tonymet 5 days ago

* Mandate 3rd party auditing once an app reaches > 10k users

* App publishing process includes signatures that the publisher must embed in their database. When those signatures end up on the dark web, the App Store is notified and the app is revoked
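The second bullet describes a honeytoken scheme: the store issues a marker the publisher plants in its own data, and the store revokes the app if that marker surfaces in a leak. Below is an added example of how such a scheme could be built; it is not code from the original comment or from any app store. The `asc-` token format, the store secret, the app identifiers and the leaked dump are all constructed for illustration. The design point is that the marker is an HMAC over the app id under a store-held secret, so the store can verify a token found in a dump without keeping a registry, and a forged token planted by a third party to get a rival's app pulled fails verification.

```python
import hashlib
import hmac
import re
from typing import Optional, Set

# Hypothetical store-side secret. In a real deployment this lives in a KMS/HSM
# and is never shared with publishers; the publisher only ever sees the token.
STORE_SECRET = b"example-store-secret-not-for-production"
PREFIX = "asc-"          # assumed "app store canary" marker the scanner looks for
TAG_HEX_LEN = 24         # 96 bits of the HMAC is plenty to defeat guessing


def _tag(app_id: str, secret: bytes) -> str:
    return hmac.new(secret, app_id.encode(), hashlib.sha256).hexdigest()[:TAG_HEX_LEN]


def issue_canary(app_id: str, secret: bytes = STORE_SECRET) -> str:
    """Store side: mint the canary for one app at publish time.

    The publisher embeds the returned string as a decoy record (e.g. the API key
    column of a fake user) so that any dump of the table carries it.
    """
    return f"{PREFIX}{app_id}:{_tag(app_id, secret)}"


# Token grammar: prefix, app id (no commas/whitespace, so it survives CSV dumps),
# colon, lowercase hex tag.
CANARY_RE = re.compile(r"asc-([A-Za-z0-9._-]+):([0-9a-f]{24})")


def verify_canary(token: str, secret: bytes = STORE_SECRET) -> Optional[str]:
    """Return the app id if the token is authentic, None if malformed or forged."""
    m = CANARY_RE.fullmatch(token)
    if not m:
        return None
    app_id, tag = m.groups()
    # Constant-time compare: the scanner may process attacker-controlled dumps.
    return app_id if hmac.compare_digest(tag, _tag(app_id, secret)) else None


def scan_dump(text: str, secret: bytes = STORE_SECRET) -> Set[str]:
    """Scan leaked text for canaries and return the set of verified app ids.

    Anything that looks like a token but does not verify is ignored, which is
    what stops a hostile party from planting fake tokens to trigger revocations.
    """
    hits: Set[str] = set()
    for m in CANARY_RE.finditer(text):
        app_id = verify_canary(m.group(0), secret)
        if app_id is not None:
            hits.add(app_id)
    return hits


# Constructed sample of a leaked users table. One row is the publisher's decoy
# record carrying a genuine canary; another carries a forged token for a rival app.
LEAKED_DUMP = "\n".join([
    "id,email,api_key",
    "1001,alice@example.com,k_5f1c0a9e",
    "1002,bob@example.com,k_77ab21d0",
    f"1042,decoy@example.invalid,{issue_canary('com.example.weatherapp')}",
    "1043,mallory@example.com,asc-com.example.rival:000000000000000000000000",
])


if __name__ == "__main__":
    # Expected: only com.example.weatherapp is flagged; the forged rival token is dropped.
    print("revoke candidates:", sorted(scan_dump(LEAKED_DUMP)))
```

Because the token is deterministic in the app id, an attacker who learns one app's canary gains nothing against any other app, and the store can re-key per app version by folding the version into the HMAC input if it wants finer-grained attribution.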

fn-mote 5 days ago | parent | next [-]

> * Mandate 3rd party auditing once an app exceeds 10k users

You have a lot of interesting suggestions.

I would love to see some kind of forced transparency. Too bad back-end code doesn’t run under any App/Play Store control, so it’s harder to force an (accurate) audit.

tonymet 5 days ago | parent | next [-]

Also, I remember maybe Facebook trying to do this when they acquired Parse. For a while they were encouraging developers to host their backends on Parse / FB.

The idea has merit. You have to relinquish some control to establish security. Look at the App Store, Microsoft Store, macOS App Store -- they all sandbox and reduce API scope in order to improve security for consumers.

I'm more on the side of autonomy and trust, but then we have reckless developers doing stuff like this, putting the whole industry on watch.

tonymet 5 days ago | parent | prev [-]

Thanks. Yeah, I think there are a lot of ways to decouple the App Store from publisher and auditor. That way the publisher can retain autonomy / control, while still developing trust with the consumer.

We could do better in our trade at encouraging best practices in this space. Every time there's a breach, the community shames the publisher. But the real shame is on us for not establishing better auditing protocols. Security best practices are just the start. You have to have transparent, ongoing auditing and pen-testing to sustain it.
