Tim Cook: Users Who Want to Sideload Apps Can Use Android, While the iPhone Experience Maximizes 'Security and Privacy'

[januarydrive7]

You could begin by explaining why the world's tyrants wouldn't abuse this capability if it existed, given that they're tyrants, or why Apple wouldn't have to let them do it, given that the alternative to following local law would be, for instance, ceasing business activities in China.

OK, I'll bite.

The tyrants wouldn't be able to abuse this capability because of the way the system itself is designed. Some argued that Apple wasn't making this available in every region (US only), but that's a weak argument and undermines the true benefit of the design. If you read the paper from the researchers that tried to out Apple, you'd see that the only way to ensure this is done securely would be something akin to having multiple non-cooperative jurisdictions required to have a set intersection match on CSAM their local CSAM databases prior to the image being tagged as CSAM. This design decision ensures that a singular entity (or even multiple cooperative tyrannical entities) cannot team up to undermine the system.

Another answer to this apparent "gotcha!" comes with a question: why the world's tyrants don't already require Apple to do this? Apple already has software running on iPhones scanning every single file (including images) for other things, and it would be much easier to use existing infrastructure to demand this from Apple --- the convoluted path from CSAM scanning to abuse simply doesn't make sense when these tyrannical governments could demand it now with much less effort.

 

[Mockletoy]

And there’s no way that they did that because the App Store is a money hose that they don’t want to turn off, right? Tim Cook also said they treat all developers equally, and we know that that was a lie. They also said the App Store is safe despite it being riddled with scam subscription apps that don’t do anything.

Untrue! Those scam apps do do something: they make Apple a whole heap of money.

 

[Adarna]

Of course that's how it works in Android.... but Google is NOT making the kind of money that Apple is from the app store. Keep in mind that Google is an ad company. They sell ads. They make a pittance on Google Play. But for Apple the App Store is a significant profit stream.

For real... if you want to have a discussion, please refrain from hyperbole. "be the beginning of the end" is NOT "fall into instant ruin".

I rather be a customer on Apple's App Store rather than the product being sold by Google AdSense to its ad customers.

The choice is largely from the person's cashflow.

 

[januarydrive7]

You said to me,

"I see no way that side loading would not decrease security, even if the toggle was left toggled off."

Any reasonable person would infer from that that you believe I believe it would not decrease security overall. Of course it would. I just don't care.

Your response to me when I said users would not have the choice to a more secure system if they allowed this was:

Sure they could!

They could just find the setting that says, "Allow sideloading" and ...

... not touch it!

I took that to mean that the toggle would not decrease security.

 

[Mockletoy]

OK, I'll bite.

The tyrants wouldn't be able to abuse this capability because of the way the system itself is designed. Some argued that Apple wasn't making this available in every region (US only), but that's a weak argument and undermines the true benefit of the design. If you read the paper from the researchers that tried to out Apple, you'd see that the only way to ensure this is done securely would be something akin to having multiple non-cooperative jurisdictions required to have a set intersection match on CSAM their local CSAM databases prior to the image being tagged as CSAM. This design decision ensures that a singular entity (or even multiple cooperative tyrannical entities) cannot team up to undermine the system.

Another answer to this apparent "gotcha!" comes with a question: why the world's tyrants don't already require Apple to do this? Apple already has software running on iPhones scanning every single file (including images) for other things, and it would be much easier to use existing infrastructure to demand this from Apple --- the convoluted path from CSAM scanning to abuse simply doesn't make sense when these tyrannical governments could demand it now with much less effort.

Others have addressed your concerns, so rather than rehash all of it (poorly), I'll just direct you to what they have to say:

Concerns about misuse of CSAM scanning are vindicated - 9to5Mac

Governments were already discussing how to misuse CSAM scanning technology even before Apple announced its plans, say security researchers ...

9to5mac.com

To your point, some countries are/were considering forcing Apple and others to do this very thing, but for "bad things" they define at their sole discretion.

From that article:

The cybersecurity researchers said they had begun their study before Apple’s announcement. Documents released by the European Union and a meeting with E.U. officials last year led them to believe that the bloc’s governing body wanted a similar program that would scan not only for images of child sexual abuse but also for signs of organized crime and indications of terrorist ties.

A proposal to allow the photo scanning in the European Union could come as soon as this year, the researchers believe.

