{"id":34887,"date":"2022-02-02T16:15:53","date_gmt":"2022-02-02T21:15:53","guid":{"rendered":"https:\/\/mjtsai.com\/blog\/?p=34887"},"modified":"2022-02-11T16:49:56","modified_gmt":"2022-02-11T21:49:56","slug":"schneier-on-sideloading","status":"publish","type":"post","link":"https:\/\/mjtsai.com\/blog\/2022\/02\/02\/schneier-on-sideloading\/","title":{"rendered":"Schneier on Sideloading"},"content":{"rendered":"<p><a href=\"https:\/\/www.schneier.com\/essays\/archives\/2022\/01\/letter-to-the-us-senate-judiciary-committee-on-app-stores.html\">Bruce Schneier<\/a> (<a href=\"https:\/\/www.schneier.com\/blog\/archives\/2022\/02\/me-on-app-store-monopolies-and-security.html\">post<\/a>):<\/p>\n<blockquote cite=\"https:\/\/www.schneier.com\/essays\/archives\/2022\/01\/letter-to-the-us-senate-judiciary-committee-on-app-stores.html\">\n<p>I would like to address some of the unfounded security concerns raised about these bills. It&rsquo;s simply not true that this legislation puts user privacy and security at risk. In fact, it&rsquo;s fairer to say that this legislation puts those companies&rsquo; extractive business-models at risk. Their claims about risks to privacy and security are both false and disingenuous, and motivated by their own self-interest and not the public interest. App store monopolies cannot protect users from every risk, and they frequently prevent the distribution of important tools that actually enhance security. Furthermore, the alleged risks of third-party app stores and &ldquo;side-loading&rdquo; apps pale in comparison to their benefits. 
These bills will encourage competition, prevent monopolist extortion, and guarantee users a new right to digital self-determination.<\/p>\n<\/blockquote>\n\n<p>Previously:<\/p>\n<ul>\n<li><a href=\"https:\/\/mjtsai.com\/blog\/2022\/02\/02\/epic-appeals-ruling-in-apple-lawsuit\/\">Epic Appeals Ruling in Apple Lawsuit<\/a><\/li>\n<li><a href=\"https:\/\/mjtsai.com\/blog\/2022\/01\/20\/american-innovation-and-choice-online-and-open-markets-acts\/\">&ldquo;American Innovation and Choice Online&rdquo; and &ldquo;Open Markets&rdquo; Acts<\/a><\/li>\n<li><a href=\"https:\/\/mjtsai.com\/blog\/2021\/11\/09\/federighi-and-cook-on-sideloading\/\">Federighi and Cook on Sideloading<\/a><\/li>\n<li><a href=\"https:\/\/mjtsai.com\/blog\/2021\/10\/15\/apples-threat-analysis-of-sideloading\/\">Apple&rsquo;s Threat Analysis of Sideloading<\/a><\/li>\n<li><a href=\"https:\/\/mjtsai.com\/blog\/2021\/06\/25\/apple-attacks-sideloading\/\">Apple Attacks Sideloading<\/a><\/li>\n<\/ul>\n\n<p id=\"schneier-on-sideloading-update-2022-02-08\">Update (2022-02-08): <a href=\"https:\/\/twitter.com\/_inside\/status\/1489930345910779913\">Guilherme Rambo<\/a>:<\/p>\n<blockquote cite=\"https:\/\/twitter.com\/_inside\/status\/1489930345910779913\">\n<p>Apple (and people who defend Apple no matter what) make it out as being a big deal that&rsquo;s going to completely destroy the security of the platform and harm a huge number of innocent users. The reality is way less exciting&#8230;<\/p>\n<p>[&#8230;]<\/p>\n<p>What about malware? Well, if a bad actor has a vulnerability, I bet they could slip it through App Review without any problems. App Review is not composed of infosec experts. They&rsquo;re there to ensure that Apple can make their money out of our apps, mostly<\/p>\n<p>What about private API? Again, private API is not a magical thing that gives an app every power it wants. 
