Craig Federighi ; side loading is a cybercriminal’s best friend

Heraldique
13 minutes ago, Sauron said:

Oh my God, stop comparing wildly different things when you clearly understand neither. There is absolutely no parallel here. Adding the possibility of sideloading does not force anyone to use it, nor does it increase any type of risk for people who don't use it.

You can’t act like the walled garden system is not effective just because sometimes some pest passes thru the garden walls. That’s nonsense. This part is nonsense:

 

“Not to mention that it has been conclusively shown that only installing apps from the App Store does not protect you from malicious apps anyway...“


I can fix your issue, Apple!

Settings->general->advanced->special options

allow installation of apps from outside sources

dropdown-> NO

                    allow approved app stores only

                    yes

Warning bubble for yes

You are about to enable 3rd party app installs. Are you sure you want to do this?
You must be careful of the files you install, iPhone's warranty will not cover iPhone getting hacked

yes             NO

then it literally doesn't affect you......


Fun fact: You can sideload any iOS app you want as long as you have an Apple Developer account.

The free ones lose their certificate after a week apparently (I have a free dev account but my app hasn't expired yet despite it being almost 2 weeks later).

Look up Sideloadly - all you need is an Apple ID signed up as a dev account, the IPA of the app, and a compatible computer.

Works on any iOS version as far as I know - 6S + 15.0.2 worked.

elephants


I never felt the need to sideload apps on either Android or iOS, because if it's not on the app store, it's not important or relevant enough to be used. What is funny is that our national lottery app needs to be sideloaded on Android from their official webpage where on iOS it's in the app store. Go figure lol.


16 minutes ago, saltycaramel said:

You can’t act like the walled garden system is not effective just because sometimes some pest passes thru the garden walls. That’s nonsense. This part is nonsense:

 

You can't pretend it's effective without showing a shred of data demonstrating it. There is no wall; Apple's checks are embarrassingly inadequate. Calling forbidden system functions without triggering the automated checks is as easy as splitting the name in the code.

Don't ask to ask, just ask... please 🤨

sudo chmod -R 000 /*


2 hours ago, saltycaramel said:

 

1) what’s the malware situation of that other platform compared to iOS? have we got any data about it to compare the 2? I’m not up to date so I won’t jump to conclusions, but..

The other platform has roughly half the CVE vulnerabilities despite being largely FOSS

 

Edit: real sorry, but I was looking at different sources. It is actually 3755 (iPhone OS, interestingly just iPhone) vs 3863 on Android (the whole Google Android, apparently)

 

@Mark Kaine Look at this message again.


18 minutes ago, FakeKGB said:

Fun fact: You can sideload any iOS app you want as long as you have an Apple Developer account.

The free ones lose their certificate after a week apparently (I have a free dev account but my app hasn't expired yet despite it being almost 2 weeks later).

Look up Sideloadly - all you need is an Apple ID signed up as a dev account, the IPA of the app, and a compatible computer.

Works on any iOS version as far as I know - 6S + 15.0.2 worked.

Yeap the whole argument "bad actors could tell people how to enable app loading" doesn't cut it because this is possible right now and has always been (afaik) 

 

Android just doesn't make you jump through hoops for the same *option*

The direction tells you... the direction

-Scott Manley, 2021

 


5 hours ago, maartendc said:

I agree to some extent.

 

However, there will always be a lot of users who can be fooled into clicking "allow this app" because during a phishing attempt, the perpetrator can just say: "oh yes, you will need to give access to install this really important piece of software...".

 

So yes, not enabling sideloading at all IS more secure, because it just takes the power away from the user to even enable non-verified installs. It decreases the chance grandma or little Timmy can install something malicious when being duped.

 

Whether or not you want to pay the price of less freedom over your device for more fool-proofness, that is another question. But it makes the device more idiot proof. And let's face it, a lot of people are just idiots.

Yes, I could see issues with that approach, but that's also not the approach I was speaking of either. The Mac setting is something you have to specifically go seek out and turn off, not some popup that you might accidentally agree to or something.


It can be hard to sideload. I had to sideload the H3lix app onto my iPad 4th Generation so I could jailbreak.


