| ▲ | r_singh a day ago |
| The next decade looks like tech vs. governments everywhere. From the article, it seems Apple won’t roll this out worldwide unless forced. As a user I like Apple’s App Store for security personally, but I wonder how multiple app stores turn out in other regions. I see the EU already allows alternative app marketplaces — has anyone used one and can share their experience? |
|
| ▲ | isodev a day ago | parent | next [-] |
| Apple complied but maliciously in the EU making it very difficult and very expensive to offer apps on alt stores. They also made sure to add scary warnings so one can never offer a normal onboarding flow. > Apple’s App Store for security The App Store doesn’t do anything to protect you in that sense. It’s easy to circumvent and these days it’s cheaper to just buy an iOS exploit than go through the trouble of making a shady app. |
| |
| ▲ | fundatus 21 hours ago | parent | next [-] | | > Apple complied but maliciously in the EU making it very difficult and very expensive to offer apps on alt stores. They also made sure to add scary warnings so one can never offer a normal onboarding flow. Even for web distribution in the EU (which they allowed some time ago) they require you to have had an Apple Developer account for at least 2 years and at least one App with more than 1m annunal downloads in the App Store. So they're forcing you to have a very successful app in their own store before you can distribute yourself, basically making this impossible to actually use. It's such a blatant case of malicious compliance, it's insane. | |
| ▲ | r_singh 21 hours ago | parent | prev | next [-] | | > The App Store doesn't do anything to product you in that sense. It's easy to circumvent... Interesting, their marketing has customers believe otherwise, so I wouldn't have thought that as a noob in cybersecurity. I've submitted an app to the iOS App Store in the past, and the process is tedious and doesn't seem superficial (unlike the Play Store process, which was completely autonomous at the time), so that's another reason why I wouldn't have thought it. | | |
| ▲ | Ezhik 21 hours ago | parent | next [-] | | Specifically from a HOBBYIST perspective, what bothers me about the App Store is not even the 30% thing, but just... the pain of it all. The rejection horror stories, the "Apple told me to change my app's entire model" stories, the "I can't put this little gadget specifically for me and my family on the App Store" problem, and so on and so on. There's really no home but the web for silly little things. | | |
| ▲ | cruano 19 hours ago | parent | next [-] | | What bothers me is that despite all of that pain, they still let through a ton of low-effort app clones in their store, which sometimes even come up before the original ones. If you search for GTA you get a ton of lookalikes, some of which even use screenshots of GTA V which clearly aren't the actual game. | | |
| ▲ | kotaKat 19 hours ago | parent [-] | | You can’t even report behavior that should get an app pulled from the App Store. I know of multiple apps that have malicious ad networks in them, don’t disclose their ad networks, and have no mechanisms to report the ads inside the ad networks or any of the content to them, they just say the ads are “served by one of our partners”. |
| |
| ▲ | fukka42 20 hours ago | parent | prev [-] | | Don't forget "apple approved my app already but is now blocking bugfixes until I overhaul the entire thing to appease this new reviewer" And then repeat that every few months. |
| |
| ▲ | q3k 21 hours ago | parent | prev | next [-] | | The review doesn't guard against malicious code. You can slip through anything you want, just don't trigger the functionality during review and you're golden. People have been doing that for private framework calls since forever. The protection is in the permission system and sandboxing, which is active regardless of the source of the code. | | |
| ▲ | prophesi 21 hours ago | parent [-] | | You only need to pass the app review once, then you're free to deploy over-the-air updates for as long as you'd like. Though you'd need to use a framework like React Native, Ionic, Flutter, etc which supports it. Essentially anything where you can change app code without making any changes to the underlying native code (as that would require going through the app review process again to publish those changes). |
| |
| ▲ | bigyabai 19 hours ago | parent | prev | next [-] | | > their marketing has customers believe otherwise The marketing is a lie, Apple's manual review process has failed to catch extremely high-profile trojan horse attacks: https://blog.lastpass.com/posts/warning-fraudulent-app-imper... | |
| ▲ | askl 20 hours ago | parent | prev [-] | | > Interesting, their marketing has customers believe otherwise That's the point of marketing. Making yourself look good, not stating facts. |
| |
| ▲ | alpinisme 21 hours ago | parent | prev | next [-] | | > It’s easy to circumvent and these days it’s cheaper to just buy an iOS exploit than go through the trouble of making a shady app. But why is that easier? And is it inevitably so or a result of the fact that the boundaries of the one place to install apps from is aggressively policed? | |
