[roblabla]

The walled garden is not what protects your email, 2FA SMSes or bank details. The OS sandboxing and permissions system do that. The two are often conflated, but the two concerns are orthogonal really.

Heck, you could easily imagine a system where software distributed outside the app store can only access a subset of perms if security is such a concern, and that'd still be less anti-competitive

[threeseed]

Due to the way iOS works (dynamic dispatch) private APIs can only be prevented through an App Store review process.

And many of those APIs can be used to extract enough information to fingerprint the device, determine your location or steal your data e.g. accessing the list of WiFi networks or browser history.

So no. The two concerns are very much related.

[brmgb]

> Due to the way iOS works (dynamic dispatch) private APIs can only be prevented through an App Store review process.

That's complete nonsense.

Dynamic dispatch has nothing to do with the ability or not of a program to access API. Dynamic dispatch is the selection at runtime of the correct version of a polymorphic function. Obviously, you can sandbox programs written in languages using dynamic dispatch.

[threeseed]

Be curious how you plan to prevent access to Apple's private APIs in Objective-C, which uses dynamic dispatching, without breaking existing code.

I am sure Apple would love to know how you've managed to solve this.

[gpderetta]

sign existing code.

[ben_w]

They do, this is an argument about how they decide when it is OK to sign that code.

[t0mas88]

You could easily argue that Apple has built an OS that is deeply broken and insecure if they aren't able to technically enforce permissions of apps to do certain things. Virtually any other OS has that capability.

[gridlockd]

They can't be prevented reliably even through the App Store process - that's simply impossible.

The point of a private API not security, it's to distinguish between the public interface that is meant to be stable and implementation details that might change.

They might do some rudimentary checks to catch obvious usage of private APIs, but it's not part of the security model and still apps show up on the App Store that use private APIs, all the time.

[appleflaxen]

they are related because apple plugged one process into the other.

but there is nothing intrinsic to their operation that requires it, and apple could un-plug it.

this is like apple arguing that IE is central to the fabric of windows, and can't be removed during the european antitrust suit.

it's dishonest, but apple will likely make the same claim.

[Joeri]

Heck, you could easily imagine a system where software distributed outside the app store can only access a subset of perms if security is such a concern, and that'd still be less anti-competitive

I think this system is called the world wide web.

Apple would have a much stronger case if mobile safari were a first class PWA platform, instead of being almost useless for PWA's. Then the choice would be: make a PWA and live in the browser sandbox, or go through approval and be on the app store.

[madeofpalk]

I really don't think so. there are many classes of applications that just do not work on the web platform.

A podcast player or music and video streaming app, or a game like fortnite, are not going to work as web sites.

[rimliu]

   > but the two concerns are orthogonal really.

They are not, really.