Hacker News new | ask | show | jobs
by zepto 1865 days ago
> Only if it gets noticed.

True, but they are getting better at noticing.

>> and this sometimes comes from binary dylibs that the developer didn't write. >Which are detected through analysis if they are common spyware.

> Facebook got away with it for many years.

You know about that because they were stopped. And since then Apple has tightened the rules and stepped up detection.

>>The whole thing is a scam. >Clearly not. > If it weren't then they would let people choose to use the App Store.

No, because that would enable social engineering attacks once again.

> It only exists to protect Apple's services from competition.

This is straight up bullshit. You keep saying it, but it’s false at face value.

Millions of scams have been stopped.

https://www.apple.com/newsroom/2021/05/app-store-stopped-ove...
1 comments
swiley 1865 days ago
Noticing malware after it's installed based on a hash isn't any better than eg windows defender. The App Store doesn't help with that at all.

>You know about that because they were stopped. And since then Apple has tightened the rules and stepped up detection.

Nope, lots of people knew it was happening for years before Apple actually stopped it and it happens with other libraries still.

>No, because that would enable social engineering attacks once again.

People still get tricked into installing CA certs which is just as effective since everything has to be done in a browser due to the App Store restrictions. So no this hasn't prevented social engineering attacks, it's only changed them and it's come at an extreme cost.

link
zepto 1865 days ago
> Noticing malware after it's installed based on a hash isn't any better than eg windows defender. The App Store doesn't help with that at all.

False. Once a scam has been detected, the developer account can be disabled, which adds cost to new attempts, unlike windows defender.

> Nope, lots of people knew it was happening for years before Apple actually stopped it and it happens with other libraries still.

That doesn’t change anything.

>No, because that would enable social engineering attacks once again.

> People still get tricked into installing CA certs which is just as effective since everything has to be done in a browser due to the App Store restrictions.

> So no this hasn't prevented social engineering attacks,

A false statement. Many kinds of social engineering attacks have definitely been prevented.

> it's only changed them

Here you admit that significant classes of attack have been prevented.

Your argument is that because not all attacks have been prevented, there is no value in preventing attacks.

This is an obvious fallacy.

link
swiley 1865 days ago
I'm arguing that it hasn't prevented attacks to a degree that was worth the cost (completely forfeiting ownership of personal computers by anyone that wants to participate in group chats with iphone users.)

>Here you admit that significant classes of attack have been prevented.

I don't think people care whether they lost things on their phone because of malware or because of a fake CA cert, the attack works pretty much the same way and has the same result.

>False. Once a scam has been detected, the developer account can be disabled, which adds cost to new attempts, unlike windows defender.

You don't need a dev account to distribute malware in dylibs.

>> Nope, lots of people knew it was happening for years before Apple actually stopped it and it happens with other libraries still.

>That doesn’t change anything.

It means the App Store doesn't stop malware before it's able to exfiltrate data from large numbers of users for long periods of time. That's the justification for it.

link
zepto 1865 days ago
> I'm arguing that it hasn't prevented attacks to a degree that was worth the cost

Ok, but that’s not what you said before,

> (completely forfeiting ownership of personal computers by anyone that wants to participate in group chats with iphone users.)

This is false. There are many group chat programs, that people use cross platform and they are more popular than iMessage.

Nobody if ‘forfeiting ownership’ of anything anyway - that’s just an ideological tautology.

If you you want a platform that can do both iMessage, and install apps without review, then you can use a Mac.

So literally no part of your statement is true.

>Here you admit that significant classes of attack have been prevented.

> I don't think people care whether they lost things on their phone because of malware or because of a fake CA cert, the attack works pretty much the same way and has the same result.

They may not know or care about the technical details but they do care about the risk level, so this is a moot point.

>False. Once a scam has been detected, the developer account can be disabled, which adds cost to new attempts, unlike windows defender.

> You don't need a dev account to distribute malware in dylibs.

No, but you do to distribute it to App Store users.

>> Nope, lots of people knew it was happening for years before Apple actually stopped it and it happens with other libraries still. >That doesn’t change anything.

> It means the App Store doesn't stop malware before it's able to exfiltrate data from large numbers of users for long periods of time. That's the justification for it.

False. It just means that some apps slip through the protections. It doesn’t say a thing about the ones which are stopped.

This is a repeat of the earlier fallacy: “if the protection doesn’t stop all attacks then we don’t need the protection”, which is obviously not true.

link
swiley 1865 days ago
>> I'm arguing that it hasn't prevented attacks to a degree that was worth the cost

>Ok, but that’s not what you said before,

It's not worth the cost IE a scam, literally what I wrote in my first post.

>If you you want a platform that can do both iMessage, and install apps without review, then you can use a Mac.

Ah yes let me just go ahead and fold up the macbook so I can put it in my pocket. If you want to be included in a group of iPhone users that use iMessage you must own an iPhone. Apple knows this and that's why there's no web interface for iMessage.

>No, but you do to distribute it to App Store users.

Someone does, but it does not need to be the dylib author.

> just means that some apps slip through the protections.

This wasn't some, it was happening (and likely still is) on a massive scale and affected most popular apps.

>This is a repeat of your earlier fallacy: “if the protection doesn’t stop all attacks then we don’t need the protection”, which is obviously not true.

Forcing the "protection" on everyone, despite the extreme cost, is wrong. Especially since the "protection" does very little to stop this kind of attack in practice. Not a fallacy, it's not worth the cost IE a scam.

link
zepto 1865 days ago
> If you want to be included in a group of iPhone users that use iMessage you must own an iPhone.

This is true but also meaningless. If you want to be included in a group of Android users who use Facebook messenger, you must own an Android device. If you want to be part of a group of Windows users who use signal, you must own a Windows machine.

All three are true, but presumably you can see they have absolutely nothing to do with app review.

There is no extreme cost.

You say the protection does very little - but that ignores the numbers: https://www.apple.com/newsroom/2021/05/app-store-stopped-ove...

link