Apple's walled garden approach is not necessary for any of this though (nor does it even make it easier). You can introduce sandboxing, fine-grained permissions etc. without locking devs and consumers into a controlled app store - these are OS features, not app store features.
Fine-grained permissions aren’t useful if an application is going to request access to everything anyway - and non-technical or non-privacy-conscious users will click-through any and all permission prompts so [they can see the dancing bunnies](https://blog.codinghorror.com/the-dancing-bunnies-problem/).
In the case of very popular, aggressively-marketed, apps like TikTok and Facebook’s: the lack of easy side-loading or alternative app-stores (with looser auditing) means they’re forced to comply with Apple’s regs against unnecessary permission prompts, and this means they simply can’t take advantage of users’ ignorance (or overriding desire to see the dancing bunnies) to get them to grant unnecessary permissions.
I don’t think this is the case. The way iOS tells users that an app is tracking location in the background has led to a large increase in users opting out in all the apps I’ve worked on. There are ways to be very effective at this as Apple has shown since that article was written over 15 years ago.
Second, this effectiveness doesn’t require the walled garden and forcing apps to pay 30% of revenue to Apple.
Sounds like it’s working then? If an app asks me for location I personally go wtf no why do you need to know and most apps honestly don’t. I stick with Apple for such a reason.
The OS can stop an app from using certain APIs. This has nothing to do with the walled garden. iOS tells you when an app is using your location in the background, it can do this for side-loaded apps as well. It then allows you to disable it for that app, which it can also do for side-loaded apps.
Currently, App Store doesn't just review safety and UX, it also reviews whether or not Apple simply likes your idea or if you are competing with a feature they've integrated into the OS.
If the App Store remains the only method for installing apps, and Apple continues to reject apps that they simply don't like, then it's not a healthy platform for consumers in the end.
This isn't a value judgement, but if enough users sideload or use the open market governments will probably have to step in to advocate permissions checking because Apple won't have the influence to regulate developer behavior on their platform(s).
You can sort of see this on other platforms - the Mac App Store has very few quality apps listed on the store and Apple is further moving towards locking down root permissions b/c users can download apps or install software from anywhere on the web. It's typical for users to install anti-malware software on new Android devices, etc.
At least in Android (not familiar with iOS) you can deny apps access to any and all permissions, the features just won't work. I.e. if you deny Snapchat access to the camera you can still browse the app, read messages etc - you just won't be able to take any photos.
That’s not my point: I’m arguing that apps like TikTok and Facebook are big enough that they could convince non-technical users (who are either ignorant-of, or just don’t care about, app permissions and privacy) to switch to an unofficial app-store where they could list their app without it being denied approval by Apple or Google for unreasonable app permission prompts.
...but the fact that unofficial app-stores for unjailbroken iOS devices do not exist makes this impossible for now.
It’s very easy to imagine a TV ad or movie trailer ad for a TikTok or Facebook app with the cheerfully-voiced narrator saying “Just visit the TikTok Android App Store” or “Just open the Facebook iOS App Store” - then when the app is installed and first-opened the app would use a single “grant everything” permission prompt - or if the OS doesn’t allow that it could bombard the user with many prompts all-at-once and if the user denies any of them then a curtly-worded new messagebox would say “you must grant these permissions to use our app” otherwise the app quits. There’s not much Apple or Google could do to stop this that those app developers couldn’t work around. Apple’s iOS App Store rejections for privacy reasons are a human solution to a non-technical problem, as it’s well-established that technical solutions to non-technical problems are ineffectual.
It can be argued this is possible on Android - which does allow for other app-stores - and I did wonder why this isn’t already happening with Android users - then I realised that probably most Android users have those horrible carrier and OEM locked-down devices that make it harder (if not impossible) to change system settings or add other app-stores.
The scenario you're speaking of hasn't happened on Android.
One famous example of a popular app that eventually caved in to Google's demands is Fortnite [1], and children are tech savvy (or at least motivated) enough to install from outside the app store. If Fortnite couldn't do it, then no, it's not easy to imagine TikTok doing it, especially given TikTok's market share is made of mobile users mostly, so no PC, no PS4, no Xbox.
There are indeed alternative app stores from Samsung, Amazon, maybe others, however Google's Play absolutely dominates the Android ecosystem.
I'm an iOS user myself, however this whole reasoning is bullshit. The only reason Apple keeps such a tight control is because they want to keep that 30% commission on all sales, which is highway robbery. And I also suspect them of wanting to have enough reason and leverage to get rid of any app that threatens their own products.
I see grownups and children alike using the web successfully all the time. The web can be secure without a gatekeeper because browsers do a reasonable job at sandboxing. In fact it is the competitive nature of the market that makes it secure, consider that's how extensions and ad blockers happened (in the meantime I still don't have a browser on iOS capable of using uBlock Origin).
And yes the web has dark corners, yet we live with it just fine. Look, we're having this conversation on a web page that's not gated by Apple and we're still alive.
This is true in most parts of the world, but in China where almost all phones are Android and Google apps are not preinstalled on any of them, the alternative app store hijacking definitely happens.
In particular Tencent is notorious for not being the default app store on any phones, but somehow "mysteriously" if you follow links from WeChat or QQ or even certain websites, it will try to make your phone download the Tencent app store to install the app instead of just using your phone's default app store. Even though your phone gives a warning not to do it, people still install it. And, sure enough, Tencent app store is now the biggest app store in China, with 25% of the market.
TikTok is owned by ByteDance, which doesn't even have an app store in China, so I can't see them making a play.
Fortnite, on the other hand, is owned by Epic, who definitely used the popularity and income from Fortnite to leverage their way into the PC gaming marketplace, disrupting the major player (Valve). They might not have won this battle for the phone marketplace, but by the sounds of it they still haven't given up the war.
So, I do think it's fair for the grandparent poster to consider a future where users bypass whatever protections came from their phone manufacturer and end up shooting themselves in the foot. But I also think you're right that it doesn't matter. That's the "price of freedom".
We already see it a little bit now where some people choose Android over iOS (or vice versa) for ideological reasons. Loosening manufacturer restrictions even further seems reasonable to me. Some people would choose ultra-safety through open source, others would choose to use closed source from a company they consider trustworthy. Most would not care and just use whatever environment they are most familiar with, and install whatever plugins and cleaners they need to make them feel more secure. That's basically the PC market right now, and I think it's largely fine.
As extortionate as Apple’s fees are, I’m actually glad that they have a business model that isn’t dependent on invasion of privacy. Without them continually calling attention to it, Google would have little incentive to improve privacy.
Google paid Apple $12 billion in 2019 to remain the default search engine in Safari.
I hear this line about their business model all the time, however it is bullshit. Given the opportunity all companies will take the money. And I fear that it is nothing more than a conspiracy theory, without much evidence, much like anti-vaxxing.
Google these days is a very big target. The EU would love to have reason to slap them with another fine, given all the legal tax evasion they've been doing. Yet they've always been transparent about what they collect and have always been responsible with user data (versus Facebook).
Don't get me wrong, I enjoy the privacy features of my iPhone, it always fared better than Android in that regard, but it has nothing to do with Apple's tight grip of its App Store.
> Google paid Apple $12 billion in 2019 to remain the default search engine in Safari.
It's a large amount, even for Apple, but they would survive losing that. Besides that, they are even taunting Google by putting DuckDuckGo in their marketing copy:
I think they are slowly preparing to loosen that tie.
> I hear this line about their business model all the time, however it is bullshit. Given the opportunity all companies will take the money.
I agree. Apple's incentives are just temporarily aligned with customers' privacy. Their margins on hardware, services, etc. are so large that they can afford to make privacy a differentiator. If they are not in that comfortable position anymore, they would monetize the vast user data trove.
But while this is the status quo, I am happy to use an iPhone for privacy.
I really think Apple will buy DuckDuckGo at some point. The question is, to what extent will Apple make DuckDuckGo (or whatever they'll rename it to) available for non-Apple platforms?
This is definitely happening already, all the Mac App Store devs that left that store for their various reasons, some of them pushing updates only to their site forcing me to move away from the App Store, and therefore Apple's guidelines making them behave properly. So this is happening and it is being abused, see Zoom using preinstall scripts. This wouldn’t have happened if the Mac App Store was the only way to install an app on a Mac.
>they could convince non-technical users to switch to an unofficial app-store
They could, but they're absolutely not going to. Every barrier you put between a user and installing your app is a percentage of those installs that you're losing. Doubly so for "non technical" users, who can barely work the app store in the first place. No company of that size is going to lose that many downloads just to steal a few more downloads.
>then I realised that probably most Android users have those horrible carrier and OEM locked-down devices that make it harder (if not impossible) to change system settings or add other app-stores.
Stock Android makes you jump through hoops to install third party apps, and for good reason. No, it's not because of "OEM locked-down devices", the reason you don't see it on Android is because it doesn't make business sense.
This has been my feeling for years, and why I think it'd probably be in Apple's interest to let people sideload apps. They could still require them to be signed, but otherwise be hands-off. The vast majority of users wouldn't go through whatever hoops were necessary to set that up -- even if it's just the single hoop of flipping an "allow non-App Store apps" switch in Settings -- but making it possible to do that gets them out of a lot of the regulatory imbroglio they've been heading toward. (I also can't help but feel it's necessary in the long run if they're serious about the iPad in particular being a general purpose computing device rather than an application console.)
When it comes to a mainstream app like Facebook or TikTok that already has network effects and a critical mass of users, people will put up with significant efforts to alleviate their fear of missing out, including sideloading the app.
You can deny permissions to any runtime permissions beginning with apps built for Marshmallow. You cannot deny other permissions. Some apps will absolutely block you from using them unless the permissions are on (this is by design of the app, not an OS limitation).
Internet is a permission that is required if your app expects to go online. You cannot turn this permission off in the OS. If you modify Android to allow changing this permission (usually via Xposed) or rebuild the app to remove it from the manifest, many apps will actually crash when they try to go online; this is part of the reason why people use a firewall even on devices with Xposed installed. My vague understanding is that this is how Android works when an app tries to do something it can't: it closes the app. IIRC there is an Xposed module that filters by the URL, but I'm guessing it fakes the network response (more complex than simply disabling permission), and it doesn't work with the NDK.
With Marshmallow, runtime permissions were introduced for a number of existing permissions, where it would prompt you the first time the app tried to access privileged data. If your app is older than Marshmallow (i.e., written for Lollipop or KitKat), disabling any of the enabled permissions is liable to crash the app as soon as it tries to use them.
By and large this is true. However, the Android Citibank mobile app refuses to do anything useful if you don't give it access to your entire file system upfront.
I don't think Apple would allow that kind of permissions abuse, but apparently Google does.
> However, the Android Citibank mobile app refuses to do anything useful if you don't give it access to your entire file system upfront.
Considering Citi’s corporate culture, I’d attribute this to incompetence rather than malice or a desire to spy on users.
I’ll bet they’re using a third-party anti-spyware library to examine the Android FS for keyloggers/etc to protect their users’ security. It’s well-intentioned, but still idiotic.
This is the same Citibank that’s been engaged in an idiotic arms-race with Google about blocking password-safes on their online banking login page for the past 5+ years - while also allowing me to do phone-banking without any real authentication - and STILL haven’t given me an EMV Chip+PIN credit-card, while the EMV Chip+Sign card I do have from them DOES have NFC without a purchase limit... anyone could steal my wallet and “tap” a couple grand off it. Arggghhhhhh.
The “banks who think they’re smarter about security than platform vendors” trope is getting real old.
To the consumer it doesn't really matter if it's malice or ineptitude or laziness. Fact is Apple will remove your app if you try something like that, but it is not uncommon to encounter this on Android.
Oh, of course - I understand most (if not all?) major banks have serious ethics issues from the top-down - but money-laundering is a business-objective and is distinct and separate from online banking security.
The $70m fine (a joke to a multi-billion-dollar company) is insignificant to the potential damages from a class-action lawsuit from a wide-ranging vulnerability in their online banking platform - hence their focus and over-engineering on their online banking security - while the risks from credit-card abuse and individual identity-theft are much more limited in scope - and are a known-quantity.
That model was pioneered by Apple in iOS long before Android started taking it up with Android 6 (runtime permissions instead of collective install time permissions). Android took a few years to catch up and increase the range of runtime permissions, and apps on Android at that time would actually crash if some permission wasn't given.
Even today, there are apps on Android that ask for needless permissions and refuse to continue unless the permissions are granted. That same app on iOS would provide more functionality (that's possible without having the permissions). There seems to be a very different mindset between Android developers compared to iOS developers.
> Fine-grained permissions aren’t useful if an application is going to request access to everything anyway
If you build it right, it is totally doable. Implement it like in Health so that the app just gets empty data and doesn’t really know if it has access or not.
If the app doesn’t function properly with an empty data set, reject such an app through App Store guidelines.
I wonder if location prompts would be more effective if, instead of asking "Allow 'Example App' to access your location while you are using the app?", they explicitly state "'Example App' would like to know precisely where you are. Would you like to share your exact location?". I feel like those adjectives, "precisely" and "exact", would go a long way toward encouraging people to put more thought into the decision. Similar wording could be used for other permissions, maybe in conjunction with a one-or-two-second timer on the buttons.
This is a neat idea. Also, many apps don't need your EXACT location, just something like a zip code for convenience. AFAIK there is no mechanism for an app to request permission to get a "rough" idea of where you are as opposed to a precise location.
> I saw a post the other day (I'm not sure where, otherwise I'd cite it) that proclaimed that a properly designed system didn't need any anti-virus or anti-spyware software.
> Forgive me, but this comment is about as intelligent as "I can see a worldwide market for 10 computers" or "no properly written program should require more than 128K of RAM" or "no properly designed computer should require a fan".
> The reason for this is buried in the subject of this post, it's what I (and others) like to call the "dancing bunnies" problem.
> What's the dancing bunnies problem?
> It's a description of what happens when a user receives an email message that says "click here to see the dancing bunnies".
> The user wants to see the dancing bunnies, so they click there. It doesn't matter how much you try to dissuade them, if they want to see the dancing bunnies, then by gum, they're going to see the dancing bunnies. It doesn't matter how many technical hurdles you put in their way, if they stop the user from seeing the dancing bunny, then they're going to go and see the dancing bunny.
> There are lots of techniques for mitigating the dancing bunny problem. There's strict privilege separation - users don't have access to any locations that can harm them. You can prevent users from downloading programs. You can make the user invoke magic commands to make code executable (chmod +e dancingbunnies). You can force the user to input a password when they want to access resources. You can block programs at the firewall. You can turn off scripting. You can do lots, and lots of things.
> However, at the end of the day, the user still wants to see the dancing bunny, and they'll do whatever's necessary to bypass your carefully constructed barriers in order to see the bunny.
> We know that users will do whatever's necessary. How do we know that? Well, because at least one virus (one of the Beagle derivatives) propagated via a password encrypted .zip file. In order to see the contents, the user had to open the zip file and type in the password that was contained in the email. Users were more than happy to do that, even after years of education, and dozens of technological hurdles.
> All because they wanted to see the dancing bunny.
> The reason for a platform needing anti-virus and anti-spyware software is that it forms a final line of defense against the dancing bunny problem - at their heart, anti-virus software is software that scans every executable before it's loaded and prevents it from running if it looks like it contains a virus.
> As long as the user can run code or scripts, then viruses will exist, and anti-virus software will need to exist to protect users from them.
—————
This was written in 2005, before the iPhone and iPad. One could argue that the whole App Store/Gatekeeper/Notarization system itself is a big giant patronizing anti-malware software by Apple, or focus on the last sentence, that on iOS the user can’t run non-sandboxed scripts and code.
But it is also the case where Apple again did “think different”.
> I saw a post the other day that proclaimed that a properly designed system didn't need any anti-virus or anti-spyware software.
Forgive me, but this comment is about as intelligent as "I can see a worldwide market for 10 computers" or "no properly written program should require more than 128K of RAM" or "no properly designed computer should require a fan".
My Android phone warns me if an app is trying to use features that require permission while in the background and asks me if I want to revoke the permissions, enable it only while the app is active or let it use it always.
Pretty easy to use, and anyone can guess that the bus or car sharing app doesn't need to use GPS all the time.
When the controller is a "smart" app store, you know what they delete, but you don't know what they keep and why they do it.
They chose for you and never ask you if you're okay with it or not, so basically it's not your phone, it's their phone.
"-This clock app needs to access your photos, contacts, all the hardware the phone has and all your cloud accounts
-No
-The app can not function without the required permissions."
That's a bit of a stretch. On the Play Store permission bombing is so prevalent and no one is installing any apps with less than 4 stars, so I doubt the "malware" makes enough money to sustain this.
Yes it is, because devs aren't going to respect it.
Even Android is going into this direction, locking down APIs, access to Linux syscalls (not even considered part of NDK official APIs), background execution modes and file access.
In this respect, I see your point - a properly designed and secure OS, with a user and installer in "non admin" mode, should be able to do these things without locking the source of an app down to one location.
- Fine-grained permission control that offers more than iOS: control whether apps can access the network, which directories an app can access, if it can print, and even whether or not it can access PulseAudio.
- Cross-platform: runtimes are OCI container images and can be targeted on any distro that supports Flatpak (which is almost all of them).
It's gained adoption from a number of recognizable FOSS and proprietary names: Zoom, Spotify, Steam, Firefox, VLC, Discord, LibreOffice, Skype, Inkscape, both Minecraft and Minetest, Microsoft Teams, Krita, IntelliJ IDEs (both Community and Professional), and Blender are available as Flatpaks through Flathub.
GNOME and KDE release almost all their apps as Flatpaks through the `gnome` and `kdeapps` Flatpak repos, and copy them over to Flathub when they're confident that Flatpak-ing didn't introduce any bugs.
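The per-app controls listed above (network, directories, printing, PulseAudio) are set with `flatpak override`. The following is an added example, not from this thread or from the Flatpak project: it applies such a policy to one app and then reads the override back to confirm each denial is really in place. The app id `org.example.Viewer` and the `SAMPLE_OVERRIDE` text are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the thread or the Flatpak project. Locks one Flatpak
# app down to: no network, no home/host filesystem (one folder allowed back
# read-only), no printing (CUPS socket) and no PulseAudio, then checks that the
# stored override really says so. "org.example.Viewer" is a placeholder app id.

# Apply the policy as a user-level override (no root needed). Flatpak stores it
# under ~/.local/share/flatpak/overrides/<app-id>. The app keeps running; its
# connection attempts fail and the denied paths are simply not mounted.
# "host" is negated as well because an app that declares host access would
# otherwise keep reaching $HOME through it.
apply_lockdown() {
    app="$1"; ro_dir="${2:-$HOME/Documents}"
    command -v flatpak >/dev/null 2>&1 || { echo "flatpak not installed" >&2; return 2; }
    flatpak override --user \
        --unshare=network \
        --nofilesystem=host \
        --nofilesystem=home \
        --filesystem="${ro_dir}:ro" \
        --nosocket=pulseaudio \
        --nosocket=cups \
        "$app"
}

# Parse override text in Flatpak's keyfile format ("key=a;!b;") and succeed
# only if the resource is explicitly denied ("!" prefix) under that key.
#   $1 = override text, $2 = key (shared|sockets|filesystems), $3 = resource
override_denies() {
    printf '%s\n' "$1" \
      | sed -n "s/^${2}=//p" \
      | tr ';' '\n' \
      | grep -qx "!${3}"
}

# Defender's check after apply_lockdown: read the override back from flatpak
# and fail if any of the intended denials is missing.
verify_lockdown() {
    app="$1"
    command -v flatpak >/dev/null 2>&1 || return 2
    shown=$(flatpak override --user --show "$app") || return 2
    for pair in shared:network sockets:pulseaudio sockets:cups filesystems:host filesystems:home; do
        override_denies "$shown" "${pair%%:*}" "${pair#*:}" \
            || { echo "$app: ${pair#*:} not denied" >&2; return 1; }
    done
}

# Undo the policy if a feature turns out to need one of the resources.
reset_lockdown() {
    command -v flatpak >/dev/null 2>&1 || return 2
    flatpak override --user --reset "$1"
}

# Constructed sample of what `flatpak override --user --show` prints after
# apply_lockdown; lets override_denies be exercised without flatpak installed.
SAMPLE_OVERRIDE='[Context]
shared=!network;
sockets=!pulseaudio;!cups;
filesystems=!host;!home;/tmp/docs:ro;'

# Usage with the placeholder id:
#   apply_lockdown org.example.Viewer "$HOME/Documents" && verify_lockdown org.example.Viewer
```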
Flatpak also clutters your hard disk with gigabytes of copied libraries and other data. I had to uninstall it to prevent a system crash, because my root partition rapidly ran out of space - source of the problem: two Flatpak apps.
Isn't this the problem with iOS apps too? They can't share libs or .so between them, which is why each iOS app is colossal for no good reason, eg. Google Sheets 180MB alone, Google Docs also 180MB, YouTube 280MB..... insane sizes for these.
Similar in character, but it's probably a factor of 10 worse with Flatpak. With your examples on iOS, the bloat is stuff that's common to the Google apps but not part of the platform. With Flatpak, it includes stuff that is part of the platform but can't be relied on to be the right version.
It would be nice if Apple would let packages signed by the same key share versioned libraries between them, but I suspect relatively few developers would be able to take advantage of that. Maybe only Google and Microsoft, to a rough order of approximation.
Does its sandboxing support fake (or altered) access? That might be the additional permission control needed. For example, to grant fake access to the audio, the program will work but there will be no audio output (and all audio input will be silent); or you can specify to save audio to a file instead of making it immediately audible, or change the volume control for that program only.
Android has. (Also I assume a pile of other, no longer available/not very successful mobile OSes, but the ecosystem is just Apple and Android at the moment).
Android has far too many apps that refuse to work unless you give certain permissions. One of my banking apps needs the camera permission to work at all. The permission prompt states it's to digitally cash checks, but it asks at startup and if you deny permission the app quits immediately. Most delivery apps won't work without giving GPS permission. The iOS app store does not allow this kinda bs.