Tuesday, April 12, 2022

Tim Cook Attacks Sideloading in Privacy Keynote

Joe Rossignol:

Apple CEO Tim Cook today delivered the keynote speech at the Global Privacy Summit in Washington D.C. The conference, hosted by the International Association of Privacy Professionals, is focused on international privacy and data protection.

[…]

“Here in Washington and elsewhere, policymakers are taking steps in the name of competition that would force Apple to let apps onto iPhone that circumvent the App Store through a process called sideloading,” said Cook. “That means data-hungry companies would be able to avoid our privacy rules and once again track our users against their will. It would also potentially give bad actors a way around the comprehensive security protections we have put in place, putting them in direct contact with our users.”

[…]

“If we are forced to let unvetted apps onto iPhone, the unintended consequences will be profound,” warned Cook. “And when we see that, we feel an obligation to speak up and to ask policymakers to work with us to advance goals that I truly believe we share, without undermining privacy in the process.”

Rich Mogull:

Apple largely has itself to blame. Apple didn’t create a walled garden marketplace merely to ensure consumer safety; it also did so to own the billing model and financial transactions, and thus the customer relationship. Until a week ago, a developer wasn’t even allowed to link to or mention their website for prospects to sign up for subscriptions. For over 13 years, Apple refused to budge to pressure from developers, forcing them to turn to the courts and legislatures.

Let’s distill this down to understand why the App Store is so important for security, how opening iOS up to alternative app stores or sideloading will reduce our safety, and why this now seems inevitable.

Peter N. Lewis:

Of the entire chain of security listed in the article, the only one that is omitted in sideloading is the app store review.

Everything automatic in the App Store review can be done before notarising the app as well.

So the only thing extra is some Apple Employee launching your app and verifying that for the first few minutes that the application vaguely does what it says it does. But nothing stops the application from waiting until next month (or any other signal) and changing its behaviour entirely. So the app review [serves] no security purpose - its purpose is purely to disallow honest developers from breaking Apple’s (often unwritten) rules in how they behave. App Review is entirely to control applications for Apple’s benefit.

There is no additional security in App Review, and therefore no loss of security in sideloading.

Meanwhile there are whole categories of applications that will never be written while Apple has absolute control over what applications can be distributed. This is a huge, unknown, loss to all iPhone users, one that is impossible to quantify.

Ken Harris:

What it’s called now → What we called it for the 50 years before that:

  • “side-loading” → loading
  • “third-party software” → software
  • “app store” → store

Matt Stoller:

Apple’s app store is so full of scams and garbage, and the firm is so inattentive, that one dude on Twitter - @keleftheriou - is constantly embarrassing Apple by showing their claims of protecting users are essentially fraudulent.

Steve Troughton-Smith:

It is incredibly frustrating that Apple has made sideloading a zero sum issue, because they’re pushing regulators to legislate harder than was ever necessary by telling them it’s the only option to curb Apple’s behavior

Michael Love:

25 years ago, Microsoft violated all sorts of laws and lost a decade of innovation in a desperate attempt to stop people from writing apps for Netscape instead of Win32.

Apple is about to let that happen to iOS because they insisted on getting a 30% cut of everyone’s Bag O Gems.

Update (2022-04-13): Mike Rockwell:

Would allowing users to install apps from outside the App Store really hurt user privacy? Because right now, Apple knows every single app I have ever installed on every iOS device I’ve ever owned. It would be cool if I could keep that private.

Mike Rockwell:

If Apple cares so much about privacy, why can’t I backup my iPhone to a Time Machine share on my network?

Old Unix Geek

Peter's point is key: app review presumes good faith to claim good faith. It's fundamentally verificationist. The failures of verificationism are well known, which is why Science only admits falsifiable claims that haven't been falsified. Propagating the idea that "app review" prevents evil actors is dishonest.

They're fine with providing stalker hardware but sideloading apps is where they draw the line.

It is unfortunate how poor the alternatives are.

Peter's point is valid: All of those things *can* be done by a third party that wants to publish an app. That doesn't mean that they'll all do it though. Having "the rules" doesn't keep all the bad guys from being bad, but it's at least a deterrent.

"That doesn't mean that they'll all do it though"

Apple already doesn't do anything, so that's no loss. We can only win by having sideloading: at worst, it isn't worse than what Apple does now, and at best, it's so much better than what Apple does now.