Besides, many apps you know and love from the App Store are probably using private API in one way or another, that&rsquo;s just the reality of building for a complex platform<\/p>\n<p>[&#8230;]<\/p>\n<p>&ldquo;But then Facebook would force people to sideload so they could spy&rdquo;. It&rsquo;s not that simple. Facebook wouldn&rsquo;t be able to do whatever they want in the app (see above). There&rsquo;s also at least one instance that proves that people are not willing to do that (Fortnite on Android)<\/p>\n<p>[&#8230;]<\/p>\n<p>By putting so much effort into defending that the security of iOS depends on the App Store review process, Apple is basically saying that they&rsquo;re not competent enough to make a secure mobile operating system, and at the same time telling us that macOS is not secure.<\/p>\n<\/blockquote>\n\n<p><a href=\"https:\/\/twitter.com\/chockenberry\/status\/1490003896445464578\">Craig Hockenberry<\/a>:<\/p>\n<blockquote cite=\"https:\/\/twitter.com\/chockenberry\/status\/1490003896445464578\">\n<p>When is Apple going to pull its head out of its ass and form a bunco squad for App Review?<\/p>\n<p>Took about 30 seconds to identify this as phishing for Facebook credentials that&rsquo;s been active for over a week.<\/p>\n<\/blockquote>\n\n<p><a href=\"https:\/\/notes.kateva.org\/2022\/02\/we-need-non-apple-app-stores-because.html\">John Gordon<\/a> (<a href=\"https:\/\/twitter.com\/jgordonshare\/status\/1490035321077125126\">tweet<\/a>):<\/p>\n<blockquote cite=\"https:\/\/notes.kateva.org\/2022\/02\/we-need-non-apple-app-stores-because.html\"><p>The best reason I know of for competing App Stores is that Apple&rsquo;s App Store is trash.<\/p><p>Consider the case of the <a href=\"https:\/\/www.luni.app\">Luni<\/a> <a href=\"https:\/\/apps.apple.com\/us\/app\/scanner\/id1291962681\">Scanner App<\/a>; #85 in &ldquo;Business&rdquo; in the US App Store. 
<\/p><p>[&#8230;]<\/p><p>The VPN app has 22.9K ratings with an average of 4.7\/5 by people like &ldquo;yessirbruh&rdquo;. The &lsquo;most critical&rsquo; ratings (only accessible on iOS) make clear it is a scam with a clever subscription pattern that tricks users into paying a high weekly rate.<\/p><p>The Scanner App is the similar scam that bit my family. It has <i>174K ratings and 5 stars<\/i>. The vast majority are obviously purchased. The &ldquo;critical&rdquo; reviews mention unwitting subscriptions. A screenshot that appears on first launch shows how it works for the &ldquo;Free&rdquo; app with add-in purchases [&#8230;] This covers the entire screen. It appears that one cannot use the App without clicking Continue. In fact, if a user closed this screen the App can be used. Of course most naive users, including our family member, will click Continue so they can start their &ldquo;free trial&rdquo;. Except that&rsquo;s NOT what Continue does. Within 3 days charges will start. In our case, not $10 a month, but $5 a week.<\/p><p>The family member has some reading and processing issues, and a trusting nature, that made him particularly vulnerable to a scam. He thought &ldquo;5 stars&rdquo; actually meant something. It didn&rsquo;t occur to him that Apple would allow fake reviews; he trusted Apple.<\/p><\/blockquote>\n\n<p><a href=\"https:\/\/twitter.com\/chrishannah\/status\/1490080456188080134\">Chris Hannah<\/a>:<\/p>\n<blockquote cite=\"https:\/\/twitter.com\/chrishannah\/status\/1490080456188080134\">\n<p>When I think about buying software from a user&rsquo;s perspective, it seems a lot clearer.<\/p>\n<p>Let&rsquo;s say you pay &pound;1000 for a mobile computer from a company. Then a separate company spends time to develop software for said device.<\/p>\n<p>Why can&rsquo;t I, as a user, buy that software directly from the developer?<\/p>\n<p>From a developer&rsquo;s perspective, my business is with the user, not with the manufacturer. 