There's no reason Apple should willingly build the scaffolding for them and show them how easy it can be. But, I suppose it's too late. It's just a matter of time now.

 

[januarydrive7]

And there’s no way that they did that because the App Store is a money hose that they don’t want to turn off, right? Tim Cook also said they treat all developers equally, and we know that that was a lie. They also said the App Store is safe despite it being riddled with scam subscription apps that don’t do anything.

I don't see there to be a necessary requirement that there stance is only due to privacy/security. I absolutely see Apple's stance on privacy/security to be a money-making stance (both in terms of brand and the effect of a closed store). That doesn't mean that what they say is wrong --- there is objectively more malware on systems that are open in this nature, even when the benefit of successful malware on iOS for attackers is significantly greater. This isn't an issue of market share --- malware authors would love to get into iOS more than they are able to right now, it's a huge opportunity for gain, and yet they are unable to penetrate as easily or deeply as they can on more open systems.

 

[Mockletoy]

Your response to me when I said users would not have the choice to a more secure system if they allowed this was:



I took that to mean that the toggle would not decrease security.

We're talking about two different things here.

I'm saying that if the average user just leaves it alone, their device will be no less practically secure for having the toggle there. The problem is that having the toggle there makes it a target for social engineering or, maybe even some exploit that can flip it into permissive mode silently and at will. But even in that case, iOS apps are sandboxed and the damage a rogue app could do would be minimal.

As long as the sandbox holds, the app would be contained in its little silo, with access to nothing vital. It's more likely the apps would be of the scammer variety, the kind the App Store is already littered with, that try to trick people into signing up for subscriptions of giving up their private information or whatever.

So, yes, overall iOS security decreases in the presence of the toggle, but I maintain that for people who don't mess around with it, nothing substantive would change. The App Store is already riddled with scams, so adding a few more that take extra work to get to hardly seems the end of the world.

 

[januarydrive7]

Others have addressed your concerns, so rather than rehash all of it (poorly), I'll just direct you to what they have to say:

Concerns about misuse of CSAM scanning are vindicated - 9to5Mac

Governments were already discussing how to misuse CSAM scanning technology even before Apple announced its plans, say security researchers ...

9to5mac.com

I've read the article. It doesn't address the concerns.

To your point, some countries are/were considering forcing Apple and others to do this very thing, but for "bad things" they define at their sole discretion.

From that article:



There's no reason Apple should willingly build the scaffolding for them and show them how easy it can be. But, I suppose it's too late. It's just a matter of time now.

The true issue is a lack of understanding of how the proposed technology is supposed to work. The method for CSAM scanning isn't as general as, e.g. object detection (which our phones already do). Our phones already have amazing scaffolding in place for scanning for any arbitrary thing. To get this to work with the proposed CSAM scanning technique would be an insane overhaul of the code, whereas very minor changes could work with existing scaffolding to accomplish much more powerful searches.

 

[spicymints]

Cook drew the comparison of sideloading to a carmaker selling a car without airbags or seatbelt, saying it would be "too risky.

Lmfao so Tesla sells cars with AirBags and Mercedes,BMW, etc. don't wow. What an analogy.

 

[januarydrive7]

We're talking about two different things here.

I'm saying that if the average user just leaves it alone, their device will be no less practically secure for having the toggle there. The problem is that having the toggle there makes it a target for social engineering or, maybe even some exploit that can flip it into permissive mode silently and at will. But even in that case, iOS apps are sandboxed and the damage a rogue app could do would be minimal.

Sandboxes are fundamentally a wonderful concept, but even sandboxes can be broken.

As long as the sandbox holds, the app would be contained in its little silo, with access to nothing vital. It's more likely the apps would be of the scammer variety, the kind the App Store is already littered with, that try to trick people into signing up for subscriptions of giving up their private information or whatever.

This is pushing security back -- when side loading unsigned apps is not allowed, sandboxing becomes a secondary line of defense; with side loading, sandboxing is primary line of defense. The issue is "as long as the sandbox holds."

So, yes, overall iOS security decreases in the presence of the toggle, but I maintain that for people who don't mess around with it, nothing substantive would change. The App Store is already riddled with scams, so adding a few more that take extra work to get to hardly seems the end of the world.

