{"id":35548,"date":"2022-04-12T16:08:43","date_gmt":"2022-04-12T20:08:43","guid":{"rendered":"https:\/\/mjtsai.com\/blog\/?p=35548"},"modified":"2022-04-13T19:43:47","modified_gmt":"2022-04-13T23:43:47","slug":"tim-cook-attacks-sideloading-in-privacy-keynote","status":"publish","type":"post","link":"https:\/\/mjtsai.com\/blog\/2022\/04\/12\/tim-cook-attacks-sideloading-in-privacy-keynote\/","title":{"rendered":"Tim Cook Attacks Sideloading in Privacy Keynote"},"content":{"rendered":"

Joe Rossignol<\/a>:<\/p>\n

Apple CEO Tim Cook today delivered the keynote speech at the Global Privacy Summit in Washington D.C. The conference, hosted by the International Association of Privacy Professionals, is focused on international privacy and data protection.<\/p>

[…]<\/p>

“Here in Washington and elsewhere, policymakers are taking steps in the name of competition that would force Apple to let apps onto iPhone that circumvent the App Store through a process called sideloading,” said Cook. “That means data-hungry companies would be able to avoid our privacy rules and once again track our users against their will. It would also potentially give bad actors a way around the comprehensive security protections we have put in place, putting them in direct contact with our users.”<\/p>

[…]<\/p>

“If we are forced to let unvetted apps onto iPhone, the unintended consequences will be profound,” warned Cook. “And when we see that, we feel an obligation to speak up and to ask policymakers to work with us to advance goals that I truly believe we share, without undermining privacy in the process.”<\/p><\/blockquote>\n\n

Rich Mogull<\/a>:<\/p>\n

Apple largely has itself to blame. Apple didn’t create a walled garden marketplace merely to ensure consumer safety; it also did so to own the billing model and financial transactions, and thus the customer relationship. Until a week ago, a developer wasn’t even allowed to link to or mention their website for prospects to sign up for subscriptions. For over 13 years, Apple refused to budge to pressure from developers, forcing them to turn to the courts and legislatures.<\/p>\n

Let’s distill this down to understand why the App Store is so important for security, how opening iOS up to alternative app stores or sideloading will reduce our safety, and why this now seems inevitable.<\/p><\/blockquote>\n\n

Peter N. Lewis<\/a>:<\/p>\n

\n

Of the entire chain of security listed in the article, the only one that is omitted in sideloading is the app store review.<\/p>\n

Everything automatic in the App Store review can be done before notarising the app as well.<\/p>\n

So the only thing extra is some Apple Employee launching your app and verifying that for the first few minutes that the application vaguely does what it says it does. But nothing stops the application from waiting until next month (or any other signal) and changing its behaviour entirely. So the app review [serves] no security purpose - its purpose is purely to disallow honest developers from breaking Apple’s (often unwritten) rules in how they behave. App Review is entirely to control applications for Apple’s benefit.<\/p>\n

There is no additional security in App Review, and therefore no loss of security in sideloading.<\/p>\n

Meanwhile there are whole categories of applications that will never be written while Apple has absolute control over what applications can be distributed. This is a huge, unknown, loss to all iPhones users, one that is impossible to quantify.<\/p>\n<\/blockquote>\n\n

Ken Harris<\/a>:<\/p>\n

What it’s called now → What we called it for the 50 years before that:<\/p>