| ▲ | isodev 20 hours ago |
| Apple complied but maliciously in the EU making it very difficult and very expensive to offer apps on alt stores. They also made sure to add scary warnings so one can never offer a normal onboarding flow. |
| > Apple’s App Store for security |
| The App Store doesn’t do anything to protect you in that sense. It’s easy to circumvent and these days it’s cheaper to just buy an iOS exploit than go through the trouble of making a shady app. |
|
| ▲ | fundatus 19 hours ago | parent | next [-] |
| > Apple complied but maliciously in the EU making it very difficult and very expensive to offer apps on alt stores. They also made sure to add scary warnings so one can never offer a normal onboarding flow. |
| Even for web distribution in the EU (which they allowed some time ago) they require you to have had an Apple Developer account for at least 2 years and at least one App with more than 1m annual downloads in the App Store. So they're forcing you to have a very successful app in their own store before you can distribute yourself, basically making this impossible to actually use. It's such a blatant case of malicious compliance, it's insane. |
|
| ▲ | r_singh 20 hours ago | parent | prev | next [-] |
| > The App Store doesn't do anything to protect you in that sense. It's easy to circumvent... |
| Interesting, their marketing has customers believe otherwise, so I wouldn't have thought that as a noob in cybersecurity. I've submitted an app to the iOS App Store in the past, and the process is tedious and doesn't seem superficial (unlike the Play Store process, which was completely autonomous at the time), so that's another reason why I wouldn't have thought it. |
| |
| ▲ | Ezhik 19 hours ago | parent | next [-] |
| Specifically from a HOBBYIST perspective, what bothers me about the App Store is not even the 30% thing, but just... the pain of it all. The rejection horror stories, the "Apple told me to change my app's entire model" stories, the "I can't put this little gadget specifically for me and my family on the App Store" problem, and so on and so on. There's really no home but the web for silly little things. |
| |
| ▲ | cruano 17 hours ago | parent | next [-] |
| What bothers me is that despite all of that pain, they still let through a ton of low-effort app clones in their store, which sometimes even come up before the original ones. If you search for GTA you get a ton of lookalikes, some of which even use screenshots of GTA V which clearly aren't the actual game. |
| |
| ▲ | kotaKat 17 hours ago | parent [-] |
| You can’t even report behavior that should get an app pulled from the App Store. I know of multiple apps that have malicious ad networks in them, don’t disclose their ad networks, and have no mechanisms to report the ads inside the ad networks or any of the content to them, they just say the ads are “served by one of our partners”. |
| |
| ▲ | fukka42 19 hours ago | parent | prev [-] |
| Don't forget "Apple approved my app already but is now blocking bugfixes until I overhaul the entire thing to appease this new reviewer" |
| And then repeat that every few months. |
| |
| ▲ | q3k 20 hours ago | parent | prev | next [-] |
| The review doesn't guard against malicious code. You can slip through anything you want, just don't trigger the functionality during review and you're golden. People have been doing that for private framework calls since forever. The protection is in the permission system and sandboxing, which is active regardless of the source of the code. |
| |
| ▲ | prophesi 19 hours ago | parent [-] |
| You only need to pass the app review once, then you're free to deploy over-the-air updates for as long as you'd like. Though you'd need to use a framework like React Native, Ionic, Flutter, etc. which supports it. Essentially anything where you can change app code without making any changes to the underlying native code (as that would require going through the app review process again to publish those changes). |
| |
| ▲ | bigyabai 17 hours ago | parent | prev | next [-] |
| > their marketing has customers believe otherwise |
| The marketing is a lie, Apple's manual review process has failed to catch extremely high-profile trojan horse attacks: https://blog.lastpass.com/posts/warning-fraudulent-app-imper... |
| |
| ▲ | askl 19 hours ago | parent | prev [-] |
| > Interesting, their marketing has customers believe otherwise |
| That's the point of marketing. Making yourself look good, not stating facts. |
|
|
| ▲ | alpinisme 20 hours ago | parent | prev | next [-] |
| > It’s easy to circumvent and these days it’s cheaper to just buy an iOS exploit than go through the trouble of making a shady app. |
| But why is that easier? And is it inevitably so or a result of the fact that the boundaries of the one place to install apps from is aggressively policed? |
|
| ▲ | gruez 20 hours ago | parent | prev | next [-] |
| > The App Store doesn’t do anything to protect you in that sense. It’s easy to circumvent and these days it’s cheaper to just buy an iOS exploit than go through the trouble of making a shady app. |
| Different threat models. If you're the Mossad and want to go after someone in particular, yes the exploit is the way to go, but if you're running some run of the mill scam, you're certainly not going to spend 6+ figures on an iOS 0day that'll get patched within days. |
| |
| ▲ | kmeisthax 17 hours ago | parent [-] |
| If you're running a run of the mill scam you probably don't even need to ship an app. |
|
|
| ▲ | spike021 20 hours ago | parent | prev | next [-] |
| > They also made sure to add scary warnings so one can never offer a normal onboarding flow. |
| Is this any different from Macs also prompting the user when a downloaded binary is suspicious/not signed properly? Or Windows when installing it'd flash a screen about trusting what you're installing? |
| |
| ▲ | fundatus 19 hours ago | parent [-] |
| It was way worse. They basically made the first install attempt fail. Then they made you go to the Settings app (of course without telling you that you have to go there) to allow it. Then you had to try again to download, which then triggered the scary warnings that you had to accept. This has been changed now though due to EU pressure. |
| |
| ▲ | spike021 15 hours ago | parent [-] |
| I thought that's also like macOS, where we've needed to right click and open and then allow, and sometimes it requires going to system settings to approve it also. |
|
|
|
| ▲ | warkdarrior 15 hours ago | parent | prev [-] |
| > these days it’s cheaper to just buy an iOS exploit than go through the trouble of making a shady app. |
| "Look, you do not need a front door, and definitely not one with a lock on it. After all anybody could machine-gun you down through your windows." |