by judge2020 667 days ago
> They could implement some kind of tracking, but again, remember that the app runs in a sandbox and Apple controls that sandbox.

Sandbox escapes are incredibly common; Apple still controls eliminating your business from iPhones if you attempt to use an exploit to pull user data when you distribute through the App Store.

If you can do distribution via your own site, it becomes a whack-a-mole game with Apple - where data exfiltration exploits are found, Apple fixes them in a new update, then we have to wait for people to update.

And until most users update, the at-fault company is busy siphoning data from any user who can't update (e.g. no wifi / limited data plan) or any user who is slow to approve the update dialog. Eventually the company's app will grow to contain an exploit for the last dozen iOS versions that conditionally execute based on the iOS version/feature detection/probing for exploit availability.

> Sandbox escapes are incredibly common

If iOS' sandbox is that insecure, then they have a problem on their hands.

The sandbox is the largest attack surface ever and trying to lock it down from everything forever is basically impossible.
And as soon as app X starts exploiting a sandbox vulnerability, Apple will patch it.
Apps without App Store review could also start delivering dynamic code packages that aren't included in the binary. There could be targeted attacks via these apps on specific users (say, journalists, politicians and their families, etc.) not delivered to everyone; Apple thus can't analyze until it's been delivered to a device they control. App Store rules forbid dynamic native code delivery.
Perhaps journalists and politicians should stick with the App Store (which is what 99% of users do on Android, where you can sideload apps) and use Lockdown Mode.