
Hey.com exec says Apple is acting like ‘gangsters,’ rejecting App Store updates and demanding cut of sales

AdrianMstr

I’m remembering some news article or other saying they’re about to be sued specifically because that cut-of-sales thing specifically makes them an accompaniment for any bad behavior by the developer.  This might come back to bite them.

Not a pro, not even very good.  I’m just old and have time currently.  Assuming I know a lot about computers can be a mistake.

 

Life is like a bowl of chocolates: there are all these little crinkly paper cups everywhere.


12 hours ago, duncannah said:

I didn't know people still paid for e-mail

People still do. I pay for a private cloud for a Microsoft Exchange web mail service, which is private for me, and I get to use my own personal domain name. If you are a small business, it looks far better to have your branding in your e-mail address, like BobSmith@bobsburgers.com rather than having it like BobsBurgers@gmail.com.


13 hours ago, HarryNyquist said:

Yes it is in the rules.

 

Unless you're Spotify. Or Netflix. Or Amazon. Or Microsoft. Or other companies that are really big and they've made exceptions for/gotten sued for noncompetitiveness by.

 

They either need to allow it overall or not allow it overall.

 

That's because they aren't trying to circumvent the App store's rules. Netflix, Spotify, Amazon, Microsoft etc, all have their own websites that you can subscribe through.

 

This program "hey" is just a paid "Gmail" or so program, and if you notice how Gmail and such work on the iPhone, the app just frames the website. Just like all webview apps (which Spotify and Amazon are also). Hey can completely go this route too, they just choose not to and instead complain about it. Offer a basic level of service, and then just offer the 14.99/mo email to enable the full storage capacity; if you cancel or let it lapse, you just can't search the email archive. Problem solved.

YouTube and Netflix do not require you to sign up on the device, and typically you can't sign up through anything but the website.

 

The thing is, there is leverage that some companies (particularly Microsoft and Amazon) have on Apple, since most of the money to be made through apps is on iPhones/iPads, not Android devices.

 

https://www.theverge.com/2020/4/1/21203630/apple-amazon-prime-video-ios-app-store-cut-exempt-program-deal

 

Quote

Apple on Wednesday confirmed the existence of a program for streaming video providers that allows those platforms to bypass its standard 30 percent App Store fee when selling individual purchases, like movie downloads and TV show rentals. The program first became public earlier today when Amazon updated its Prime Video iOS and Apple TV apps to allow in-app purchases for the first time. It is not clear how long the program has existed, but there are at least two other providers, Altice One and Canal+, currently participating, Apple confirmed.

Note this doesn't apply to subscriptions.

 

Kinda hard to claim something is a monopoly when Apple doesn't have 51% of the mobile space.


50 minutes ago, Bombastinator said:

I’m remembering some news article or other saying they’re about to be sued specifically because that cut-of-sales thing specifically makes them an accompaniment for any bad behavior by the developer.  This might come back to bite them.

I wouldn’t put much stock in that unless Apple was knowingly and willingly abiding criminal behaviour. 
 

It would be like saying Walmart could be held liable for supplier criminal behaviour - which they wouldn’t be unless they knew about it or reasonably should have. 


5 minutes ago, Kisai said:

 

Kinda hard to claim something is a monopoly when Apple doesn't have 51% of the mobile space.

 

It doesn't have to be 51% of anything, it just has to be enough control of any one market that is used in such a way that it disadvantages any one party (another company or consumer). MS got done simply for having IE preinstalled; there was no limit to what users could use, they weren't restricted or prevented in any way from using alternatives, but they still got done. Apple has 100% control over every app on iPhones, which is basically half of all phones in the US, and that control is way more strict than anything Windows ever has had or does have.

 

 

 

The problem does not seem to be the laws though; the problem seems to be Apple has enough money to win every case, and when they don't they just get the president to overrule the courts. If you make an OS you shouldn't have total control over the apps it runs. Windows doesn't, Android doesn't, Linux doesn't, even macOS doesn't, so why would the law allow Apple to, with so many people trying to take them to court over it?

 

 

Grammar and spelling is not indicative of intelligence/knowledge.  Not having the same opinion does not always mean lack of understanding.  


1 minute ago, dalekphalm said:

I wouldn’t put much stock in that unless Apple was knowingly and willingly abiding criminal behaviour. 
 

It would be like saying Walmart could be held liable for supplier criminal behaviour - which they wouldn’t be unless they knew about it or reasonably should have. 

Apple appear to be hedging their bets. In the case Apple v. Pepper, the issue raised in appeal was the question: is Apple a manufacturer or distributor? It seems they play each one depending on which one best suits their needs. Not much different from how YouTube flip-flops between being a publisher or platform depending on whether they are defending against being liable for content or being required to censor etc. And that case was only to determine if a consumer could sue Apple.

 

https://en.wikipedia.org/wiki/Apple_Inc._v._Pepper

 

It also appears that the US has a strong history of corporate success in the courts. Little man v big man is rarely a little man win. When little man does win, big man appeals and has it overturned, or just keeps going until the little man has no more money and gives up broke.

 

 


  

14 hours ago, HarryNyquist said:

They either need to allow it overall or not allow it overall.

I'd say they either need to allow it overall or sit in court.

 

12 hours ago, Zodiark1593 said:

If Apple would allow a reasonably accessible capability to side load apps

Or that. But even then, it better become really mainstream, because

14 minutes ago, mr moose said:

 MS got done simply for having IE preinstalled,  there was no limit to what users could use, they weren't restricted or prevented in any way from using alternatives but they still got done. 

so just allowing it may not be enough.

 

Then again, the whole mobile industry is based on two companies going IE^10000 when it comes to pre-installed (non-removable, mind you) software and market share and somehow get away with it...


1 minute ago, SpaceGhostC2C said:

so just allowing it may not be enough.

 

Then again, the whole mobile industry is based on two companies going IE^10000 when it comes to pre-installed (non-removable, mind you) software and market share and somehow get away with it...

As far as I am concerned they are operating systems on a personal computing device. Therefore if the rules apply to one OS on a personal device they should apply to all. Imagine buying a laptop and only being able to use Windows on it and only being allowed to buy from the Windows store. The outcry would be huge.


20 minutes ago, dalekphalm said:

I wouldn’t put much stock in that unless Apple was knowingly and willingly abiding criminal behaviour. 
 

It would be like saying Walmart could be held liable for supplier criminal behaviour - which they wouldn’t be unless they knew about it or reasonably should have. 

They vet the code; “reasonably should have” seems like an easy toss. It will be years though.


As a developer on Apple platforms let me say this.

Apple is being a complete and utter dick!

1. The rules should be much clearer:
* should include examples of what is `ok` and what is `not` rather than just legal fudge
* should include screenshots as well of the above so when there is an issue we can dispute it
* when they change, all developers that it might impact should be told that in 6 months (or whatever) they will start to enforce them (currently it is guesswork when the rules change as to whether they will enforce them)

2. The 30% (and then 15% after a year) is too high:
* should be 10% to be competitive with services like Paddle (that handle sales tax globally)
* and an option to handle your own sales tax paperwork and only pay 2-3% (card processing) for developers who only want to distribute in parts of the world where they are legally accountable for tax (has subsidiary etc), maybe charge a flat rate per update review in this case if they feel they need to.

What I do not want is Apple to let apps start to ask for credit cards for non-physical goods, as this will be a massive nightmare as users start to assume every single app is an evil scam (there will be evil scams). At the moment if Apple detect a scam within 1 month of it hitting the App Store they are able to fully refund the users and not pay out the developer, but if the dev captures the user's card details Apple can't do much. I as a developer on the platform do not want users to feel scared that they can't trust paying me money, so Apple being the gatekeeper for me is good.

I also understand that the legal nightmare of tax law globally means (having written tax software systems to tackle this before) that if Apple were to let developers handle their own sales tax, most developers (if not all) would be breaking the law somewhere in the world if they were to sell apps globally, and given that nation states would overnight notice that Apple stops paying them millions in collected sales tax, those nation states would go after Apple for `helping` these developers break the law, as going after a developer who is not in your country is a lot harder than going after Apple who are. So if Apple did provide a `do your own sales tax`, I'm OK with that requiring that you only distribute your app in regions of the world where you have a legal entity that handles this (aka where the local governments can take you the developer to court for tax violation and not Apple). I know in the US sales tax is normally on the consumer to pay, but in the rest of the world it is normally on the retailer to collect and pass on to the local gov of where the consumer lives. If a retailer (even if they are not based in that nation) does not do this they are breaking the law; however, doing this is very very costly and complex.

 

--

However I would also say I do not want Apple to permit out-of-App-Store installs (side loading), since as a developer who wants to make money on the platform I look at other platforms and see how these systems are used mostly for one thing: installing pirated software where the license checks have been bypassed. I want to get paid and I don't want to spend all my time building pointless complex licensing systems. I prefer to write features and fix bugs for paying users, and I also don't want to do a big gamer company move (EA) and require that users are always online etc.


1 hour ago, mr moose said:

 

It doesn't have to be 51% of anything, it just has to be enough control of any one market that is used in such a way that it disadvantages any one party (another company or consumer).

https://www.ftc.gov/tips-advice/competition-guidance/guide-antitrust-laws/single-firm-conduct/monopolization-defined

 

While I don't wish to turn into another "ooh someone's an Apple fangirl" argument.

Quote

Market Power

Courts do not require a literal monopoly before applying rules for single firm conduct; that term is used as shorthand for a firm with significant and durable market power — that is, the long term ability to raise price or exclude competitors. That is how that term is used here: a "monopolist" is a firm with significant and durable market power. Courts look at the firm's market share, but typically do not find monopoly power if the firm (or a group of firms acting in concert) has less than 50 percent of the sales of a particular product or service within a certain geographic area. Some courts have required much higher percentages. In addition, that leading position must be sustainable over time: if competitive forces or the entry of new firms could discipline the conduct of the leading firm, courts are unlikely to find that the firm has lasting market power.

Given that the internet has no geographic wall.

 

The Microsoft case was literally they could do whatever they want (and still do) and nobody gets to say anything about it. If Microsoft didn't have its wrists slapped a few times regarding Internet Explorer 4.0 (which is what came with Windows 98), it might have escalated to a point where what we do with web browsers is dictated entirely by Microsoft (and ActiveX is still a bane on IT departments to this day). No, instead it's dictated entirely by Google now. Same problem, different company, different sociopaths in charge.

 

Microsoft still has a de-facto monopoly on PCs, and one of the "well no duh" arguments why Apple gets away with murder is because Apple does not, and if Apple somehow gained 50% of the consumer "computer" space, Microsoft could also get away with murder again. Nearly 100% of PC games only work on Windows, and that which works on macOS or Linux is typically done through emulating the Windows API, or running inside a VM.

 

Which to bring this back to the problem at hand. iOS devices are not the market leader in anything except by profit. Oh boo hoo. 

 

[Image: app-downloads-ios-vs-google-play.png]

 

Google has the Monopoly there, not Apple.

https://www.businessofapps.com/data/app-statistics/

 


https://42matters.com/stats

 

Google and Apple have about the same % of apps to games. More of the paid games are on iOS however, and that can almost be entirely chalked up to the piracy/hacking of F2P games on Android. Why bother putting something on Android unless it runs from the cloud and the user can't tamper with it.

 

At this point the only thing that would be fair to "the web" would be for Google, Microsoft, Apple and Opera to divest themselves of their Webkit/Chromium/KHTML browsers and to take a big step away from them, and have no further involvement in their development. If they wish to pay developers to work on Webkit to support their OSes, do that, but all of these companies are trying to control the web by having their fingers really deep into the Webkit pie, and that should never have been permitted. We are right back to the problems we had in 1999 with two major browsers dictating separate features, and all the copy-cats following the market leader's behavior.

 

And wouldn't you know it, the HTML5 "apps" all use webkit engines. Only on Mac and Windows, they use self-contained Chromium Embedded engines, not the native webview, because the native webview did not exist on Windows until Chromium-based Edge. Kinda hard to build a cross-platform app when Windows was the only one having an incompatible webview.  Even then, Google keeps using Microsoft's old playbook. So much for a HTML5 living standard. Let's just call a fork a fork. Edge and Opera are incompatible forks of Chrome, which is an incompatible fork of Safari, which is an incompatible fork of KHTML, all claiming to be HTML5.0.

 

So going right back to the topic at hand. If the developer of "hey" is not competent enough to build a webview-based app that works on all platforms, they are barking up the wrong tree. Spotify, Slack, Discord, Twitter, Facebook, Gmail, YouTube, etc all have "Web browser" versions that behave exactly the same as their app does. If they wish to charge money, there is nothing preventing them from doing exactly the same thing that Microsoft does with Outlook, or Google does with their Gmail apps. Now is that because Microsoft and Google don't want to give money to Apple for people subscribing to their premium services, or is it just less of a pain in the butt to make the app free and charge for the ancillary features like cloud storage? I personally don't care, and if an app developer is complaining about having to pay a store to carry its service, either charge more, or redesign the service to be free, and charge for features that can be bought directly from themselves.

 

And no, I don't think a 30% cut is fair, but I don't think a developer is going to get to negotiate that unless they are one of the top 10 apps on the platform anyway. I'd much rather see developers be charged by the operational cost (eg every minor version that fixes nothing) of pushing revisions. PS4 and XBOX as far as I know only charge 15%. They also aren't pushing bug fixes every two days.

 

PS, while I'm on this topic, if you want to see the clusterf*ck of what would happen if we had to buy everything from the Microsoft store, take a look at PSO2 right now. Every time Microsoft patches it, users are having to download the entire game again. All 60GB or so.


7 hours ago, lvh1 said:

That's the thing, the "guidelines" from the app store don't allow that. If you state in any way that purchasing the subscription on your website is cheaper your update will get rejected. Take a look at the site that spotify put up summarizing the stuff they've had to deal with https://timetoplayfair.com/facts

The point about Uber and Deliveroo not paying IAP fees is in Apple’s policy guidelines.

 

Apple makes exemptions for certain things, including but not limited to: credit card companies, banks, and buying physical products or services in person.
 

Physical products and services in person are never subject to the 30% fee. Digital services and subscriptions are subject to the fee.

 

Also, fairly sure subscriptions start at 25% and then go to 15% per year after 1 year but @DrMacintosh can confirm.


1 hour ago, mr moose said:

As far as I am concerned they are operating systems on a personal computing device. Therefore if the rules apply to one OS on a personal device they should apply to all. Imagine buying a laptop and only being able to use Windows on it and only being allowed to buy from the Windows store. The outcry would be huge.

Sadly, the mobile business grew with practices no one would have accepted in PCs if they had appeared overnight. But they were accepted as "how it works" on mobile. Now that most people are even more familiar with smartphones than computers, I'm afraid I'm seeing signs of such practices creeping back up to the PC. I don't have high hopes for what things will be like in PC as we dinosaurs become less and less relevant in terms of market share. Hopefully those rules you mentioned do get enforced across the board at some point...


59 minutes ago, Kisai said:

snip

 

 

It's like you ignored the very first line of your quote:

 

Quote

Courts do not require a literal monopoly before applying rules for single firm conduct;

 

Forget the percentage, they have complete control over the iOS App Store; everyone who buys an iPhone has zero control over the apps that can be installed on them. Given they have half the market (by device, not the sheer number of apps in their app store) they hold a monopoly over what half the mobile users in the US can and cannot install on their phone. That is a monopoly whether you like it or not. It is a monopoly whether the US justice system does anything about it or not.

 

 

 

 

 


17 minutes ago, mr moose said:

It is a monopoly whether the US justice system does anything about it or not.

That is the big difference between how the EU and the US consider a monopoly.

 

In the EU if you do something that limits a user's choice (even if it is free, like including Internet Explorer in Windows) it is seen as abuse of monopoly.

See my comments above: I do not want Apple to permit side loading, as an app developer that has a large risk of revenue for me. Apple's no side-loading means I don't need to bother writing tons of license validation/DRM dirtiness that I do on other platforms just to ensure users pay for the app and can't download cracked versions. (Just take a look at some of the stuff on jailbroken app stores: there are nice tweaks and then there are cracked apps.) Maybe consumers think they want this, but the result is all apps will require an always-on connection to the internet and most of the app will live server side, as that is the only way to stop users stealing your work... it is also a lot more work so means less time to write bugs and features.

What I want of Apple is to reduce rates to be competitive with other payment providers that handle sales tax, ~10%. I'm not asking for Apple to let us ask for card details, as again I don't want users to expect every app is a scam. Users trusting the App Store is what means I can charge money to them; users knowing they can ask Apple for a refund (Apple should make this simpler) is a good thing for my income.


28 minutes ago, hishnash said:

That is the big difference between how the EU and the US consider a monopoly.

So why do Apple get away with it in the EU? Google got arse reamed for trying to force phone makers to use their versions of everything.

 

https://www.npr.org/2018/07/18/630030673/eu-hits-google-with-5-billion-fine-for-pushing-apps-on-android-users

 

But as of Feb this year it was still touch and go if Apple were even considering allowing you to use a proper third-party browser as default.

https://www.theverge.com/2020/2/21/21146804/apple-ios-14-features-default-apps-settings-restrictions-apis-rumors

 

Quote

In the EU if you do something that limits a user's choice (even if it is free, like including Internet Explorer in Windows) it is seen as abuse of monopoly.

You mean like what they have been doing already and yet don't seem to get any flak for it?

 

 

Quote

 


See my comments above: I do not want Apple to permit side loading, as an app developer that has a large risk of revenue for me. Apple's no side-loading means I don't need to bother writing tons of license validation/DRM dirtiness that I do on other platforms just to ensure users pay for the app and can't download cracked versions. (Just take a look at some of the stuff on jailbroken app stores: there are nice tweaks and then there are cracked apps.) Maybe consumers think they want this, but the result is all apps will require an always-on connection to the internet and most of the app will live server side, as that is the only way to stop users stealing your work... it is also a lot more work so means less time to write bugs and features.

What I want of Apple is to reduce rates to be competitive with other payment providers that handle sales tax, ~10%. I'm not asking for Apple to let us ask for card details, as again I don't want users to expect every app is a scam. Users trusting the App Store is what means I can charge money to them; users knowing they can ask Apple for a refund (Apple should make this simpler) is a good thing for my income.

 

I understand side loading has its pitfalls, I get it, that's why Android has some of the worst malware. But that doesn't mean a company can hold everyone else to ransom. Not permitting a company/developer to update their app because of a fee issue is blackmail in my book.

It should actually be the consumer's choice; they should be warned of the dangers of side loading, but not have the option removed altogether.

 

 


58 minutes ago, mr moose said:

I understand side loading has its pitfalls, I get it, that's why Android has some of the worst malware. But that doesn't mean a company can hold everyone else to ransom. Not permitting a company/developer to update their app because of a fee issue is blackmail in my book.

It should actually be the consumer's choice; they should be warned of the dangers of side loading, but not have the option removed altogether.

 

 

Nah. There's a better solution here.

 

Every OS should not permit side-loading without signing. 

 

Therefore

a) Any app installed must be signed, for one version only. 

b) The device must check if the signature has been revoked (eg this version is bad/buggy, do not install) or invalid (this sig is fake) and absolutely reject it.

c) The owner of the device can download a developer key, and side-load self-signed binaries (eg they can't download cracked/pirated/modified software.) They can only run software compiled on their own device.

 

Alternatively

c) The owner of the device can download a source blob (eg pointing to github repo) that requires no dependencies (C-family runtime only, no interpreters), and the device will compile it for itself, thus allowing GPL software to be used, the compiler will self-sign this, and will not run the binary if altered.

 

The catch with either case is that you don't get the updates that you would with the legit app store. At least with a git source, the device can periodically do a poll for "does this compile cleanly with (OS VERSION AND CPU)" and update itself. The device would still not permit another "store" on the device since it might stomp on its own store, but it would permit side-loading software that doesn't exist in the official app store.


5 minutes ago, Kisai said:

Nah. There's a better solution here.

 

Every OS should not permit side-loading without signing. 

congratulations, you just bricked hundreds of thousands of programs, games and utilities that the developers have either moved on from, or just no longer exist and require that every "side loaded" program require an internet connection to open any of these. That is worse than any DRM


1 hour ago, mr moose said:

force phone makers to use their versions of everything

Well, that was not a consumer case but a company case. EU law is fun and complex. Basically that was companies selling devices (with Android) were upset that Google were not letting them use Google apps unless all Google apps were preinstalled. Same would happen to Apple if they licensed iOS. Apple have very good international lawyers so tend to be better at `fudging` things so that they are not caught out by these things (not that it is good for users).

 

1 hour ago, mr moose said:

Not permitting a company/developer to update their app because of a fee issue is blackmail in my book.

I agree, that is why in my above post I want Apple to provide 2 options to devs: one where Apple handle the sales tax for devs and they can sell globally (at ~10% cut), and one where Apple just handle card payments for ~2% cut but you are limited to only distributing your app in regions where Apple can make you liable if you don't comply with local tax law.

 

 

1 hour ago, mr moose said:

  they should be warned of the dangers of side loading, but not have the option removed altogether. 

That does not help developers though. Side-loaded apps will not make `legit` developers any money; it will just lead to users loading cracked software, and all other users that are paying for the apps will end up with more bugs and fewer features as developers spend time trying to stop people from `cracking` and side loading apps.

 

On Android it is the case that most developers do not expect to make money from selling apps any more; you make money from ads in apps (that steal a shit ton of users' data and give it to dodgy third parties...) or you make money from server-side features that require online-only DRM-style locks.

 

 

33 minutes ago, Kisai said:

Therefore

a) Any app installed must be signed, for one version only. 

b) The device must check if the signature has been revoked (eg this version is bad/buggy, do not install) or invalid (this sig is fake) and absolutely reject it.

c) The owner of the device can download a developer key, and side-load self-signed binaries (eg they can't download cracked/pirated/modified software.) They can only run software compiled on their own device.

 

This is basically how the notarisation system works on macOS (if you are online). (You can turn it off if you go deep into system settings, however.) The issue is you can't stop them running cracked/pirated/modified apps if, after the app has been modified, it is re-signed with another developer ID. Developer ID only costs $100/year; increasing this would be bad, but how do you stop crackers from just signing the cracked versions of apps with their key? Trying to detect duplicated code paths will just flag up common libs that everyone uses and be full of false positives.

 


3 hours ago, Kisai said:

Only on Mac and Windows, they use self-contained Chromium Embedded engines, not the native webview, because the native webview did not exist on Windows until Chromium-based Edge.

Minor correction: Windows 10 does have a WebView (which uses EdgeHTML). Microsoft even had tools to convert HTML5 apps to UWP apps. Visual Studio even had templates for these (up until 2019, but the PWA Builder could prepare you an MSIX package).

46 minutes ago, Kisai said:

Every OS should not permit side-loading without signing.

I kind of disagree with this. If the app wants to access sensitive stuff, then they should require signing (in my opinion). Maybe with something like a GPG key, but the signing should be laser focused on "this app is from this dev and not a thief that uses the name".

47 minutes ago, Arika S said:

congratulations, you just bricked hundreds of thousands of programs, games and utilities that the developers have either moved on from, or just no longer exist and require that every "side loaded" program require an internet connection to open any of these.

Last time I checked, you can timestamp the package during signing so it can still be used.

 


1 hour ago, hishnash said:

Well that was not a consumer case but a company case.. EU law is fun and complex. Basically that was companies selling devices (with Android) were upset that Google were not letting them use Google apps unless all Google apps were preinstalled. Same would happen to Apple if they licensed iOS.. Apple have very good international lawyers so tend to be better at `fudging` things so that they are not caught out by these things (not that it is good for users).

That was the EU Commission itself bringing the fine under antitrust laws, not a civil case under EU law. The EU found that:

 

Quote

Google is dominant in the worldwide market (excluding China) for app stores for the Android mobile operating system. Google's app store, the Play Store, accounts for more than 90% of apps downloaded on Android devices. This market is also characterised by high barriers to entry. For similar reasons to those already listed above, Google's app store dominance is not constrained by Apple's App Store, which is only available on iOS devices.

 

I think it is really telling that the EU found Google guilty of antitrust because their app store services 90% of Android, while the Apple store, which services 100% of iOS by force, is not a problem.

 

 

1 hour ago, hishnash said:

I agree, that is why in my above post I want Apple to provide 2 options to devs: 1 where Apple handle the sales tax for devs and they can sell globally (at ~10% cut) and one where Apple just handle card payments for ~2% cut but you are limited to only distributing your app in regions where Apple can make you liable if you don't comply with local tax law.

 

That sounds fair enough. 

1 hour ago, hishnash said:

 

That does not help developers though, side loaded apps will not make `legit` developers any money, it will just lead to users loading cracked software, and all other users that are paying for the apps will end up with more bugs and fewer features as developers spend time trying to stop people from `cracking` and side loading apps.

Developers worried about pirates are not the only users of the system though. Customers should be allowed to write and use their own software, app developers should be allowed to distribute their own software outside of Apple if they want, and end users should be allowed to use any software they choose without having to go through jailbreaking procedures to do it.

 

 

Grammar and spelling is not indicative of intelligence/knowledge.  Not having the same opinion does not always mean lack of understanding.  


 

 

2 hours ago, Arika S said:

congratulations, you just bricked hundreds of thousands of programs, games and utilities that the developers have either moved on from, or just no longer exist and require that every "side loaded" program require an internet connection to open any of these. That is worse than any DRM

Nope. If it was a legitimate program, it would have been signed, and if a developer has abandoned it, the signature would still be valid. If you want to run a 15 year old program, good luck finding a current OS with system libraries that will in the first place.

 

The point being, we have solutions already (virtual machines, sandboxes, emulators) for this issue, and we should not have to compromise the current OS and devices by running broken software on them in perpetuity.

 

1 hour ago, hishnash said:

 

This is basically how the notarisation system works on macOS (if you are online). (You can turn it off if you go deep into system settings, however.) The issue is you can't stop them running cracked/pirated/modified apps if, after the app has been modified, it is re-signed with another developer ID. Developer ID only costs $100/year, increasing this would be bad, but how do you stop crackers from just signing the cracked versions of apps with their key? Trying to detect duplicated code paths will just flag up common libs that everyone uses and be full of false positives.

 

The idea is to not allow re-signing of binaries in the first place. Self-signing will only work if you compile it on your own device, or compile it on a device using your developer key. Thus if you have a Mac/PC and an Android/iOS device, that dev key only allows the self-signed binary generated by your Mac/PC to run on the Android/iOS device, or a system compiler on the Android/iOS device can directly compile from source and self-sign.

 

The idea is that, aside from decompiled obfuscated code winding up on something like GitHub, there is no opportunity to run unsigned binaries on the device and escape a sandbox. If something is unsigned it only runs with all the security features enabled, which means no contact list, no SMS, no phone system, no audio, no video, no filesystem, no network, no GPS, no sensors, no NFC, no Bluetooth, etc. It simply has as much functionality as a calculator app would need. The software sees nothing on the device.

 

Basically, "prove to me that the thing you want me to install isn't spyware by showing the code"

 

1 hour ago, FirehawkV21 said:

Minor correction: Windows 10 does have a WebView (which uses EdgeHTML). Microsoft even had tools to convert HTML5 apps to UWP apps. Visual Studio even had templates for these (up until 2019, but the PWA Builder could prepare you an MSIX package).

 

I intentionally overlooked this because the previous MSIE integration and the Edge Webview do not provide the functionality that the webkit webviews have, and this is most likely why Microsoft had their arm twisted to switch to Chromium, otherwise they were going to continue to have ugly, bloated webview-based apps continue to use bloated versions of chromium (see nw.js (used by HTML5 games like RPG Maker) and Electron (used by applications like Discord and Slack))

 

But the point still stands, side-loading ability is largely why people still get tricked into running malware/rubbish/fake software, and people on Android are more vulnerable due to the incompetent vendors that don't update the OS on the device for at least 5 years. On desktops and laptops the "forced updating" only really works on Mac OS X; on Windows you can update the core OS, but nothing goes through the Microsoft Store except a few programs that Microsoft develops or has some hand in publishing (such as Xbox game ports). Steam is the de facto store for games, and the ship has long sailed for Microsoft on that. Origin and Ubisoft both tried to put their own game stores on Windows and people just don't care to deal with them, it's Steam or GoG, nothing else. Sorry Epic game store, too little too late, and like my complaint in the previous paragraph, Steam and Epic both do the notoriously bloated embedded Chromium webview thing.

 

The amount of easy to access pirate software out there is just ridiculous. We don't need invasive DRM schemes if the side-loading itself was dialed back to signed-only, and the average PC user will simply never encounter "side-load unsigned" software. Heck, you know how often I even run into "untrusted" software on Windows? It's always stuff cross-compiled with GCC.

 

If someone absolutely doesn't care about this stuff, there's always turning the integrity checks off, which also turns off the official store entirely. If you brick the device at this point, it's entirely on you.


9 minutes ago, Kisai said:

 

 

 If you want to run a 15 year old program, good luck finding a current OS with system libraries that will in the first place.

 

Windows 10 currently runs my programs that are more than 15 years old now.  Shit I am still playing a game that came out in the 90's and my version of photoshop is 4 or 5, which was released sometime before 2003.   Hell, even the current 32bit version of windows 10 can natively run dos software without any need for third party emulators.

 

 

Grammar and spelling is not indicative of intelligence/knowledge.  Not having the same opinion does not always mean lack of understanding.  


5 hours ago, mr moose said:

Windows 10 currently runs my programs that are more than 15 years old now.  Shit I am still playing a game that came out in the 90's and my version of photoshop is 4 or 5, which was released sometime before 2003.   Hell, even the current 32bit version of windows 10 can natively run dos software without any need for third party emulators.

 

 

Oh, does it now? Did you miss where it probably had to install 15 year old versions of the Visual C/CPP/Basic runtime or the DirectX runtime? This is because Microsoft made pains and efforts to ensure that old software will run, but that's even reaching the end of feasibility and why Microsoft was so desperate for everyone to switch to their .NET IL stuff , WinRT and then later UWP. If you attempted to run a program you had installed under Windows XP, and then later installed Windows 10 fresh, it likely doesn't work without reinstalling it, assuming it had a 32-bit installer.

 

C:\Windows\SysWow64 is 1.58GB, that is the 32-bit "C:\Windows\System" compatibility layer. System32 is 6GB

C:\Windows\SxS is 8GB, that is the side-by-side assemblies. That is how it manages to keep running old software, by keeping multiple copies of every version when software runtimes try to stomp on each other. It's about the only thing that Windows does better than OSX and FreeBSD/Linux do (which tend to allow stomping of the system libraries by userland libraries, and userland libraries stomping on each other). OSX and *nix-like systems have a problem where you usually cannot run an older program on the current OS because the OS doesn't keep a 15 year old version of the C runtime, let alone the system libraries it needs. Usually what happens on Linux in particular is that you have to recompile the entire program against the current system libraries. Amazingly enough, you can more easily run a 15 year old version of a Windows program on a GUI Linux under WINE than you can a 15 year old Linux program.

 

But this is a distraction from the topic. My 8 year old 32-bit iPad still gets updates from Apple, and software updates for titles on the device, and occasionally it just spits out "this is not compatible with this OS" if the app was updated to 64-bit only. Yet a lot of open source (side loaded) stuff that is compiled for OSX (VLC comes to mind) throws a fit after an OS update, with the most recent OSX throwing out the 32-bit runtimes entirely, breaking anything that wasn't 64-bit. There will be hell to pay when Microsoft does the same, so I doubt we will see 32-bit removed from Windows 10 any time soon, and instead see it removed from whatever succeeds it. All these 64-bit apps shipping with 32-bit installers will be DOA, and we will see a second coming of the "32-bit app, 16-bit installer" problem.


9 hours ago, mr moose said:

Customers should be allowed to write and use their own software

This you can do, Apple do not stop you; the limitation is that without a developer ID you need to re-sign it every 7 days (maybe they could increase this timeout). What you can't do is run stuff signed by other people unless they have dev IDs. This is how https://altstore.io/ works. The timeout limit here is what stops a massive flock of users just using this like the jailbreak stores to get cracked software, but it does let you run code you write.
 

9 hours ago, Kisai said:

can directly compile from source and self-sign.

That is not how signatures work, the signature is placed on the binary result, that is how you can validate it, so if you modify the binary you can re-sign. The only way of doing what you are saying is if, to produce signed code, it needed to be compiled from 100% source on Apple's servers (no static shared libs). Basically the developer would not have access to their own private keys, that is the only way to stop them signing.
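The re-signing point in the post above and the revocation check in Kisai's item (b), as an added example that is not part of either post and is not Apple's or Google's code. It assumes Ed25519 key pairs stand in for developer IDs; the policy object, the per-app signer pin and all data are hypothetical and constructed for the illustration.

```javascript
// Added illustration: keys, app ID, policy shape and binaries are all constructed here.
const crypto = require('node:crypto');

// Identify a signer by the SHA-256 of its DER-encoded public key.
const fingerprint = (publicKey) => crypto.createHash('sha256')
  .update(publicKey.export({ type: 'spki', format: 'der' })).digest('hex');

// A "developer ID" is modelled as a bare Ed25519 key pair (assumption).
function newDeveloper() {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('ed25519');
  return { publicKey, privateKey, id: fingerprint(publicKey) };
}

// The signature covers the app ID and the binary bytes, not how they were built.
const signedBytes = (appId, binary) => Buffer.concat([Buffer.from(appId + '\0'), binary]);

function signPackage(dev, appId, binary) {
  const signature = crypto.sign(null, signedBytes(appId, binary), dev.privateKey);
  return { appId, binary, signature, signer: dev.publicKey };
}

// policy.trusted / policy.revoked: Sets of signer fingerprints.
// policy.pins: Map of appId -> the only signer fingerprint accepted for that app.
function verifyPackage(pkg, policy) {
  const id = fingerprint(pkg.signer);
  if (!policy.trusted.has(id)) return 'reject: unknown signer';
  if (policy.revoked.has(id)) return 'reject: signer revoked';
  if (!crypto.verify(null, signedBytes(pkg.appId, pkg.binary), pkg.signer, pkg.signature)) {
    return 'reject: bad signature';
  }
  const pinned = policy.pins.get(pkg.appId);
  if (pinned && pinned !== id) return 'reject: signer is not the pinned publisher';
  return 'accept';
}

function demo() {
  const original = newDeveloper();
  const other = newDeveloper();
  const policy = { trusted: new Set([original.id, other.id]), revoked: new Set(), pins: new Map() };
  const genuine = signPackage(original, 'com.example.app', Buffer.from('original build'));
  const tampered = { ...genuine, binary: Buffer.from('modified build') };
  const resigned = signPackage(other, 'com.example.app', tampered.binary);
  const results = { genuine: verifyPackage(genuine, policy),
    tampered: verifyPackage(tampered, policy),
    resignedAnyTrustedSigner: verifyPackage(resigned, policy) };
  policy.pins.set('com.example.app', original.id);
  results.resignedWithPin = verifyPackage(resigned, policy);
  policy.revoked.add(other.id);
  results.resignedAfterRevocation = verifyPackage(resigned, policy);
  return results;
}
```

A valid signature only says which enrolled key signed these bytes; rejecting a re-signed copy takes an extra control such as a publisher pin or revocation of the signing key.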


 

