Hacker News new | ask | show | jobs
by bsdubernerd 1866 days ago
And a quick reminder to everybody else that walled gardens don't actually help the consumer. They only arbitrarily restrict choice, they don't actually improve security (if any, that's provided by the sandboxing, not by the store "review").

If this company (ENEL) wasn't a huge state-wide electric company (inheriting their power and ties from the previous state-owned monopoly) how many chances do you think they had to fight?

As a small fish you're just dumped.
7 comments
oblio 1866 days ago
Walled gardens are just security theater. The App Store revenue was $72bn in 2020, yet the review time for an app is a few hours. App reviewers barely have any qualifications, they're just "call center operators" running off a script.
link
spoonjim 1866 days ago
I've watched the App Store reviewers try out apps (not in person, from logging) and they do seem to do a pretty thorough job of exercising the functionality.
link
mupuff1234 1866 days ago
That makes me wonder how easy it is to just hide certain features during the review process.
link
collaborative 1866 days ago
It's extremely easy, but it also is extremely easy to get permanently banned if they find out you "switched on" a hidden feature once the app got into production. A permanent ban can be very damaging, so one needs to make sure to be completely legit when it comes to app store submission reviews and app store ratings
link
amacneil 1866 days ago
Can confirm. We got the Coinbase iOS app banned for doing this back in the day, when Apple did not allow bitcoin apps (IIRC showing the price was ok, transacting was not). Even after they relaxed their bitcoin restrictions (and calls to the head of app store), they still made us wait out the 12 month ban before reinstating the app.

https://www.coindesk.com/coinbase-bitcoin-app-apple-app-stor...

https://venturebeat.com/2014/12/14/bitcoin-wallet-coinbase-n...

link
jimnotgym 1866 days ago
> Apple did not allow bitcoin apps

This is what is wrong with walled gardens, laws should be made by lawmakers, not Apple.

link
asddubs 1866 days ago
I wonder how they confirm this happened. Do they store a video of the review and cross reference on suspicion?
link
tyingq 1866 days ago
I wonder how this works with webviews. Do they expect you to resubmit the same binary if a page displayed in a webview changes?
link
Hamuko 1866 days ago
Isn't that how Fortnite did Project Liberty?
link
bugfix 1866 days ago
It is actually pretty easy. As long as you don't use any private APIs, you can completely change the behavior of your app after the review by changing server side settings.
link
zepto 1866 days ago
Yes, but if they catch you, you’ll get kicked out of the store altogether.
link
jokethrowaway 1866 days ago
Why? We do it all the times, we ship most of our app behind feature switches and enable them in the future for subsets of users
link
bassdropvroom 1866 days ago
VW should hire this person!
link
oblio 1866 days ago
https://github.com/auchenberg/volkswagen
link
danuker 1866 days ago
How do you know those were not automated systems?
link
spoonjim 1866 days ago
Could have been, but then we got rejected for something which would have been hard to detect automatically.
link
threeseed 1866 days ago
a) Apple has invested heavily in automated review methods over the years.

b) I don't know what qualifications you think an app reviewer needs. They are not looking through the code but simply playing with the app on a range of devices.

c) It is only a few hours for updates. Initial app submissions often take days/weeks and are very thorough.

link
simion314 1866 days ago
> a) Apple has invested heavily in automated review methods over the years.

There was a news here where malware was found on the Apple iOS store, and Apple changed their mind in the last moment and refused to inform the victims.

The reality show you (if you want to see) that

- malware happens (you can't make automatic analysis code to detect all possible issues )

- Apple users will mostly have a wrong image of the Store security due to Apple not informing victims when bad things happen and a big PR budget to paint a fiction.

The reviewers are there mostly to make sure you do not put a link to your website and buypass the Apple payments and make sure that the app does not crash and use the approved UX. I really hope you are not that navie to think they are opening the app in a debugger and checking for weird code.

link
wwtrv 1866 days ago
You need register with a real name and credit card and pay 100$ to be able to publish anything on the app store. Irregardless of how effective the review process is even if you manage to sneak any app with malware past it Apple will still be able to remotely remove it from every user’s device and ban your account. This alone make the Appstore inherently safer than any system which would allow side loading.

As for code, they run relatively extensive automatic tests to detect whether private (banned/undocumented) APIs are used, I don’t know how effective they are at catching malware, though.

link
simion314 1866 days ago
>You need register with a real name and credit card and pay 100$ to be able to publish anything on the app store.

This was done on Windows too, you were not forced but any business would sign their application, otherwise they user would get a scary warning that the developer is not know.

>As for code, they run relatively extensive automatic tests to detect whether private (banned/undocumented) APIs are used, I don’t know how effective they are at catching malware, though.