For many users it is not a problem that there are no alternatives for loading apps.
The main problem is the App Store review process and policies.
The policies are too restrictive and the process is too inconsistent and cumbersome.

Way too many legitimate apps with totally reasonable features cannot be available because policies do not allow them. Yet the store is full of counterfeits, badly made shameless copycats and scams. That should be the other way around. And it's not the technical limitations, it's the management decisions inside Apple that keep that flipped.

Allowing side-loading will help to partially solve it, but it will create all the risks and problems that Apple is talking about too.

I think it depends a lot on what "sideloading" means in practice. Does it mean macOS Gatekeeper's "allow apps downloaded from identified developers" radio button? Does it still mandate sandboxing (I imagine quite a few are hoping for an option to disable that)? Will there be protection against the scenario where users feel compelled to install creepy apps because they have no alternative?

It's not really accurate to say that "Apple already doesn't do anything". They may not do *enough* in some cases, and some would argue that they do *too much* in some cases.

It also feels a little strange to be complaining about App Store policies now, at least in some sense. When the iPhone came out, everyone said "Yay!", and then when the App Store came out, everyone again said "Yay!", even though Apple said "these are the rules for developers". Now that it's well established, everyone wants to change the rules. That's all fine, and it's OK to ask for change, but should it be *required* for Apple to change something that they built? This is not to say that Apple shouldn't be held accountable for uniformly applying/enforcing the rules.

And I still think that most *users* don't care at all about any of this.

@DJ Not everyone. Some of us predicted how this was going to turn out from the beginning.

Yes, because they are abusing a natural duopoly.

Most users don’t understand how the system actually works (either the business or security side) and have no way of knowing what apps/features they’re potentially missing. Apple’s propaganda campaign has been successful. So of course they don’t care.

Sure, there were some who may have predicted how it would play out, or wished from the start that it was different. No one *likes* having to give up 30% of their revenue for "overhead" or CODB. But they all still wanted in.

@DJ I maintain that in most cases the 30% is really not the biggest problem. And, for a long time, because of the duopoly, it hasn’t really been a question of whether you want in. You don’t have much of a choice.

Old Unix Geek

@DJ, yes we wanted to program that pocket computer we bought. Big surprise. It wasn't the first such device (Sharp's Zaurus was similar but it had no keyboard). So we hacked it. Before there even was an AppStore, there was Cydia. And it did what we wanted.

Only then, did Apple open it up to the normies, and when they did it, Steve Jobs said the 30% would only be to cover the cost of running the store. Fair enough. Then Apple spent a lot of time plugging the holes that let Cydia work, and making the AppStore into an enormous revenue center.

If anyone changed the deal, then, it is Apple. The explanations of "security" for users don't pass muster. They are just security theater. What may once have been a reasonable thing, is now a monopoly, in my opinion. IIRC, the Congressional report on monopoly in Tech a year or two ago came to the same conclusion.

But what has changed? The 30% charge is still there, presumably to run the store (infrastructure like that has a real cost). Should you tear down the fence around your pool, just because some of your neighbors want to sneak in?

@DJ In the beginning, a lot of people were inclined to give the benefit of the doubt because this was all new. What has changed is that the platform has become ubiquitous and essential, more like a utility, so different rules apply; from the number of $99/year developer fees, the 30% may not even be necessary at all to run the store; we have seen that race-to-the-bottom-no-upgrades-but-make-up-for-it-with-growth doesn’t actually work; Apple has added new restrictions on non-IAP purchases and new prohibitions on app types and business models; and it has become clear with time that Apple is never going to fix the other problems.

Plenty has changed, but here’s one: When the App Store opened, free apps couldn’t support in-app purchases. That system, in place now, is the system that makes it possible for so many scammy, trashy “free” apps to attempt to rip users off with overpriced subscriptions and poorly-communicated IAP policies. So much of people's aggravation with the safety and quality of the App Store comes from that change.

But what else has changed? How about our knowledge of what helps and harms software developers. We know the lack of upgrade paths has been extremely detrimental to legitimate developers of good software, who then have to resort to subscriptions that nobody likes. We know this system hasn’t worked out; the anecdotal evidence is everywhere. Yet Apple still won’t institute an upgrade path that indie developers could do themselves 25 years ago.

@DJ the biggest thing that's changed is how absolutely central phones are to everyone's lives. The impact of the App Store rules in a world where it was new and no one depended on it (2008) vs. a world where it's a gatekeeper to many services that have no choice but to pass through it (today) is very different.

