I look at the wording of the title of this Verge article (and a few others that have come out lately) and see it as another example of media spreading fear through unnecessarily alarming titles.
In reality, the risks are no different from manually installing an APK on Android, which no one has kicked up a fuss about.
In other words, there are no useful apps on these stores because you have no way of really knowing what their use is. Considering that they're already coming from nefarious sources, there's no reason to believe they're not a trojan horse for something worse.
I consider the phone to be firmly mine when I pay almost $1,000+ for it, and I want to be able to install whatever applications I want, not what Apple says I can have.
You've applied the term "nefarious sources" to a third-party app store, with which I disagree. Do you take the same approach with your laptop? Can you download an exe or app from third-party websites without having to go through a manufacturer approval process? I
Your phone is yours. Absolutely. No question. In the age of big data, security breaches, and identity theft, though, we shouldn't expect or want to make technology so stupidly easy that people unwittingly give up their privacy and security simply because they didn't know any better. And I know the old adage about "inventing a better idiot" but that's not what I'm concerned about here. I'm concerned about responsible disclosure of the information here. The downside is a few more inconvenient steps for people who would legitimately need to sideload or use a certificate like this while the upside is the ability for a non-savvy user to trust the technology in their hands.
When I pay $1,000+ on a phone, I don't want its usefulness to be restricted to what Apple says I can do with it.
Then don't buy an iPhone. It's not like you're paying that much money and then Apple is switching the phone out after you've paid. You're buying the device with the knowledge that it operates within Apple's walled garden before you ever take possession of it.
For 20+ years, in GUI design, it's been proven that if you present users with a challenge/warning prompt they will do whatever is necessary to click "yes/ok/i understand/install this thing" to accomplish what they think is their goal.
It would be worth having a deeply buried toggle within the iOS UI that you can change, if you're an actual developer. Otherwise installing an enterprise certificate on iOS should have larger, scarier, more time-consuming and more difficult to bypass warnings.
This is exactly my concern. As someone who had to deal with people jailbreaking their phones without any knowledge of what they were doing, this is exactly what I think the issue is. The difference is that, in this case, there's credible evidence to suggest that this is a data-mining operation in disguise and people will unknowingly allow it to get "free apps".
I imagine that installing via Enterprise Certs doesn't remove the sandboxing around Y...
Can you please elaborate on what's actually happening?
The user of X' reports bugs to him/her as if it was legit X running, so he gets reports that don't really come from his/her app.
Also I'm confused as to why my question was downvoted... I'm a dev too who's released a few sandboxed apps (on iOS and macOS) and would like to understand if there is a vulnerability in the sandbox somewhere. Seems like this would be useful to understand for many devs.
Just Google "sideload iOS apps without jailbreak", you'll find all the guides you need.
By sideloading, I mean the ability to install and run a binary downloaded off the internet. Mac OS allows this, but does put a prompt out. Android allows this as well. No certs, no UDID etc.
But I still don't see the huge problem:
"Trusted" has a very strong meaning when used for any computing device. So this is already a really, really strong warning sign (safeguard 1). Next, you explicitly have to go to the settings to manually trust the certificate (safeguard 2). This gives you a lot of time (i.e. you don't accidentally "click/touch OK") to inform yourself intensively of the consequences of the decision (safeguard 3). Even after that according to this link (no screenshot is shown), you explicitly have to confirm your decision again (safeguard 4). Now according to this link, you have to install the apps from the now-trusted developer manually (safeguard 5).
So I see at least 5 levels of safeguards that Apple introduced.
Talk about inaccurate, bad reporting...
Also, ‘illicit’ doesn’t necessarily mean “unlawful”. https://www.merriam-webster.com/dictionary/illicit#synonyms also mentions “not permitted”, and Apple doesn’t permit you to use an enterprise certificate in this way.
Yeah, you're not going to sell me on this line of bullshit. The amount of money you pay for an Apple is a fucking purchase. So why do they maintain control of it? Eh?
This historical version is my favorite in which Apple try to suppress negative press by threatening developers who fall victim to arbitrary rejections - "If you run to the press and trash us, it never helps."
Sorry for all the emphasis, but this stuff is important. Once a manufacturer has sold a product, it no longer has any claim to it — none. It belongs to the purchaser, who is the sole owner.
It's well known that there were some sketchy apps in there. But how was that any different from having a Linux or Windows desktop wherein you can install whatever you want? I believe that the financial motivation (the walled garden) is the biggest one, but maybe not the only one.
Taking away the question of whether Apple has the right to determine what is moral or ethical (I argue that they don't), I agree with the OP in that the primary reason is to maintain the walled garden.
That was my whole point: once sold, those phones are no longer Apple's devices. Apple has absolutely no legitimate say in what the new owners choose to do with those phones. Nor does Apple have any legal or ethical exposure to what the new owners do with their phones: that is the owners' liability.
Now, the owners may wish to enter an arrangement with Apple, and Apple may only choose to enter into that arrangement if the owners do certain things or refrain from doing certain things. That's completely fair.
What's not fair is 'selling' someone a device, but retaining ownership of it. That's not a sale; it's a lease.
The comment you were replying to mentioned two others, right there...
However the same App Store policies apply to all iPhone owners, regardless of how it was purchased.
In this case, things can get interesting if these companies have Chinese government backing. WeChat went through a similar fight with Apple, where Apple was trying to shove its app store guidelines as justification for denying extensions on WeChat, but as usual, Apple curled up in the corner the moment the Chinese government got involved.