
Apple and Russia Face Off Over Telegram on App Store - kharazi
https://www.bbc.com/news/technology-44300961
======
heisenbit
The problem with the app store is that it is a great control point. We may
appreciate the safety it provides but it is a tempting target for regulators.
More diversity in the ecosystem would help here.

~~~
api
People are only now realizing this?

~~~
walrus01
People have been saying this for years. For the 98% of non-technical users,
the App Store is suitable for them because its GUI is incredibly easy to use
and understand. For the 2% of people who want to be able to sideload apps and
to truly do things with root privilege on their Android or iOS phones,
enforced app stores are a terrible thing.

~~~
overcast
2% is being incredibly generous. If I asked my entire office of 200 people
what rooting their phone meant, I'd be flabbergasted if 4 of them knew what I
was even saying. HN and forums like it really live in a tiny, tiny bubble of
vocal minorities. I've been in this industry for twenty years, and I have
absolutely no interest in monkeying around with my phone. I just want it to
work.

~~~
craftyguy
200 people is a very small sample size, and since you all work in the same
office, it's likely you all have similar backgrounds and experiences. In
short, probably not representative enough of the total population (on top of
being a small sample size).

~~~
overcast
A sample size of 200 is a 93% confidence level. The company is international,
and so is the diversity. I guarantee we don't all have the same experiences
and backgrounds.

~~~
craftyguy
Here's a counter anecdote to yours: the organization I work in has around 1000
people, I'd say about 30% easily know what 'rooting your phone' means, and at
least 5% (probably closer to 10%) do it. Also an international organization
here. Your sample group, like mine, is not good enough to come to any
conclusions.

~~~
overcast
Sounds like your organization is not diverse, but more of a technical one.

------
jve
> It is possible that, as a result, the app is not GDPR compliant

As a result of what? And this is between Russia/USA which has nothing to do
with GDPR.

And moreover, a company has to be GDPR compliant, not an app. An app may
include stuff that helps to be GDPR compliant, but that is only a subset of
what is required to be compliant.

~~~
mercer
FWIW, from the man/Durov himself:

"as a result, we’ve also been unable to fully comply with GDPR for our EU-
users by the deadline of May 25, 2018. We are continuing our efforts to
resolve the situation and will keep you updated."

~~~
zimpenfish
To be fair, they had fully two years to do this before the May 25th
"deadline".

------
codedokode
Isn't this anti-competitive? Apple prevents Telegram from updating while
allowing competing messengers to do so.

By the way, legally Telegram is not a Russian company (a British company, if I
remember correctly), so Apple cannot get away with "who cares, they are from
Russia". Is it ok that at the Russian government's request an American company
is restricting a British company?

~~~
segmondy
Not allowing them to update their app globally is truly evil. Apple has been
positioning as a champion of privacy but it's all rubbish. They truly are as
bad as Google.

~~~
ryanlol
Not banning Telegram from the app store is truly evil.

~~~
IntelMiner
Feel free to extrapolate on this comment...?

~~~
ryanlol
If you truly value privacy, perhaps you’d ban the “secure messaging” app with
a history of obvious crypto backdoors?

[https://habr.com/post/206900/](https://habr.com/post/206900/)

I’d love to see any credible explanation as to how this could have happened by
accident.

~~~
huhtenberg
Have you actually read the post you linked to?

He found a flaw, they fixed it. The flaw itself is of a kind common to
home-brewed crypto and it was lying on the surface. Saying that Telegram made
this mistake on purpose is, if you pardon my French, making shit up.

~~~
ryanlol
Do you _actually_ understand the nature of the “mistake” they made here?

Yes, they fixed it.

No, you can’t _accidentally_ write code that pulls DH nonces from your server.

>The flaw itself is of a kind common to a home-brewed crypto

You can’t say things like this and then proceed to accuse others of making up
shit.

~~~
huhtenberg
This is way too crude and obvious to be an intentionally planted protocol
weakness.

Telegram doesn't have reproducible builds, do they? So if they really wanted
to fuck people over, all they had to do was ship a build that uses a
predictable PRNG. The vast majority of users will use vendor-supplied
binaries, so chances are that for any pair of peers you will be able to fully
recover all their secrets and eavesdrop on the traffic. You don't even have to
be Telegram to do that. In fact, this works against _any_ protocol... unless
client binaries are routinely audited and matched against their source, which
is never the case with any of the clients. The only example I am aware of was
Zimmermann's PGPfone back in the mid-90s.

So, yes, I think that you are seeing things that are not there and it's yet
another case of stupidity rather than malice on part of Telegram's devs.

~~~
ryanlol
>Telegram doesn't have reproducible builds, do they? So if they really wanted
to fuck people over, all they had to do is to ship a build that uses
predictable PRNG.

This doesn't really matter that much; the source code isn't very helpful while
auditing an RNG.

Most of the time Telegram doesn't even encrypt conversations, yet this is
their main selling point.

>So, yes, I think that you are seeing things that are not there and it's yet
another case of stupidity rather than malice on part of Telegram's devs.

No. I just don't think it matters whether this was stupidity or malice,
sufficiently advanced stupidity is indistinguishable from malice. This was not
your typical crypto fail. You suggested that this is a common kind of error,
can you point at someone else that did this?

I think it's fair to assume malice in the case of Telegram, their "secure
encrypted messaging" application _still_ doesn't even encrypt most
conversations.

------
thisisit
I wonder how Apple would have reacted if it was a Chinese request,
considering they have blocked VPN apps from the China Store.

------
cynix
Strangely, the desktop version in the Mac App Store seems to be getting
updates just fine.

~~~
Mindwipe
Not even Apple remembers the Mac App Store exists to interfere with it.

------
peteretep
I'm curious to know if Russia's a big enough market for Apple to give a shit.
It's not China. Also, does Putin really want to upset the middle-class iPhone
users in Russia, over an app written by Russians? Seems risky.

~~~
mv4
Putin does not care about middle-class iPhone users in Russia. Blocking
Telegram is just another form of censorship for him. He got away with blocking
half the Internet in Russia already.

[https://www.independent.co.uk/news/world/europe/russia-inter...](https://www.independent.co.uk/news/world/europe/russia-internet-censorship-facebook-regulations-rules-a8315656.html)

~~~
Grue3
For those who read this, "half of the Internet" is _not_ an exaggeration. I
legitimately cannot access about half of websites I get linked to without a
proxy.

~~~
bogomipz
I had a couple of questions about this. First does attempting to access the
site simply time out? For instance in the UAE you get an official message
saying that the content is blocked. Second what has the coverage of this been
like in the local media?

~~~
codedokode
Yes, it times out. If a site uses HTTP, there can be a notification about it
being blocked; for HTTPS sites it is not possible. Some ISPs block packets by
inspecting the SNI field, and such blocks can be bypassed by playing with the
TCP packet size from either the client or the server side. Some ISPs just
block traffic to blacklisted IPs without inspecting the packets.

> Second what has the coverage of this been like in the local media?

All major media in Russia are controlled by the government. They reported that
Telegram is used by terrorists and drug dealers and that Durov refused to
comply with Russian law and provide the decryption keys that are needed for
the investigation (Durov says that the accounts in question are long
deactivated, that he was required to provide keys allowing them to decrypt the
traffic of any user, and that those terrorists used WhatsApp as well).

Putin's advisor on Internet development also suggested that Russian users can
switch to messengers made by Russian companies.

There was also a small rally in Moscow against internet censorship. Only about
12,000 people from a 12-million city took part in it.

~~~
bogomipz
Thanks for the response.

>"Yes, it times out. If a site uses HTTP, there can be a notification about it
being blocked, for HTTPS sites it is not possible."

Why wouldn't it be possible to get a notification for HTTPS though, since the
domain part of the URL is still unencrypted? How does manipulating the packet
size help steer around the blocking?

Also I am curious what the media coverage has been regarding the state HTTP
filtering?

~~~
codedokode
> Why wouldn't it be possible to get a notification for HTTPS

Because you need a valid certificate to break the SSL connection.

> How does manipulating the packet size help steer around the blocking?

The filtering hardware looks for the SNI field at a specific offset. If you
break the packet into two, it will let the packet through because it doesn't
reassemble IP packets (probably because it would require more resources).

> what the media coverage has been regarding the state HTTP filtering?

When the law was discussed initially, I think somewhere around 2012, after
large protests against falsified parliament election results and Putin's third
term, media explained that there is a lot of illegal information on the net,
for example, terrorists' sites, sites selling drugs, sites that promote
homosexual relations or suicide among minors. So the government needs a law to
protect children from this. Sometimes they also add that some western
countries censor Internet access too.

Several years later new causes to block sites were added, such as sites with
pirated movies, casino sites, sites that allow viewing blocked content or
provide VPN services, or pages that call for unauthorized rallies.

It is somewhat ironic that when Ukraine blocked Russian social networks, the
media explained how to bypass the block.
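
The filtering behaviour described above (an SNI check that only works on a ClientHello arriving in one segment) is a common DPI weakness, and the fix on the detection side is stream reassembly before parsing. The Python below is an added example, not code from the thread or from any ISP's filter: it builds a constructed TLS 1.2 ClientHello carrying one SNI extension, walks the handshake structure to extract the server name, and compares a filter that inspects each TCP segment in isolation with one that reassembles the stream first. The hostnames, cipher suites and blocklist are constructed for the demo.

```python
import struct

# Constructed blocklist for the demo; not a real list.
BLOCKLIST = {"blocked.example"}


def build_client_hello(hostname: str, session_id: bytes = b"") -> bytes:
    """Return a minimal TLS 1.2 record holding a ClientHello with one SNI
    extension (RFC 6066). Random and cipher suites are constant, constructed
    values; only the layout matters for the parser below."""
    name = hostname.encode("idna")
    # ServerNameList: list_len(2) | name_type(1)=host_name | name_len(2) | name
    sni_entry = b"\x00" + struct.pack("!H", len(name)) + name
    sni_list = struct.pack("!H", len(sni_entry)) + sni_entry
    sni_ext = struct.pack("!HH", 0x0000, len(sni_list)) + sni_list  # type 0
    extensions = struct.pack("!H", len(sni_ext)) + sni_ext
    cipher_suites = b"\xc0\x2f\xc0\x30"  # two constructed suite ids
    body = (
        b"\x03\x03"                                  # client_version 1.2
        + b"\x11" * 32                               # random (constant)
        + bytes([len(session_id)]) + session_id
        + struct.pack("!H", len(cipher_suites)) + cipher_suites
        + b"\x01\x00"                                # compression: null only
        + extensions
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body  # type 1
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(data: bytes):
    """Walk the variable-length ClientHello fields and return the SNI host
    name, or None when the bytes are not one complete ClientHello. A filter
    that instead reads a fixed offset breaks as soon as the session id,
    cipher list or extension order differs from what it expects."""
    try:
        if data[0] != 0x16:                          # not a handshake record
            return None
        rec_len = struct.unpack("!H", data[3:5])[0]
        if len(data) < 5 + rec_len:                  # truncated record
            return None
        hs = data[5:5 + rec_len]
        if hs[0] != 0x01:                            # not a ClientHello
            return None
        hs_len = int.from_bytes(hs[1:4], "big")
        body = hs[4:4 + hs_len]
        if len(body) < hs_len:
            return None
        pos = 2 + 32                                 # skip version + random
        pos += 1 + body[pos]                         # session id
        pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]  # cipher suites
        pos += 1 + body[pos]                         # compression methods
        if pos + 2 > len(body):                      # no extensions at all
            return None
        ext_len = struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        end = pos + ext_len
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", body[pos:pos + 4])
            pos += 4
            if etype == 0x0000:                      # server_name extension
                p = pos + 2                          # skip ServerNameList len
                if body[p] == 0:                     # name_type host_name
                    nlen = struct.unpack("!H", body[p + 1:p + 3])[0]
                    return body[p + 3:p + 3 + nlen].decode("idna")
            pos += elen
        return None
    except (IndexError, struct.error):               # short or malformed
        return None


def split_into_segments(payload: bytes, cut_points):
    """Model the ClientHello being delivered as several TCP segments."""
    segments, start = [], 0
    for cut in cut_points:
        segments.append(payload[start:cut])
        start = cut
    segments.append(payload[start:])
    return [s for s in segments if s]


def matches_blocklist(segments, reassemble: bool):
    """Return the blocklisted host name seen in the flow, or None.
    reassemble=False models a DPI box that parses each segment on its own;
    reassemble=True rebuilds the byte stream first, which is what a robust
    classifier must do before looking for the SNI."""
    chunks = [b"".join(segments)] if reassemble else list(segments)
    for chunk in chunks:
        name = extract_sni(chunk)
        if name in BLOCKLIST:
            return name
    return None


if __name__ == "__main__":
    hello = build_client_hello("blocked.example")
    whole = [hello]
    split = split_into_segments(hello, [70])       # cuts inside the host name
    print("one segment, no reassembly :", matches_blocklist(whole, False))
    print("two segments, no reassembly:", matches_blocklist(split, False))
    print("two segments, reassembled  :", matches_blocklist(split, True))
```

With the record cut at byte 70 the host name itself straddles the two segments, so per-segment parsing sees a truncated record in the first and a non-handshake byte in the second and reports nothing; the same bytes joined back together parse cleanly. The parser also returns None rather than raising on short or malformed input, which is the behaviour a filter wants when it is fed arbitrary traffic.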

------
simonh
Is it possible Apple is considering a legal challenge? I know the system in
Russia is horribly corrupt, but at least they seem to care about pretending to
have a functioning legal system.

~~~
codedokode
Russia has no relation here. Apple is now imposing sanctions upon a British
company (Telegram is registered there). By the way, Russian users are only 7%
of Telegram's userbase.

------
Aissen
Since they have blocked VPN apps in China, the cat is out of the bag: they
have proved to every country that they have the technical means to block
whatever app they like in a given country, and that they'd cave to local
regulations to prevent being blocked. That's the cost of doing business
anywhere, whether a dictatorship or not.

They might stall for a time, but they'll end up blocking Telegram in Russia as
well. And other apps will follow.

~~~
codedokode
As I understand, Apple has blocked updates for all countries, and Telegram is
a British company, not Russian, and Russian users are only 7% of its userbase.