\nAnd from a user&rsquo;s perspective, my business is with the developer, also not with the manufacturer.<\/p>\n<p>To be more specific, I don&rsquo;t have any issue with the App Store existing, and I wouldn&rsquo;t also mind an option where developers can sell notarised\/sandboxed software outside of the store. But&#8230;<\/p>\n<p>I think there also needs to be a way where you can buy software without Apple being involved at all. Surely after paying &pound;1000 for a phone, I have earned the privilege of installing software on it?\nOr do I not actually own my phone?<\/p>\n<p>Also, why does the manufacturer need to know what software I have installed on my devices? I thought Apple loved privacy?<\/p>\n<\/blockquote>\n\n<p><a href=\"https:\/\/twitter.com\/EggFreckles\/status\/1490143712978030597\">Tom Brand<\/a>:<\/p>\n<blockquote cite=\"https:\/\/twitter.com\/EggFreckles\/status\/1490143712978030597\">\n<p>You wouldn&rsquo;t tolerate App Store Only on your Mac\/PC. Why should your mobile phone be any different?<\/p>\n<\/blockquote>\n\n<p><a href=\"https:\/\/www.eff.org\/deeplinks\/2022\/02\/eff-appeals-apples-monopoly-doesnt-make-users-safer\">EFF<\/a>:<\/p>\n<blockquote cite=\"https:\/\/www.eff.org\/deeplinks\/2022\/02\/eff-appeals-apples-monopoly-doesnt-make-users-safer\">\n<p>The decision incorrectly presumed that, if customers are aware of the restrictions when purchasing a device, then competition in that market is sufficient to rein in Apple&rsquo;s anticompetitive conduct and users are not locked into the App Store.<\/p>\n<p>[&#8230;]<\/p>\n<p>We also urged the court not to buy Apple&rsquo;s arguments that it needs to keep control over app distribution to protect users&rsquo; security and privacy. 
Despite Apple&rsquo;s claim that only its paternalistic approach to security and privacy can protect users, Apple bans apps and features that would serve a wider range of those needs, like VPN apps for international travelers and apps that tell the user if their device has been jailbroken. More broadly, our antitrust laws are based on the principle that competition is the best way to create better, safer products, so Apple&rsquo;s argument that more competition would be harmful to users shouldn&rsquo;t fly with the court.<\/p>\n<\/blockquote>\n\n<p><a href=\"https:\/\/take.surf\/2022\/02\/04\/exclusive-leaked-draft-of-contingency-sideloading-guidelines\">Jesper<\/a>:<\/p>\n<blockquote cite=\"https:\/\/take.surf\/2022\/02\/04\/exclusive-leaked-draft-of-contingency-sideloading-guidelines\">\n<p>Take can today reveal a partial draft of developer guidelines aimed at qualifying applications distributed via sideloading, designed as a contingency plan if events force Apple to open up application distribution.<\/p>\n<\/blockquote>\n\n<p>Previously:<\/p>\n<ul>\n<li><a href=\"https:\/\/mjtsai.com\/blog\/2022\/02\/07\/the-danger-of-sideloading-chromium\/\">The Danger of Sideloading Chromium<\/a><\/li>\n<\/ul>\n\n<p id=\"schneier-on-sideloading-update-2022-02-11\">Update (2022-02-11): <a href=\"https:\/\/numericcitizen.me\/2022\/02\/09\/on-sideloading-on-iphone-its-ok-im-changing-my-mind\/\">JF Martin<\/a> (<a href=\"https:\/\/twitter.com\/apple_observer\/status\/1491456924646359041\">tweet<\/a>, <a href=\"https:\/\/news.ycombinator.com\/item?id=30276657\">Hacker News<\/a>):<\/p>\n<blockquote cite=\"https:\/\/numericcitizen.me\/2022\/02\/09\/on-sideloading-on-iphone-its-ok-im-changing-my-mind\/\"><p>I&rsquo;m changing my mind on the sideloading of apps on the iPhone. I&rsquo;m all in, and it is all Apple&rsquo;s fault. 