10 hours ago, Bombastinator said:

I’ve been a gmail user from years back and watched as the thing lost quality. I’m finally getting shut of the thing though I had to be pushed.  Lot of inertia there. I generally avoid as many google apps as possible, gmail being the last one to go, but it is in the interest of advertisers to circumvent pop-up blockers so the whole technology might simply be losing effectiveness.

Fortunately Firefox, Brave and Opera disagree. Load times, blocking out entire sections of website, and the petillion repeating popups. Fuck them.


16 hours ago, Bombastinator said:

I don’t think it’s meant to be an excuse.  what other ways to solve the issue are available? Keeping cost in mind. Lots of things can be fixed with money, but tossing too much of it can put the tosser at a competitive disadvantage. The complaint seems to be that side-loading may be cheap for the implementor and the end user initially, but potentially much more expensive for both in the long run.  There are lots of things that made stuff cheaper initially that we are now paying for.  Plastic and carbon emissions come to mind.  Cheap objects and cheap power turned out to be more expensive for everyone eventually.  

Don't they sandbox apps on OS level? If they do it properly, side-loading shouldn't have the impact that they say it does. It really does read like an excuse imo. 

“I like being alone. I have control over my own shit. Therefore, in order to win me over, your presence has to feel better than my solitude. You're not competing with another person, you are competing with my comfort zones.”


8 hours ago, Sauron said:

You still haven't explained what the risk here is for people who don't want to sideload. If you don't sideload anything then you have no problem.

Thought I did. Wouldn't be one except for the risk to everyone in general with someone with such a thing bringing malware into a trusted or particularly sensitive area. Possible issues with their devices being considered to be of lesser security and therefore being unable to bring it places a device without side loading might be allowed. I understand there are office buildings where iPhones are allowed into but Android phones must be checked, and companies who issue Android phones to their low end workers but issue iPhones to corporate. A sideload could possibly create an open market segment. Blackberry or something could come back.

Not a pro, not even very good.  I’m just old and have time currently.  Assuming I know a lot about computers can be a mistake.

 

Life is like a bowl of chocolates: there are all these little crinkly paper cups everywhere.


Just now, Bombastinator said:

wouldn't be one except for the risk to everyone in general with someone with such a thing bringing malware into a trusted or particularly sensitive area.

In any situation where this is a problem people should not be allowed access with their own smartphone. This is just common procedure and sideloading is definitely no riskier in this sense than just regular internet access or apps that you can get from the App Store.

7 minutes ago, Bombastinator said:

I understand there are office buildings where iPhones are allowed into but android phones must be checked

And this doesn't make sense for the reasons above.

7 minutes ago, Bombastinator said:

and companies who issue android phones to their low end workers but issue iPhones to corporate.

That's usually just execs wanting more expensive phones as a status symbol. And again, you can just block sideloading on company devices if you consider it a security issue.


7 hours ago, Sauron said:

"Might" is not the same as "does", plus you still haven't described how exactly having this optional feature that requires physical access to a device increases the spread of any computer virus.

Why did you quote a part where neither of those things were mentioned?  I’d have to hunt the whole thread to find them. (Could be the reason) 

looking at just this quote I would have to take the “might” and “does” thing as agreement.  “Plus” is also not “but” though.  I did explain that.  Several times.  Other people understood it.  They replied. The best rebuttal imho was by @Arika S who presented alternate if perhaps flawed evidence. 


20 minutes ago, Sauron said:

That's usually just execs wanting more expensive phones as a status symbol. And again, you can just block sideloading on company devices if you consider it a security issue.

Perhaps.  Perhaps not.  I have no data.  I’m seeing a lot of assertions based on assumption which are then used as evidence in this thread generally. It would depend on who has input in such things.  One would assume one of the groups involved would be IT.  There are android phones more expensive than iPhone and always have been.  It would be easier for an IT department to have only one OS to deal with.

 

20 minutes ago, Sauron said:

This is just common procedure and sideloading is definitely no riskier in this sense than just regular internet access or apps that you can get from the App Store.

And this doesn't make sense for the reasons above.

