Security researcher discloses Safari bug after Apple delays patch (zdnet.com)
34 points by caiobegotti on Aug 25, 2020 | 11 comments

Another proof that Apple, by restricting use of alternative browsers, does not have a goal of security in mind but control.

> Does Apple permit iPhone users to set a browser other than Safari as the default browser?

> iPhone users cannot set another browser as the default browser. Safari is one of the apps that Apple believes defines the core user experience on iOS, with industry-leading security and privacy features.


It's especially ironic, when you consider the whole anti-competitive lawsuit against Microsoft and them bundling Internet Explorer with Windows back in the day.

Now Apple just gets away with the same thing, but even worse (because they don't even allow other competing browsers on their iOS platform at all).

It's kind of puzzling to me.

I'm not saying I agree with Apple, but the difference is that Microsoft had at the time more than 90% of desktop computer market share in the US. For Apple and smartphones, it's about 50%.

Part of that control they're seeking includes ensuring a positive user experience.

Chrome and Firefox don't really prioritize efficiency anyway, but they're particularly bad in that category under macOS, and that would transfer to iOS versions as well. That's a problem for Apple, because users aren't going to attribute their phone getting hot and draining batteries quickly to their choice of browser, they're going to attribute it to the phone.

If Apple were to allow third-party web engines, they'd likely have to institute an approval process that includes rigorous testing of energy usage, resource consumption, etc., and reject engines that don't meet the bar.

Do they monitor the battery usage and resource consumption of alternative mapping or communication applications? These offer a superior experience over the Apple default, and alternative browsers like Firefox offer a superior experience over the default on Android, but Apple prevents these superior experiences on its devices, leaving its customers vulnerable to security issues like this one with no recourse.

As of iOS 14, you'll be able to change the default browser (and email client). Still no alternative browser engines, but it's a start.

> iPhone users cannot set another browser as the default browser

iOS 14: Here’s an early look at how you’ll be able to change default apps https://9to5mac.com/2020/07/21/ios-14-heres-an-early-look-at...

One of the new and most awaited features of iOS 14 and iPadOS 14 is the option to change the default browser and email apps. Users will have to wait until developers update their apps to be compatible with iOS 14 in order to set them as default apps. However, 9to5Mac was able to try this new feature to see how it works.

>> iPhone users cannot set another browser as the default browser

> iOS 14: Here’s an early look at how you’ll be able to change default apps

I'm not sure you're talking about the same thing. IIRC, Apple forbids other browser engines, but allows alternative browser apps that use the Safari engine.

For instance: Firefox for iOS exists (https://apps.apple.com/us/app/firefox-private-safe-browser/i...), but it's basically just an integration of Safari with Firefox services:

> It is the first Firefox-branded browser not to use the Gecko layout engine as is used in Firefox for desktop and mobile. Apple's policies require all iOS apps that browse the web to use the built-in WebKit rendering framework and WebKit JavaScript, so using Gecko is not possible. (https://en.wikipedia.org/wiki/Firefox_for_iOS)

Apple is really bad at dealing with security researchers, and would rather figure out ways to silence them than prioritize fixing anything. For a more fleshed out argument about this, see this Twitter thread I posted last week (which starts out talking about Epic Games but quickly moves through the Corellium lawsuit to focus on this topic).


I believe the lead here is this part (and goes on):

"However, the real issue here is not just the bug itself and how easy or complex it is to exploit it, but how Apple handled the bug report."

Actual bug and disclosure timeline: "Stealing local files using Safari Web Share API" https://blog.redteam.pl/2020/08/stealing-local-files-using-s...
