This isn't a free or safe choose-one scenario. As a platform owner Apple could offer a vetting service for known-safe popular applications, make those easy to install, and create a clear scare-screen when enabling installation from other sources, as well as management profile settings for disabling unvetted or 3rd party app installation altogether. Then the only education anyone needs is to not install unvetted apps.
As a bonus, they could make the app curation system extendable, so other groups could run vetting programs. By default your device would only have Apple as a trusted vetter, but as part of a management profile or something you could also trust apps vetted by some security research group, or Epic, or Valve, or whoever. That way security isn't all-or-nothing.
And of course, if anything slips through and your layman user OKs all the warnings and installs a malicious app, it's still operating in a sandbox, and can't do much more harm than clicking a shady link and ending up on a scam website can.
It is indeed a difficult problem. It's not just that users cannot be expected to be knowledgeable. They cannot know who to trust either. If you show them a warning that says "do not install this add-on unless you trust its publisher", what is a user supposed to do? There are thousands of add-on/app publishers with names that no one has ever heard of.
So I do understand Apple's approach. Unfortunately, Apple muddies the waters by mixing up security protections with their own business interests and the interests of authoritarian regimes. To a degree I fear this is unavoidable.
I think the best solution is to have that very restrictive app store that you can trust to vet things for you, but in addition to that they should permit side-loading for apps and content that you have to vet yourself or rely on a third party vetting system.
I care about security, but that doesn't preclude me from jailbreaking my iPhone and running dozens of tweaks that haven't been "vetted by professionals", along with sideloaded apps that haven't been through Apple's vetting process either.
My MacBook runs Homebrew which currently lists 84 packages installed plus their dependencies, very few of which will have been professionally vetted, and of the 127 apps in my /Applications folder only a third of them came from the Mac App Store, and I would estimate that a quarter of the others aren't even signed with a paid developer certificate.
I want the apps that I get from Apple directly to be safe. I want to know that when I put my faith in the App Store that I'm not lulling myself into a false sense of security. I want my parents and girlfriend, who are not technical people, to have that same sense of security without them having to learn entire programming languages to vet source code themselves.
The benefits of closed systems don't go away just because you say so.
> Web Distribution means Apple is handing over responsibilities previously handled by the Marketplace directly to the developer. Allowing developers to police themselves is obviously riskier.
Doesn't that depend on who the developer is? Certainly it isn't the case that no one exists who the user might trust at least as much as Apple.
> This is simply not true. Device owners are hopeless at maintaining the security of their devices.
"Device owners" includes substantially all people. Many of them are not hopeless and are entitled to make their own decisions. Some of them are even more qualified to do it than the people Apple has reviewing apps.
The hopeless people may be better off sticking to trusted stores, but they can do that without prohibiting others from doing otherwise.
> There are 2 tiers of "vetting services": 1. Marketplaces determine the appropriate content or type of apps allowed in their listings, 2. Apple determines if an app, developer, or marketplace is an outright threat, e.g. if an app turns out to be a scam, or if a bug in an app exposes an exploit, it is "strictly necessary" for Apple to be able to yank the app immediately.
That doesn't change the question. How is it "strictly necessary" for Apple to do that, rather than whoever the owner of the device chooses to do it? It would obviously be possible for a third party like Symantec, Malwarebytes or the makers of uBlock to do the same thing.
I think it's reasonable for Apple to make it difficult for shady third-parties to get you to install their malware-ridden app store, but I don't agree that the only way to keep users safe is to disallow any third-party app installs entirely.
Apple just currently has little incentive to do the former, because a) it's more difficult, b) they have a financial benefit to keeping everyone in their own app store.
Given that, it's naive to think that Apple's main motivation here is to protect users. Sure, that's a part of it (maybe even a big part!), but they could protect their users in other ways, but those other ways would likely hurt their bottom line.
And I think that is why people cry anti-trust all the time when it comes to this: in a perfect world where no one was motivated by profit (and consumer lock-in), we can imagine that Apple would find a way to open up the platform a bit more.
The main problem is that users can be tricked into doing it. Used to happen to my parents all the time on Android. They'd install random apps and the website will "guide" them how to install this app by going to settings and enabling "untrusted developers".
This is my issue with all these devs screaming at Apple. Your customers chose a product for whatever reason. Don't like it? I don't care - respect their choices. It speaks volumes to me how much they will respect me and my privacy when they want to optimise for their own profits instead of my XP and privacy.
The huge, HUGE advantage that the App Store brings to the average consumer is a feeling of safety. An app installed from the App store:
- Can be uninstalled easily, and leave no trace behind (remember "Register cleaners"?)
- Cannot interfere with other apps
- Cannot run in the background and spy on your surfing habits
- Cannot steal your credit card information and upload it to Russian mafia servers
For a long time, the standard geek response to these problems is "that's the user's problem -- they should be more careful about what they install". The response appears to be "fuck you, I don't want to waste my time worrying about whether this purple monkey screen saver will secretly empty my retirement account."