How risky side loading is seems to be the subject of this whole thread.  The equating of the internet in general and the App Store is particularly amusing as literally the whole point behind most app sites is software vetting. 

 

Together they equate to assertions without evidence attempting to negate this entire thread.
 

20 minutes ago, Sauron said:

In any situation where this is a problem people should not be allowed access with their own smartphone. This is just common procedure and sideloading is definitely no riskier in this sense than just regular internet access or apps that you can get from the App Store.

And this doesn't make sense for the reasons above.

Exactly.  Either one or the other cannot be smart behavior.  The example implies either there is some sort of middle ground, or such entities are behaving foolishly.  Given the near total lack of argument let alone evidence posed in that post with only what amounts  to an “I don’ lik eet. ‘s wrong!” as rebuttal, there is little to bother rebutting. (Rerebutting?). Of course this is the same problem as with the original quoted statement.  It was an assertion that something is a particular way without support. 


2 minutes ago, Bombastinator said:

There are android phones more expensive than iPhone and always have been.  It would be easier for an IT department to have only one OS to deal with.

Of course it would be easier if everyone just had the same phones, but execs tend to be spoiled prima donnas and they have more power than the IT guy. Sure, there are expensive android phones and I'm sure some execs prefer those, but iphones do tend to be viewed as more of a status symbol. Obviously it's all meaningless fluff, but that's how it be sometimes.

4 minutes ago, Bombastinator said:

How risky side loading is seems to be the subject of this whole thread.  The equating of the internet in general and the App Store is particularly amusing as literally the whole point behind most app sites is software vetting. 

I'm trying to make you see that any potential risk associated with sideloading is present tenfold when you're simply navigating the internet on your phone. Which is why I can't take people seriously when they claim Apple blocks sideloading for the benefit of security when, by the same logic, they should block internet access as well.

6 minutes ago, Bombastinator said:

The example implies either there is some sort of middle ground, or such entities are behaving foolishly.

You'd be surprised how many people behave "foolishly" in such scenarios.

7 minutes ago, Bombastinator said:

Given the near total lack of argument let alone evidence posed in that post with only what amounts  to an “I don’ lik eet. ‘s wrong!” as rebuttal, there is little to bother rebutting. (Rerebutting?)

I'm not the one claiming there's significant risk posed by just allowing optional access to sideloading on iphones. The burden of proof is on people making that claim here.


12 minutes ago, Sauron said:

Of course it would be easier if everyone just had the same phones, but execs tend to be spoiled prima donnas and they have more power than the IT guy. Sure, there are expensive android phones and I'm sure some execs prefer those, but iphones do tend to be viewed as more of a status symbol. Obviously it's all meaningless fluff, but that's how it be sometimes.

I'm trying to make you see that any potential risk associated with sideloading is present tenfold when you're simply navigating the internet on your phone. Which is why I can't take people seriously when they claim Apple blocks sideloading for the benefit of security when, by the same logic, they should block internet access as well.

You'd be surprised how many people behave "foolishly" in such scenarios.

I'm not the one claiming there's significant risk posed by just allowing optional access to sideloading on iphones. The burden of proof is on people making that claim here.

All I see here are more unsupported assertions. Even worse ones than the earlier post.
 

What is needed is some sort of material measurement.  Such could be done as what is being proposed is something that android already does.  The closest thing I have seen so far is a quote of a specialty industry publication by @Arika S which was perhaps insufficiently granular.  How dangerous exactly is side loading? The argument that reduction is nothing if it is not full negation I have repetitively seen here I do not feel holds water.  ”Did not! Did not! Did not!” Is also not an argument.  It may or may not be incorrect, but it isn’t an argument. As a separate issue I have not yet seen treated, I wonder how much of this is that Google does not need to rely on consumer sales to remain solvent whereas Apple does. 


33 minutes ago, Bombastinator said:

What is needed is some sort of material measurement.  Such could be done as what is being proposed is something that android already does.  The closest thing I have seen so far is a quote of a specialty industry publication by @Arika S which was perhaps insufficiently granular.  How dangerous exactly is side loading? The argument that reduction is nothing if it is not full negation I have repetitively seen here I do not feel holds water.  ”Did not! Did not! Did not!” Is also not an argument.  