The sandbox should solve this, unless the Store bans APIs only for some or worse there are hidden APIs that should not be used and the sandbox is to dumb to notice you are using them , then this would be security by obscurity.

This topic is different then most of the other topics about side loading apps, in this case the giant refused to allow an application on the store, or allow access to an API without a good enough reason. This reveals again that rules are not fair and is very hard to get justice for the users.

I would suggest a law to force the giants to give always an exact reason of why an action aganst someone happened, I have personal experience where an account of mine was banned and I have no way to appeal and I have no idea what was wrong. The giants are shitting on us all, as long as the numbers of the victims are low enough some flashy ads would solve their PR problems. We need something to make it fair for the users, make it easy to get our justice.

link
g_p 1866 days ago
In the EU there is a (little known) law that does as you suggest -

https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:32...

This regulation specifically looks at platform-to-business relationships, and requires actual disclosure of reasons, notice periods, etc.

What we need to see are cases using this law (as it's pretty clear from article 4 what business' rights are), so it becomes too costly to trample over businesses in an unaccountable way. Once the cost of human intervention and support is lower than that of their legal bills and penalties, human support and intervention will return. Platforms are getting away without humans in the loop as a result of the lack of cost impact to them of a mistake. Once it hits their bottom line and gets their counsel in a pickle, it will start to change rapidly to preserve their bank balance.

link
citizenkeen 1866 days ago
Regardless
link
swiley 1866 days ago
Your definition of "thorough" and mine are very different. I highly doubt they could do a meaningful review without the complete source code for the app. It's not unusual that apps change their behavior after the review and this sometimes comes from binary dylibs that the developer didn't write.

The whole thing is a scam.

link
zepto 1866 days ago
> It's not unusual that apps change their behavior after the review

Which leads to the account being banned.

> and this sometimes comes from binary dylibs that the developer didn't write.

Which are detected through analysis if they are common spyware.

>The whole thing is a scam.

Clearly not.

link
swiley 1866 days ago
>> It's not unusual that apps change their behavior after the review

>Which leads to the account being banned.

Only if it gets noticed.

>> and this sometimes comes from binary dylibs that the developer didn't write.

>Which are detected through analysis if they are common spyware.

Facebook got away with it for many years.

>>The whole thing is a scam.

>Clearly not.

If it weren't then they would let people choose to use the App Store. It only exists to protect Apple's services from competition.

link
zepto 1866 days ago
> Only if it gets noticed.

True, but they are getting better at noticing.

>> and this sometimes comes from binary dylibs that the developer didn't write. >Which are detected through analysis if they are common spyware.

> Facebook got away with it for many years.

You know about that because they were stopped. And since then Apple has tightened the rules and stepped up detection.

>>The whole thing is a scam. >Clearly not. > If it weren't then they would let people choose to use the App Store.

No, because that would enable social engineering attacks once again.

> It only exists to protect Apple's services from competition.

This is straight up bullshit. You keep saying it, but it’s false at face value.

Millions of scams have been stopped.

https://www.apple.com/newsroom/2021/05/app-store-stopped-ove...

link
cosmodisk 1866 days ago
Meanwhile this is what Salesforce does for their AppExchange applicants:

https://developer.salesforce.com/docs/atlas.en-us.packagingG....

[Edit] I should add that an annual listing is $150 and the initial security review is $2550, so no free cheese either.

link
Aulig 1866 days ago
c is not correct. I publish lots of apps for clients and I regularly get new apps published in less than 3 hours. Apples official stats are: 90% of apps get reviewed in less than 48h and 50% in less than 24.
link
codesternews 1866 days ago
I agree with you, But you know there are different rules for each app.

Small developers don't get same access as big developers and their apps get klled for smallest reason just by having some obscure policy or change in policy.

Developers don't have same access as Apple google eg: Screen Time

link
scarface74 1866 days ago
Yes. Because I really want third party developers to be able to track my app usage and disable other apps…
link
Karunamon 1866 days ago
Hi, rescuetime user here. Yes, I want apps to be able to track my usage if I ask for it.
link
benrbray 1866 days ago
> They are not looking through the code but simply playing with the app on a range of devices.

Hence, security theater.

link
MikeUt 1866 days ago
All that "heavy investment", and they don't catch even the most obvious scams:

https://news.ycombinator.com/item?id=26888190

https://news.ycombinator.com/item?id=26069660

https://news.ycombinator.com/item?id=26504158

link
Karunamon 1866 days ago
This may be a hot take, but I have a problem with the way that first article equates "extremely overpriced" with "scam".

A scam is when you've been deceived or defrauded.

