From Guilherme Rambo (who knows every bit of what he's talking about)
An absolute master class on the side loading and iOS/macOS security and side loading situation
His tweet thread is starts below:
? Thoughts on iOS sideloading. Apple (and people who defend Apple no matter what) make it out as being a big deal that’s going to completely destroy the security of the platform and harm a huge number of innocent users. The reality is way less exciting… 1/
First of all, just because an app has been installed directly, that doesn’t mean that it can do whatever it wants. iOS, just like macOS, has strong security measures to prevent apps from reading data from other apps, accessing resources such as camera and GPS, and so on 2/
Sideloading wouldn’t change a thing about the iOS sandbox, which every app lives within. Even running an app directly from Xcode with my iPhone plugged into my Mac, I can’t do whatever I want. I can’t access the camera without asking for permission, just to give an example 3/
What about malware? Well, if a bad actor has a vulnerability, I bet they could slip it through App Review without any problems. App Review is not composed of infosec experts. They’re there to ensure that Apple can make their money out of our apps, mostly 4/
What about private API? Again, private API is not a magical thing that gives an app every power it wants. Besides, many apps you know and love from the App Store are probably using private API in one way or another, that’s just the reality of building for a complex platform 5/
“But then Facebook would force people to sideload so they could spy”. It’s not that simple. Facebook wouldn’t be able to do whatever they want in the app (see above). There’s also at least one instance that proves that people are not willing to do that (Fortnite on Android) 6/
“People would screw up their devices by using untrusted apps”. Grown adults are allowed to screw up, it’s part of life. But also, why isn’t that happening on macOS? 7/
Speaking of macOS, I find it hilarious that to defend its practices Apple has to basically say that macOS is not secure, really funny. 8/
“There would be lots of scammy apps that steal from users”. Yeah, like there aren’t any scams in the App Store, made easier by the quick Touch ID or Face ID to pay for in-app purchases. 9/
You know where else you can find lots of scams? THE WEB! Yes, the web, that doesn’t have App Review, and where each website can do whatever they want. People browse the web on their iPhones every single day, and the world hasn’t collapsed because of all the scams 10/
“But at least if the scam is in the Store, Apple can pull it”. That’s also true of Mac apps distributed outside the App Store. They must be signed and notarized, so Apple can flip the kill switch at any time, they can disable a single app, or all apps from a given developer 11/
By putting so much effort into defending that the security of iOS depends on the App Store review process, Apple is basically saying that they’re not competent enough to make a secure mobile operating system, and at the same time telling us that macOS is not secure. 12/
We know that’s not the case, but they’re trying whatever they can to keep the distribution of apps on the platform under their complete control, and to keep making their cut.
gizmodo.com