To be fair, the one person who has been making the most unsupported assertions in this thread is u.

And again I keep reminding u that Apple is already sideloading apps on macOS and that’s just great. And those who prefer to download the apps from the App Store only can just simply keep the sideloading feature turned off (it's off by default anyway); this way power users get to use their device in the way they want, without staying locked in a walled garden, as simple as that.

It's definitely a demonstration of willful ignorance at this point to assume that the walled garden serves all users well, since this depends on each user’s use case, and tech savvy users definitely benefit from side loading, without being limited to Apple’s policies. Also the generalization that side loading will just make the device less secure is inaccurate as this will also depend on each user’s use case.
The same macOS users that sideload apps on their Macs, downloading products like IntelliJ IDEA from their official sites, aren’t any less secure, and having such users do the same on their iPhones would be nothing extreme.

2. Actually having a phone manufacturer like Apple control what apps u can and cannot access is quite dangerous, contrary to Apple’s claims, and it's already negatively affecting the privacy and security of millions of users. How, u might ask?

Well, Apple operates in countries like China, in which Apple has to follow every directive from the Chinese govt. Now it is no secret that the Chinese government is hell bent on only allowing its citizens to access websites and apps that the CCP approves of. As we speak, the Chinese government has banned lots of games, apps and VPNs (which users use to evade surveillance and encrypt their traffic). And since Apple controls the access to apps on its iPhones in China, it therefore means the Chinese government controls the people’s access to apps. Think carefully about that for a second.

So for an iPhone user in China intending to keep his/her online activity anonymous and also gaining access to the powerful Google search engine, by using a VPN, the iPhone’s lack of side loading is a privacy and security vulnerability.


7 hours ago, saltycaramel said:

You can’t act like the walled garden system is not effective just because sometimes some pest passes thru the garden walls. That’s nonsense. This part is nonsense:

 

“Not to mention that it has been conclusively shown that only installing apps from the App Store does not protect you from malicious apps anyway...“

 

Your comparison to vaccines is not even logical, vaccines have mass amounts of efficacy data proving they work, whereas there is no data to support the claim that allowing side loading will reduce security. What's nonsense here is the desire to keep defending an anti consumer practice that has no foundation to support it other than to prevent users buying software elsewhere.

 

I assume you don't apply the same logic to windows and MS,  do you support them in only permitting the use of software you buy through the windows store? ...  I didn't think so.

 

 

 

Grammar and spelling is not indicative of intelligence/knowledge.  Not having the same opinion does not always mean lack of understanding.  


12 hours ago, sir_A4D_ said:

To be fair ,  the one person who has been making the most unsupported assertions in this thread is u .  
 

I so hate cut quotes around here, but for long multipoint posts like this there’s really no good way around them.  
I’m not taking much of a side though.  I’m merely saying that if people are supposed to decide if this is a valid argument or not we need data about how big an issue it actually is.  Actual data.  Not merely unsupported claims.  Clearly they can be made in any direction.   I also wonder about motivations of the major players. They may not be what people seem to think they are.  That’s all about searching for clarity, not taking a side about what should or should not be done.  Data probably exists and may be gettable.  Making claims from a basis of supposition and assumption because they are convenient for whatever reason seems ineffective to me.  

12 hours ago, sir_A4D_ said:



And again I keep reminding u that apple is already sideloading apps on macOS and that’s just great .  

Asked and answered previously  
My reply to that in the thread was to point out that phones and desktops are different markets. 
 

To further explain that, If apple is doing it one place and not doing it in another there may be a reason having to do with the natures of those markets.  It might also be that desktops didn’t used to have app stores at all because there weren’t any app stores, so it could just be a holdout, but reasons should be checked before attempting to use it as evidence because it may be based on an incorrect assumption that phones and desktops are the same for these purposes. 
 

12 hours ago, sir_A4D_ said:

.  And those who prefer to download the apps from the AppStore only can just simply keep the sideloading feature turned off(its off by default anyway) ,  this way power users get to use their device in the way they want , without staying locked in a Walled garden, as simple as that . 