If you consent to pay $10 a week for an app that doesn't provide what it claims to, that's one thing, and that should be actionable. But if it does what it claims to, not liking the price does not equate to being a scam.

link
emn13 1866 days ago
Except that you don't really get to pick to pay the price or not because of their monopoly position.

At best you get to take your marbles and refuse to play entirely; which isn't exactly a reasonable long term strategy.

There should be competition between app stores.

link
Karunamon 1866 days ago
This subthread is about purchasing subscriptions to apps. There are multiple apps serving the same niche, so I'm not sure what your point is here.
link
simias 1866 days ago
If we judge by the result these app store seem to do fairly well security-wise, no?

Compared to Windows as a case study of what happens when you let users install anything they want from untrusted sources, it seems that the app stores do fairly well at culling obvious malware. At least that's what I experienced comparing the number of time I had to cleanup a friend or family member's computer filled with malware and browser toolbars vs. iphones and androids.

link
zimbatm 1866 days ago
A large part of the stability can be attributed to sandboxing. This is what prevents apps from gaining unprivileged access and destabilizing the system. This is the time where relatives will call you.

What you don't see, is all the apps that steal the user's data.

Curation obviously helps but it's difficult to measure to what extent.

link
zepto 1866 days ago
> A large part of the stability can be attributed to sandboxing. This is what prevents apps from gaining unprivileged access and destabilizing the system. This is the time where relatives will call you.

True

> What you don't see, is all the apps that steal the user's data.

Exactly this. Apple now has policies against fingerprinting etc. which can’t be prevented by sandboxing.

> Curation obviously helps but it's difficult to measure to what extent.

https://www.apple.com/newsroom/2021/05/app-store-stopped-ove...

link
sneak 1866 days ago
It has to be both to work; the sandbox would fail in a day if there were no review/revocation system.
link
nickflood 1866 days ago
Web browsers don't have widely known glaring security holes in them even though their vendors don't approve the content that's viewed through them.

On the other hand, you can't be completely sure that sandboxes on mobile devices don't have actively exploited security issues as there are many ways to bypass app review from discovering the true functionality of an app.

link
sneak 1866 days ago
> Web browsers don't have widely known glaring security holes in them even though their vendors don't approve the content that's viewed through them.

Anything widely known gets fixed quickly. There are plenty of holes in browser sandboxing. The number approximately doubles as soon as you look at anything !Chrome, too.

link
philistine 1866 days ago
I'd argue only the revocation is needed. macOS is moving towards that model: every app requires notarization, Apple provides it without asking questions, but reserves the right to revoke the running privileges of any app. This makes so much more sense.
link
sneak 1866 days ago
There are certain apps (like Wireguard) that Apple will not notarize for non-App Store distribution.

Basically, for certain classes of apps, macOS is now already taking the iOS "App Store or gtfo" model.

link
zepto 1866 days ago
How does it make sense to allow scams to do their damage before shutting them down?
link
ajsnigrutin 1866 days ago
There is a lot of phone malware, showing random ad notifications, collecting gps data, sending it to whoknowswhere, some even sending premium sms messages, etc. There are less drive-by installs, but more intentional installs (eg. flashlight app with a gajillion permissions).
link
antipaul 1866 days ago
Details on app review process, including picture of reviewer workstation, surfaced in the Epic game trial:

https://www.macrumors.com/2021/05/07/app-store-35-percent-of...

link
kolinko 1866 days ago
And yet, over it’s 13 years of history there were only single instances of viruses/malware.

Compare that to Google Play

link
grawprog 1866 days ago
https://www.techradar.com/news/apple-app-store-is-apparently...

https://threatpost.com/click-fraud-malware-apple-app-store/1...

https://www.tomsguide.com/news/iphone-apps-infected-malware

https://9to5mac.com/2021/05/07/emails-reveal-128-million-ios...

https://www.theiphonewiki.com/wiki/Malware_for_iOS

link
kolinko 1866 days ago
Did you read the links you provided?

The last article explicitly mentions that most of the malware needs iPhone to be jailbroken or the app to be installed outside of the App Store, which kind of proves my point.

The research by Panda Security also showed that the ratio of malware on Android compared to iPhone is 50 to 1.

https://www.pandasecurity.com/en/mediacenter/mobile-security...

link
user-the-name 1866 days ago
It is a lot more than "theatre". The first line of defence is the sandboxing built into the OS. The second line is a lot of automated analysis of the binaries that are uploaded. The human review is the third line, but that is much less about security.
link
dalbasal 1866 days ago
..and the last line of defense is removing a bad app to prevent further harm.

