[Veen]

Perhaps we should think about this from a utilitarian perspective. There are obvious security advantages to app signing. But there are also negative implications for privacy and availability. Given tens of millions of non-technical users, is app signing likely to result in more good than bad, taking into account the fact that it can be turned off? I don’t know the answer, but I’m pretty sure those who relentlessly focus on the possible downsides don’t know either.

(Pretending to be able to see into the minds and motivations of people you don’t know is rarely helpful. You have no grounds to attribute users’ behavior and opinions to Stockholm Syndrome, and it doesn’t apply anyway: no one is held hostage or abused in this scenario)

[AnthonyMouse]

The key is in understanding that the trade off is an illusion. App signing is de facto blacklisting. Anyone can get an app signed but Apple maintains a naughty list. It's just anti-virus by another name.

But you don't need signed apps for that, only hashes. And you don't have to phone home for that, only download the latest naughty list whenever it changes so you can check against it locally.

[zeusflight]

> There are obvious security advantages to app signing. But there are also negative implications for privacy and availability.

App signing exists elsewhere without sacrificing privacy. Most Linux packages, for example, are signed with GPG keys. The difference is that Linux only cares about installing trusted packages. It doesn't care about applications that are already installed after verification. Apple insists on having the ability to revoke something that's already installed. There are two issues here:

1. Is it reasonable to revoke permissions for an installed package? It could be argued that it will help stop malicious apps that were discovered after they were distributed. However, it could equally as well be that Apple wants more control over devices and hold developers to ransom. Their recent treatment of developers indicate that this concern is not at all misplaced. The least Apple could do is warn the user about a revoked certificate and ask if they still want to proceed (like how browsers do in the same scenario). However, it just refuses outright.

2. Apple chose a very bad method to implement online certificate revocation. OCSP is meant for server certificate validation. OCSP stapling is preferred over plain OCSP due to privacy concerns. Stapling cannot be used in this context. This method unfortunately ruins privacy and spill user information everywhere. They could have chosen some other more private method, like an updatable CRL.

> I’m pretty sure those who relentlessly focus on the possible downsides don’t know either.

As I said, there are more private ways to push revocation status. Apple always claimed that the device lockdown was to ensure privacy. This oversight shows how hollow that claim is.

Important part to notice is the false dichotomy of freedom vs security. The argument that negligent users will screw up if given freedom. This is wrong for two reasons:

1. Defaults vs restrictions: Keep the defaults secure and slightly hard to modify for normal users. But don't restrict those who need alternatives.

2. Security can be achieved without locking everything down and remote controlling it. See web browsers for example. We run JS from all insecure sources, but cannot access sensitive resources (like camera, file access etc) without users' permission. The same can be achieved on OS with sandboxing, microkernels etc.

> no one is held hostage or abused in this scenario

Abuse is not always apparent to the abused. User rights are gradually eroded away in the name of security, giving users enough time to get accustomed to it. There may be escape hatches now, but they are slowly getting closed. For example, we considered PCs that don't allow us to install another OS as abusive. However, we don't hold mobile devices to the same standard. Unfortunately, this normalization of abuse doesn't just affect those who accept it. The rest of us are left without a choice. That criticism is definitely valid.