I&rsquo;m the one who wrote, &ldquo;<a href=\"https:\/\/numericcitizen.me\/2021\/06\/05\/a-message-to-apple-developers-we-dont-need-another-android-platform\/\">A Message to Apple Developers: We Don&rsquo;t Need Another Android Platform<\/a>&rdquo;. And yet, I&rsquo;m changing my mind. In a perfect world, I wouldn&rsquo;t want sideloading, but we&rsquo;re not in a perfect world. Apple isn&rsquo;t perfect. The App Store isn&rsquo;t perfect. Developers aren&rsquo;t perfect. The App Store review team isn&rsquo;t perfect. Everything isn&rsquo;t perfect. <\/p><p>If the App Store was scam-free, entirely free of copycats, I would trust Apple&rsquo;s review team in its abilities. It&rsquo;s not the case. Apple can&rsquo;t honestly defend the App Store as being a secure place. It is not. The App Store today is full of crap. Sideloading has nothing to do with this fact. <\/p><p>In a world where sideloading is possible, I expect a proliferation of &ldquo;curated&rdquo; App Stores. Those stores won&rsquo;t be perfect, either. They will probably be full of highly questionable applications. Horror stories involving scams will be inevitable. The world isn&rsquo;t perfect. But it is not the issue at play here. <\/p><\/blockquote>","protected":false},"excerpt":{"rendered":"<p>Bruce Schneier (post): I would like to address some of the unfounded security concerns raised about these bills. It&rsquo;s simply not true that this legislation puts user privacy and security at risk. In fact, it&rsquo;s fairer to say that this legislation puts those companies&rsquo; extractive business-models at risk. 
Their claims about risks to privacy and [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"apple_news_api_created_at":"2022-02-02T21:15:56Z","apple_news_api_id":"67d64b11-9adb-4005-9c6a-03e24217d52f","apple_news_api_modified_at":"2022-02-11T21:50:00Z","apple_news_api_revision":"AAAAAAAAAAAAAAAAAAAAAw==","apple_news_api_share_url":"https:\/\/apple.news\/AZ9ZLEZrbQAWcagPiQhfVLw","apple_news_coverimage":0,"apple_news_coverimage_caption":"","apple_news_is_hidden":false,"apple_news_is_paid":false,"apple_news_is_preview":false,"apple_news_is_sponsored":false,"apple_news_maturity_rating":"","apple_news_metadata":"\"\"","apple_news_pullquote":"","apple_news_pullquote_position":"","apple_news_slug":"","apple_news_sections":"\"\"","apple_news_suppress_video_url":false,"apple_news_use_image_component":false,"footnotes":""},"categories":[2],"tags":[2085,91,2036,31,2078,209,355,48,2132],"class_list":["post-34887","post","type-post","status-publish","format-standard","hentry","category-technology","tag-antitrust","tag-appstore","tag-app-store-scams","tag-ios","tag-ios-15","tag-legal","tag-privacy","tag-security","tag-sideloading"],"apple_news_notices":[],"_links":{"self":[{"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/posts\/34887","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/comments?post=34887"}],"version-history":[{"count":4,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/posts\/34887\/revisions"}],"predecessor-version":[{"id":34994,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/posts\/34887\/revisions\/34994"}],"wp:attachment
":[{"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/media?parent=34887"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/categories?post=34887"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/tags?post=34887"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}