If you can find a way to make this "free and open" system also safe, then I think you'll have a winner.
Let me sketch a scenario for you. Your grandmother receives an email from a trustworthy-sounding man who asks her to follow these easy steps to get a free app. Granny taps "Allow third-party app stores" and then installs whatever garbage the fraudster is hoping she will install.
Multiply this by tens of thousands of vulnerable users and you have the makings of a significant problem that will cost society a lot of money and lead to much misery.
With the locked-down Apple app store, it's very difficult for granny to install malware even if the trustworthy-sounding man in her inbox is being "helpful". But as soon as you allow a switch of any kind, it will be exploited.
In a different way, you could argue that the Apple Appstore (and similar) are protecting general computer users from malicious software.
There hasn't previously been vetting of software, so novices would download malicious programs from websites unaware. Now Apple performs helpful quality assurance.
People who are precious about security never obtain apps that aren't generally approved and vetted by professionals anyway. Forcing this decision onto everybody is just going to push the people who want a free and open platform into places you don't want them. The benefits of openness don't go away just because Apple said so.
Indeed the feeling of safety from the app store is important. However I'd rephrase your last sentence as "If you can find a way to make the "free and open" system seem safe enough that average users believe it's safe then you have a winner".
The problem isn't that the vetted app store exists. It is that the vetted app store controlled by the device manufacturer is the only way you are allowed to install applications.
The problem is that most people cannot tell the difference between a scam and a legitimate app.
For example, my father wanted to watch some YouTube videos offline. He naively Googled "YouTube video download." The result was obvious: most of the links were scams. When you work on dev every day, your first option will be to search for open-source or a well-trusted source and distrust a scammy-looking website that promises you many things.
After that experience, I started to see the value of Apple's App Store.
Sadly, the chain of trust provided by the App Store is ruled by one company.
I wonder why the industry couldn't agree on a single standard or method to do different chain of trust checks. For example, if all email clients adopt a sender identity check (like GPG), then spam and phishing will be extremely easy to eliminate.
Suppose applications have a sort of group approval. In that case, the OS can warn you before trying to install or run a scammy app. (something like Apple's notarization + user vote, but without the control of a single entity).
Is that a bad idea? What will be the flaws?
Hmm then possibly Apple could simply allow consenting users to install software by means other than their highly-regulated appstore cash grab.
Every major consumer 'computer' in history has allowed this as far as I can tell. Yet for some reason now in the last few years it's unthinkable on specifically Apple devices. I'm sure it's merely a coincidence they make billions of dollars off of this overly draconian "security" framework.
Rubbish. It's about as much of a risk as letting a user do anything. Google even have a service that scans installed apks for known bad ones if you want to share everything you do with them. Apple could do something similar if they decided user choice wasn't evil and bad after all.
If you were designing an app store that provides apps that are safe for non-technical users, you would probably want to ensure:
- excellent curation where human reviewers can have deep knowledge of all of the apps that have been reviewed/published,
- clear provenance so you can be strongly confident of the source/supply of the applications in case of abuse or infra compromise (with a smaller problem blast radius for each app),
- alternative app stores so that end users are never beholden to your app store and they can get similar or the same apps from elsewhere if your policies or practices change for the worse.
Some of these help ensure that no third party can maliciously update an app at the behest of a criminal actor without also compromising the app developer, or that no third party can gather invasively detailed information and fingerprinting surface concerning the apps people use and have in case of dissent.
Apple don't seem to have any interest in doing any of this, so I can't understand how their solution would be better for less tech-savvy users.
The incentives for people to trick grandma and anyone else into downloading malware would outweigh any benefit.
Frankly, Google and Facebook would probably be the first to release their own App Store apps and then use their platforms to tell everyone how this was safe.
I do wish Apple gave people the ability to install outside apps like Android does, though. Treat it like Android and Windows do: give people a bunch of warnings (e.g. "this generally isn't safe", "don't do this unless you're actually sure you know what you're doing", etc.), force them to dig through some deeper menus to disable a default setting, and you'll prevent 95% of people who would otherwise ruin their devices with malware.
I can't imagine an open source app store on iOS like F-Droid being anything but beneficial to end-users. The only reason it doesn't exist is because Apple doesn't want to let it exist.
Well, it's down to who decides that an app is trustworthy. In the open source world, this is done through vetting by the community, whereas in Apple's case they can afford to hire people to do it. I agree that the community approach is likely to be better, but I don't think the Apple approach is inherently evil, just inefficient.
The stated goals of Apple for gatekeeping apps are practically the same as signing packages in the distros: To protect unwary users from installing malicious or broken applications. I think that's a worthy goal.