Comment by mirzap
2 years ago
Is Macbook less secure because I can install whatever app I want, even my own app? No, it's not. I want to be able to do the same with my iPhone. It's as simple as that.
2 years ago
Is Macbook less secure because I can install whatever app I want, even my own app? No, it's not. I want to be able to do the same with my iPhone. It's as simple as that.
Well, yes, it is less secure. Though Apple has been adding more restrictions around apps having full disk access and stuff.
And yet no one would ever want or think of locking down MacOS like they have locked down iOS. Turns out that grown ups don't need Apple to babysit them for additional "security" when everybody knows that Apple's real reason is just money+greed and the "security" talking point is just a convenient smokescreen.
>And yet no one would ever want or think of locking down MacOS like they have locked down iOS.
https://www.qubes-os.org/intro/, snapd and BSD jails are all forms of locking down a general computer OS ways similar to the way iOS is locked down, and things that individual users choose to do on their own computers. Sure those users can install anything else they want as well, but then there's also a reason why these things are niche, even within the nice of *nix users. Because the administration and management is a headache and people don't generally want to do that.
>Turns out that grown ups don't need Apple to babysit them for additional "security"
I think you have an over estimation of the average "grown ups" ability to judge the safety and security of their computer or the software they run on it. There are plenty of people out there who do not want or need to understand system security and administration and are much better served by having someone else manage that for them. There's a reason why Windows and MacOS are still more popular than Linux, and there's a reason why in the Linux world, Red Hat, CentOS, Debian and Ubuntu are more popular than Arch. People only have a limited amount of time and energy to dedicate to things and not everyone wants to dedicate theirs to our shared hobby.
7 replies →
I wouldn't want it, but I can see both Apple and heads of a lot of IT departments loving the concept of a locked-down MacOS.
4 replies →
I don’t carry my MacBook around with me everywhere I go, though, so it’s different.
1 reply →
This is basically what an iPad with a keyboard attachment is, and iPads sell very well.
3 replies →
> And yet no one would ever want or think of locking down MacOS like they have locked down iOS.
https://en.wikipedia.org/wiki/Security-Enhanced_Linux
the delightful irony is you’re literally so wrong they put it right in the name. Security Enhanced.
The military knows damn well that limiting unprivileged users to running a limited selection of vetted and approved apps and restricting their ability to make tools that might aid their ability to jump the sandbox increases security. They literally built the canonical OS extension to do it. It’s not sufficient for security by itself, but it does additively increase security vs a non-policy-enforced environment with higher freedom.
It is, however, necessary for security. Literally every enterprise sysadmin, every single one, windows or Linux or otherwise, knows that letting users set policies on their own devices decreases security. And in the real world, those policies/access control are either: (a) mandatory, or (b) ineffective. If you allow a mechanism for users to opt out - they will opt out 100% of the time, and it’s ineffective. There is no middle ground, if there is a way to go around then users will do it, it's either a matter of policy or it functionally doesn't exist.
Facebook et al will certainly exploit their network power to push users to do that, just like any other attacker. No different than Chinese agents going after a debt-laden private. They literally already got caught using their dev credentials trying to pull a sneaky and tunnel users data via a VPN for data mining purposes.
https://arstechnica.com/gadgets/2019/01/facebook-and-google-...
But I’m sure you know infosec better than the NSA. This is HN after all.
And again - such escape valves already exist. You can sideload apps on an iphone without paying any extra money. Altstore/Appstore++ exist to refresh your app notarization automatically etc.
Almost as if this is really all about the transaction fees and apple's cut of money that tim sweeney sees as rightfully his, and not user freedom at all... but I'm sure there's a very good, very pro-consumer reason Sony and Microsoft exempted themselves from the DMA?
1 reply →
[flagged]
I don't even let my users have browser extensions without them going through the formal review process. Managing the proliferation of PWAs (potentially unwanted apps) is one of the most unsolvable issues in security. iOS is the gold standard for secure mobile computing due to inability to support alot of these risky use causes.
> we’ve removed all features in the name of security
Wow, gold standard for sure. Is this why iOS zero day costs less than Android one?
https://zerodium.com/program.html
Exactly, this is marketing talk. Pixel is secure, get regular updates, lesser target than iphone and in terms of privacy can be "hardened" just by going over the Google services setting menu and opting out of everything. Rest can be achieved by using Firefox (which actually runs on Android not like FF on iOS which is a shell) with ad blockers and choosing a different search engine.
I would argue it's much more secure and more private this way
1 reply →
i wouldn't put much stake a zerodium numbers as the benchmark of platform security. People who sell these kind of gray market mobile zero days for big bucks aren't going public about it. Mostly because the only buyers that aren't the OEM are nation states, maybe the top end of criminal land and of course the NSO group. Plus android's at least 10x the market when you start talking IOT and point sale etc.
Wouldn't the value of a zero day be the expected return on what you can get from it? So a lower cost on iOS zero days means less buyers want them, presumably because they're less capable than a zero day on Android?
Yes it is, it just isn’t as big of a target for bad actors because it’s a much less personal device with way fewer users.
It’s definitely less secure. IMO that’s an acceptable tradeoff but it’s still true that MacOS allows you to install potentially harmful software in a way that an iPhone doesn’t. With great power comes great responsibility and all.
The problem is that "less secure" is not exactly meaningful without a lot of clarifications.
I'm no security expert, but I know that security is certainly not a linear, at the very least it's some multi-dimensional thing that's exceptionally hard to generalize.
One system can be more or less secure than another for some party or parties, for some particular threat models if you can or cannot install certain apps, etc etc. Skipping all those bits makes the statement vague, increasing the risk of misunderstanding of the implied conditions.
Just a quick example. Installing an app could paradoxically make the device simultaneously more and less secure for the owner. Let's say it's an advanced firewall app. On the one hand it improves the network hygiene, improving the device security against its network peers. On the other hand, it may help in compromising the device, if someone gains access to its control interface and exploits it for nefarious purposes.
Whether or not it's more secure is moot as far as Apple's concerned. For them it's about control of the market, not device security.
[dead]
If you want to treat your phone like a general-purpose computer, that's fine, but the iPhone doesn't work that way, very much by design. I understand that you want a different user experience, but them's the breaks.
Yes. That’s why there is substantially more malware for Mac than iPhone despite iPhone having far, far more users.
Of course it's less secure.
Objectively, yes.
[dead]
It is. That's why I do all of my banking on iOS.