by threeseed 1867 days ago
a) Apple has invested heavily in automated review methods over the years.

b) I don't know what qualifications you think an app reviewer needs. They are not looking through the code but simply playing with the app on a range of devices.

c) It is only a few hours for updates. Initial app submissions often take days/weeks and are very thorough.


> a) Apple has invested heavily in automated review methods over the years.

There was news here where malware was found on the Apple iOS store, and Apple changed their mind at the last moment and refused to inform the victims.

The reality shows you (if you want to see) that

- malware happens (you can't make automatic analysis code to detect all possible issues)

- Apple users will mostly have a wrong image of the Store security due to Apple not informing victims when bad things happen and a big PR budget to paint a fiction.

The reviewers are there mostly to make sure you do not put a link to your website and bypass the Apple payments, and to make sure that the app does not crash and uses the approved UX. I really hope you are not that naive to think they are opening the app in a debugger and checking for weird code.

You need to register with a real name and credit card and pay $100 to be able to publish anything on the App Store. Regardless of how effective the review process is, even if you manage to sneak an app with malware past it, Apple will still be able to remotely remove it from every user's device and ban your account. This alone makes the App Store inherently safer than any system which would allow side loading.

As for code, they run relatively extensive automatic tests to detect whether private (banned/undocumented) APIs are used, I don’t know how effective they are at catching malware, though.

> You need to register with a real name and credit card and pay $100 to be able to publish anything on the App Store.

This was done on Windows too; you were not forced, but any business would sign their application, otherwise the user would get a scary warning that the developer is not known.

> As for code, they run relatively extensive automatic tests to detect whether private (banned/undocumented) APIs are used, I don't know how effective they are at catching malware, though.

The sandbox should solve this, unless the Store bans APIs only for some, or worse, there are hidden APIs that should not be used and the sandbox is too dumb to notice you are using them; then this would be security by obscurity.

This topic is different than most of the other topics about side loading apps; in this case the giant refused to allow an application on the store, or allow access to an API, without a good enough reason. This reveals again that the rules are not fair and it is very hard to get justice for the users.

I would suggest a law to force the giants to always give an exact reason why an action against someone happened. I have personal experience where an account of mine was banned and I have no way to appeal and no idea what was wrong. The giants are shitting on us all; as long as the number of victims is low enough, some flashy ads will solve their PR problems. We need something to make it fair for the users, to make it easy to get our justice.

In the EU there is a (little known) law that does as you suggest -

https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:32...

This regulation specifically looks at platform-to-business relationships, and requires actual disclosure of reasons, notice periods, etc.

What we need to see are cases using this law (as it's pretty clear from article 4 what businesses' rights are), so it becomes too costly to trample over businesses in an unaccountable way. Once the cost of human intervention and support is lower than that of their legal bills and penalties, human support and intervention will return. Platforms are getting away without humans in the loop as a result of the lack of cost impact to them of a mistake. Once it hits their bottom line and gets their counsel in a pickle, it will start to change rapidly to preserve their bank balance.

I am from the EU, I will try and google more. My issue is with PlayStation and I could not find with my searches any way to appeal or get clarifications on what happened. I am not sure if sending an email to a generic contact email address with a link to the law will work.
Regardless
Your definition of "thorough" and mine are very different. I highly doubt they could do a meaningful review without the complete source code for the app. It's not unusual that apps change their behavior after the review and this sometimes comes from binary dylibs that the developer didn't write.

The whole thing is a scam.

> It's not unusual that apps change their behavior after the review

Which leads to the account being banned.

> and this sometimes comes from binary dylibs that the developer didn't write.

Which are detected through analysis if they are common spyware.

>The whole thing is a scam.

Clearly not.

>> It's not unusual that apps change their behavior after the review

>Which leads to the account being banned.

Only if it gets noticed.

>> and this sometimes comes from binary dylibs that the developer didn't write.

>Which are detected through analysis if they are common spyware.

Facebook got away with it for many years.

>>The whole thing is a scam.

>Clearly not.

