
iOS, the Future of MacOS, Freedom, Security and Privacy - agreen
https://gist.github.com/desantis/5728d5536b6dfe37e781c0a4a0f32e54
======
LeoPanthera
When the iPhone was new, Apple wasn't fighting surveillance society. They were
mainly fighting carriers forcing you to buy shitty locked-down phones
preloaded with as many monetization tools as they can fit in them.

So a lot of the basic security of iPhone OS, as it was originally called, was
supposed to stop your carrier from fucking it up.

That legacy continues today, even though Apple is pivoting to a "privacy is
the product" model. I suspect a lot of these criticisms are a byproduct of
that legacy, and not necessarily a sign of trouble in the future.

I still trust Apple - but Apple will have to continue to work hard to maintain
that trust.

------
drodgers
> Especially since iOS10, and the “differential privacy” (dprivacyd) concept,
> which Apple pushed, and which this author feels essentially boils down to
> “let’s collect even more data without giving a real reason and spin it as a
> privacy improvement because we remove certain metadata, after all none of
> our users understand or care anyway”

This is too misleading and dismissive. Differential privacy collection
requires that the device will send back data which doesn't contain enough
information to tell anything significant about the individual, but does allow
for population-level statistics to be computed from many samples (e.g. the old
private-survey trick of flipping a coin and answering truthfully if it's heads
or randomly if it's tails). If they're collecting more data with this system,
then it's supposed to mean that they don't know more about _you_.

Almost all tech companies collect extensive usage data; Apple seems to have
made a genuine and rare attempt to improve the privacy of their users
(admittedly without damaging their ability to make informed product
decisions). Given the popularity of AI tech and the huge amounts of data it
requires, systems like this are probably the only plausible way to improve
user privacy without getting left behind in the AI and product-development
race.
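
The coin-flip survey trick described above, worked through as an added example (not code from Apple, the article or this commenter): each respondent answers honestly on heads and randomly on tails, no single reply exposes the individual, and the population rate is recovered by inverting the known noise. The 50/50 coin biases are an assumption for illustration; Apple's actual parameters are not given on the page.

```python
"""Randomized response: the coin-flip mechanism behind local differential privacy.

Added illustration for this thread; assumed fair coins, not Apple's real settings.
"""
import math
import random


def randomized_response(truth: bool, rng: random.Random) -> bool:
    """The noisy answer one respondent (or device) actually reports."""
    if rng.random() < 0.5:      # first coin: heads -> answer honestly
        return truth
    return rng.random() < 0.5   # tails -> second coin decides the answer


def estimate_proportion(yes_reports: int, n: int) -> float:
    """Invert the noise: P(report yes) = 0.5*p + 0.25, so p = 2*rate - 0.5."""
    rate = yes_reports / n
    return 2.0 * rate - 0.5


def privacy_epsilon() -> float:
    """epsilon-DP bound of this mechanism: ln(P(yes|true) / P(yes|false)) = ln(0.75/0.25).

    Any single report is at most 3x more likely under one true answer than the
    other, which is the plausible deniability each respondent keeps.
    """
    return math.log(0.75 / 0.25)


def simulate(true_rate: float, n: int, seed: int = 0) -> float:
    """Collect n noisy reports from a constructed population and estimate its rate."""
    rng = random.Random(seed)
    yes_reports = 0
    for _ in range(n):
        truth = rng.random() < true_rate          # constructed ground truth
        yes_reports += randomized_response(truth, rng)
    return estimate_proportion(yes_reports, n)


if __name__ == "__main__":
    print(f"per-report epsilon = {privacy_epsilon():.3f}")
    for true_rate in (0.1, 0.3, 0.7):
        est = simulate(true_rate, 50_000)
        print(f"true rate {true_rate:.2f} -> estimated {est:.3f}")
```

Accuracy of the estimate improves with sample size while the per-report guarantee stays fixed, which is why the scheme needs a large population to be useful.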

------
GlenTheMachine
“On iOS, there is no full-disk or full-volume encryption, only varying levels
of file-based encryption...”

I don't understand this claim. iOS had full disk encryption starting with iOS
3.0, in 2010. Or at least Apple (and other security experts) says it does:

[https://darthnull.org/security/2014/10/06/ios-encryption/](https://darthnull.org/security/2014/10/06/ios-encryption/)

Am I missing something here?

~~~
lilyball
You're not missing something. The author doesn't seem to understand how iOS's
disk encryption works. It's not "full disk encryption" in that the full disk
is not encrypted with one key. However, every single file on the disk is
encrypted, with separate keys, and the various levels of security (e.g.
"accessible always", "accessible when unlocked", etc) are managed by storing
these keys in different key bags whose own keys are evicted from memory at the
appropriate times.

Which is to say, it's not classic FDE, but if you were to take the storage out
of an iPhone and inspect it, you'd find that everything in the filesystem is
in fact encrypted.

~~~
drodgers
Yep. And this layered encryption is great because it allows — for example —
your phone to boot up before you enter a passphrase.

Making this technology more convenient is just as important for making people
secure as the algorithms themselves, because otherwise, almost no one will use
them (PGP-encrypted email being the classic example).

------
stuartd
How old is this?

_the state and details of disk encryption on both OSes is slightly unclear,
but hopefully will become clearer when iOS 10.3 is released._

10.3 was released 9 months ago. And I find it hard to take seriously any
article where every other sentence is bolded.

~~~
stuartd
Answering my own question - the original gist was posted in March 2017.

~~~
dang
OK thanks, we'll add that.

~~~
merlish
The gist contains a 2018 update section at the bottom...

~~~
dang
Ok thanks, we'll take that out.

------
userbinator
_This post by a security researcher who prefers to remain anonymous_

_If iOS is to really be considered a secure OS, and if vanilla macOS is to
become more secure, independent end-user control must be considered. Increased
low-level design security at the cost of control, and the ability to prevent
leaking data, cannot be considered a real improvement in security._

Whoever you are, _thank you greatly_ for not being another one of those
authoritarian cargo-cult "users are stupid so we should remove all control
from them" people which the greater security community seems to be full of.

------
karimdag
I am no _connaisseur_, just a guy who cares about privacy (in general and his
in particular) who also happens to own an iPhone and wants to buy a Mac.

This seems pretty troubling, as I as well as many I suppose, trust Apple and
think that they're one of the good guys. I know it's cliché but I think this
is the part where "[..] live long enough to see yourself become the villain."
applies.

The more important question, imho, then is: what can we do about it? If
nothing, what should be done ?

~~~
unstatusthequo
What do you do? Windows world is worse. So is Android generally.

Use Linux? How do you trust that? QubesOS? Pen and paper?

If you walk outside, you’re on camera. Living off grid with no phone or
computer seals the deal, but not very practical.

I’m all about security and privacy, but everything is on balance with
practicality. If a three digit govt agency wants to find you, they have so many
other ways than Apple.

~~~
nixpulvis
Why not trust Linux? No activation, full control over all the processes. Seems
like a good solution for people who "care".

~~~
andromeduck
It's good in theory but in practice you'd need to spend a lot of time and
money doing deep audits yourself, both hardware and software. That just really
isn't a worthwhile investment for the vast, vast, majority of people.

At the end of the day it all still boils down to trust based on reputation,
incentives and oversight. Openness is important but no panacea.

~~~
nixpulvis
Well at least the surface area of the audit is a LOT smaller than on macOS,
Windows, etc.

~~~
andromeduck
I really doubt that's the case if you use more than a few small apps which is
the case for the vast majority of users.

~~~
nixpulvis
Must I link a running process list of my Linux laptop vs my macOS laptop?

~~~
davewritescode
How do you know the process list is accurate for certain?

The point is, there’s potentially back doors in everything, including the C
compiler that built your Linux kernel.

~~~
nixpulvis
We've all read reflections on trusting trust... still my point stands, it's
hard to argue that Linux is not lighter than the mainstream OSes.

~~~
andromeduck
It can be lighter but what does that mean in practical terms if the cost of
maintenance is monumental? I think even just the barest-bones practical
computer with wifi + email + browser + compiler and their dependencies is
well beyond the scope of what one person is able to audit. You'd need a team
of at least 20-30 individuals before that starts making sense.

~~~
michaelmrose
If only it was possible for massive armies of people to inspect source code
for possible defects or backdoors?

Further what if it happened we were unsatisfied with this we could all
collectively hire more people to audit the software stacks we rely on in order
of priority instead of expecting each person to hire dozens to vet the
software they are presently running.

Further if only even if we can't ever arrive at 100% surety we can get closer
and closer to satisfaction.

~~~
andromeduck
> If only it was possible for massive armies of people to inspect source code
> for possible defects or backdoors?

You mean like what Google, Apple, Microsoft, etc. already do?

------
tedunangst
> Apple Activation servers are accessed via Akamai, which means sensitive data
> may be cached by Akamai and its peering partners, which includes many
> global ISPs and IXPs

Wouldn't this be devastating to about 10000 other businesses as well?

------
saagarjha
Wow, this was a long article, so let me try to unpack it:

> iOS devices (even non-cellular devices) on first boot and, occasionally for
> unclear reasons after OS upgrades, will require “Activation” and an internet
> connection to contact an array of Apple servers.

The linked patent says that this is for carrier locking. It's possible that
the code is used even on non-cellular devices because they just found it more
convenient to not remove it? There might be more to this; maybe it allows for
something like Activation Lock to work or allow Apple to track stolen
inventory.

> Apple links the credit card used at purchase, the purchaser's name and
> email, and of course, the serial number and all components required to
> generate a UUID

Of course they do; these are all components of an Apple ID, so it would be
impossible for them to keep them apart.

> This means, for example, that if you were to use a certain app for a social
> network under a pseudonym on an iOS device (not that I would recommend
> installing any social networking site’s apps on your device) and that
> service sends information via APNS, Apple (and possibly the social
> networking service) can most likely link the pseudonym account to your real
> identity.

I'm not very familiar with APNS, but doesn't it work something like "social
media server sends Apple message, and Apple forwards it to the right device"?
How would device-specific information get to third parties?

> if you enter contacts into the address book, contacts’ details are hashed
> and automatically sent to Apple, supposedly to check for presence in Apple’s
> iMessage database to determine whether to show iMessage as an option on that
> contact’s page

I agree that this is a stupid decision. This is a reasonably large loss of
privacy for a very small benefit.

> Just try to remove your Mac’s WiFi card and rebooting - all Mac App Store
> apps will likely fail to open

Wait, what? I've been able to open Mac App Store apps without a network
connection. You _can_ try to validate with the App Store over the network, but
that's an _option_, not a requirement:
[https://developer.apple.com/library/content/releasenotes/Gen...](https://developer.apple.com/library/content/releasenotes/General/ValidateAppStoreReceipt/Introduction.html)

> Apple really wanted the DRM aspect

I'm not even sure what the purpose behind Apple's "DRM" is. It's trivially
bypassed on jailbroken devices, and I think on macOS as well.

> On macOS you can separately download an update/upgrade DMG, which will be
> signed by Apple, and then simply install it without a network connection.

On macOS you can also downgrade your OS to whatever you like. iOS requires a
firmware to be signed before it will install, which obviously means that it
will have to reach out to Apple somehow.

> if a user feels like removing/modifying certain Apple system binaries they
> are uncomfortable with

What if a user removes AMFI or the Sandbox?

> The fact that there is no way of monitoring or intercepting file system
> events, network connections and other system calls on said device and that
> you are giving apps many, many more privileges than you realise

It takes work, but this is possible. What you need to do is sign every app you
download with your own entitlements that allow for debugging.

Despite the author's hesitations, I'm still pretty convinced that macOS/iOS
are probably some of the most secure operating systems you can buy today; the
amount of time Apple has put into this clearly shows. Plus, it's obvious to
see that Apple's incentives don't really align along data collection, even
when taking a cynical viewpoint. Not collecting user information allows them
to resist government requests for data and increases public goodwill; unlike
other companies they have a clear source of revenue that's not tied to data
collection, and it's highly unlikely that they'd burn that money to go after
data collection for AI or whatever given that's not an area they have a whole
lot of experience in.

That being said, there are many good points brought up in the article, namely
the centralized control that Apple has over devices. We've already seen
occasions where this has caused Apple to acquiesce to third-party requests:
for example, the removal of network extension apps from China's App Store.
Apple is playing a delicate balancing game of trying to maintain some control
over the hardware they vend while trying to keep it secure, and this is a
difficult thing to do, especially when they need to cater to the needs of
users for whom features are important and privacy is invisible.

------
trisimix
Having to choose between sanely developing and customizing your phone, and
privacy on your phone, shouldn't be the case.

------
dcow
Does anyone have a pastebin copy or something? I don't log into gh on my phone
and gists are behind a reg-wall now...

~~~
acdha
It loads on mobile Safari without a login. Do you have any browser extensions
which might be causing that?

~~~
dcow
I have Firefox Focus installed. I've definitely talked to other people who
have also been unable to read gists lately without logging in. Would github
care about adblockers?

~~~
acdha
I also use Focus so I don’t think it’s that. Maybe A/B testing gone terribly
wrong?

------
feelin_googley
It's encouraging to be reminded that still not everyone who uses Apple hardware
runs MacOS exclusively.

[https://sivers.org/openbsd](https://sivers.org/openbsd)

[http://www.sacrideo.us/openbsd-on-macbook/](http://www.sacrideo.us/openbsd-on-macbook/)

However I have not heard any reports of anyone running an alternative OS on
iPhone or iPad hardware.

With every passing year I continue to think it would be interesting to observe
how users would choose if Apple hardware and Apple software were sold
separately.

Would all users choose Apple software?

~~~
dang
Duplicate comments are not ok here.

For a long time now—and an astonishing number of posts—you've been using HN
basically to post agitprop. The trouble isn't your opinions—whatever they are,
I'm sure plenty of other users agree with them, all of whom manage to use HN
just fine. The trouble is that you've crossed into being a single-purpose
account, which is not cool. HN threads are for conversations, not agendas. One
can't have a conversation with a megaphone.

Since we already asked you once to stop and you don't seem interested in
changing, I'm going to ban this account. If you don't want to be banned,
you're welcome to email hn@ycombinator.com and give us reason to believe that
you'll follow the rules in the future.

~~~
feelin_googley
It's not a duplicate. @mercer suggested the last paragraph should be removed,
so that's what I did. Alas, the edit period had expired.

Edit: Notice that you've toned down your original reply, which had statements
like "No one cares about your opinions about Google, Apple or Facebook." It
seems I have agitated you. I apologise.

~~~
dang
I didn't say "no one cares". Originally I wrote "_We_ really don't care about
your opinions of Apple or Facebook or Google". That is true, in the sense that
if you flipped the high bit on all your opinions to turn them into the
opposite opinions, we'd have the same moderation response.

But I've learned it's better not to word things that way. I can't easily stop
myself from typing the first version of a comment more strongly than I know is
helpful, so my solution is to sand off the sharp edges by editing, which I do
a lot of.

~~~
feelin_googley
I don't have any issue with editing comments. I use the edit feature constantly
myself.

I'm just making clear I am not _trying_ to cause agitation. That's not the
intent.

I try to be sparing with opinions. I dislike having to type prefix or postfix
statements with "IMO" again and again, but I want to make explicit what is
only an opinion versus what are facts or observations because ("IMO") opinions
are almost always worthless. I prefer facts and questions.

Most of the volume of posts I made the past few weeks were not opinions but
were excerpts and pointers to articles: facts and some _journalists'_ opinions.

The truth is I waste too much time "interacting" with this addictive forum.
It's a distraction.

If you ban me from ever posting anything ever again on HN, in all honesty, you
will probably be doing me a favour.

~~~
mercer
I don't mean this in a mean way, but you do seem to care a little too
intensely (about both fb/apple/etc. and the effects of that on your karma and
whatnot). Wouldn't a good alternative be to just tone it down a bit, if
possible? Because honestly I don't think you're wrong probably most of the
time, so your contributions could be valuable.

I often struggle with my own conduct in social settings, and I've been called
'too intense' more than once, among other things. I don't know your particular
story, or if there is a 'story', but I'd really hate the idea that you'd leave
entirely instead of finding a way to be _you_ and still fall within the
acceptable range of HN commenters. And not get too addicted, of course :).
I've been so unsuccessful at the latter that I decided to 'use it for good'
and build my own little plugins so at least I'm learning something while being
here.

------
feelin_googley
It's encouraging to be reminded that still not everyone who uses Apple hardware
runs MacOS exclusively.

[https://sivers.org/openbsd](https://sivers.org/openbsd)

[http://www.sacrideo.us/openbsd-on-macbook/](http://www.sacrideo.us/openbsd-on-macbook/)

However I have not heard any reports of anyone running an alternative OS on
iPhone or iPad hardware.

With every passing year I continue to think it would be interesting to observe
how users would choose if Apple hardware and Apple software were sold
separately.

Would all users choose Apple software?

Expecting to take a little karma subtraction from the thought police for
daring to entertain such a nonpermissible idea. Par for the course here and
well worth it.

~~~
mercer
I'm almost certain that your comment wouldn't be greyed out if you hadn't
added that last paragraph.

~~~
feelin_googley
Comments from me that are _skeptical_ of Apple are _always_ downvoted.
Complaining is acceptable but _doubting_ is not. I have tested this over the
years and it is remarkably consistent. It's both amusing and sad. The clicks
can sometimes take a while to come, sometimes days, but they _always_ come.
Whether I add something silly acknowledging this phenomenon makes no
difference. They come either way. It's just a small price to pay for being
irreverent I guess. I have plenty of karma to spare. Well worth it.

