by judge2020 876 days ago
Unfortunately the most vulnerable will be easily manipulated into bypassing whatever prompts are needed. The threat vector is Facebook telling users to install Instagram/FB from their own app store instead of from the App Store, both eroding their privacy (since they won't be mandated to respect the "do not track" popup) as well as training them how to install apps from third-party sources and that "it's OK to sideload because Facebook and Instagram require it".
3 comments

I doubt it, otherwise we'd see this in Android. And while it does happen of course, it's vanishingly rare. Anecdotally I have plenty of friends and family who are neither technically proficient nor well educated and they seem to be doing just fine.

Instead it's a boon, especially for folks like myself who use a fair amount of software from alternative stores/installers.

As far as I know, Android also doesn't have the same level of privacy requirements and permission prompts to show the user. Facebook et al. don't have much of a reason to push a third-party app store.

In addition, exploitation might be transparent to the user, i.e. a botnet that runs in the background[0] or replacing ads in other apps to steal their revenue[1]. People use iOS and recommend it to their friends/family because of its simplicity and the built-in safeguards the App Store provides, since installing a sideloaded app is a much more involved process.

0: https://cyble.com/blog/daam-android-botnet-being-distributed...

1: https://www.theverge.com/2019/7/10/20688885/agent-smith-andr...

Thankfully iOS users don't have to worry about any of that because Apple uses state of the art sandboxing that stops apps from stealing your data. I don't know what kind of safeguards you think the app store provides, but most of them are either provided by the OS itself, which would also apply to sideloaded apps, or they don't exist at all.

> but most of them are either provided by the OS itself

It's tricky. Some of them are provided by the OS, some of them are not, my (possibly incomplete) understanding is that some are enforced by analyzing the submitted apps to know what they will request and not by blocking anything at runtime? I could be describing that incorrectly.

I would argue that permissions should be part of the OS itself and should work on every app regardless of where it came from, but there are people who know a lot more than I do about what specifically Apple is doing who have told me that's more complicated, and... :shrug: maybe they're right, maybe they're wrong, I don't know enough to argue with them about it.

Web browsers seem to be able to do this sandboxing at runtime just fine, so I don't really know why iOS is so heckin special, but it's not my area of expertise, I just know that there are apparently (?) some permissions that wouldn't work outside of the store.

Facebook doesn't need a secondary app store on Android to bypass the default one's privacy rules because the default one isn't stopping them from doing what they want to do in the first place.

Those who would give up essential liberty, to purchase a little temporary safety, deserve neither liberty nor safety.

> The threat vector is Facebook telling users to install Instagram/FB from their own app store

PSA, do not install Facebook on your iPhone. Use your browser.

Apple does deserve credit for forcing some privacy improvements on iOS for the Facebook app but it is in no way comparable to the privacy of a web browser. If you are using Facebook's app because you're on iOS and you're thinking, "oh it's fine, Facebook can't track me" -- please uninstall it, a native app on iOS still has far more tools at its disposal to track you than it should have.

As just one example, I would like to say that Facebook's in-app browser code on iOS is now blocked (https://www.engadget.com/meta-can-track-facebook-and-instagr...) but I'm not sure if that's actually the case. I hope it is, a quick cursory search couldn't tell me but it's very possible that Apple patched this by now. But what I do know is that Apple made a lot of noise about blocking tracking code before this article came out and while Facebook still had these capabilities.

Don't use known untrustworthy native apps. Don't use them on Android, and don't use them on iOS.

---

Also to be clear, the privacy improvements Apple has pushed for on iOS are in no small part to stop allowing access to an advertising ID that should not be on iOS at all. I don't want to act like there's no meaningful improvement here, Facebook's reaction is proof enough that Apple's changes did increase privacy. And I fully support Apple improving privacy. But some of that improvement is Apple putting controls in front of systems that shouldn't exist or covering for systems that are way more open and way less sandboxed than they should be.

So part of the difficulty of talking about Apple's security models and the role that the app store plays in that process is that some of Apple's policies are really only enforced on the app store, even though they should be enforced at an OS level that would apply to every app regardless of what app store it came from. Of course, not every permission can be expressed that way, but some permissions can. Web browsers are proof of that -- Safari doesn't have a quality control system in place to block abusive websites like Facebook, but despite that, it still manages to be better for your privacy for you to use Facebook from Safari instead of via a native app on iOS.

I worry that Apple's app store policies are sometimes used as an excuse to avoid building much more robust protections against tracking into the OS itself, and I worry that better privacy standards on the iOS app store get interpreted as proof that native apps on iOS are just generally safe and private. But Apple's standard of what counts as private "enough" to be on the app store is not always as strict as it could be. Generally speaking, until we get much better sandboxing controls on mobile devices than we have today, known malicious or known privacy-intrusive apps like Facebook, Twitter, Instagram, or Threads should not be installed period from any app store 1st or 3rd-party, they should be used in a web browser.

Reasonable people can disagree whether a 3rd-party app store would make this problem worse, but please don't have the takeaway of "a 3rd party app store would make the Facebook app suddenly unsafe and my parents would get fooled into installing it." The Facebook app is already unsafe, and your parents already shouldn't be using it.

> Also to be clear, the privacy improvements Apple has pushed for on iOS are in no small part to stop allowing access to an advertising ID that should not be on iOS at all.

In 2010, Apple launched its own ad system called iAds[0]. Around that time, they started to crack down on other ad networks using UDID/MAC addresses to target users with ads[1]. I imagine that Apple only made the IDFA in a compromise with advertisers[2].

While I understand the sentiment that any tracking identifier shouldn't exist, Apple needed iOS to continue to succeed in the iOS 6 days and probably didn't want to deal with any anticompetitive lawsuits that early in the lineup's lifetime.

0: https://www.apple.com/newsroom/2010/06/07Apple-to-Debut-iAds...

1: http://www.cultofmac.com/160248/what-the-hell-is-a-udid-and-...

2: https://www.businessinsider.com/ifa-apples-iphone-tracking-i...

I'm confused how you would see this as anything other than further evidence for my point.

Don't install native apps from hostile networks like Facebook; they hook into systems that shouldn't exist that were added as a privacy-compromising concession in order to avoid regulatory scrutiny into other systems that also shouldn't exist.

The history of IDFA ultimately boils down to one fact: that for whatever reason it was added, the protections in place now are still protecting you from a tracking system that Apple added. And Apple's standards on what is and isn't an acceptable line to cross regarding privacy demonstrably are not always going to be as strict as they ought to be. Sometimes Apple compromises.

These apps are not safe just because they have Apple's seal of approval, there is a certain threshold of abusive behavior from apps like Facebook that Apple will tolerate. It is better to use a web browser so that (however imperfect it may be) you can get at least some small amount of real sandboxing.

Look, I'm not even saying you need to support third-party app stores. I obviously have opinions on that, but if you disagree and think 3rd party stores will make things worse, then fine. That's not my point. My point is: don't get the impression that Facebook's native app is safe just because Apple hasn't removed it. iOS doesn't have enough tracking protection to make it a good idea to use these apps natively on your phone or to make it OK to advise others to install them; they should be avoided and used only within a browser if you care about your privacy.