Also, as mentioned above, Apple has changed many of their App Store policies over the years.

Ghost Quartz

Apple is stretching their arguments to the point of absurdity. The more they dig in their heels the more transparently obvious it is that they’re simply unwilling to give up their services revenue. I am cautiously optimistic that their stubbornness will ultimately backfire, to everyone else’s benefit.

The thing is, I don’t think they’re even wrong about the potential for users to be coerced or tricked into installing malicious apps that Apple cannot block or revoke (eg Facebook’s Onavo VPN). But they have zero incentive to design technical safeguards to account for these possibilities on an open platform, which I suppose is why the government must step in. It’s fine if they don’t want to distribute HKmap Live, or vaping apps, or 18+ videogames. But don’t restrict what software I’m allowed to run on what is ostensibly a “computer” while claiming that such an arrangement is for my own good. It’s insulting.

"It's not really accurate to say that "Apple already doesn't do anything"."

You're right, I should have been more precise, when I said that Apple didn't do anything, I gave them way too much credit. What they're doing is actively harmful, because they regularly punish good devs and reward scams, so we'd be much better off if they just did nothing.

"When the iPhone came out, everyone said "Yay!", and then when the App Store came out, everyone again said "Yay!"

So now when we all get abused by Apple, we should again say "Yay"?

> and then when the App Store came out, everyone again said "Yay!"

I don't think that's a fair portrayal. Concerns about Apple inserting themselves as the arbiter basically arose on day one. Jailbreak-based app development already existed, and at the time (iPhoneOS 2.0), there were major things iOS flat-out could not do that were perfectly possible for third parties to add. SBSettings instead of Control Center (which didn't arrive until 7.0), for example.

"Concerns about Apple inserting themselves as the arbiter basically arose on day one."

Yep. Michael's "rejection" tag has entries all the way back to 2009.

Nice pool! I'm just gonna insert these heating elements so I can boil some shrimp, mmkay?

First and foremost, the core functionality of the iPhone needs to work. Phone, Mail, Messages, Safari, Camera, Photos, App Store, Settings, etc. should not break and should always work, no matter what. I'm okay with any barriers, rules, policies, sandboxes, etc. that protect those core functions. Not sure what to do to fix the App Store, but it needs some work. I don't think third-party app stores are the answer though.

@DJ I don’t see people suggesting anything that would affect the core functionality. (And, frankly, I’m having a lot of reliability problems with it at present due to Apple bugs.)

No one is suggesting that they want to break anything, but I've seen people suggest that they would like to be able to remove and replace core apps (e.g., "if I want to use Outlook for email, I should be able to remove Mail"). People also lament the sandbox, but what are the chances of something breaking outside of that restriction, intentionally or not?

@DJ Replacing Mail in the sense of putting some other icon on the home screen and making mailto links open in Outlook by default has nothing to do with breaking or removing the Mail part of the system. The sandbox already has lots of bugs that are being exploited to break out, without even installing an app. A sideloaded app running in the sandbox is not more dangerous than an App Store app running in that same sandbox.

A better solution, though, is to fix the sandbox, not take it out. Make that bulletproof, and many of the on-device technical/security problems would improve.

I would still rather see a single, Apple-run App Store and payment system, both personally and for the large organization I work for. It's just cleaner all around.

@DJ I don’t think anyone is saying they shouldn’t fix the sandbox. A single system that works well is a nice idea in theory, but if anything we are farther away from that now than ever. Without any competition, the incentives and structures that could lead that to happen just aren’t there. And, in fact, the natural hypothesis for why Apple isn’t cracking down on obvious abuses, even after they are pointed out, is that they are making somebody’s revenue number go up.

@DJ
I would be curious as to your experience with computing prior to the iPhone release. Was the iPhone your first cell phone? Or at least smart phone?

As a pre-iPhone cellular/mobile device user, I can tell you I did not particularly care for the app store, even if I accepted its limitations, assuming it ensured an easy to use, safe app download environment. I kind of view it as a repository, similar to what I used on my Linux boxes. However the limitations were clear from the start: if Apple got a bug up their ass about your app, it would be pretty much impossible to ship it for users. That problem has been around since within the first couple years of the iOS app store's existence. Also, remember when Apple started blocking competitor book and media apps from allowing linking out to purchase content when the iPad and iBooks ebook service shipped in 2010? That showed what Apple planned for the future pretty clearly. After all, Apple isn't paying themselves a 30% cut for every eBook sold… and now the apps could not avoid the fee by linking customers out to their web portals. Either they paid Apple or they simply couldn't sell anything on the platform, not easily anyway. Either way, Apple benefits.

