this post was submitted on 15 Jan 2024
468 points (98.5% liked)
Technology
59030 readers
4914 users here now
This is a most excellent place for technology news and articles.
Our Rules
- Follow the lemmy.world rules.
- Only tech related content.
- Be excellent to each another!
- Mod approved content bots can post up to 10 articles per day.
- Threads asking for personal tech support may be deleted.
- Politics threads may be removed.
- No memes allowed as posts, OK to post as comments.
- Only approved bots from the list below, to ask if your bot can be added please contact us.
- Check for duplicates before posting, duplicates may be removed
Approved Bots
founded 1 year ago
MODERATORS
you are viewing a single comment's thread
view the rest of the comments
view the rest of the comments
I think that's exactly the problem. The real user benefit will be very small, but in order to enable those changes, functionality will be implemented on everyone's phones to support sideloading. In my eyes, this increseas the attack surface against iPhones. Time and time again alt stores have been used to distribute fake apps and malware on Android, and the victims are often those users who haven't asked for sideloading and are unlikely to use it intentionally.
Yes, maybe this will enable an F-droid equivalent on iPhone and it will be great to have direct access to open-source apps. But is this niche addition worth potentially reducing the security of all iPhones? I'm not convinced.
But here's the thing - side loading, even on android, is an opt-in feature. The user has to actively go out of their way to sideload an app. Even if an app tries to do it behind your back, you must first enable its ability to do so.
Yes, this doesn't exist when ADB is involved, but in that case you have to go out of your way to enable USB debugging (and be stupid enough to plug your phone into someone else's computer). The vast majority of iPhones will never have sideloading enabled by their users. The EU isn't grabbing their balls and saying that all users must have it enabled by default, otherwise they'd be going after Android too.
Sure, I get that. The issue is that as soon as you introduce the ability to install apps from outside the App Store, it becomes possible to trick unsuspecting users into clicking buttons they don't understand. By designing a web page to look like an actual Apple page, a malicious party could convince users to "opt in" to outside sources, in a similar way in which phishing websites harvest users' online banking credentials. Currently, this kind of attack is entirely impossible on iPhone.
Sure, but at that point we're getting into the weeds of fake webpages, which really isn't anything apple could control anyway. Nothing's to say that if sideloading didn't exist, that page wouldn't just direct them to a form to fill out your banking information. All it does is change the method. Apple could simply maintain a hash database of files that are known as dangerous and package it into a built-in AV for iOS (like most OSes do)
Nothing's also to say that the page wouldn't just abuse one of the hundreds of vulnerabilities that currently exist in WebKit currently.
For your average user, they're probably only visiting legit sites on that browser anyway. My grandparents both have Android phones and to my knowledge have never been "tricked" into installing an APK. I can probably say the same for the vast majority of people.
I believe the benefits outweigh the costs here. Apple loses their grip on the walled garden which is punishing for developers and makes Apple judge, jury and executionor on not only what apps can run on iOS, but also how much developers have to give up to Apple (they could up their cut to 90% at anytime and currently developers can't do shit about it).