I think the fact that so much money goes through iOS users, there would be a substantive change, both in terms of social engineering attacks and in exploits of OS bugs. The app store has flaws, and I agree there needs to be more done to keep it safe, but side loading wouldn't help the app store's problems in any way.

 

[Mockletoy]

I've read the article. It doesn't address the concerns.


The true issue is a lack of understanding of how the proposed technology is supposed to work. The method for CSAM scanning isn't as general as, e.g. object detection (which our phones already do). Our phones already have amazing scaffolding in place for scanning for any arbitrary thing. To get this to work with the proposed CSAM scanning technique would be an insane overhaul of the code, whereas very minor changes could work with existing scaffolding to accomplish much more powerful searches.

Here's the thing: I'm sure you're a smart person, and you mean well.

But lots of super smart people who mean well are telling me the total opposite of what you're telling me.

See, for instance:

Dangers of CSAM Scanning: Princeton Researchers Already Warned Us

If you believe that worries over the dangers of CSAM scanning are rooted in misunderstanding, Princeton researchers have some news for you.

www.macobserver.com

So, I dunno. I could either believe you, random person on the internet I do not know at all, or I could believe, you know, everyone else.

No offense, but that's not really a tough call.

 

[jaygatsby9909]

Having used both products I can tell you that this is ridiculous. Sideloading on Android, although not hard, is hardly a real security risk. Before enabling the permissions to even do it they warn you of the issues. It's not enabled by default. Android is every bit as secure as iOS, it's just Android has options. And the new Pixel 6 has more security than iPhone or any other phone. I understand the website we're on but let's not be ridiculous fanboys and acknowledge that their are decent options on the other side too. At the this point both of the OS are mature and have similar features and security. Anymore it's really just who can make the best camera.

 

[Mockletoy]

Sandboxes are fundamentally a wonderful concept, but even sandboxes can be broken.


This is pushing security back -- when side loading unsigned apps is not allowed, sandboxing becomes a secondary line of defense; with side loading, sandboxing is primary line of defense. The issue is "as long as the sandbox holds."


I think the fact that so much money goes through iOS users, there would be a substantive change, both in terms of social engineering attacks and in exploits of OS bugs. The app store has flaws, and I agree there needs to be more done to keep it safe, but side loading wouldn't help the app store's problems in any way.

But it would help me goof around and install a DOS emulator or something equally useless on my iPhone and iPad and play Duke Nukem and fool around with old software and stuff. And that sounds like fun, so it's a risk I'm totally willing to take.

 

[januarydrive7]

There's no reason Apple should willingly build the scaffolding for them and show them how easy it can be. But, I suppose it's too late. It's just a matter of time now.

I added this to my previous reply, but you already replied, so I'm posting it as an addendum, here:

The scaffolding issue is kind of like this: a tyrant has a particular type of nail it wants to drive. iOS already features a pretty general-purpose hammer. CSAM scanning would provide something akin to jello --- why on earth would tyrannically leaders choose to repurpose the jello for driving the nail when iOS already has a hammer?

 

[januarydrive7]

But it would help me goof around and install a DOS emulator or something equally useless on my iPhone and iPad and play Duke Nukem and fool around with old software and stuff. And that sounds like fun, so it's a risk I'm totally willing to take.

You can already do this.

 

[Mockletoy]

Having used both products I can tell you that this is ridiculous. Sideloading on Android, although not hard, is hardly a real security risk. Before enabling the permissions to even do it they warn you of the issues. It's not enabled by default. Android is every bit as secure as iOS, it's just Android has options. And the new Pixel 6 has more security than iPhone or any other phone. I understand the website we're on but let's not be ridiculous fanboys and acknowledge that their are decent options on the other side too. At the this point both of the OS are mature and have similar features and security. Anymore it's really just who can make the best camera.

No! You're just trying to trick us!

Android is full of ravenous cannibals who want to gnaw at our bones and suck out the delicious bone marrow!

(Does this need a snark tag? It makes me sad that I have to wonder ...)

 

[januarydrive7]

Here's the thing: I'm sure you're a smart person, and you mean well.

But lots of super smart people who mean well are telling me the total opposite of what you're telling me.

