[jameshart]

The security problem of open platforms is the key.

Anything that is open enough to let someone who knows what they're doing customize the system to their liking, will also be abused by bad actors persuading people who don't know what they are doing to customize the system in ways that harm them.

The fact I can write my own custom keyboards on Android is great! But the fact someone can convince your grandparents to install a keyboard that includes an embedded key logger is not!

Browser extensions have always been a malware-rich ecosystem. Joking about removing all the toolbars from your parents' Internet Explorer whenever you went home for thanksgiving dates back to about 1999.

[danielheath]

Custom keyboards are a great example of an app that - by default - shouldn't have write access to shared resources (that is, no network access, no writing to files which other apps can read).

Adding either of those entitlements to a keyboard app should require extremely scary dialogs. Needs to be possible - perhaps you want your password manager with sync to be part of the keyboard app - but it's clearly a huge risk.

[jenadine]

Until you want to be able to download language dictionaries or updated language model. Or if your keyboard is actually a remote keyboard or shared keyboard taking input from some other devices.

[JohnFen]

> Until you want to be able to download language dictionaries or updated language model.

You don't need the keyboard application to be able to communicate externally for that. You could have a separate, optional, downloader/installer. That's better for security all around.

[simscitizen]

Mobile OS vendors have already thought of that and came up with the exact same solution of requiring entitlements to access the network from a keyboard app:

https://developer.apple.com/documentation/uikit/keyboards_an...

The question is do you actually trust regular users to understand what’s going on when they’re asked for permission to grant an app the ability to do something sketchy?

[danielheath]

Bear in mind that on iOS, you can't just prompt for permission; those "regular users" need to be able to navigate to the settings app, find the relevant (deeply nested) section, and enable it there.

That narrows the gap significantly - to users who can't understand the issues, but can (even with the app providing an explanation) find reasonably well-hidden settings.

[LoganDark]

I've heard from a couple developers over the years that it's entirely impossible to implement a setting that will not be changed by people who don't know what it does.

It doesn't matter if it's behind a footnote, an easter egg, a password input, a magic email code, a call with the main project developer, all of the above, etc. No matter how many steps you try to add, there are still an incredible number of idiots who will mindlessly tap through literally any number of dialogs, warnings, and disclaimers to get to what they want.

Their brain will entirely filter out the path they took. They will probably not even remember a single one of those intermediate steps. The only thing they care about is that they're fixing some problem.

This could be one of the reasons Apple and Google don't want you jailbreaking/rooting your devices. Someone will inevitably make a guide, and millions of idiots will follow it. It will legitimately make the device less secure for them because they won't have any idea what they are doing and likely won't even remember doing it. The only thing they care about is that they're fixing some problem.

This is one reason why some people get so panicked and upset when anything on their computer changes unexpectedly, even if the change is actually harmless. They never actually understood anything. They had managed to accidentally get it how they want it through a combination of stuff that they don't remember. When anything changes, they have to go through that process again.

Look, these people are great at following guides and learning routines. Repetitive, mindless tasks like data entry are perfect for them, because they have no other talent to worry about wasting. But because these people exist, you have to be really careful about what settings you add, no matter how well you think it is hidden, because they will be changed by people who don't know what they're doing.

So far, the devs that have told me this have done so because I asked for some setting to turn off some safeguards, and they said that it's a near-universal request from power users, but they still can't do it, because the rest of their userbase is too clueless to be trusted with that setting. They'd receive bug reports from people who have no clue what went wrong, when the reality is that they disabled the safeguards in order to make something work, and then promptly forgot what happened once it worked the way they wanted. This has supposedly happened so many times in the past that they just don't take the risk anymore.

Anyway, all this is to say that while hiding a setting, as opposed to automatically prompting for it, can definitely rule out a decent chunk of idiots, you will never be able to rule out the resourceful idiots that can mindlessly follow instructions.

[rrr_oh_man]

I think you underestimate how much we all are these resourceful idiots under the right circumstances.

[LoganDark]

I'm biased because I'm neurodivergent, which means I don't have as much experience with neurotypical thought processes.

While I do use search engines and the resultant resources all the time, I don't follow steps completely cluelessly/mindlessly and later forget that I did it. I don't know what the equivalent would be for non-tech - I at least try to understand what a guide is doing so I can reproduce it independently later. I try to develop basic intuition for everything that I do. It is hard for me to imagine someone who lacks that ability. I don't mean to be offensive to anyone in particular, I just use "idiots" for the sake of argument to explain how any setting will eventually be found and changed.

Is it normal to forget the steps you took to accomplish a task? To, say, specifically turn off a setting for crash protection, then completely pull a blank if the program gets into a crash loop later?

[medstrom]

I bookmarked this post, thanks! Really interesting.

[conradev]

A great XKCD on the topic: https://xkcd.com/2044/

I do think that with every turn of that cycle we end up with better compromises. They’ll still be compromises, though.