| ▲ | gruez 21 hours ago | parent | prev | next [-] | | >The App Store doesn’t do anything to protect you in that sense. It’s easy to circumvent and these days it’s cheaper to just buy an iOS exploit than go through the trouble of making a shady app. Different threat models. If you're the mossad and want to go after someone in particular, yes the exploit is the way to go, but if you're running some run of the mill scam, you're certainly not going to spend 6+ figures on a ios 0day that'll get patched within days. | | |
| ▲ | kmeisthax 19 hours ago | parent [-] | | If you're running a run of the mill scam you probably don't even need to ship an app. |
| |
| ▲ | spike021 21 hours ago | parent | prev | next [-] | | > They also made sure to add scary warnings so one can never offer a normal onboarding flow. is this any different from Macs also prompting the user when a downloaded binary is suspicious/not signed properly? or windows when installing it'd flash a screen about trusting what you're installing? | | |
| ▲ | fundatus 21 hours ago | parent [-] | | It was way worse. They basically made the first install attempt fail. Then they made you go to the Settings app (of course without telling you that you have to go there) to allow it. Then you had to try again to download, which then triggered the scary warnings that you had to accept. This has been changed now though due to EU pressure. | | |
| ▲ | spike021 16 hours ago | parent [-] | | I thought that's also like macos, where we've needed to right click and open and then allow, and sometimes it requires going to system settings to approve it also. |
|
| |
| ▲ | warkdarrior 17 hours ago | parent | prev [-] | | > these days it’s cheaper to just buy an iOS exploit than go through the trouble of making a shady app. "Look, you do not need a front door, and definitely not one with a lock on it. After all anybody could machine-gun you down through your windows." |
|
|
| ▲ | port11 20 hours ago | parent | prev | next [-] |
| I have Alt, Epic, and Setapp installed. Setapp is something I had to stop paying for while unemployed, but has good stuff if you can afford it. Alt is mostly empty, but now lets you add multiple sources for more sideloading options. Basically the market is still in an alpha stage. My next app will be on Alt just because I want to support the idea. Hopefully more apps gets on these stores, for now it's mostly nice to have for games, emulators, and some dev tools. Apple didn't make it friction-free either, but it seems the issue is lack of user demand and/or lack of supply. |
| |
| ▲ | skinnymuch 16 hours ago | parent [-] | | For Setapp, I am kind of forced to pay for it since I use NotePlan and Paste. And I use Timing Tracker sometimes. The first two alone cost the same as a Setapp sub for 4 desktops and 4 iOS devices. I should try Alt out again with you reminding me. | | |
| ▲ | port11 16 hours ago | parent [-] | | Alt isn't very exciting. And for Setapp, consider whether buying the software outright isn't better. After all the time paying for Setapp, once you stop, you've little to show for it. It's akin to using Spotify but owning none of it. |
|
|
|
| ▲ | extraduder_ire 17 hours ago | parent | prev | next [-] |
| If you want to try it for yourself, you can. https://downrightnifty.me/blog/2025/02/27/eu-features-outsid... Requires an EU apple account, a faraday bag, two esp32 boards (or other way to spoof hotspots), a VPN with an endpoint in the EU, and an iOS device with a supported OS version. |
| |
|
| ▲ | pprg1996 a day ago | parent | prev [-] |
| I hate the security argument when it comes to third party stores or apps. No one is putting a gun to your head to install these things. Imagine trying to apply the same logic to macbooks and not let them install from the web or homebrew. |
| |
| ▲ | dgjhu669 11 hours ago | parent | next [-] | | My employer demands that I have some proprietary 2FA app installed. And while it’s the norm for companies to provide you with a laptop that you install their trojans on, it’s not the norm to provide you with a work phone, so I’m glad there is a middleman limiting the damage I’m exposed to when I install corporate software on my phone. And that’s a device that has access to much more information about me, whom I talk to and what I do with my spare time, when and where. | |
| ▲ | andoando 18 hours ago | parent | prev | next [-] | | I dont even get it. Apps require system prompts for access to local network, files, etc. Whats the security issue? | | |
| ▲ | renewiltord 18 hours ago | parent [-] | | This is a website where some moron will read a big disclaimer that ChatGPT is a generative AI and can't give you objective facts, click "Yes, I understand", then have a long conversation with it and kill himself and that is supposedly OpenAI's fault. So it's pretty amusing that here the view is "a modal is immunity from fault". |
| |
| ▲ | owisd 20 hours ago | parent | prev [-] | | Not put a gun to your head but ring up pretending to be your bank and there’s fraud detected and can you follow these steps to verify your identity and secure your account. | | |
|
