Comment by isodev
10 hours ago
Apple complied but maliciously in the EU making it very difficult and very expensive to offer apps on alt stores. They also made sure to add scary warnings so one can never offer a normal onboarding flow.
> Apple’s App Store for security
The App Store doesn’t do anything to protect you in that sense. It’s easy to circumvent and these days it’s cheaper to just buy an iOS exploit than go through the trouble of making a shady app.
> Apple complied but maliciously in the EU making it very difficult and very expensive to offer apps on alt stores. They also made sure to add scary warnings so one can never offer a normal onboarding flow.
Even for web distribution in the EU (which they allowed some time ago) they require you to have had an Apple Developer account for at least 2 years and at least one App with more than 1m annunal downloads in the App Store.
So they're forcing you to have a very successful app in their own store before you can distribute yourself, basically making this impossible to actually use. It's such a blatant case of malicious compliance, it's insane.
> The App Store doesn't do anything to product you in that sense. It's easy to circumvent...
Interesting, their marketing has customers believe otherwise, so I wouldn't have thought that as a noob in cybersecurity.
I've submitted an app to the iOS App Store in the past, and the process is tedious and doesn't seem superficial (unlike the Play Store process, which was completely autonomous at the time), so that's another reason why I wouldn't have thought it.
Specifically from a HOBBYIST perspective, what bothers me about the App Store is not even the 30% thing, but just... the pain of it all. The rejection horror stories, the "Apple told me to change my app's entire model" stories, the "I can't put this little gadget specifically for me and my family on the App Store" problem, and so on and so on. There's really no home but the web for silly little things.
What bothers me is that despite all of that pain, they still let through a ton of low-effort app clones in their store, which sometimes even come up before the original ones. If you search for GTA you get a ton of lookalikes, some of which even use screenshots of GTA V which clearly aren't the actual game.
1 reply →
Don't forget "apple approved my app already but is now blocking bugfixes until I overhaul the entire thing to appease this new reviewer"
And then repeat that every few months.
The review doesn't guard against malicious code. You can slip through anything you want, just don't trigger the functionality during review and you're golden. People have been doing that for private framework calls since forever.
The protection is in the permission system and sandboxing, which is active regardless of the source of the code.
You only need to pass the app review once, then you're free to deploy over-the-air updates for as long as you'd like. Though you'd need to use a framework like React Native, Ionic, Flutter, etc which supports it. Essentially anything where you can change app code without making any changes to the underlying native code (as that would require going through the app review process again to publish those changes).
> their marketing has customers believe otherwise
The marketing is a lie, Apple's manual review process has failed to catch extremely high-profile trojan horse attacks: https://blog.lastpass.com/posts/warning-fraudulent-app-imper...
> Interesting, their marketing has customers believe otherwise
That's the point of marketing. Making yourself look good, not stating facts.
> It’s easy to circumvent and these days it’s cheaper to just buy an iOS exploit than go through the trouble of making a shady app.
But why is that easier? And is it inevitably so or a result of the fact that the boundaries of the one place to install apps from is aggressively policed?
>The App Store doesn’t do anything to protect you in that sense. It’s easy to circumvent and these days it’s cheaper to just buy an iOS exploit than go through the trouble of making a shady app.
Different threat models. If you're the mossad and want to go after someone in particular, yes the exploit is the way to go, but if you're running some run of the mill scam, you're certainly not going to spend 6+ figures on a ios 0day that'll get patched within days.
If you're running a run of the mill scam you probably don't even need to ship an app.
> They also made sure to add scary warnings so one can never offer a normal onboarding flow.
is this any different from Macs also prompting the user when a downloaded binary is suspicious/not signed properly? or windows when installing it'd flash a screen about trusting what you're installing?
It was way worse. They basically made the first install attempt fail. Then they made you go to the Settings app (of course without telling you that you have to go there) to allow it. Then you had to try again to download, which then triggered the scary warnings that you had to accept. This has been changed now though due to EU pressure.
I thought that's also like macos, where we've needed to right click and open and then allow, and sometimes it requires going to system settings to approve it also.
> these days it’s cheaper to just buy an iOS exploit than go through the trouble of making a shady app.
"Look, you do not need a front door, and definitely not one with a lock on it. After all anybody could machine-gun you down through your windows."