Comment by bigyabai
2 days ago
> I agree. They don't want to.
That's not what the parent was saying. Most people don't have any opinion whatsoever on sideloading. You can go confirm this for yourself by asking a Mac or PC owner how scary it is. Most of them will respond that they genuinely never thought about it, not that they're afraid to consider it. To these people, it's a normal feature of their device that you could never remove.
The parent is lamenting that people don't care about this technology - Client Side Scanning, hardware attestation, Push notification surveillance - all of it is enabled not because of fear, but apathy.
> And they shouldn't have to. Yet they live in a world where they do.
This is fearmongering logic that doesn't really defend the App Store. Putting your faith in a centralized software auditor also requires you to pay attention and stay abreast of scams. It's just a different exploit chain to deliver the same payloads: https://blog.lastpass.com/posts/warning-fraudulent-app-imper...
I do talk to computer users and they do fear making installations. Many of them have installed something that was adware or a virus, often without meaning to and regretted the results. I have been helping my family and extended family members fix their errors for a long time. This pushes them to big names with names to spoil.
I suspect that the GP is, as you write, lamenting the lack of attention to the topic.
> This is fearmongering logic that doesn't really defend the App Store
I agree it doesn't defend the app store. It wasn't about the app store at all. It is about the social problem of the persistent existence of people who choose to purposely do others harm. The problem for most people isn't the app store but those who attempt to get exploits and quasi-exploits into the app stores.
I also agree that you still have to be cautious when using the app stores. Are you claiming that the app store controls do nothing to reduce the presence of malicious apps in their stores? The article you link starts by noting that the app was removed the day after that post was made. That is exactly why people feel more comfortable using the app store.
> the app was removed the day after that post was made
LastPass has been downloaded in excess of 50 million times in the past 10 years. As many as 10,000 users could have installed the app and turned over their credentials to the trojan version in a 24-hour period. If your manual review takes a day to respond, it's already too late at Apple's scale.
> That is exactly why people feel more comfortable using the app store.
Then why does the App Store represent the minority of software sales on platforms like macOS, where users are given free rein to download whatever they want? It seems like users are overwhelmingly uncomfortable sticking to the App Store, if you take their actions and spending into account.
Apathy seems to be the best explainer here. Users don't care about security at all, they are just consuming whatever is put in front of them. That's why social engineering like LastPass works, and it's why you see people ignore systemic backdoor efforts like Client Side Scanning and Push notifications. They might be afraid of getting hacked, but it's plainly clear that none of them care enough to make a change in their lifestyle.
I would have expected Apple to catch that on review. That was an egregious failure and betrayal of trust on their part. I wonder if they took any responsibility for the consequences of their error.
I'd agree if you wrote that most users don't understand security at all, that users aren't really given the tools they need to maintain security, or that exploits are designed to target people's vulnerabilities. You seem to be blaming the victims of motivated (sometimes) advanced actors. Even serious engineers have been phished for NPM publishing access.