Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

That's a false dichotomy. Apple can offer everything you have now while also giving users the option to sideload. Nowhere is it written that they have to be mutually exclusive.


Sideloading sounds great to me and you, but it also opens up a great attack vector on less techy people: just convince the user to run an arbitrary binary to pwn the device.


Not in practice no. People don't sideload "arbitrary binaries" also on android they install other app stores and these app stores have vetting. The vetting guide lines there might have less censorship than apple, but this "attack vector" is just completely made up in reality.


Right. On Android, that's not possible without enabling Developer Mode in settings through a cryptic combo, then enabling the installation of third party packages. After that you still have to go through the process of installing the software.

It's not something you can bait Grandma into very easily. It's a useless attack vector when Safari comes preinstalled on every iPhone.


Oh that's not a problem, there are so many ways to make it seem innocuous. Let's start with the fact that 80% of legit devs will just never notarize if they can instead tell users "go through this flow to use my app, not my fault apple bad". Like on macOS, it becomes routine after 3rd time.

And if you believe exploiting evergreen Safari from JS to arbitrary execution is the same as directly running malicious instructions that came in sideloaded app then I have nothing more to say.


How many casual users are going to be downloading mobile apps from random indie devs who do that? How many casual users are going to be sideloading at all?


Like on macOS, probably lots. It's not casual users who are at most risk but semi-techies savvy enough to follow a tutorial on disabling SIP to do something benign but not savvy enough to know of the implications. There are more people like that in digital native generations, perhaps even more than actually "casual users" in the old sense.

I know such people who use alternative browsers. They are OK jumping through an extra hoop to use non-notarized enthusiast-made software. And don't underestimate how people like to reskin their OS GUI which on Apple hardware is not possible without full root and disabling various security measures.


I know I am missing the point here. Locking the cosmetic GUI is totally bonkers.




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: