by simias 1868 days ago
If we judge by the result, these app stores seem to do fairly well security-wise, no?

Compared to Windows as a case study of what happens when you let users install anything they want from untrusted sources, it seems that the app stores do fairly well at culling obvious malware. At least that's what I experienced comparing the number of times I had to clean up a friend or family member's computer filled with malware and browser toolbars vs. iPhones and Androids.


A large part of the stability can be attributed to sandboxing. This is what prevents apps from gaining unprivileged access and destabilizing the system. This is the time where relatives will call you.

What you don't see is all the apps that steal the user's data.

Curation obviously helps but it's difficult to measure to what extent.

> A large part of the stability can be attributed to sandboxing. This is what prevents apps from gaining unprivileged access and destabilizing the system. This is the time where relatives will call you.

True

> What you don't see is all the apps that steal the user's data.

Exactly this. Apple now has policies against fingerprinting etc. which can’t be prevented by sandboxing.

> Curation obviously helps but it's difficult to measure to what extent.

https://www.apple.com/newsroom/2021/05/app-store-stopped-ove...

It has to be both to work; the sandbox would fail in a day if there were no review/revocation system.
Web browsers don't have widely known glaring security holes in them even though their vendors don't approve the content that's viewed through them.

On the other hand, you can't be completely sure that sandboxes on mobile devices don't have actively exploited security issues as there are many ways to bypass app review from discovering the true functionality of an app.

> Web browsers don't have widely known glaring security holes in them even though their vendors don't approve the content that's viewed through them.

Anything widely known gets fixed quickly. There are plenty of holes in browser sandboxing. The number approximately doubles as soon as you look at anything !Chrome, too.

Yeah, but by that same logic there may be unknown holes in app review and app sandbox as well. And since Apple aren't big on publicising their missteps (while Chrome is developed in the open), we may never really know how secure the app store model really is.

> Yeah, but by that same logic there may be unknown holes in app review and app sandbox as well.

To exploit those you need to get past app review in the first place, though, and the type of code that can do stuff like this for the most part sticks out like a sore thumb when subjected to static analysis.

Most of Apple's checks around this stuff are automated, I understand, and are applied to every submission instantly.

I'd argue only the revocation is needed. macOS is moving towards that model: every app requires notarization, Apple provides it without asking questions, but reserves the right to revoke the running privileges of any app. This makes so much more sense.

There are certain apps (like Wireguard) that Apple will not notarize for non-App Store distribution.

Basically, for certain classes of apps, macOS is now already taking the iOS "App Store or gtfo" model.

How does it make sense to allow scams to do their damage before shutting them down?

There is a lot of phone malware, showing random ad notifications, collecting GPS data, sending it to who knows where, some even sending premium SMS messages, etc. There are fewer drive-by installs, but more intentional installs (e.g. a flashlight app with a gajillion permissions).