 10 tablet when it goes on sale for $90-$100 and then add the four apks that enable Google Play Store functionality, the non Play device is suddenly 80% or so compatible with the Play Store. There will be some apps that need a newer version of Android, some might have higher minimum spec requirements, and some might need a device that is "certified).


@Old Unix Geek, @Ben G,

It’s Apple’s IP and it’s up to them how they choose to license it. They are certainly allowed to give it away in some instances and charge for it in others.

A concrete analogy is how supermarkets have deep sales on certain products (milk) that they lose money on (“loss leaders”) to get you in the door.

Also, an end user uses very different IP from a developer (compiler, IDE, frameworks, distribution, services, just to name a few examples)

You can look at the Epic lawsuit’s judgement to see how the judge recognized that the App Store’s 30% was a licensing fee collection regime. If there are third-party payments, then Apple has every right (in our current IP regime) to charge a licensing fee — it just gets much more complicated.


@Fancyham

To address some of your points, compilers used to cost $100-300. Now they are very hard to sell... Apple's apps also use those same frameworks, and distribution is not worth 30%.

I'm sure the Robber Barons also felt they could do whatever they wanted. They were wrong. Last year, there was a congressional report on Apple which concluded it behaves like a monopoly. South Korea also has told them to allow other payment methods. At some point the EU will probably fall on Apple like a ton of bricks. So, no, there are limits to the shenanigans companies can get up to.

But hey, I get it. People love Apple, even when what it does goes against their interests as users. Marketing is an amazing thing. And some of their technology actually is not bad. It's rather like Oblivia!

https://www.youtube.com/watch?v=Um7pMggPnug

Guess which "ride" most resembles the lot of the 3rd party developer in this video.


@Fancyham
Wait, wait, wait, which part is Apple IP? The privilege of publishing apps that Apple then takes a cut from after selling you a license for $100 year, selling expensive hardware to develop with, and still taking 30% of your revenue (not profit, revenue)? If Apple didn't have developers making software, so no banking apps, no Netflix, no Kindle, no games, how many devices do we think Apple would sell?

Before the iPhone, when did Apple mandate a cut over every app that is built for their platform? In fact, before the iPhone, which mobile OS platform worked that way? Sure, you could get carrier locked phones where the carrier stores and policies were mandated, but you could also buy the unlocked versions of said phone and sideload apps (sometimes carrier locked phones also allowed sideloading, it just depended on the device and the carrier). Mobile app development and deployment prior to the iPhone was a lot more like computers than game consoles. I remember installing apps on Palm OS, Blackberry OS, Symbian, Nokia S40, and even on more basic devices, and I certainly wasn't required to use the app store to do so.

I'm shocked people think general purpose computing devices should be sold and developed this way. Like actually, honestly, wholeheartedly confused why regular people, not Apple employees, not Apple shareholders, not Apple bloggers that make their money covering a single company, but actual people are constantly arguing against their own self interest.

Here's a compromise, why can't Apple keep their fantastic app store, hosting, and payment processing services in place, but then allow third parties as well? If Apple really offers best in class service, pricing, security, etc. then there is no risk for Apple. Honestly, you can see how much Google dominates Android even though they have the exact same deal in place. You can build an Android device, pay Google nothing, and add your own app store in lieu of Google Play. Or you can add third party apps and app stores to an existing Google Play enabled device and enjoy the best of both worlds. As I mentioned in a previous comment, even Xbox consoles of the last two generations offer developer mode. Apple can and should do better.


"It’s Apple’s IP and it’s up to them how they choose to license it."

But you used the idea that developers were paying licensing fees using the 30% cut as justification for the 30% cut. By your own logic, you're now admitting that this wasn't a very good justification, because the only reason for this is that "Apple chooses to do this." Well, people are unhappy with Apple's choice. Pointing out that Apple's choice is Apple's choice is tautological, and doesn't make anyone any less unhappy. In fact, it just proves that Apple could very easily make different choices.

You're really saying "Apple is justified in doing what they're doing because that's what they choose to be doing," as if the mere fact that Apple was doing something automatically made it justified.

It doesn't. Your argument is self-invalidating.



[…] Michael Tsai: Apple’s Threat Analysis of Sideloading […]

Leave a Comment