[icpmoles]

Quick summary: the biggest electricity provider in the country (ENEL) made an app (Juicepass) to find and manage their charging stations across the country. The Android Auto functionality of the app has been rejected by Google for non disclosed "security concerns while driving". The antitrust ruled out it was because Google wanted to sabotage competitor apps to the charging stations finder built-in in the Google Maps app. On top of the fine Google will need to provide the SDK to integrate their app with Android Auto.

[bsdubernerd]

And a quick reminder to everybody else that walled gardens don't actually help the consumer. They only arbitrarily restrict choice, they don't actually improve security (if any, that's provided by the sandboxing, not by the store "review").

If this company (ENEL) wasn't a huge state-wide electric company (inheriting their power and ties from the previous state-owned monopoly) how many chances do you think they had to fight?

As a small fish you're just dumped.

[oblio]

Walled gardens are just security theater. The App Store revenue was $72bn in 2020, yet the review time for an app is a few hours. App reviewers barely have any qualifications, they're just "call center operators" running off a script.

[spoonjim]

I've watched the App Store reviewers try out apps (not in person, from logging) and they do seem to do a pretty thorough job of exercising the functionality.

[mupuff1234]

That makes me wonder how easy it is to just hide certain features during the review process.

[collaborative]

It's extremely easy, but it also is extremely easy to get permanently banned if they find out you "switched on" a hidden feature once the app got into production. A permanent ban can be very damaging, so one needs to make sure to be completely legit when it comes to app store submission reviews and app store ratings

[amacneil]

Can confirm. We got the Coinbase iOS app banned for doing this back in the day, when Apple did not allow bitcoin apps (IIRC showing the price was ok, transacting was not). Even after they relaxed their bitcoin restrictions (and calls to the head of app store), they still made us wait out the 12 month ban before reinstating the app.

https://www.coindesk.com/coinbase-bitcoin-app-apple-app-stor...

https://venturebeat.com/2014/12/14/bitcoin-wallet-coinbase-n...

[tyingq]

I wonder how this works with webviews. Do they expect you to resubmit the same binary if a page displayed in a webview changes?

[bugfix]

It is actually pretty easy. As long as you don't use any private APIs, you can completely change the behavior of your app after the review by changing server side settings.

[zepto]

Yes, but if they catch you, you’ll get kicked out of the store altogether.

[bassdropvroom]

VW should hire this person!

[oblio]

https://github.com/auchenberg/volkswagen

[danuker]

How do you know those were not automated systems?

[spoonjim]

Could have been, but then we got rejected for something which would have been hard to detect automatically.

[threeseed]

a) Apple has invested heavily in automated review methods over the years.

b) I don't know what qualifications you think an app reviewer needs. They are not looking through the code but simply playing with the app on a range of devices.

c) It is only a few hours for updates. Initial app submissions often take days/weeks and are very thorough.

[simion314]

> a) Apple has invested heavily in automated review methods over the years.

There was a news here where malware was found on the Apple iOS store, and Apple changed their mind in the last moment and refused to inform the victims.

The reality show you (if you want to see) that

- malware happens (you can't make automatic analysis code to detect all possible issues )

- Apple users will mostly have a wrong image of the Store security due to Apple not informing victims when bad things happen and a big PR budget to paint a fiction.

The reviewers are there mostly to make sure you do not put a link to your website and buypass the Apple payments and make sure that the app does not crash and use the approved UX. I really hope you are not that navie to think they are opening the app in a debugger and checking for weird code.

[wwtrv]

You need register with a real name and credit card and pay 100$ to be able to publish anything on the app store. Irregardless of how effective the review process is even if you manage to sneak any app with malware past it Apple will still be able to remotely remove it from every user’s device and ban your account. This alone make the Appstore inherently safer than any system which would allow side loading.

As for code, they run relatively extensive automatic tests to detect whether private (banned/undocumented) APIs are used, I don’t know how effective they are at catching malware, though.

