[tkems]

This seems that Apple went to way too much thought to avoid a simple solution: Just let users sideload apps and put up a few warning messages like Android. Must have had a bunch of high-priced lawyers think this up.

Also, what is this Core Technology Fee for all apps? Maybe Apple has been losing money on the App Store infrastructure so they want to make it up? Or is this just a bid to try and keep as much control as possible? Seems that Apple wants to go into this kicking and screaming...

As someone in cybersecurity, I understand the need for secure apps, but I think Apple has been going about it in the wrong way.

[russli1993]

It's about preventing someone like Epic asking Fortnite players to download Epic store to download Fortnite. It's about preventing that sweet Apple tax going to zero. Apple tax on games is a huge chunk of app store revenue. It might be about not creating many app stores, launchers in the ecosystem, but for Apple, it's always about getting that service revenue, to protect the stock price, margins, profitability, and getting a good review on wall street. No many app stores, security is just a way to sell to consumers. Like many mentioned, there are many ways to design the system that offers security, even content moderation without all of the hoops.

[acdha]

> This seems that Apple went to way too much thought to avoid a simple solution: Just let users sideload apps and put up a few warning messages like Android. Must have had a bunch of high-priced lawyers think this up.

You know how every few weeks there’s an article about something dodgy in an alternate Android store which the scammer never even bothered to submit on iOS? There’s a real problem here and these seem generally like solid technical moves but paired with heavy handed language which reminds me of the way so many websites put up those “look at all the cookies the mean old EU is making us tell you about!” warnings. Notarization in particular seems like a good move for avoiding the common problems around impersonation or silent alteration of binaries, and I think the browser engine requirements are justifiable solely by looking at how many popular Electron apps take months to patch critical vulnerabilities.

[sensanaty]

Could you link to like, a single one? Cause I can't say I've ever seen a single one in recent memory.

[twodayslate]

Here is an article from 3 weeks ago: https://www.tomsguide.com/news/this-android-malware-installs...

> Xamalicious is a new Android backdoor that was found to be hiding in 14 malicious apps on the Google Play Store by the cybersecurity firm McAfee.

[Vinnl]

The Play Store is not an alternate Android app store though.

[kmlx]

you just need to read the article:

> The good news is that the bad apps in question have since been removed from Google’s official Android app store. However, the cybercriminals behind this campaign are also using a separate set of 12 malicious apps on unofficial third-party app stores to spread the Xamalicious malware. These apps need to be sideloaded onto your smartphone though as they are installed via an APK file.

i mean, this isn't really news, is it?

[Vinnl]

Ah, I stand corrected - I assumed that the quote would be the relevant bit of the article, and didn't click through.

[timeon]

> reminds me of the way so many websites put up those “look at all the cookies the mean old EU is making us tell you about!” warnings.

"so many" shady websites

[cubefox]

> You know how every few weeks there’s an article about something dodgy in an alternate Android store which the scammer never even bothered to submit on iOS?

Every few weeks there is an article about that!? That doesn't happen. It's a non-issue. Likewise on MacOS or Windows. I suspect these scenarios in the comments here are just made up by Apple fans to create FUD.

[acdha]

This is a pretty simple concept: the easier it is to run code on a device, the more options attackers have to trick users into installing it. Whether or not you follow the field, we have at this point 4+ decades of experience with people getting compromised because they installed something they thought was safe, and over that time we have seen attacks get more sophisticated as operating systems added safeguards. We’ve also seen the rise of entire businesses built on software which does things users wouldn’t have agreed to had they been fully informed. There’s a spectrum from classic malware to the quasi-legal stuff: spyware for governments or businesses who don’t trust their users, abusive spouses, or parents with control issues; and companies like Facebook who provide legitimate apps but also deeply detest transparency about the data they collect or how they use it. All of those represent enough money that they can provide polished apps, install instructions, customer service, etc. and many of them try to conceal their activities enough that all of the major operating systems have added limits to what applications or even administrators can access or run in the background, mandatory notifications when something sensitive like using your camera or microphone is requested, etc.