A prime example of that “Did not! Did not!” thing I spoke of earlier. That is like the fourth time in this thread that has been brought up as if it were new. I direct you to any previous discussion of it. In short, it’s already assumed, and any discussed issues already include it.
 

 

12 hours ago, sir_A4D_ said:

I don’t think anyone has ever disagreed with that. The walled garden is a cost.  It has caused me immense issues personally.  I jumped in anyway though not because I thought it was good, but because  I thought the alternative was worse.  This is the problem when there are only two options.

 

I’m running out of steam here. It’s taken nearly an hour and I’m still less than halfway through that gigantic thing. Gonna try to do the rest fast:


 

re: sideloading will make a device less secure..

 

Ok. There are phones that sideload.  What are the statistics?  There is ample evidence in the actions of manufacturers that THEY think it does. There is also basic logic.  It may or may not make a functional difference. More “did not!” “did not!”

 

Re: 2 (where is 1 btw?  I saw it earlier. )

This may be the only actual possible point of the entire thing. Everything else was a rehash of previous stuff. 

 Of course it’s a potential problem. That is already also assumed.  IS is perhaps much,   I did think carefully about that for a second.  What you are saying in not so many words (setting up a thought so people think it’s their own is a thousand year old tactic by the way.  There was a Greek that did it first) is that lack of side loading interferes with potential acts of civil disobedience in China. The mere method of delivery makes me very suspicious of this one.  More or less any concept delivered in this method should be looked at that way.  The CCP has many ways to work on that one.  The Arab spring sprung in the early 2000’s.  Governments in a lot of places besides China have already found work arounds for that stuff.  I’m not sure how strong the point actually functionally is. 


3 hours ago, mr moose said:

 

Your comparison to vaccines is not even logical,  vaccines have mass amounts of efficacy data proving they work,   where as there is no data to support the claim that allowing side loading will reduce security.     What's nonsense here is the desire to keep defending an anti consumer practice that has no foundation to support it other than to prevent users buying software elsewhere.

 

I assume you don't apply the same logic to windows and MS,  do you support them in only permitting the use of software you buy through the windows store? ...  I didn't think so.

 

 

 

This is a stick that points both ways though.  The lack of data goes to both arguments.  Pointing it in that direction had not been done yet though.


Up to 2007: instantly get viruses whenever you insert a thumbdrive in a public PC (class PC, etc.)

 

After 2007: iPhones and iPads, while having a user base with a far higher % of noobs (and a market share that makes them a more interesting target than Macs ever were), don’t get nearly as many viruses

 

for sure the fact that all installable software is vetted has got nothing to do with it, my frens on LTT forums told me so, one of them also inferred that if a defense system doesn’t work 100% of the times then it’s “conclusively shown” that it’s not worth it, some good logic there


iPhones and iPads set a new standard, a new baseline for security, and yes that baseline is higher than on Macs.

 

Nobody actually using them would like to downgrade them to a lower security. IT departments issuing them or allowing them as BYOD. Airlines issuing them to pilots and crew. You name it. Nobody ever said “I wish these were downgraded to the lesser security and lesser you-can’t-mess-them-up_ness of the good old Windows/Mac days”. It’s just big platforms wanting to circumvent Apple’s cut, and Apple bashers answering the call of duty. And some people debating this in good faith. And some people putting the good of the few (because, who here wouldn’t like to install Dolphin on iPhone/iPads without jumping thru hoops and altserver and dev accounts? I get it) before the good of the many (security of most users).


I bet you Craig Federighi has sideloaded tens of thousands of applications on his Macs over the years. You can already sideload apps with an Apple Developer Certificate on iOS anyway. This argument is so ridiculous. Adults are more than capable of determining if they're fine with the risk level of a program they install, just like we all do on our PCs, Macs, and Android devices all the time.


“Adults are more than capable of..”

 

I like that people talk like the current state of security in the world is fine.

 

Security is a mess right now. We don’t know for sure if the hospital of the city we live in will be disabled via ransomware tomorrow morning. Work from home has made these risks even worse. 

 

But let’s keep using the “it happens on these other platforms and the world hasn’t ended” argument..instead of striving for better security on all platforms..
