[okennedy]

There are simple ways to allow hardware changes without losing security. One straightforward idea: Once the phone is unlocked (e.g. by pin code) allow the user to authorize the new hardware.

This is effectively what Apple does already. The usual difficulties with asking users to make security choices don't really apply here: Physical changes to the hardware are requires, so security fatigue isn't as big a deal. Maybe you get some protection from wrench attacks by not having the authority to pair new internal hardware, but that seems like a very specialized use case...

[chongli]

One straightforward idea: Once the phone is unlocked (e.g. by pin code) allow the user to authorize the new hardware.

I don't think most users are capable of auditing their generic hardware to be sure it is free of backdoors.

[Y_Y]

It's sad that that's not up to the user. maybe paternalistic comprising is what Apple's customers really want, but I'm convinced it's bad for the user and bad for society in the long run.

[chongli]

I think it's a natural consequence of miniaturization and other technology advancements. With today's technology you can hide a hardware backdoor inside a counterfeit version of a chip and the only way it could be detected would be to de-cap the chip and examine it under an electron microscope.

[kaba0]

Hard disagree — there are plenty of things where human brains will take a shortcut no matter how smart the individual is. Security is especially a category where humans will fault, no matter what.

[Y_Y]

It's not clear to me how your statement disagrees with mine.

[okennedy]

I'm not convinced that they need to. What threat model are you considering? In this case, the privilege that the user is granting the new hardware is the authority to unlock the phone.

Since the phone has to already be unlocked for this privilege to be granted, it can't be used to bypass authentication.

The hardware is already installed by this point, so if it's 'spying' it can do that. The user's choice has no impact on the hardware's ability to record and/or deliver information.

At best, the replacement hardware would be able to unlock the phone for the attacker at some later time. However, the cost of getting this customized unlocking device into the phone seems high given that the attacker needs physical access to the device to embed the hardware in the first place, and then again at a later time to get into the device.

[lotsofpulp]

I can see used devices being more trustworthy if the hardware is not able to be modified by the previous owner.

[eastbound]

Just make it possible to display the list of hw changes.

[lotsofpulp]

More complexity, more chance of problems.

For example, my dad used to use Androids. Without fail, he would get malware on them, he simply could not resist bypassing the security prompt to click on something he wanted to click on. Or maybe he does not understand English, or the concept of malware enough to properly heed the security warning pop up.

With iPhone, it’s not possible, so there is no worry, and no malware. Same with the hardware changes. People like my dad, or my wife, or even me who have very little interest in technology simply want to trust their device. And this device is literally the key to their life, their financials, their personal data.

All I know is my life has been made much easier by slinging Apple devices at people in my family that they simply do not have a way to mess up.

[circuit10]

The topic seems have changed to sideloading here, for that they can bury the setting somewhere or require connecting a PC over USB (but hopefully without involving Apple’s servers or requiring a Mac) to enable it if that’s really their motivation

But their main motivation is likely control and profit more than safety

[vr46]

I don't think this is quite that simple, because one user's authority could potential trump everyone else's in a company or group, once a vulnerable device infiltrates the system. Having trusted authorities works well when everyone has to rely on the security of the device. Once you can bypass that authority you effectively have a cheap MITM attack.

[okennedy]

You are describing a different class of attacks. If the company owns the device, they should be free to (try to) lock it down all they want. OP is about Apple locking down devices that someone else ostensibly owns.

[LeanderK]

this is still no excuse. You could just disable 3rd party replacement parts by group-wise policy, maybe even enabled as default.

[rickdeckard]

Why? If this is really an attack-vector a company considers, it could streamline hardware-repairs into their internal processes.

If the device is enrolled in a corporate MDM, the confirmation of HW-changes could be delegated from the user to the admin, with the device working in "degraded" mode (i.e. no FaceID) until the admin approves the Repair.

Even more, large companies could contract with specific repair-companies to authorize them for their company devices and their repairs are synced into the corporate processes.

This would create a paradigm-shift in that market as repair-volume suddenly becomes more predictable ("I'll repair phones when they come in" --> "my company is the exclusive repair-center for a footprint of 10k corporate devices"), repair-companies will commit to certain performance, then drive smaller-volume contracts and individual repairs to offset the cost of such guaranteed turnaround-times, and so on...