[scarface74]

Which you can verify they aren't doing if they provide the source code. Or the non-Apple app distributor could verify that they aren't or otherwise sandbox the apps they distribute to prevent that from happening -- another advantage to competition

So what sandbox is available for apps that don’t allow a native app to ascertain individually identifiable device information?

You also now have to trust the non Apple App Store to check the source code. The entire open source community let the HeartBleed bug stay in open source software for a year and a half...

[AnthonyMouse]

> So what sandbox is available for apps that don’t allow a native app to ascertain individually identifiable device information?

That's the point. Currently nobody can build that because Apple doesn't allow it.

> You also now have to trust the non Apple App Store to check the source code. The entire open source community let the HeartBleed bug stay in open source software for a year and a half...

"Many eyes" results in fewer bugs over time, not zero bugs instantaneously. It doesn't have to be perfect to be better.

[scarface74]

That's the point. Currently nobody can build that because Apple doesn't allow it.

And where does this Sandbox wrapper for third party app stores exist for the Android ecosystem where it is both allowed and their are five time more devices?

Many eyes" results in fewer bugs over time, not zero bugs instantaneously. It doesn't have to be perfect to be better.

Have any statistics to back that up? Is Android more secure or less buggy than iOS?

[AnthonyMouse]

> And where does this Sandbox wrapper for third party app stores exist for the Android ecosystem where it is both allowed and their are five time more devices?

https://seap.samsung.com/sdk/knox-standard-android

https://yajin.org/papers/asiaccs15_appcage.pdf

> Have any statistics to back that up? Is Android more secure or less buggy than iOS?

Obvious confounder:

https://en.wikipedia.org/wiki/Darwin_(operating_system)

But what metric would you use anyway? Number of discovered bugs doesn't work because the whole premise is that a higher percentage of the bugs will be found.

It's inherently difficult to measure. But refute the logic: Bugs found by vendor + everyone else > Bugs found by vendor alone. The only assumption is that bugs found by everyone else is non-zero, which is clearly true for any number of open source projects including both Android and Darwin.

[scarface74]

So your solution to a sandbox app is to buy a Samsung device and use a corporate MDM product to manage that one device?

But what metric would you use anyway? Number of discovered bugs doesn't work because the whole premise is that a higher percentage of the bugs will be found. It's inherently difficult to measure. But refute the logic: Bugs found by vendor + everyone else > Bugs found by vendor alone.

Google and third parties have been finding bugs in other people’s closed source products for decades. Again just because people can look at code doesn’t mean that people are looking at code.

You made the claim that there are less bugs in open source software, without any citations, studies, etc.

Android and Darwin are open source but a large part of both iOS and Android are closed source.

[AnthonyMouse]

> So your solution to a sandbox app is to buy a Samsung device and use a corporate MDM product to manage that one device?

You implied that no one was making any such thing. They do. An app distributor that wanted to do the same for apps it distributes could do so likewise, but not if Apple stands in their way.

> Google and third parties have been finding bugs in other people’s closed source products for decades. Again just because people can look at code doesn’t mean that people are looking at code.

And if the product was open source, they could also fix the bug, rather than having to rely on the vendor to do it -- which they sometimes don't.

It would also be easier for them to discover the bugs, which would result in more of them being discovered.

> You made the claim that there are less bugs in open source software, without any citations, studies, etc.

Because it's an argument from logic rather than an argument from observation. The claim isn't that some specific number of people have been observed using published source code to discover bugs, only that the number is non-zero -- which doesn't require statistics, only a single counterexample that I can provide myself from personal experience in having done it.

> Android and Darwin are open source but a large part of both iOS and Android are closed source.

Then why propose to compare them as though it would provide some useful information about the effect of open source on finding bugs?

[scarface74]

Of course I knew about MDM software, it’s been around forever - before the iPhone ever cane out. We used it for Windows Mobile software, deployment of vertical software for both iOS and Android, etc. And if the product was open source, they could also fix the bug, rather than having to rely on the vendor to do it -- which they sometimes don't. It would also be easier for them to discover the bugs, which would result in more of them being discovered.

In reality, Android is suppose to be “open” but between Android, iOS, and Windows, the Android ecosystem has the worse track record of both correcting bugs and getting the patches out to users.

In the real world, no one is voluntarily going through each line of either Android or iOS looking for exploits out of the goodness of thier hearts.

Because it's an argument from logic rather than an argument from observation. The claim isn't that some specific number of people have been observed using published source code to discover bugs, only that the number is non-zero -- which doesn't require statistics, only a single counterexample that I can provide myself from personal experience in having done it.

And that “logic” falls apart with one widespread example - the HeartBleed bug that was in the OpenSSL implementation for a year and a half.

The number is also “non zero” of bugs found by third parties in closed source software....