[idle_zealot]

Notarization is not a reasonable implemetation of a malware kill switch. All you'd need for that is an Apple-published list of known-bad app ids that the OS could check itself against periodically. No, notarization is a control mechanism to impede the creation and distribution of any non-Apple-approved apps.

[rekoil]

App IDs don't really work for this purpose if Apple aren't in control of generating them, nothing is stopping a malware vendor from literally never reusing app IDs. Notarization is a reasonable implementation, and it can even require some form of developer identification, it just can't be very deep identification, an e-mail address is enough (along with IP and other metadata gathered during the process). That way they can disable all apps signed by one developer, and can more quickly react to malicious actors, without it becoming a problem for normal users.

[Someone]

> nothing is stopping a malware vendor from literally never reusing app IDs.

Or form using the ID of another vendor.

> and it can even require some form of developer identification, it just can't be very deep identification, an e-mail address is enough (along with IP and other metadata gathered during the process).

I expect the typical malware writer will easily find a way to have a unique “e-mail address (along with IP and other metadata gathered during the process)”.

Because of that, “That way they can disable all apps signed by one developer” will not be possible.

[rekoil]

Yes, but all attempts at circumventing the system will give Apple more information about their behaviour. If 1000 different users are requesting to sign the same (or only slightly differing) IPA within a short period of time, from different IPs and different emails, it's a good indicator that something fishy is going on.

[cageface]

The requirement for a hardened runtime certainly supports this point of view.