Apple revoked longtime Mac developer's code signing certificate with no warning (twitter.com/charliemonroe)
203 points by _qulr on Aug 4, 2020 | 173 comments



Perhaps we should wait to get the whole story to discuss. Didn't we just go through this with the "Apple doesn't return 30% on refund" fiasco last week?


Except that it's been verified by many people, and you can verify on your own Mac, that the developer's certificate has indeed been revoked, and the apps don't work. That part of the story is indisputable.


Sure but the important part of the tweet is “with no warning”. That’s why it is being posted here.


Apple sends out emails about a month before your certificate expires - I bet they didn’t check it and/or thought the expiry would only apply to new builds

*replaced pronouns and specified


The certificate was revoked, not expired. And expired code signing certs don't prevent Mac apps from running, they just prevent new builds from being signed.

    $ codesign --verify ~/Downloads/Eon_977.dmg
    CSSMERR_TP_CERT_REVOKED


Honestly, no company should have this much control over people's businesses and livelihoods.

iPhone is a generic pocket computer, and it has outgrown Apple's desire to maintain a fiefdom.

Congress and the EU should force Apple to allow 3rd party marketplaces and installs. Apple is free to charge 30% for the App Store, but they can't be the only way to get code onto an iPhone. Nor should they be the only first class way of doing it.

Edit: I frequently get downvotes because of this. Who really wants everything going through Apple 100% of the time? I don't understand this perspective at all. Do you like not having control of your devices?


This is actually why I completely left the Apple ecosystem. I ditched the iPhone for a LineageOS device and, since I think the Mac will eventually end up fully locked down as well, decided to get ahead of that race and migrate to Linux.


I have done the same, but unfortunately a bunch of my applications are not working because they detect that I have a modified ROM! The switch is not painless.


I like everything going through Apple personally. In fact it's part of the reason I have an iPhone.


It hurts all of the supply-side people that make the ecosystem healthy. It's not a sweatshop, to be sure, but it's definitely a gangster-style shakedown with the imminent feeling of having your green card revoked.

Nevermind the fact that this was the platform that pioneered race to the bottom prices with the expectation of free updates for life.

The app store is so incredibly toxic and harmful.


That's fine. Those who want to can still go through the Apple App Store. Options should be made available for those who don't.


Isn't silently revoking a longtime Mac developer's certificate bad practice, regardless of the justification?


Isn't keeping the 30% on refunded apps bad practice, regardless of the justification?

Well, yes, if it's true, which it wasn't.


Okay, so what are the situations where it can be false?

* apple actually did communicate to them, but it was via carrier pigeon or something and it got lost

* apple is under gag order

* the developer is actually a long time repeat offender and is trying to evade via sockpuppet accounts

None of them seem plausible to me. Also, unlike with the apple 30% refund fiasco, we know for sure this is happening, because other users are tweeting that they're receiving error messages when trying to install his software.


It doesn't take much imagination to come up with other scenarios. No idea if any of these are true.

* apple actually did communicate to them, but it went to the developer's spam box.

* apple actually did communicate to them, but sent it to an old email address that the developer never updated.

* apple actually did communicate to them, but it was via a developer dashboard that the developer rarely checks.

* apple didn't revoke it. something else is going on.


You make all good points except for the dashboard. I don't believe that posting a message on your own property can be construed as sending a communication (and for something like this situation, we're talking about sending when we say communicating). It would be like having to go to a lender's headquarters for financial statements and tax documents.


> apple actually did communicate to them, but it went to the developer's spam box.

Why are so many people assuming that Apple would only email a developer about revoking their certificate, a drastic action that suddenly kills all of the developer's apps? Apple has the phone number of every member of their developer program. Anything less than an immediate phone call from Apple in this situation would be gross negligence.

> apple didn't revoke it. something else is going on.

It's revoked. Any Mac user can verify this with "codesign --verify" on any of the apps on the developer's website that are still available for download.


>* apple actually did communicate to them, but it went to the developer's spam box.

Isn't "check your spam box" the same thing you're going to do if you're looking for an email that you're expecting?

>* apple actually did communicate to them, but sent it to an old email address that the developer never updated.

plausible, but it seems unlikely that'd be the case, considering that this is a semi-important account that you won't use a throwaway account for. Also, isn't your iTunes Connect (App Store) login based on your Apple ID, which is based on your email?

>* apple actually did communicate to them, but it was via a developer dashboard that the developer rarely checks.

His tweet said that his account was suspended, so he probably found that out while trying to log in, or got an email.


- Developer was hacked and is unaware of it.

- Developer accidentally clicked "revoke my cert" (no idea if that's a real button, but that's not the point).

- A national security agency sent one of those scary letters preventing Apple from speaking but requiring the action.

- Developer had a mental breakdown and has lost grip on reality.

- Developer realized app was infected with malware and ...

Truth is stranger than fiction, so it's actually really hard to think of all the possible strange explanations. Which is why it seems eminently reasonable to take a wait-and-see approach, at least for a reasonable period of time.


Your first case is the first thing that came to mind--his certificate was found to have signed malware. They would revoke without notice in such a situation.


> - Developer was hacked and is unaware of it.

If that's the case why wasn't that communicated to him?

>- Developer accidentally clicked "revoke my cert" (no idea if that's a real button, but that's not the point).

>- Developer had a mental breakdown and has lost grip on reality.

While these are possible, they seem very unlikely. Compare the numerous cases of Big Tech silently revoking people's account with no notice or appeal, to the number of times that someone made a public announcement, and then went "nvm it was me lol".


Big Tech is not a monolithic entity and citing cases across different entities may not be an appropriate way to compare these issues. Asking for patience while both sides have a chance to explain the situation is reasonable.

Also, whenever you suggest something is "very unlikely," keep in mind that this likelihood is one instance in the context of 20 million developers. Are you suggesting it's like a 1 out of 100 chance, or a 1 out of 20 million chance?


How does other users receiving errors prove that the developer received no warning? Your first bullet point seems entirely plausible, albeit the failure mode is likely less avian.


Hi, I'm the developer.

* No email in my spam box.

* My contact address is still working and I have received notifications about them approving my updates for the App Store yesterday (so saying that they have no way of contacting me is not true).

* No known breach of account.

* No accidental revocation (I was sleeping while this happened).

* The certificates are revoked, as you can verify via the command line.


Please keep us updated with what comes of this!



> Okay, so what are the situations where it can be false?

I think many people ask themselves that just before they grab the pitchforks.


If their certificate had been stolen it would be expected. Stolen code signing certificates have been used to distribute malware in the past; for example Stuxnet.

Of course, you'd expect a notification from Apple saying they'd done that and why; and plenty of safety measures to prevent mistaken revocations.

That's not to say I support mandatory code signing - merely that if you're going to have code signing, you also need to revoke stolen certs.


Honestly it doesn’t matter at all if it actually happened, that they could is unacceptable.

EDIT: To be clear, it's not the certificate revocation that's bad, it's that the certificate is required to distribute code and can only be acquired from a single organization.


I actually like code signing. I can still run unsigned code by flipping the right setting, but I don’t have to worry about non-developer family members running something bad.


I think certificate revocation of signed code is a good, useful feature and something that I want as part of my security infrastructure.

I wouldn't want it any other way if I have to use non-open source code that I can't inspect. But the basis of all my core software is going to be open source.


This will lead to computing being locked down further with really questionable benefits. In fact open source software can suffer greatly because these certs make deployment cost non-zero. So someone providing binaries of such software has to pay for it to large corps like Apple and Microsoft.


We've been in this situation for 10 years now. Has the slippery slope caused any sliding yet?

The cost issue is separate from the revocation issue, and my point was about certain revocation--it's an absolutely great feature for any code signing situation where you are trusting others to compile code for you and others can't confirm that a certain set of binaries came from a certain set of source files. (Reproducible builds could help, of course!)


> Has the slippery slope caused any sliding yet?

Yes it has, that’s the point of this whole discussion. Desktop apps now need to be signed and I’d be willing to bet you couldn’t find a signed torrent client.


Why would you be willing to bet if you can just google that the Transmission BitTorrent client is in fact Gatekeeper-signed?


Great example, they had problems with malware infection...


Eh, yes, we have much more locked down systems with reduced capabilities. Consoles used it maybe for years and they are notorious for being useless for any third party content. You cannot simply write your own drivers for several devices anymore, so you basically booted a lot of engineers. It infected whole industries. We have locked down agricultural devices where users pay for expensive hacks. It is a complete nightmare actually.

For security... sure... actually not even my grandmother would believe it.


Consoles haven’t been open for 30 years, but I can still run unsigned code on my Mac. They’re not a good argument for us actually sliding down a slippery slope.

And writing drivers for hardware has often been impossible or effectively so due to poor documentation and/or signing. Do you not remember the era when most WiFi cards didn’t work with Linux, or when graphics cards required closed source binary blobs to even work?

I get you don’t like it on principle, so maybe you shouldn’t buy a Mac, but the idea that we’re going down a slippery slope is very much [citation needed]


I remember the time and I could just fix the driver in some cases at least. And people did and provided solutions.

Windows also introduced software signing for drivers and user software, so yes, prevalence does increase while no benefits are provided. What is the advantage of an Nvidia binary blob for Linux, whether it is signed or not? Was downloading from a trusted source a problem? We had hashes if you really wanted them.

With signing you make yourself dependent on the manufacturer of the OS.

The console argument was a hint that the application gained traction as a DRM utility, not for user security. Because signing here included properties of the medium the software was deployed on, so you couldn't just copy it to another CD/DVD.


From the page: https://developer.apple.com/documentation/xcode/notarizing_m...

> Notarization is not App Review. The Apple notary service is an automated system that scans your software for malicious content, checks for code-signing issues, and returns the results to you quickly. If there are no issues, the notary service generates a ticket for you to staple to your software; the notary service also publishes that ticket online where Gatekeeper can find it.

Perhaps the software connected to a website that was flagged as malicious by Apple. That’s one way I could see it getting flagged.


The developer's website (software.charliemonroe.net) is blocked by my ISP (Vodafone UK)'s adult content filter. This is strange as it does not appear to contain any adult content.

I don't think it's related to it being a "YouTube downloader" app either. There are many apps with this functionality and, so far as I can tell, none of the others are blocked.


Could also be caught sharing an IP range with a banned website :-|


> This is strange as it does not appear to contain any adult content.

I've seen a number of times where a compromised web site will have a bit of javascript inserted into it that only shows the malicious payload to certain people from certain geographies or browsing history or operating systems, etc... It might be there, but not showing it to you.


most of the internet is blocked by those mobile carrier content filters


In 20ish years of using the mobile internet, going back to WAP days, I've never visited a site that was blocked by a mobile carrier content filter.


I've come across a few strange blocks. Recently, when researching bread knives, I found that the website of the French knife company Opinel is blocked by at least two UK mobile carriers' content filters. (www.opinel.com, blocked by Three and Vodafone. Not blocked by O2.)

Their US site (www.opinel-usa.com) is not blocked, however, nor are the many online retailers which sell their knives.


I suspect this is why:

> Ever wished you could save a video from the Internet? Search no more, Downie is what you're looking for. Easily download videos from thousands of different sites.


Is there something wrong with downloading videos to my computer?


Apple might think so! I had a popular YouTube downloader app for Mac OS and I spent a lot of time on a port for iOS, but it was rejected from the app store back in 2010. The app reviewer did call me on the phone to tell me -- in fact, she called twice, once to tell me that my app was going into an extended review, and then a few weeks later she called to tell me that my app had been rejected. When I asked what the reason was, she told me to check the review guidelines ("check them again now" she said) and lo and behold, they had added a new guideline about downloading media without explicit IP rights. Moving the goalposts, one app at a time!


Well, if they called in 2010, they definitely can't do it now with the volume of apps.


No, it's more that it's easy to guess the likely cause here:

* a lawyer sends a DMCA request to Youtube

* a Youtube bot looks at the offending request and finds a user agent

* Kicks off automated warning to Apple bot

* Apple bot shuts down developer account

All that's really needed here is a bot to post these things to Twitter and HackerNews and then an API for the service bots to read the complaints and undo the action with a phony apology post


The requests the app makes would not be coming from "Apple". The rest of the scenario is plausible, but it wouldn't be bots it would be humans connecting the dots and sending a manual claim to Apple.


Personally I would say no but it does kind of depend. Tools like this do allow you to save copies of videos that weren't meant to be savable.

The dev's website includes a screenshot of it downloading a bunch of Disney material. That is not a wasp nest I want to shake.


> Tools like this do allow you to save copies of videos that weren't meant to be savable

It's actually computers that allow you to do this. I think this is why there's a war (of sorts) against general purpose computers: they enable you, the user, to do all sorts of things publishers didn't envision or want.


Broadcast and cable TV wasn't meant to be savable, and then VCRs came out and courts decided that saving (time shifting) is absolutely fine. It doesn't in and of itself facilitate sharing.

If it breaks actual encryption (a la DeCSS) then yes, it oversteps.

But TV content stakeholders don't have much pull with convincing VCR manufacturers/distributors to stop supplying VCRs. Apple does clearly have the ability to affect the signing of software.


> If it breaks actual encryption (a la DeCSS) then yes, it oversteps.

I'd counter that if the audio and video get to your eyes and ears, then the content provider has already provided you a decrypted copy of the media and/or the instructions for how to decrypt.

If you had an arm's length valid agreement with the company where you agree not to retain the media, then that's a different issue.


> If it breaks actual encryption (a la DeCSS) then yes, it oversteps.

Don't some jurisdictions have provisions that allow for technical workarounds in order to make backups?


Backups of your own physical media. Downloading videos on YouTube doesn't qualify.


> Is there something wrong with downloading videos to my computer?

Nope. Creating a tool perceived by those with enough lawyers to be a “copy protection circumvention device” however does run afoul of the DMCA.


And platforms doing standing back flips to appease stupid legislation.

Reminds me of YouTube blocking Blender videos... had other reasons though, don't remember exactly, but it had to do with them not monetizing their videos and really, really bad support.


https://www.blender.org/media-exposure/youtube-blocks-blende...

https://news.ycombinator.com/item?id=17347560

Basically they needed to enable monetization since [I assume] Google was taking a non-negligible loss by hosting all of their content for free.


If you think the legislation is stupid, blame the legislators. Companies have to abide by laws, even stupid ones.


They have to abide by them, not enforce them (unless a court order makes them). There's no law against distributing operating systems that allow running of programs that break the law.


So a re-hash of the old "audio tapes will kill the music industry" or "video tapes will kill cinema"?


Nobody here thinks that the law is a good idea or will do anything to protect any content industries. The fact is that despite being enormously stupid, it is still the law.


Yes, I know I'm preaching to the choir here. My point is that with each advance in technology, established industry "actors" panic because they foresee their business going bankrupt. Sometimes this panic is justified, but often it's not, or it's blown out of proportion.

It's not necessarily the law, either. Panicky industry heavyweights may lobby to make it a law, or try to confuse a given tech with copyright infringement, but "downloading videos" is not against the law.


Yep, the whole time they were focused on cassette tapes and Napster, the music industry completely missed the iPod/iTunes threat.


Why does Apple care? It's none of their business.


Because Apple is the one that will be party to a lawsuit if it ever came to pass. One of the negatives of being gatekeeper is you're no longer protected by "safe harbor" provisions. And I have to imagine Apple has enough money to be worth suing, even if it's frivolous nonsense.


iTunes and Apple TV+?


It's against the YouTube terms of service. One characterization of this software is that it is designed to violate the YouTube terms of service.

"The following restrictions apply to your use of the Service. You are not allowed to:

    access, reproduce, download, distribute, transmit, broadcast, display, sell, license, alter, modify or otherwise use any part of the Service or any Content except: (a) as expressly authorized by the Service; or (b) with prior written permission from YouTube and, if applicable, the respective rights holders;"
- https://www.youtube.com/static?gl=CA&template=terms


This doesn't really explain anything. Why is Apple enforcing YouTube's terms of service on a third-party application? Especially via a mechanism ostensibly designed to stop malware.

Is the Transmission torrent client next because it could be used to download copyrighted content?


It's right here in the App Store guidelines:

5.2.3 Audio/Video Downloading: Apps should not facilitate illegal file sharing or include the ability to save, convert, or download media from third-party sources (e.g. Apple Music, YouTube, SoundCloud, Vimeo, etc.) without explicit authorization from those sources. Streaming of audio/video content may also violate Terms of Use, so be sure to check before your app accesses those services. Documentation must be provided upon request.

https://developer.apple.com/app-store/review/guidelines/#int...

As to the why, because Apple could be sued by third parties for allowing this behavior for apps that Apple has vetted.


The app in question, Downie, isn't in the App Store. Why would it be subject to the App Store ToS?


Unfortunately


"downie"? could it just be the name? https://www.urbandictionary.com/define.php?term=Downie

though if it was that you'd think they would just pull the app and ask him to rename it...


Looking at his website I don't think it is even in the store. What he names it is really none of Apple's business unless it infringed on one of their trademarks.


> What he names it is really none of Apple's business

In any AppStore app, everything is literally Apple's business, considering they get a cut of any money that changes hands and can reject your app for "looking at them wrong".

That's why the whole model is (rightly) controversial.


I think anything that Apple does will be controversial, as there's the anti-fans and fans that are at political war.

But the true controversy is not a curated store, the controversy is that the curated store is the only way for people to load native code onto the device without compiling it themselves on a separate laptop.


As I said it isn't in the app store.


I don’t disagree but we both know that’s not how Apple operates the app store. I can think of a ton of words I would absolutely expect Apple to deny as an app name.


Is it by any chance a straight port of youtube-dl? This and

>The developer's website (software.charliemonroe.net) is blocked by my ISP (Vodafone UK)'s adult content filter. This is strange as it does not appear to contain any adult content.

would explain a lot. In order to download from a pr0n website you need to hardcode that website's domain name inside the program = pr0n filters pick it up = Apple bans it.


Another possible explanation: The developer‘s certificate leaked and was really used to sign malware. Or his github repo was hacked and something evil was added to his code without him noticing. Maybe I’m just rationalizing, because if Apple is really going down the road that most commenters here suspect, then there will be no arm macbook for me unfortunately... :(


So, that's plausible, and I'm trying to wrap my head around the operational model of signed software. Apple has plenty of docs about it [1] [2] [3] but they never really get into "how does this work in the long run when things fail" beyond blithely noting that users won't be able to run your stuff and a host of services will start to fail.

A CRL / OCSP makes sense, more or less, for websites as they can simply abandon a cert.

If the cert leaks, is the remedy really to completely blacklist the certificate? Because that means that anyone who is able to steal the cert can effectively blackmail an author.

I'd definitely want to revoke it, but if there's a set of valid releases, it seems like you'd want to do a partial revocation, e.g. "valid until YYMMDD." Or have a blacklist / whitelist and mark known good releases.

I can't imagine how they don't have a separation of concerns given that app certificates must expire.

[1]: https://developer.apple.com/support/certificates/

[2]: https://help.apple.com/developer-account/#/dev138c9fac7

[3]: https://developer.apple.com/library/archive/documentation/Se...


> I'd definitely want to revoke it, but if there's a set of valid releases, it seems like you'd want to do a partial revocation, e.g. "valid until YYMMDD." Or have a blacklist / whitelist and mark known good releases.

Yes, this is definitely possible, and why Developer ID signing has a secure timestamp, as specified by the --timestamp flag to the /usr/bin/codesign tool.

When Panic's code signing cert was stolen, they revoked it after a certain date, but old versions of their apps continued to be valid and pass Gatekeeper.
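The two comments above (the question about "valid until YYMMDD" style partial revocation and the answer about the secure timestamp) describe a policy that is easy to show in code. The following is an added example written for this page, not Apple's, Panic's or codesign's implementation: a toy validity check over a constructed revocation list and constructed signatures. The class and field names (`Certificate`, `RevocationEntry.revoked_at`, `Signature.trusted_timestamp`) and all serials and dates are assumptions made for the example. It also covers the claim earlier in the thread that an expired certificate does not stop already-signed builds from running, and the edge case a defender cares about: a signature with no trusted timestamp cannot be rescued by its self-asserted signing date once the key is known to be stolen.

```python
"""Timestamp-aware signature validity check (constructed example)."""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, Optional, Tuple

UTC = timezone.utc


@dataclass(frozen=True)
class Certificate:
    serial: str
    not_before: datetime
    not_after: datetime


@dataclass(frozen=True)
class RevocationEntry:
    # Hypothetical field name: the earliest moment the key is treated as
    # compromised. X.509 CRLs carry the analogous "invalidity date" extension.
    serial: str
    revoked_at: datetime
    reason: str


@dataclass(frozen=True)
class Signature:
    cert: Certificate
    # Time the signer wrote into the signature: untrusted, a thief can back-date it.
    claimed_signing_time: Optional[datetime]
    # Time countersigned by a timestamp authority (what `codesign --timestamp`
    # requests): trusted, because the signer cannot forge it.
    trusted_timestamp: Optional[datetime]


def evaluate(sig: Signature, crl: Dict[str, RevocationEntry],
             now: datetime) -> Tuple[bool, str]:
    """Decide whether one signed artifact should still be accepted."""
    cert = sig.cert
    entry = crl.get(cert.serial)

    if sig.trusted_timestamp is not None:
        # A trusted countersignature lets us judge the signature as of the
        # moment it was made, so neither later expiry nor later revocation
        # of the certificate invalidates it.
        t = sig.trusted_timestamp
        if not (cert.not_before <= t <= cert.not_after):
            return False, "trusted timestamp outside certificate validity"
        if entry is not None and t >= entry.revoked_at:
            return False, "signed after revocation (%s)" % entry.reason
        if entry is not None:
            return True, "signed before revocation; still valid"
        return True, "ok"

    # Without a trusted timestamp the claimed signing time proves nothing:
    # whoever holds a stolen key can write any date into the signature.
    if entry is not None:
        return False, "certificate revoked (%s); no trusted timestamp" % entry.reason
    if not (cert.not_before <= now <= cert.not_after):
        return False, "certificate expired; no trusted timestamp"
    return True, "ok (certificate current, not revoked)"


# Constructed sample data (not real serials or dates from the thread).
DEV_CERT = Certificate("01AB", datetime(2018, 1, 1, tzinfo=UTC),
                       datetime(2023, 1, 1, tzinfo=UTC))
CRL = {"01AB": RevocationEntry("01AB", datetime(2020, 8, 1, tzinfo=UTC),
                               "key compromise")}


def demo() -> Dict[str, Tuple[bool, str]]:
    now = datetime(2020, 8, 4, tzinfo=UTC)
    release_2019 = Signature(DEV_CERT, datetime(2019, 6, 1, tzinfo=UTC),
                             datetime(2019, 6, 1, tzinfo=UTC))
    # A thief back-dates the claimed time, but the TSA stamps the real date.
    signed_after_theft = Signature(DEV_CERT, datetime(2019, 6, 1, tzinfo=UTC),
                                   datetime(2020, 8, 2, tzinfo=UTC))
    no_timestamp = Signature(DEV_CERT, datetime(2019, 6, 1, tzinfo=UTC), None)
    return {
        "release_2019": evaluate(release_2019, CRL, now),
        "signed_after_theft": evaluate(signed_after_theft, CRL, now),
        "no_timestamp": evaluate(no_timestamp, CRL, now),
        # Certificate long expired, nothing revoked: timestamped build still runs.
        "expired_cert_timestamped": evaluate(
            release_2019, {}, datetime(2024, 1, 1, tzinfo=UTC)),
    }


if __name__ == "__main__":
    for name, (ok, why) in demo().items():
        print("%-26s %s  %s" % (name, "VALID" if ok else "REJECT", why))
```

Run it and the 2019 release stays valid after the 2020 revocation, the build countersigned after the compromise date is rejected, the build without a timestamp is rejected regardless of what it claims about itself, and the timestamped build keeps running after the certificate expires. The design choice worth noting is that only the timestamp authority's countersignature is consulted for the "before or after revocation" decision; the signer's own time field is carried but never trusted.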


When this actually happened in the past, Apple worked closely with the developer: https://panic.com/blog/stolen-source-code/


Original tweet:

> "Hello everyone, today I woke up to my developer account being suspended without a single letter why which is why the apps are crashing. Please bear with me while I try to get this fixed with Apple. Thank you for understanding."

Not being a Mac developer, the wording about revoking the certificate makes it sound a little more unusual than just their account being banned. Although not nice, I assume that's something that happens a lot.


The developer's account is linked to the certificates used to sign their app binaries. If macOS is set to only allow signed binaries to run, that means this developer's app binaries won't run.

Their customers can work around this by disabling the requirement for signed binaries, but of course that's not desirable and in corporate environments might not be allowed.


I understand that. Just saying that when you word it as the certificate being revoked it's not immediately obvious that's a consequence of the developer account being banned. If the headline was "longtime Apple developer suspended" quite frankly I'd be much less interested, thinking it's a common occurrence.


The developer's website (software.charliemonroe.net) is also blocked by my ISP (Vodafone UK)'s adult content filter. This is strange as it does not appear to contain any adult content.

I wonder if these things are related?


It has an app for downloading videos off YouTube and other video sites. Not sure how much influence media companies have in the UK but maybe that's why?

I know YouTube downloading services have struggled in the past to stay operational.


I don't think so. There are many "YouTube downloader" type apps, and none of the others are blocked as far as I can tell.


I guess I'm too used to Android where you need to install a 3rd party APK.


Other video websites being pr0n by any chance? It would require shipping their domain names inside the binary, which might not make Apple all that happy.


Apple is a media company now. They aren't just distributing (like apple music) but are creating TV shows like Amazon and Netflix.

See Apple TV

I suspect this will bring about conflicts in the company between content creation and the hardware/software divisions.


Remember “Rip. Mix. Burn.”?

Apple thinks different now.


When you are trying to capture a new market, it's best to be open.

After you have the market, you want to close the gates so no one else can have it.

The hypocrisy is real and why I no longer buy apple products.


Just wondered: If the adult content filter is ISP-level, can you deactivate it or like in this case report false positives?

It sounds as Orwellian as Apple's certificate shenanigans.


You can deactivate it by verifying your age with a credit card or photo ID. Vodafone don't seem to offer a way to report false positives, but I've seen that option with other providers.


What age do you have to verify? Don't you already have to be an adult to sign up for service?


18 years old to verify. You don't have to be an adult to sign up for service, it's available as pre-pay etc. Debit cards and bank accounts are also available to under-18s in the UK if co-signed by a parent/guardian.


I’m so curious how this even works? Do all ISPs in the UK have an adult content filter on by default?


I believe the majority of UK ISPs now have content filtering on by default for new connections, and all mobile providers have it.

This is a voluntary industry code of practice, not a legal requirement. For some time there was talk of making it law, enabled by a clause in the Digital Economy Act 2017, but this was abandoned in 2019.

https://en.wikipedia.org/wiki/Web_blocking_in_the_United_Kin...


Update from the developer: https://blog.charliemonroe.net/a-day-without-business/

"after almost 24 hours after 10PM, I got my account re-instated. Apple has called and apologized for the complications. The issue was caused by my account being erroneously flagged by automated processes as malicious and was put on hold."


In other words: you can’t depend on signed mac apps for anything important as a user even if they keep everything local to your computer. The developer could do something completely unrelated and your app will suddenly stop working with no warning.


Which it should. If Apple detects that there's a problem with a cert, they should revoke it.

Presumably, there's a known problem and something isn't working, even if it looks like it is.

Arguably, it'd be nice to have a facility (assuming it doesn't already exist) to override the revocation list, but designing it so that it isn't bypassed by social engineering is tough.


And you can flip a single switch and keep running it? So?


This seems relevant.

“MPlayerX hasn’t been working for almost a year now. Also they still offer my apps on the App Store, they revoked my (direct) distribution certificate...”

https://twitter.com/charliemonroe/status/1290629792430280704...


MPlayerX was caught bundling installer with malware: https://www.reddit.com/r/apple/comments/3bhvh9/psa_do_not_in...

So this could be justified


(5 years ago)


A few tweets down that thread:

> Non-notarized versions will not work well on newer systems (https://appleinsider.com/articles/19/12/23/apple-will-enforc...) and mainly I can't currently even compile the application.


"We’re a small family business making apps for iOS and macOS." https://software.charliemonroe.net/


Sadly, this is what a walled garden results in. Please don't be surprised, shocked or even remotely discontent because by signing the ToS you have waived away any and all of your rights regarding the use and publishing of software in this walled garden. The only reason an issue like this will get "fixed" is when this (post/tweet) goes viral and the PR department will work extra hard to correct this.


Don't know why you are downvoted since you are completely correct. It is unfair to the developer but we wouldn't even have this discussion if people rejected app stores.

I like that more developers just reject software certification processes. There is zero benefit aside from lock in.


Someone said there are security benefits to the user. Obviously nothing is 100%, but there is a benefit. There are also discovery benefits to both sides and trust benefits. I find apps more easily on app stores, and am much quicker to buy an app through the store than from some random website.

Maybe those benefits don’t outweigh the downsides, but to say there is no user or developer benefit is objectively false in both cases IMO.


Right, there might be some superficial advantages but I would question them as well. Sure, I don't expect an Apple or Google app to act as a trojan, but I surely expect any bad behavior under the sun, especially concerning data exfiltration.


As a developer it’s a pain but as a user it’s definitely useful for security purposes. It’s hardly “zero benefit”.


Advantages and disadvantages. It is a bit like a kindergarten for software. At some point you might want to break out of there.

There are severe disadvantages though:

https://medium.com/vchaincodenotary/developers-unite-against...

Additionally, the most predatory kind of app milks your wallet and these come in signed and unsigned forms.

Also, quite a few companies with long time certs have leaked them pretty quickly. Primarily, it is a lock in mechanism with questionable security benefits. Predatory apps can be signed which would have been classified as malware 15 years ago.


Most apps in 2020 are malware by early-2000s standards.


Exactly right. Yet they are fully signed and sold in (supposedly) secure app stores. When people talk about a feature providing security, it's important to ask "security from who?"


I don’t know that I’d call the app store “secure” but it’s definitely more secure to download and run an app from the app store than to download and run an app from elsewhere on the internet. Better the (fully signed) devil you know.


The app store concept is fine, we need a separation of concerns. These are all things I'd rather pay someone else to do:

1. A standard format and tools for code signing.

1b. Actively validating or rejecting code on the end user machine.

2. Purchasing and delivery of software.

3. Trust of code blobs.

They just don't need to be all handled by your OS vendor.
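As an added illustration, not code from this thread or from Apple, here is a Go model of the separation of concerns listed above and of the revocation-list question raised earlier in the thread: a vendor root key endorses a developer certificate, the developer signs the build, and the end-user side verifies chain, validity and a vendor-published revocation list. It assumes Ed25519 keys and an embedded signing time standing in for a trusted timestamp, and shows why an expired certificate leaves shipped builds running while a revoked one stops every build.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
	"time"
)

// DevCert stands in for a developer distribution certificate: the developer's
// public key and validity window, endorsed by the vendor's root key.
type DevCert struct {
	Developer ed25519.PublicKey
	NotBefore time.Time
	NotAfter  time.Time
	RootSig   []byte // vendor root's signature over tbs()
}

func stamp(t time.Time) string { return t.UTC().Format(time.RFC3339) }

// tbs is the "to be signed" encoding of the certificate fields.
func (c *DevCert) tbs() []byte {
	return []byte(string(c.Developer) + stamp(c.NotBefore) + stamp(c.NotAfter))
}

// SignedBlob is an app binary plus the developer's signature over the binary and
// its signing time (the embedded time stands in for a trusted timestamp).
type SignedBlob struct {
	Code     []byte
	SignedAt time.Time
	Sig      []byte
}

func (b *SignedBlob) tbs() []byte { return append([]byte(stamp(b.SignedAt)), b.Code...) }

// Check is the end-user side: it trusts the vendor root and the vendor's revocation
// list. It takes no "now" on purpose: validity is judged at signing time, so an expired
// certificate keeps shipped builds running, whereas revocation is checked at every launch.
func Check(root ed25519.PublicKey, revoked map[string]bool, c *DevCert, b *SignedBlob) error {
	if !ed25519.Verify(root, c.tbs(), c.RootSig) {
		return errors.New("certificate not issued by trusted root")
	}
	if !ed25519.Verify(c.Developer, b.tbs(), b.Sig) {
		return errors.New("code signature invalid: binary modified or wrong key")
	}
	if b.SignedAt.Before(c.NotBefore) || b.SignedAt.After(c.NotAfter) {
		return errors.New("signed outside certificate validity window")
	}
	if revoked[string(c.Developer)] {
		return errors.New("certificate revoked")
	}
	return nil
}

// Scenario issues a constructed one-year certificate in 2019 (long expired today),
// signs a build two months in, and returns the verdict with or without revocation.
func Scenario(revoked bool) error {
	rootPub, rootPriv, _ := ed25519.GenerateKey(rand.Reader) // constructed vendor root
	devPub, devPriv, _ := ed25519.GenerateKey(rand.Reader)   // constructed developer key
	issued := time.Date(2019, 8, 1, 0, 0, 0, 0, time.UTC)
	cert := &DevCert{Developer: devPub, NotBefore: issued, NotAfter: issued.AddDate(1, 0, 0)}
	cert.RootSig = ed25519.Sign(rootPriv, cert.tbs())
	blob := &SignedBlob{Code: []byte("constructed sample app binary"), SignedAt: issued.AddDate(0, 2, 0)}
	blob.Sig = ed25519.Sign(devPriv, blob.tbs())
	revokedList := map[string]bool{string(devPub): revoked} // the vendor's unilateral action
	return Check(rootPub, revokedList, cert, blob)
}

func main() {
	fmt.Println("expired, not revoked:", Scenario(false)) // <nil>: the old build still runs
	fmt.Println("revoked:", Scenario(true))               // certificate revoked
}
```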


The downvotes are because we actually don’t know the full story.

And of course there are benefits beyond lock-in.

Do you know about the attestation service Apple has introduced?

How would you build such a thing on your own?


Regardless of the full story, fact is that Apple (and many other owners of walled gardens) can revoke your access to it at a moment's notice without any explanation whatsoever. The reason for them doing this might be there but they owe you no explanation whatsoever. Some public outrage will put them in a position to make a statement or reconsider their decision. But you have no right to it.


All absolutely correct.

Outrage based on the facts is definitely something Apple should face.

However outrage based on lies is simply another evil.

People who are engaging in it are not doing any kind of public service - they are just adding more harm.


Other than open season on the users with malware out the wazoo. But who cares about security. Do you buy healthcare from the back of a pickup truck?


I don't think it follows that malware is the only possible alternative to walled gardens.

You could still have trust mechanisms while downloading from sites where the author, not the walled garden, has the control.


A lot of authors want to do things that violate the user’s trust, but are hard to detect.

Wouldn’t it be better to have the user have the control?

The walled garden does have problems, but I generally don’t see anyone adding any value to our understanding of how to replace it with something better.


> Wouldn’t it be better to have the user have the control?

It would, but the user has no control of the walled garden either. It's a situation where both the user and the author have little to no control, as well as poor feedback.

I'm not sure walled gardens, with their arbitrary rules, and opaque audit and review processes (which include not knowing how detailed their reviews are), are really a trusty safeguard against malicious authors. Whether you believe walled gardens protect you from malware depends on your definition of "malware".

It's not true that without the App Store there's a world of dangers out there. Author reputation goes a long way.


If you don’t believe that there are dangers out there for general users installing software from the internet, I don’t know what to tell you.

History certainly proves otherwise, as do the number of attempts at putting malware into app stores.

I’d go as far as to say that you are certainly wrong about this and you can trivially verify this by even the most cursory examination of software threat models.

Author reputation goes almost nowhere these days. It’s quite obvious why. There are a huge number of authors producing software.

It’s impossible for more than a few authors to develop a reputation, and even those that do face impersonation.

As to you not being sure how much protection ‘walled gardens’ give. They aren’t perfect, but they clearly work, and you can trivially verify that.

If you think the author or the user can solve these problems without an intermediary, it bears some explanation as to how exactly this could work.

Can you explain?


Somehow the world outside walled gardens exists and it's not a danger-infested world. What's worse, you can't really argue for the quality controls of walled gardens such as the App Store because they are not transparent -- at most you can guess with trial and error.

You haven't explained how the user has more control with walled gardens, a bold and unsupported assertion (I believe we both agree the author has less control with walled garden, at least).

> It’s impossible for more than a few authors to develop a reputation, and even those that do face impersonation.

The first part is a matter of opinion (and I disagree with you). As for the latter: do you really believe the only technical solution to author impersonation is a walled garden? No other form of establishing trust is possible to you? Interesting.

> I’d go as far as to say that you are certainly wrong about this and you can trivially verify this by even the most cursory examination of software threat models.

That isn't an argument. That's just you saying "I'm right and you're wrong".


Can you say where I said a walled garden was the only way to solve any of the problems?

In fact I have consistently agreed about the problems levied against the walled garden model.

I haven’t asserted that the user has more control with a walled garden, although I think they do in practice have more control with an App Store than with nothing.

I’d be curious how you came to the impression that I did - can you explain where I made that claim?

My claim is that walled gardens do introduce problems, but that they currently solve much greater problems for both users and developers than the ones they introduce.

The claim that it’s just safe for people to install software because it’s not dangerous out there is obviously false.

You can say this is just me saying ‘I’m right and you are wrong’, or you can do the most basic research on the amount of cybercrime and plain old scams and how much of it involves malware or impersonation of one kind or another.

If you think this problem doesn’t exist, it would make sense that you don’t see the benefit of App stores, however to deny that it exists in this way is quite surprising, to say the very least.

The issue of reputation isn’t a matter of opinion. It’s a fact. How can I say that? All industries with a significant number of creators and a significant number of consumers have intermediaries. Only the most famous independent producers are independent.

If you can find a counterexample, I would be interested to know about it.

As for believing that the only solution to the issue of impersonation is a walled garden - I don’t know the answer to that.

Maybe some kind of distributed reputation and trust system that doesn’t involve a powerful intermediary is possible.

Perhaps some kind of blockchain or web of trust can be developed.

I’m not at all sure that this is possible - Apple’s attestation mechanism uses hardware keys to create signatures that join a device, a particular user and an app binary.

Without the ability to link all three of these it’s hard to see how a software only solution would work.

But even if an alternative is technically possible, it quite obviously doesn’t exist today. If it did, you’d have just linked to it, and I’d have probably ordered whatever device would allow me to participate.

If you want to continue to claim that App stores solve no real problems or that the problems are trivial, there are no dangers out there etc, then be my guest. I can’t change that belief in you.

If on the other hand, we have good solutions to those problems that don’t require an App Store, then I would love to know about them and if it’s true, I’ll happily concede that I’m wrong.


App stores leave a lot to be desired when it comes to security. In fact it can give users a false sense of security.

https://www.cbc.ca/amp/1.5351280


Sure but Apple is clearly continuing to move in the direction of more security.

The argument that they could be better therefore they are worth nothing, is a clear fallacy.


Then the same is true for letting people just install apps without vendor lock in.


No. That doesn’t follow.

I’m claiming that the App Store solution as it stands is better for most users than just freely installing apps from the web.

It’s not at all clear that the safety of just installing software without vendor lock in is getting better for most users.

In fact it seems to be getting worse.


F-Droid is hardly full of malware. There's a big range between locked down like Apple and "click here to install bonzibuddy" like Windows. It doesn't have to be black or white.


Yet somehow more iOS users have been hit with malware (see Xcodeghost) than Google and Amazon Android users combined, despite there being far more of the latter and despite the latter being able to install whatever they want on their devices.


I don’t see any evidence for that?


I gave it to you. Xcodeghost infected hundreds of millions of users.


Another option would be changing the legislation. I wouldn’t hold my breath in the case of USA but rest of the world should certainly limit the monopoly of walled gardens as it limits the competition.


Apple is not a monopoly.

Additionally this is a Mac app and you can sideload apps on Macs


They pretty clearly have a monopoly on iOS app stores.

Now we can skip the part where somebody says that you can't have a monopoly on your own product and then I point out that monopolies always look like that because their product is the only one in the market, and the reason that android app stores and iOS app stores are different markets is that you can't install Android apps on iOS devices or vice versa.


> Now we can skip the part where somebody says that you can't have a monopoly on your own product

No, we actually cannot skip that part. Or maybe we can skip the part where you are human and not a camel and then discuss how many days you can spend in a desert without water?


We can skip (could have skipped?) that part because I already posted the rebuttal:

> monopolies always look like that because their product is the only one in the market, and the reason that android app stores and iOS app stores are different markets is that you can't install Android apps on iOS devices or vice versa.


Sorry, this is not the rebuttal. You may want to have your own meanings for words, that's fine (I guess), but do not expect others to agree to them.


Surely by moving the goalposts you can make everything look like a monopoly. In the end both mobile platforms have practically the same popular apps.


I feel like it's worth pointing out that in the industry that spurred the development of anti-monopoly legislation, there were ~20 major companies. Or ~150, if you go by the definition of "large" established ~30 years later. (By either definition, there's 7 today in the same industry, if you're wondering).


> Surely by moving the goalposts you can make everything look like a monopoly.

Walmart doesn't have a monopoly on SAE 5w30 motor oil. You can't make it look like a monopoly when it isn't one, because when it isn't you can identify competitors who sell substitute products to the same customers.

> In the end both mobile platforms have practically the same popular apps.

The market they have a monopoly on is iOS app stores, not individual apps.

It's very straightforward. For Google Play to be in the same market you would have to be able to use it to install apps on your Apple iPhone. Since you can't, it isn't, and since there is only one app store that can, it's a monopoly.

Notice that it has nothing to do with the fact that Apple also makes the phones, outside of control over the phone being used to enforce the app store monopoly by locking out competitors. If Amazon for some reason had the only app store for Apple iOS devices, they would be the one with a monopoly in that market.


Walmart has a monopoly on being the only people who can sell products in a Walmart store.


This seems disingenuous. Once you buy an iPhone, you need to buy apps from Apple's store. There is no similar force restricting you to Walmart.

This would be more akin to buying a Ford and then discovering you could only buy parts, motor oil, etc. by visiting your Ford dealer.


Switching from Walmart to Target and back and forth all day long is much easier than switching between phones.

A phone is a natural monopoly.


WTF. I dare any one of you who downvoted this to explain why in public.


HN is an Apple fan club.

Most people here are from Silicon Valley and Apple is the biggest employer over there.

Try to badmouth Samsung in a Korean sub and you get the same treatment.


Because it is a lot of hand-waving bullshit. This "walled garden" talk gets tiring fast. And, uh oh, big surprise, you have to actually behave according to the ToS you signed. How can it be, hmmm? Nobody forces you to sign anything. Go have your own platform and distribution channels. Oh, you want to be where the money is? Well, then. Maaaaybe there is some correlation between being the walled garden and being the place where the money is?


That doesn't invalidate the point, it reinforces it: when you sign up for an Apple-style "walled garden" you cede all control of whether or not your app ships — and, assuming you do ship, whether or not your users can keep using your app.

You being tired of it doesn't change anything. ¯\_(ツ)_/¯


All stores have the power to choose what products they ship.

As a developer I want a store where someone is investing in the safety and security of the ecosystem.

If I want Apple to be able to remove malware from the store, I obviously have to accept that if I make malware, then they may remove it.

The arguments about what they are somehow holding back are completely without merit.

It’s not expensive to buy an Android phone.

Android phones allow both sideloaded apps and alternate stores.

Where are the amazing Android apps that are only possible through side-loading?


Ah, the illusion of control…


I feel bad for the developer. But every time I see stories like this, I also feel a little jolt of validation regarding my choice as a developer to leave the Apple ecosystem in 2008.

At the time, the App Store (iOS) was new, and I was working on porting our SSH-based encrypted remote access tool[1] from Mac to iPhone. I had been doing mainly Mac OS X development for almost 10 years.

I had the proof-of-concept port from Mac to iOS working, but the amount of insane hoops I had to jump through (because it used "strong encryption" (we forked PuTTY SSH)) seemed, initially, like a trip to the DMV. It gradually started feeling more like the movie Brazil.

I remember going directly from WWDC to the local office of (searches old files) the "Bureau of Industry and Security" (wat) and talking to some guy who had NO idea what I was talking about when I told him my company was trying to make an iPhone app that used encryption and that Apple had told me I needed to get his agency's approval. (Nice guy, though.)

Ultimately, working through the Apple documentation, I learned I had to do a bunch of weird stuff, like sign up for antique government systems that only worked on Windows XP, and provide personal info, and make a PIN, and submit an application to SNAP-R, and submit a "BIS-748P supporting document: how the Product meets the criteria of the Cryptography Note as mass market encryption software" along with a "BIS-748P supporting document: additional information to supplement our application for review and commodity classification request, in accordance with Supplement No. 6 to Part 742 of the EAR" along with "BIS-748P supporting document: sample marketing copy and brochure text" and a "BIS-748P supporting document: illustrations depicting the software in operation" and then finally a "BIS-748P supporting document: source code listings for all encryption-related source code used in the product"... that last was a ridiculous 500-page or so hard copy printout of the source code to PuTTY with the few dozen places we'd changed it (to make it multithreaded to fit better with our app architecture, haha, because I was young and dumb then).

And, while I forget a lot of the details (I've just copy-pasted those now, after finding the relevant old files), I remember vividly the moment, sitting there in a Tokyo hotel business center assembling this heavy paper package to FedEx to BIS and just suddenly thinking... wait though — maybe this isn't a game I want to play. We didn't have to do any of this to ship a Mac app — any risk of legal noncompliance was ours, of course, but in reality there was no actual risk. This was all for Apple to cover their ass.

If some government bureaucrat didn't like my application, my app wouldn't ship and the past year of work would be for nothing. And somehow that made me acutely aware that the same thing would be true if Apple for some reason didn't like my app. Like... what if they were planning to roll out similar rich, Mac-centric remote access features in the next OS update. Or, even if they approved it, but later just didn't want to deal with some issue that arose around it — they could just revoke my app any time they pleased.

(As seems to be the case with the app in this thread.)

I thought about this for a couple more weeks, and then I took a corporate job doing internal systems development. The app was never finished.

The lack of my app obviously didn't hurt Apple. But looking back, I do feel like not having to deal with Apple — and that whole weird power imbalance, of being a peasant plowing fields owned by Apple, hoping to receive some part of the fruits of my labor — probably helped me live a more serene, untroubled life.

[1]: iGet Touch (phone apps were still called "blah blah Touch" then, just like many Mac apps from the early 2000s were idiotically prefixed with "i" (^_^); back then) was never finished — but it was basically a native iOS version of the Mac version, long dead but still archived here: http://nakahara-informatics.com/iget


Big companies can't avoid being caught violating the law as easily as micro operations can.


I suspect it has something to do with Apple wading into content publishing and the alliances it would strengthen to suppress even suspected piracy.


How long until you will no longer be able to install unsigned apps on your mac?


Interesting that a few of the apps were also (voluntarily?) pulled from the developer’s website, so we can’t inspect them.


[flagged]


Pretty sure Apple doesn’t have this capability. What you’re referring to is functionality inside Gatekeeper or near Gatekeeper.

Which is where Apple marks an application with a specific signature to be malware or dangerous and the OS automatically removes it. This is similar to an antivirus software removing it.

There’s no login functionality, Apple doesn’t see your data and doesn’t do anything on your machine other than remove the offending application. In addition, I’ve only seen it used once.


Apple's first wish from the genie in a bottle was for unlimited wishes. So it doesn't really make sense to argue over whether Apple only has x-ray vision or also the ability to walk through walls yet.

Gatekeeper is our benevolent dictator that consolidates power with every update because our connectedness increases the potential for widespread damage from our attackers.

And I'm ok with that, but worry we'll regret things later.


Oh look, but one source located with 10 seconds of Googling...

https://techcrunch.com/2019/07/10/apple-silent-update-zoom-a...


Pretty sure you are completely wrong. It's well documented they have done it in the past and publicly made statements about it --but downvote away, idiots!


You are overstating the case pretty wildly.

They have the ability to cause the OS to automatically delete binaries based on checksum, not "remotely login". And every time they have used this awesome power, it has been for good and everybody here would be OK with it.

They have never used this power to like fuck with some developer because he violated YouTube TOS, or used the Taiwanese flag in his app, etc.

As a user, I want my OS vendor to have this power and use it appropriately.


> As a user, I want my OS vendor to have this power and use it appropriately.

As a user I want my OS vendor to have this power with my explicit permission and use it appropriately. I also want to be able to disable this completely if I choose.

There's going to come a time where Apple is going to do something shitty with this ability. Giving up the freedom to run whatever code you want on your computer is dangerous long-term.


> There's going to come a time where Apple is going to do something shitty with this ability.

Or even "someone who has the credentials Apple owns" does it. I presume they require more than one employee to be able to do that, but that only mitigates insider threat, it doesn't remove it. They could also potentially be fooled into doing some damage.

Trust should never be evaluated on whether you think people are trustworthy; bad actors can impersonate, coerce or confuse good actors.


The idiot you are replying to has no clue how apps work on the Mac --remotely killing a bundle identifier is not sufficient to stop a piece of malware. To clean up a mess, they at least have to run a script that makes all kinds of changes, including to launchd, etc. To me that is a remote login --but someone using the F word can argue semantics and get me downvoted and flagged and whatever (as if I give a damn lol --I have 40 years of experience and 30 of it is programming Macs).


Yep, I do share your concern. They so far haven't done anything shitty with this capability (unlike the one the main thread pertains to, which they have done over and over).

There absolutely should be a mechanism to disable the feature, although I think it should be enabled by default.


Pull your head out and stop spouting off your (totally inaccurate) opinion as authoritative.

You do realize you used the F word, referenced the Taiwanese flag and the word "appropriately" all in the same post, right?