Apple’s answer to this was the App Store’s strict limits which has been effective (a lot of stalkerware has detailed instructions for sideloading in on an Android phone but either doesn’t support or has far less functionality on iOS) but that’s not the same as saying that’s the optimal balance for users. The EU is also interesting because they have strong privacy laws, so it might be the case that it’s not so bad there but would be a disaster in the U.S. without such restrictions making it riskier to hide intrusive activity. I would like to try other models but I also think that the more successful ones will look like what Apple announced where the model isn’t just “game over, buy a new phone” if someone ever makes a mistake about who they trust.

[cubefox]

If it would be a disaster on iOS, it is already a disaster on Windows. It is not a disaster on Windows. Therefore it wouldn't be a disaster on iOS. (Modus tollens)

[acdha]

Have you ever done any Windows support? I have, and there are very, very few people you can trust not to install dodgy software if they have the ability to do so. No matter what level of warning dialog you put up, there’s some guy at a call center in India making good money walking your grandfather through the process of installing their root kit so he can help them fix their online banking.

Again, I’m not saying this isn’t a trade off with real consequences but if you want to contribute to the conversation, at least acknowledge the millions of people who’ve suffered severe embarrassment, lost money or even their lives because they trusted the wrong person’s software. This is bigger than your emotional relationship with Apple.

[cubefox]

As far as I know those Indian call centers usually use software like AnyDesk. This is not malware. In fact, it is already available in the App Store:

https://apps.apple.com/us/app/anydesk-remote-desktop/id11761...

So I don't see how this could be a big problem.

[lwkl]

Have you forgotten all the extortion that happens because of all the encrypted files? Just because people kept opening bill.pdf.exe.

A lot of companies don‘t allow their users to download any files from cloud services an quarantine and manually review e-mails with attachments and download links. A lot of companies running Windows are also starting to use AppLocker which is a way to only allow whitelisted executables to run. So yes this is a huge problem and billions of dollars are spent on it (be it losses through attacks or money spent on countermeasures).

[albert180]

It's so pathetic right? Please, please Apple, charge me for everything through the nose. I'm not worthy of deciding for myself and using my own brain.

I also don't know anyone outside my Techbubble who has sideloaded Apps, neither someone who has gotten a virus so far. Also the Bullshit about 5 different App Stores has never materialized.

[kevingadd]

"Maybe Apple has been losing money on the App Store infrastructure so they want to make it up" is a plausible theory, but there's no data to support it since mobile gacha/gambling apps pull in billions a year and Apple pockets 30% of it. Those games don't make particularly heavy use of Apple's infrastructure either, so I would guarantee that they are making a healthy profit every year on the store.

[zamadatix]

Even more succinctly if it were the case then the new offering wouldn't be limited to Europe and the old offering wouldn't be an option to retain going forward there either.

[FateOfNations]

Apple considered the App Store commission to be compensation for the value delivered by the entire iOS developer ecosystem, not just the mechanical/infrastructure parts of the app distribution process. It was a pretty good setup: aside from the $100/year membership fee, the charges scaled with revenue, which in most cases is a good approximation for the value provided (there were some edge cases where that falls apart, like digital content purchases). Unlike, say Microsoft, they didn't charge $250/seat/year for their full-fat IDE. The also haven't charged licencing fees for the SDK, like is common in the video game space.

[Andrew_nenakhov]

Device price is sufficient compensation for the value delivered by the entire iOS developer ecosystem.

If a user wants to specifically avoid this 'ecosystem' and have a direct relationship with the app developer, such user should be allowed to run the app without Apple's consent, permission or even knowing.

[bandergirl]

> Device price

I don’t see Samsung pricing their top-end devices at less than $999, and they pay Korean salaries, not Silicon Valley salaries.

[Andrew_nenakhov]

If Apple feels the price should be higher to justify the costs, they should raise the price.

If Apple is saying that they are selling a phone but do not give their customers full freedom to do whatever they want with the device, it is not sale, but lending, and Apple should come clean about it.

[arunkumar9t2]

Do you think Samsung does not have non Korean employees?

[bandergirl]

Come on that’s a lazy comeback. It’s obvious they have more Korean employees than Californian, I don’t need fact check. Having direct factory access (read: own) further reduces costs.