[simion314]

>You need register with a real name and credit card and pay 100$ to be able to publish anything on the app store.

This was done on Windows too, you were not forced but any business would sign their application, otherwise they user would get a scary warning that the developer is not know.

>As for code, they run relatively extensive automatic tests to detect whether private (banned/undocumented) APIs are used, I don’t know how effective they are at catching malware, though.

The sandbox should solve this, unless the Store bans APIs only for some or worse there are hidden APIs that should not be used and the sandbox is to dumb to notice you are using them , then this would be security by obscurity.

This topic is different then most of the other topics about side loading apps, in this case the giant refused to allow an application on the store, or allow access to an API without a good enough reason. This reveals again that rules are not fair and is very hard to get justice for the users.

I would suggest a law to force the giants to give always an exact reason of why an action aganst someone happened, I have personal experience where an account of mine was banned and I have no way to appeal and I have no idea what was wrong. The giants are shitting on us all, as long as the numbers of the victims are low enough some flashy ads would solve their PR problems. We need something to make it fair for the users, make it easy to get our justice.

[citizenkeen]

Regardless

[swiley]

Your definition of "thorough" and mine are very different. I highly doubt they could do a meaningful review without the complete source code for the app. It's not unusual that apps change their behavior after the review and this sometimes comes from binary dylibs that the developer didn't write.

The whole thing is a scam.

[zepto]

> It's not unusual that apps change their behavior after the review

Which leads to the account being banned.

> and this sometimes comes from binary dylibs that the developer didn't write.

Which are detected through analysis if they are common spyware.

>The whole thing is a scam.

Clearly not.

[swiley]

>> It's not unusual that apps change their behavior after the review

>Which leads to the account being banned.

Only if it gets noticed.

>> and this sometimes comes from binary dylibs that the developer didn't write.

>Which are detected through analysis if they are common spyware.

Facebook got away with it for many years.

>>The whole thing is a scam.

>Clearly not.

If it weren't then they would let people choose to use the App Store. It only exists to protect Apple's services from competition.

[cosmodisk]

Meanwhile this is what Salesforce does for their AppExchange applicants:

https://developer.salesforce.com/docs/atlas.en-us.packagingG....

[Edit] I should add that an annual listing is $150 and the initial security review is $2550, so no free cheese either.

[Aulig]

c is not correct. I publish lots of apps for clients and I regularly get new apps published in less than 3 hours. Apples official stats are: 90% of apps get reviewed in less than 48h and 50% in less than 24.

[codesternews]

I agree with you, But you know there are different rules for each app.

Small developers don't get same access as big developers and their apps get klled for smallest reason just by having some obscure policy or change in policy.

Developers don't have same access as Apple google eg: Screen Time

[scarface74]

Yes. Because I really want third party developers to be able to track my app usage and disable other apps…

[Karunamon]

Hi, rescuetime user here. Yes, I want apps to be able to track my usage if I ask for it.

[benrbray]

> They are not looking through the code but simply playing with the app on a range of devices.

Hence, security theater.

[MikeUt]

All that "heavy investment", and they don't catch even the most obvious scams:

https://news.ycombinator.com/item?id=26888190

https://news.ycombinator.com/item?id=26069660

https://news.ycombinator.com/item?id=26504158

[Karunamon]

This may be a hot take, but I have a problem with the way that first article equates "extremely overpriced" with "scam".

A scam is when you've been deceived or defrauded.

If you consent to pay $10 a week for an app that doesn't provide what it claims to, that's one thing, and that should be actionable. But if it does what it claims to, not liking the price does not equate to being a scam.

[emn13]

Except that you don't really get to pick to pay the price or not because of their monopoly position.

At best you get to take your marbles and refuse to play entirely; which isn't exactly a reasonable long term strategy.

There should be competition between app stores.

[simias]

If we judge by the result these app store seem to do fairly well security-wise, no?