If it weren't then they would let people choose to use the App Store. It only exists to protect Apple's services from competition.

> Only if it gets noticed.

True, but they are getting better at noticing.

>> and this sometimes comes from binary dylibs that the developer didn't write.

> Which are detected through analysis if they are common spyware.

> Facebook got away with it for many years.

You know about that because they were stopped. And since then Apple has tightened the rules and stepped up detection.

>> The whole thing is a scam.

> Clearly not.

> If it weren't then they would let people choose to use the App Store.

No, because that would enable social engineering attacks once again.

> It only exists to protect Apple's services from competition.

This is straight up bullshit. You keep saying it, but it’s false at face value.

Millions of scams have been stopped.

https://www.apple.com/newsroom/2021/05/app-store-stopped-ove...

Noticing malware after it's installed based on a hash isn't any better than e.g. Windows Defender. The App Store doesn't help with that at all.

>You know about that because they were stopped. And since then Apple has tightened the rules and stepped up detection.

Nope, lots of people knew it was happening for years before Apple actually stopped it and it happens with other libraries still.

>No, because that would enable social engineering attacks once again.

People still get tricked into installing CA certs, which is just as effective since everything has to be done in a browser due to the App Store restrictions. So no, this hasn't prevented social engineering attacks; it's only changed them, and it's come at an extreme cost.

> Noticing malware after it's installed based on a hash isn't any better than e.g. Windows Defender. The App Store doesn't help with that at all.

False. Once a scam has been detected, the developer account can be disabled, which adds cost to new attempts, unlike Windows Defender.

> Nope, lots of people knew it was happening for years before Apple actually stopped it and it happens with other libraries still.

That doesn’t change anything.

>No, because that would enable social engineering attacks once again.

> People still get tricked into installing CA certs which is just as effective since everything has to be done in a browser due to the App Store restrictions.

> So no this hasn't prevented social engineering attacks,

A false statement. Many kinds of social engineering attacks have definitely been prevented.

> it's only changed them

Here you admit that significant classes of attack have been prevented.

Your argument is that because not all attacks have been prevented, there is no value in preventing attacks.

This is an obvious fallacy.

Meanwhile this is what Salesforce does for their AppExchange applicants:

https://developer.salesforce.com/docs/atlas.en-us.packagingG....

[Edit] I should add that an annual listing is $150 and the initial security review is $2550, so no free cheese either.

c is not correct. I publish lots of apps for clients and I regularly get new apps published in less than 3 hours. Apple's official stats are: 90% of apps get reviewed in less than 48h and 50% in less than 24.

I agree with you, but you know there are different rules for each app.

Small developers don't get the same access as big developers, and their apps get killed for the smallest reason just by having some obscure policy or change in policy.

Developers don't have the same access as Apple or Google, e.g. Screen Time.

Yes. Because I really want third party developers to be able to track my app usage and disable other apps…
Hi, rescuetime user here. Yes, I want apps to be able to track my usage if I ask for it.
> They are not looking through the code but simply playing with the app on a range of devices.

Hence, security theater.

This may be a hot take, but I have a problem with the way that first article equates "extremely overpriced" with "scam".

A scam is when you've been deceived or defrauded.

If you consent to pay $10 a week for an app that doesn't provide what it claims to, that's one thing, and that should be actionable. But if it does what it claims to, not liking the price does not equate to being a scam.

Except that you don't really get to pick to pay the price or not because of their monopoly position.

At best you get to take your marbles and refuse to play entirely; which isn't exactly a reasonable long term strategy.

There should be competition between app stores.

This subthread is about purchasing subscriptions to apps. There are multiple apps serving the same niche, so I'm not sure what your point is here.
I misunderstood your criticism; so while I do believe such subscriptions are scams in the sense that they prey on victims via deception, and the presence of such actors undermines trust in the marketplace, thus undermining fluid trade, thus such scams should be prevented - that's really kind of neither here nor there, because that's at best a laudable goal, not some kind of requirement for Apple as app-store manager.