[freedomben]

> But I don't get you. You complained that droid makes it hard and apple makes it impossible.

I didn't complain about anything, I just stated the facts, with a possible exception regarding the snark about how Apple "owns" the device, although I do think that's a defensible position since they have higher access to it than it's "owner". I do think it's shitty though that they don't provide a way (even with some hoops) for the "owner" of the device to get the highest level of access to it, but that wasn't in the comment.

> But it would be better for average user security if they could not do it (aka "did not own the device" in anti-apple propaganda), right?

Why would that be better? I highly doubt it would make any difference at all to the average user. I doubt it even impacts the majority of power users.

The people who are impacted by these restrictions are the technical users who want to capture and inspect their own device's traffic, usually on their own network. Conveniently, these are also the researchers who might publish blog posts and articles about what kind of data and surveillance the device is sending home about the user, without their knowledge.

[throwaway290]

It would be better because if not then someone can turn it off. Automatically or by misinforming the user or by requiring it etc. Like now on ios you apparently just need to install a profile, maybe it's too easy.

[smoldesu]

Well an MDM profile isn't going to decrypt iCloud data or Apple telemetry. It's basically the same dangerous power your ISP and DNS provider wields, but nobody is about to suggest banning those for user safety too.

[throwaway290]

Sounds like dangerous disinfo. Your ISP or DNS cannot decrypt your HTTPS traffic.

But someone who slips in a custom CA cert maybe can. That's the point.

[smoldesu]

That's the point, indeed. Your ISP and DNS can technically intercept your traffic, but it's pointless since TLS exists. Similarly, you can Wireshark an iPhone using MDM profiles but Apple doesn't respect your profile in the first place. Third-parties have no obligation to show you their traffic either, and many don't.

[throwaway290]

You are saying a regular app on non jailbroken ios can choose to bypass the profile & custom CA when working with TLS?

[smoldesu]

They don't need to. I'm not sure if you're aware, but it's actually possible to encrypt traffic using things other than TLS. A regular app on non-jailbroken iOS can completely circumvent TLS decryption. First-party Apple Apps will bypass your profile and custom CA.