by sneak 1866 days ago
It has to be both to work; the sandbox would fail in a day if there were no review/revocation system.

Web browsers don't have widely known glaring security holes in them even though their vendors don't approve the content that's viewed through them.

On the other hand, you can't be completely sure that sandboxes on mobile devices don't have actively exploited security issues, as there are many ways to keep app review from discovering the true functionality of an app.

> Web browsers don't have widely known glaring security holes in them even though their vendors don't approve the content that's viewed through them.

Anything widely known gets fixed quickly. There are plenty of holes in browser sandboxing. The number approximately doubles as soon as you look at anything !Chrome, too.

Yeah, but by that same logic there may be unknown holes in app review and app sandbox as well. And since Apple aren't big on publicising their missteps (while Chrome is developed in the open), we may never really know how secure the app store model really is.

> Yeah, but by that same logic there may be unknown holes in app review and app sandbox as well.

To exploit those you need to get past app review in the first place, though, and the type of code that can do stuff like this for the most part sticks out like a sore thumb when subjected to static analysis.

Most of Apple's checks around this stuff are automated, I understand, and are applied to every submission instantly.

I'd argue only the revocation is needed. macOS is moving towards that model: every app requires notarization, Apple provides it without asking questions, but reserves the right to revoke the running privileges of any app. This makes so much more sense.

There are certain apps (like Wireguard) that Apple will not notarize for non-App Store distribution.

Basically, for certain classes of apps, macOS is now already taking the iOS "App Store or gtfo" model.

How does it make sense to allow scams to do their damage before shutting them down?