Compared to Windows as a case study of what happens when you let users install anything they want from untrusted sources, it seems that the app stores do fairly well at culling obvious malware. At least that's what I experienced comparing the number of time I had to cleanup a friend or family member's computer filled with malware and browser toolbars vs. iphones and androids.

[zimbatm]

A large part of the stability can be attributed to sandboxing. This is what prevents apps from gaining unprivileged access and destabilizing the system. This is the time where relatives will call you.

What you don't see, is all the apps that steal the user's data.

Curation obviously helps but it's difficult to measure to what extent.

[zepto]

> A large part of the stability can be attributed to sandboxing. This is what prevents apps from gaining unprivileged access and destabilizing the system. This is the time where relatives will call you.

True

> What you don't see, is all the apps that steal the user's data.

Exactly this. Apple now has policies against fingerprinting etc. which can’t be prevented by sandboxing.

> Curation obviously helps but it's difficult to measure to what extent.

https://www.apple.com/newsroom/2021/05/app-store-stopped-ove...

[sneak]

It has to be both to work; the sandbox would fail in a day if there were no review/revocation system.

[nickflood]

Web browsers don't have widely known glaring security holes in them even though their vendors don't approve the content that's viewed through them.

On the other hand, you can't be completely sure that sandboxes on mobile devices don't have actively exploited security issues as there are many ways to bypass app review from discovering the true functionality of an app.

[philistine]

I'd argue only the revocation is needed. macOS is moving towards that model: every app requires notarization, Apple provides it without asking questions, but reserves the right to revoke the running privileges of any app. This makes so much more sense.

[ajsnigrutin]

There is a lot of phone malware, showing random ad notifications, collecting gps data, sending it to whoknowswhere, some even sending premium sms messages, etc. There are less drive-by installs, but more intentional installs (eg. flashlight app with a gajillion permissions).

[antipaul]

Details on app review process, including picture of reviewer workstation, surfaced in the Epic game trial:

https://www.macrumors.com/2021/05/07/app-store-35-percent-of...

[kolinko]

And yet, over it’s 13 years of history there were only single instances of viruses/malware.

Compare that to Google Play

[grawprog]

https://www.techradar.com/news/apple-app-store-is-apparently...

https://threatpost.com/click-fraud-malware-apple-app-store/1...

https://www.tomsguide.com/news/iphone-apps-infected-malware

https://9to5mac.com/2021/05/07/emails-reveal-128-million-ios...

https://www.theiphonewiki.com/wiki/Malware_for_iOS

[kolinko]

Did you read the links you provided?

The last article explicitly mentions that most of the malware needs iPhone to be jailbroken or the app to be installed outside of the App Store, which kind of proves my point.

The research by Panda Security also showed that the ratio of malware on Android compared to iPhone is 50 to 1.

https://www.pandasecurity.com/en/mediacenter/mobile-security...

[user-the-name]

It is a lot more than "theatre". The first line of defence is the sandboxing built into the OS. The second line is a lot of automated analysis of the binaries that are uploaded. The human review is the third line, but that is much less about security.

[dalbasal]

..and the last line of defense is removing a bad app to prevent further harm.

Drivers licenses aren't only about competence. Sure, there's a test. But, there's also the ability to revoke a license.

[Siira]

So please explain why the licenses need to cost a fortune? Simple Bayesian thinking will tell you what the real motive is, and what is being used as the coverup motive.

[dalbasal]

There is no "real" motive, only history. One thing led to another. Now we are here.

[user-the-name]

Is $99 a year really "a fortune"? It's less than the price of a Netflix subscription.

[zepto]

> And a quick reminder to everybody else that walled gardens don't actually help the consumer.

This is not supported by the article at all.

> They only arbitrarily restrict choice,

This statement is total bullshit. Even if a few scams get through, and even if Google has abused its store, it’s not only arbitrary.

