Comment by r_singh
9 hours ago
The next decade looks like tech vs. governments everywhere. From the article, it seems Apple won’t roll this out worldwide unless forced.
As a user I like Apple’s App Store for security personally, but I wonder how multiple app stores turn out in other regions. I see the EU already allows alternative app marketplaces — has anyone used one and can share their experience?
Apple complied but maliciously in the EU making it very difficult and very expensive to offer apps on alt stores. They also made sure to add scary warnings so one can never offer a normal onboarding flow.
> Apple’s App Store for security
The App Store doesn’t do anything to protect you in that sense. It’s easy to circumvent and these days it’s cheaper to just buy an iOS exploit than go through the trouble of making a shady app.
> Apple complied but maliciously in the EU making it very difficult and very expensive to offer apps on alt stores. They also made sure to add scary warnings so one can never offer a normal onboarding flow.
Even for web distribution in the EU (which they allowed some time ago) they require you to have had an Apple Developer account for at least 2 years and at least one App with more than 1m annunal downloads in the App Store.
So they're forcing you to have a very successful app in their own store before you can distribute yourself, basically making this impossible to actually use. It's such a blatant case of malicious compliance, it's insane.
> The App Store doesn't do anything to product you in that sense. It's easy to circumvent...
Interesting, their marketing has customers believe otherwise, so I wouldn't have thought that as a noob in cybersecurity.
I've submitted an app to the iOS App Store in the past, and the process is tedious and doesn't seem superficial (unlike the Play Store process, which was completely autonomous at the time), so that's another reason why I wouldn't have thought it.
Specifically from a HOBBYIST perspective, what bothers me about the App Store is not even the 30% thing, but just... the pain of it all. The rejection horror stories, the "Apple told me to change my app's entire model" stories, the "I can't put this little gadget specifically for me and my family on the App Store" problem, and so on and so on. There's really no home but the web for silly little things.
3 replies →
The review doesn't guard against malicious code. You can slip through anything you want, just don't trigger the functionality during review and you're golden. People have been doing that for private framework calls since forever.
The protection is in the permission system and sandboxing, which is active regardless of the source of the code.
1 reply →
> their marketing has customers believe otherwise
The marketing is a lie, Apple's manual review process has failed to catch extremely high-profile trojan horse attacks: https://blog.lastpass.com/posts/warning-fraudulent-app-imper...
> Interesting, their marketing has customers believe otherwise
That's the point of marketing. Making yourself look good, not stating facts.
> It’s easy to circumvent and these days it’s cheaper to just buy an iOS exploit than go through the trouble of making a shady app.
But why is that easier? And is it inevitably so or a result of the fact that the boundaries of the one place to install apps from is aggressively policed?
>The App Store doesn’t do anything to protect you in that sense. It’s easy to circumvent and these days it’s cheaper to just buy an iOS exploit than go through the trouble of making a shady app.
Different threat models. If you're the mossad and want to go after someone in particular, yes the exploit is the way to go, but if you're running some run of the mill scam, you're certainly not going to spend 6+ figures on a ios 0day that'll get patched within days.
If you're running a run of the mill scam you probably don't even need to ship an app.
> They also made sure to add scary warnings so one can never offer a normal onboarding flow.
is this any different from Macs also prompting the user when a downloaded binary is suspicious/not signed properly? or windows when installing it'd flash a screen about trusting what you're installing?
It was way worse. They basically made the first install attempt fail. Then they made you go to the Settings app (of course without telling you that you have to go there) to allow it. Then you had to try again to download, which then triggered the scary warnings that you had to accept. This has been changed now though due to EU pressure.
1 reply →
> these days it’s cheaper to just buy an iOS exploit than go through the trouble of making a shady app.
"Look, you do not need a front door, and definitely not one with a lock on it. After all anybody could machine-gun you down through your windows."
If you want to try it for yourself, you can. https://downrightnifty.me/blog/2025/02/27/eu-features-outsid...
Requires an EU apple account, a faraday bag, two esp32 boards (or other way to spoof hotspots), a VPN with an endpoint in the EU, and an iOS device with a supported OS version.
Sounds grand. I'll have my 80yo grandparent try it tonight.
I have Alt, Epic, and Setapp installed. Setapp is something I had to stop paying for while unemployed, but has good stuff if you can afford it. Alt is mostly empty, but now lets you add multiple sources for more sideloading options.
Basically the market is still in an alpha stage. My next app will be on Alt just because I want to support the idea. Hopefully more apps gets on these stores, for now it's mostly nice to have for games, emulators, and some dev tools.
Apple didn't make it friction-free either, but it seems the issue is lack of user demand and/or lack of supply.
For Setapp, I am kind of forced to pay for it since I use NotePlan and Paste. And I use Timing Tracker sometimes. The first two alone cost the same as a Setapp sub for 4 desktops and 4 iOS devices.
I should try Alt out again with you reminding me.
Alt isn't very exciting. And for Setapp, consider whether buying the software outright isn't better. After all the time paying for Setapp, once you stop, you've little to show for it. It's akin to using Spotify but owning none of it.
I hate the security argument when it comes to third party stores or apps. No one is putting a gun to your head to install these things. Imagine trying to apply the same logic to macbooks and not let them install from the web or homebrew.
I dont even get it. Apps require system prompts for access to local network, files, etc. Whats the security issue?
This is a website where some moron will read a big disclaimer that ChatGPT is a generative AI and can't give you objective facts, click "Yes, I understand", then have a long conversation with it and kill himself and that is supposedly OpenAI's fault. So it's pretty amusing that here the view is "a modal is immunity from fault".
Not put a gun to your head but ring up pretending to be your bank and there’s fraud detected and can you follow these steps to verify your identity and secure your account.
Okay but they can do that right now.