Apple promised a lot when the iPhone came out, how it would revolutionize mobile computing, but it really isn't much of a computer system today and the damn thing didn't even support third party apps at launch anyway… I just don't get it. I remember chafing when carrier locked phones, pre-iPhone, required carrier control of downloading apps, media, and being forced to use their billing network, which was one of the reasons not to use a carrier branded phone. Now we have millions of people who basically sidegraded into another walled garden that honestly has not improved much in the intervening 14 years.

I think building a safe system is totally a good idea. Mitigating how much damage a rogue app can do makes sense to me. No one is really arguing against a well designed operating system; they are instead chafing at the limitations of the current system when it comes to app distribution and app development itself. Is it not crazy iOS still can't self host? Why can't iOS be used to truly develop software, compile its own kernel, etc.? Seems crazy to me honestly. Like seriously, imagine if you still needed a Lisa to write Mac software in 1999!!!! Everything is so backwards today.

To recap:
Sane defaults, good!
Secure Operating System, good!
Easy app distribution and updating, good!
A good default payment option, good!
Forcing one to only use specific mechanism no matter how many times the platform owner has let us down or destroyed innovation, bad!

@Nathan That takes me back to my memories of the original Palm Pilot—before it was a phone, too. There was a thriving ecosystem of third-party software, despite not having a centralized store.

My "experience with computing" started with PDP-11 (RSTS/E) and then VAX (VMS and Unix) systems, where connectivity was a serial line running directly to the system for every dumb terminal. Every system came with a wall of printed documentation, in 3-ring binders for easy updates, and there was no Internet. I later built pretty sizable services around a couple of racks of Xserves and XSAN, including a large Podcast Producer service with over 100 distributed Mac Minis recording hundreds of classes a week.

I've had various cell phones as they came along, including a Motorola StarTAC, which was pretty cool at the time. I played around with Palm and Newton devices, but the iPhone was my first smart phone. I still have the original model around here somewhere.

So I'm really strong on infrastructure, including developing cost models for justifying it, and I know my way around end-user devices (specs, operations, deployment, support), but I only dabble in development. Most people don't even do that. They're not very technical at all, and they're going to be better off with as much protection as we can give them while still making it possible for them to do what they want to do.

@Ken Harris has it freaking right man! We let the platform owners redefine terms to fit their narrative of computing to our own detriment. We should be more vigilant about such things. Normal users didn't fail us, the tech cognoscenti failed the users. We were so eager to rush forward with the new shiny, we were not diligent stewards to the future of computing. I cop to being the problem as much as anyone.

@Michael Love is also someone worth listening to; he's only been selling mobile software since before the iPod was even a thing (circa 2000). He understands the ins and outs of the various mobile platforms that have arisen and fallen in the last two decades pretty darn well.

@DJ That's really interesting. I'm surprised someone who cut their teeth with such flexible systems would be happy with such terribly simple products (that are of course not simple at all, have many "black box" failures, and are hideously expensive to boot). Protections are good, but you would admit the app stores are rife with terrible apps ranging from bad software, to scams, to very close to straight malware.

My mom has had zero problems with her Linux PC I configured for her when it comes to security and safety, but when it comes to smart phones, she was very likely to just download whatever app pops up first in the app store, whether it be sponsored or not, whether it be good or not, whether it be safe or not. I think the "app store" model has actually given her a false sense of security because she assumes it is populated with good actors while the truth is neither the platform owners (Apple, Google, Amazon, etc) nor the software developers have proven that level of trust. If we all like walled gardens for security why don't we simply revert back to the carrier backed walled gardens for our mobile phones? Can't get much simpler, right? I think iOS users would be really unhappy if all their content came from T-Mobile, Verizon, AT&T (North American carriers) and rightfully so.

I actually have more faith in people and I think it is our responsibility as unofficial gatekeepers of technology to explain important core concepts to others. Free of marketing, free of platform vendors' desire for lock-in. Lock-in is not safer, it's just a heck of a lot more restrictive and often more expensive.