> they don't actually improve security (if any, that's provided by the sandboxing, not by the store "review").

No, Sandboxing cannot stop large classes of well known social engineering scams.

https://www.apple.com/newsroom/2021/05/app-store-stopped-ove...

Here is data proving that walled gardens do in fact protect consumers greatly.

You don’t have to like them, and of course there are downsides, but let’s not pretend there are no benefits.

[dalbasal]

IMO, walled gardens are besides the point. Whatever the working definition of walled garden, we can find some consumer or situation for whom it arguably makes sense.

The real problem isn't the wall, it's the gate. Adwords, Android, FB, Twitter, Spotify, Steam... those are all about controlling the gate. At that point, others do the work and the gatekeeper makes the profit.

[WanderPanda]

It’s not all black and white. Walled gardens can have upsides for the consumer. Ruling that out discredits your argument

[PaulHoule]

When Apple's App store first came out consumers were sour about a decade of "crapp(s)" on Microsoft Windows.

That is, you pretty much expected to download software and have it trash your machine on a regular basis.

Things are better today, half of that is people realizing that it has to get better ("national security" today, but it's much bigger than national in scope) and the other half is people realizing it is possible to get better, and Apple's App store is one reason for that.

---

Improvements in HW and SW are what helped Microsoft, not the Microsoft store -- since Win 8 I think I've had a Windows machine where it was really possible to download third-party apps from the Microsoft store about 10% of machine*years. Part of that is that it was disabled on corporate laptops I've used, the other part is that the metadata database for the Microsoft store gets corrupted on a regular basis.

I've contacted Microsofties about that and what they tell me is that I should delete my account on my computer and then reinstall the account and spend or two work days reconfigurings all of the "normal" Windows apps that I used on an everyday basis (Firefox, Jetbrains, Creative Cloud, Python, ...) I tell them "there's a procedure to rebuild the metadata database because I've see the database get rebuilt when the six month OS updates happen" and they act as if they didn't hear anything.

For that matter Microsoft seems to be a counter-example to "the power of monopoly".

For instance there are several third-party gaming "app" stores for Windows such as Steam. One thing they all have in common is that they work.

When Win 8 came out DropBox and a number of imitators had apps that worked for Windows. There was one DropBox imitator that didn't work, and that was Microsoft's OneDrive. Office was jiggered to push you to save files to OneDrive, but if you were saving files to OneDrive you could frequently NOT BE ABLE TO SAVE FILES AT ALL!

To add insult to injury, this would also trigger harassment from Word the next time I open it about the files it didn't let me save. It's like this

https://tonyortega.org/2021/04/12/scientology-answers-danny-...

I guess it proves that running an "app store" without brand awareness doesn't lead to industry dominance.

[permo-w]

I agree that the downsides outweigh the positives, but they do provide security to a certain extent.

For example, you can give your grandma an iPad or a chromebook, and there’s very little chance of her accidentally installing x nasty malware.

Give her a proper laptop, and at any one time she’s about 6 clicks from something dodgy, especially if she’s on social media.

[egocentric]

That's because of system-level protections like the sandbox, not App Review or the App Store.

[permo-w]

yes but if you allow alternative app stores, then what? it’s either regulated by apple, which defeats the point, or it’s a security risk.

I’m against walled gardens, I just disagree that there’s no security upside to it

[Barrin92]

put a system setting in place that lets you lock down the device if necessary with a password so grandma can use it safely?

As OP points out you do not need an app store monopoly, you just need adjustable device settings.

[rattlesnakedave]

As an Apple consumer, having a “walled garden” is great for UX, IMO. I don’t have to deal with a ton of shitty wallet apps, everything is in one App Store, etc.

I find this much preferable to the situation on Android.

[dan-robertson]

> The antitrust ruled out it was because Google wanted to sabotage competitor apps to the charging stations finder built-in in the Google Maps app

Should this say “…ruled it was because…”? I can’t figure out the reason for the fine otherwise.