Drivers licenses aren't only about competence. Sure, there's a test. But, there's also the ability to revoke a license.

link
Siira 1866 days ago
So please explain why the licenses need to cost a fortune? Simple Bayesian thinking will tell you what the real motive is, and what is being used as the coverup motive.
link
dalbasal 1866 days ago
There is no "real" motive, only history. One thing led to another. Now we are here.
link
Siira 1866 days ago
Your theory has zero predictive powers, unlike mine.
link
user-the-name 1866 days ago
Is $99 a year really "a fortune"? It's less than the price of a Netflix subscription.
link
zepto 1866 days ago
> And a quick reminder to everybody else that walled gardens don't actually help the consumer.

This is not supported by the article at all.

> They only arbitrarily restrict choice,

This statement is total bullshit. Even if a few scams get through, and even if Google has abused its store, it’s not only arbitrary.

> they don't actually improve security (if any, that's provided by the sandboxing, not by the store "review").

No, Sandboxing cannot stop large classes of well known social engineering scams.

https://www.apple.com/newsroom/2021/05/app-store-stopped-ove...

Here is data proving that walled gardens do in fact protect consumers greatly.

You don’t have to like them, and of course there are downsides, but let’s not pretend there are no benefits.

link
dalbasal 1866 days ago
IMO, walled gardens are besides the point. Whatever the working definition of walled garden, we can find some consumer or situation for whom it arguably makes sense.

The real problem isn't the wall, it's the gate. Adwords, Android, FB, Twitter, Spotify, Steam... those are all about controlling the gate. At that point, others do the work and the gatekeeper makes the profit.

link
WanderPanda 1866 days ago
It’s not all black and white. Walled gardens can have upsides for the consumer. Ruling that out discredits your argument
link
PaulHoule 1866 days ago
When Apple's App store first came out consumers were sour about a decade of "crapp(s)" on Microsoft Windows.

That is, you pretty much expected to download software and have it trash your machine on a regular basis.

Things are better today, half of that is people realizing that it has to get better ("national security" today, but it's much bigger than national in scope) and the other half is people realizing it is possible to get better, and Apple's App store is one reason for that.

---

Improvements in HW and SW are what helped Microsoft, not the Microsoft store -- since Win 8 I think I've had a Windows machine where it was really possible to download third-party apps from the Microsoft store about 10% of machine*years. Part of that is that it was disabled on corporate laptops I've used, the other part is that the metadata database for the Microsoft store gets corrupted on a regular basis.

I've contacted Microsofties about that and what they tell me is that I should delete my account on my computer and then reinstall the account and spend or two work days reconfigurings all of the "normal" Windows apps that I used on an everyday basis (Firefox, Jetbrains, Creative Cloud, Python, ...) I tell them "there's a procedure to rebuild the metadata database because I've see the database get rebuilt when the six month OS updates happen" and they act as if they didn't hear anything.

For that matter Microsoft seems to be a counter-example to "the power of monopoly".

For instance there are several third-party gaming "app" stores for Windows such as Steam. One thing they all have in common is that they work.

When Win 8 came out DropBox and a number of imitators had apps that worked for Windows. There was one DropBox imitator that didn't work, and that was Microsoft's OneDrive. Office was jiggered to push you to save files to OneDrive, but if you were saving files to OneDrive you could frequently NOT BE ABLE TO SAVE FILES AT ALL!

To add insult to injury, this would also trigger harassment from Word the next time I open it about the files it didn't let me save. It's like this

https://tonyortega.org/2021/04/12/scientology-answers-danny-...

I guess it proves that running an "app store" without brand awareness doesn't lead to industry dominance.

link
permo-w 1866 days ago
I agree that the downsides outweigh the positives, but they do provide security to a certain extent.

For example, you can give your grandma an iPad or a chromebook, and there’s very little chance of her accidentally installing x nasty malware.

Give her a proper laptop, and at any one time she’s about 6 clicks from something dodgy, especially if she’s on social media.

link
egocentric 1866 days ago
That's because of system-level protections like the sandbox, not App Review or the App Store.
link
permo-w 1866 days ago
yes but if you allow alternative app stores, then what? it’s either regulated by apple, which defeats the point, or it’s a security risk.

I’m against walled gardens, I just disagree that there’s no security upside to it

link
Barrin92 1866 days ago
put a system setting in place that lets you lock down the device if necessary with a password so grandma can use it safely?

As OP points out you do not need an app store monopoly, you just need adjustable device settings.

link
rattlesnakedave 1866 days ago
As an Apple consumer, having a “walled garden” is great for UX, IMO. I don’t have to deal with a ton of shitty wallet apps, everything is in one App Store, etc.

I find this much preferable to the situation on Android.

link