See, for instance:

Dangers of CSAM Scanning: Princeton Researchers Already Warned Us

If you believe that worries over the dangers of CSAM scanning are rooted in misunderstanding, Princeton researchers have some news for you.

www.macobserver.com

So, I dunno. I could either believe you, random person on the internet I do not know at all, or I could believe, you know, everyone else.

No offense, but that's not really a tough call.

That's totally valid.

Also, these researchers are the ones I pointed out that contradict themselves, both pointing out that they think Apple's approach is wrong, while their research points out that Apple's method is the only way that it would actually work (look toward their conclusion in their paper).

15-minutes of fame!


Edit: link to the paper: https://www.usenix.org/system/files/sec21summer_kulshrestha.pdf

 

[Mockletoy]

You can already do this.

They removed iDOS2 from the App Store.

Apparently the thought of me firing up WordPerfect 5 on my iPad was just ... it was just too risky! Too dangerous! What if I ... I dunno ... typed something???

 

[januarydrive7]

They removed iDOS2 from the App Store.

Apparently the thought of me firing up WordPerfect 5 on my iPad was just ... it was just too risky! Too dangerous! What if I ... I dunno ... typed something???

Here: https://iemulators.org/idos-2/

 

[imlovinit]

I think people on here forget that the general population does not realize what sideloading can do and will inevitably blame Apple when something they do by sideloading messes their phone or steals information.

if the general population were all more tech savvy and basic common sense, the Side loading issue wouldn’t be as massive.

 

[boss.king]

I don't see there to be a necessary requirement that there stance is only due to privacy/security. I absolutely see Apple's stance on privacy/security to be a money-making stance (both in terms of brand and the effect of a closed store). That doesn't mean that what they say is wrong --- there is objectively more malware on systems that are open in this nature, even when the benefit of successful malware on iOS for attackers is significantly greater. This isn't an issue of market share --- malware authors would love to get into iOS more than they are able to right now, it's a huge opportunity for gain, and yet they are unable to penetrate as easily or deeply as they can on more open systems.

That’s actually fair. I’ve long held the belief that Apple doesn’t actually care about privacy, they just know that they can’t compete against the Google’s and Facebooks of the world at their own game.

I just find it hard to believe that the security element comes even close to profit on any internal discussion they might have about opening up to sideloading.

 

[januarydrive7]

That’s actually fair. I’ve long held the belief that Apple doesn’t actually care about privacy, they just know that they can’t compete against the Google’s and Facebooks of the world at their own game.

I just find it hard to believe that the security element comes even close to profit on any internal discussion they might have about opening up to sideloading.

I agree with your skepticism --- I'd wager quite a bit that the discussion of profit holds a lot more weight, but I think they're entwined: better security leads to more profit, if it were the case that lax security would profit them more (i.e., if they could compete against the Google's of the world), then they'd ditch their security stance immediately.

 

[Mockletoy]

Here: https://iemulators.org/idos-2/

Ha! Like I’m gonna install some random app on my phone from some sketchy website! ?

Like I said, I don’t really care about sideloading. I just hate to see Apple looking more and more like everything I used to hate about Microsoft.

I suppose that is the nature of runaway success. It often changes a person. It often changes companies, too.

 

[840quadra]

I think people on here forget that the general population does not realize what sideloading can do and will inevitably blame Apple when something they do by sideloading messes their phone or steals information.

if the general population were all more tech savvy and basic common sense, the Side loading issue wouldn’t be as massive.

How massive do you think it is?

Most of my non IT savvy friends who use / love Android don't know how to add applications outside of the google play store.

Heck, even with many being avid Amazon fans / customers (books / etc) they don't even have the Amazon App Store on their devices which is arguably as secure as Google's own play store.

Like on MacOS, Android warns you if you attempt to load / open an APK from something outside of their play store.

So if someone is loading something and Apple has a similar popup (likely will, and likely will have you authenticate to some secure settings manager like on Mac) people shouldn't have any issue they can blame Apple for.

Obscurity or lock-in should never be confused with security.

 

[JGIGS]

Say side loading becomes a thing. Maybe Microsoft decides to pull their apps from from the store and only distribute them via side loaded App Store.

Someone who needs the Office apps then goes looking for that store online and finds an infected/tampered with copy of the store. They then proceed to install malware.

Your scenario is an oversimplification of a post-side loading world in iOS

So why is sideloading on Mac Os ok? That makes zero sense.