[simonh]

Just to explain for non-native anglophones, I think what they meant was "gave out a rule", but in idiomatic English "ruled something out" means it has been eliminated as a possibility.

[Chris2048]

Yep, and to explain further; The first instance of "ruling" in a judicial sense probably derives from rule (i.e dictat/maxim).

To "rule out" is to use a ruler to cross a line through something in a written list of items, thereby eliminating it from consideration.

[wccrawford]

But also in colloquial English, "rule out" means "eliminate by logic". Like, "use the rules to take it out of possibility".

[dan-robertson]

I don’t think this is an accurate definition or etymology. The phrase can mean “formally remove” or just “eliminate”. I think it always alludes to using a stick of wood to draw a line rather than a regulation or law.

[wccrawford]

My etymology might be completely wrong. No argument there.

But as for the meaning, that's what it's always meant when I've heard it said. So it definitely means that, at least colloquially.

[HALtheWise]

The really sad thing about this case is that there is _no way_ that Google made anything like $100M from the charging station finder in Google Maps in Italy. That functionality reeks to me of something made by a small group of Googlers because they legitimately care about promoting electric cars and making life easier for their owners, not because Google particularly cares if they dominate the electric vehicle charging station finding market. Now that the functionality has cost them $100M and however much effort it takes to make a regulator-approved SDK for Android Auto, I'm worried that the lawyers at the company will just shut down that feature and others like it, which would be a net loss for users.

[klmadfejno]

That's only sad if all they did was make a product and not share it with others. They also rejected a competitor access to their monopoly on the service. It's supposed to sting. Otherwise they would just do this shit all the time.

[ysavir]

So it's okay for companies like google to abuse their market position so long as we think they're doing it for the greater good?

[seaman1921]

exactly, this is not the reinforcement you want to give the big tech - putting fines for the actually useful stuff using crappy antitrust arguments? Come on.

This will just encourage them to kill all the genuinely useful stuff they do because honestly their legal teams can't spend hours vetting all of these small features and apps which provide immense value to certain subsets of users. And for what ? The shitty JuicePass app with under 2.5 rating.

[seaman1921]

edit, s/reinforcement/punishment

[PaulHoule]

What are the rules for Android Auto?

Distracted driving is a big problem, but my experience is that people have superstitious ideas about what is safe and what is dangerous in areas like that.

You can certainly do experiments, and the conclusion you seem to reach is that you're in a lot safer with a car that has physical buttons for the audio, heat, etc. (Had "luxury" carmakers been on the ball five years or so they would have kicked the infotainment systems to the curb and would be giving customers a premium experience today -- how many $1000 does Android Auto knock off the resale value of your car?)

[darksaints]

Totally. I'm maybe a week or two away from buying a Model 3, but the thing I keep coming back to is the whole "everything is controlled by a touchscreen" crap. Even when physical controls are not designed perfectly, you can still get used to them to the point where they are muscle memory and no longer a distraction. No matter how awesome they are, touch screens will never not be a distraction.

[908B64B197]

I'm on Google's side here.

I want Android Auto to know what type of plug I have and Google Maps to just show me all compatible chargers. And possibly handle payments. Like what Tesla has been doing for years [0].

Now there's some government developed app to duplicate that functionality but only for their special snowflake network and only in their jurisdiction. Just crossed the border from France to Italy? Install this app (is it in international app stores as well? Do I have to switch my phone to that country?). Ohh now it has it's own map but no navigation so I'm switching back and forth between that and Google Maps.

[0] https://youtu.be/hA_B7qPyUDA?t=1145

[Chymor]

That’s not really what it’s about. It’s about if they can do that and throw out competing apps doing the same thing. Or if you will have the ability to choose an other app if you don’t like google.

Of cause integration and ease of use become harder if there’s multiple networks and apps, but that’s separate from the question if they should be allowed by google.

[gentleman11]

Not sure why nobody else is asking this, but what is the evidence? Did an investigation reveal that this actually was the reason for the App Store rejection?

[toyg]

This was an antitrust ruling, so chances are that the process was something like:

- app developer (here, the giant state-backed energy company ENEL) complains to antitrust authority about getting denied access to store

- authority asks Google to justify itself

- Google makes a very weak argument, refuses to disclose the internal decision-making process that resulted in blocking access

- authority goes “oh really?”, proceeds to slap Google with a fine

Now Google can decide whether they want to take this to court (which, being Italy, will probably take 5 to 10 years); pay the fine and allow ENEL in; or just ignore the ruling and dare the state to slap them harder (which again, would probably mean a good 5+ years will pass before sanctions are actually enacted, but might result in higher fines).

[jeffbee]

It can't be that simple because there is working ChargePoint integration with Android Auto. If they were just blocking 3rd party apps that wouldn't exist.

[Pxtl]

"ruled" or "ruled out"? Because those have opposing meanings.

[ArkanExplorer]

A true penalty would have been to limit Google Play to 5% commissions for any purchasers or developers in Italy.

[snambi]

companies like google needed to be spilt up and made as smaller entities. These companies are a threat to humanity.

[genericacct]

The fact that ENEL is owned by the employers of the ruling judges is just a coincidence.

[mikro2nd]

Are you suggesting that the Italian judiciary is incapable of acting independently and impartially?

[saddlerustle]

The majority of italians rate the independence of courts to be poor, which is among the lowest ratings in the EU [1]

[1] https://ec.europa.eu/info/sites/info/files/justice_scoreboar...

[riffraff]

this is because they think the courts are politicized, not because the judiciary takes input from the government. In fact there has been a constant conflict between judges and government for the last 30 years.

[anoncake]

Doesn't that mean the judiciary is independent, but biased?

[toyg]

Kinda. The judicial branch is rigorously separated from the other two, but it self-organises in a way that often replicates the ideological groups emerging in regular politics (they have their own little parliament, basically). When the postwar political equilibrium crumbled under the weight of its own corruption and Berlusconi got in power, effectively altering the ideological landscape, the judiciary “class” did not immediately follow, since most of them saw the guy as a dodgy felon (which was technically correct); and things have been a bit hairy ever since.

[riffraff]

It's hard to say, certainly some investigations have appeared political, but in US terms there is distrust against "public attorneys" rather than against judges (and Italy permits one to change career between the two).

But what I meant to say is that one political side have complained about judges for 30 years, which has impacted the public opinion.

See the effects Trump has had on institutional trust in the US, and make it last 5 mandates.

[ClumsyPilot]

It would be good to see objective metrics, like how much conviction depends on wealth, etc

[carlob]

Probably due to Berlusconi and Salvini trying to escape their legal troubles by calling the judges communists.

[carlob]

ENEL has been privatized a long time ago and the Italian government has just a plurality stake.

[permo-w]

just a plurality?

wouldn’t a plurality make them the controlling shareholder?

[kosievdmerwe]

Plurality means largest stake, but that stake is less than 50%.

So it means that they have a lot of say, but they can be overridden if every other shareholder disagrees.

[permo-w]

isn’t the controlling shareholder generally the shareholder with the largest portion?

[kosievdmerwe]

AFAIK controlling shareholder means that the shareholder has more than 50% of the voting power. They or the group they belong to have unilateral control of the company barring some restrictions.

Though looking at this a large but not 50%+ stake can also be "controlling": https://www.upcounsel.com/controlling-shareholder

But controlling looks to more about how much voting power and influence you have rather than how many shares, because remember companies can have different classes of shares.

[matsemann]

Just like all judges and prosecutors are employed by the people?

[artiszt]

assuming this to be true and of factual, in praxi [thus procedural], significance in this case, then of course Google hasn't done any wrong ?