thinking about my iPhone-using non-nerd family, i believe the security warnings are a good thing and should not be outlawed.
a good part of recommending an iPhone to non-technical people has always been that it does not have Android's massive security problems. it feels like the EU is doing its citizens a(nother) disservice here.
People should stop pretending Apple products are secure in any sense of the word. Pegasus software and similar have been working just fine on iPhone. For literal _years_.
Apple is fundamentally incapable, and more to the point unwilling, to protect the users from external threats but especially from Apple itself. They are abusing their control over iOS and strip mining the users for data regardless.
Nation state level malware is an entirely different threat profile to the one most people are worried about when it comes to their non-tech relatives. Most people are more worried about protecting their relatives from the mobile phone equivalent of “Bonzai Buddy”, not “Stuxnet”.
Except in that case, the RDF is still so strong that Gruber literally tried to shrug it off as being "not that expensive, for a scam":
> > Instead, the scam LassPass app tries to steer you to creating a “pro” account subscription for $2/month, $10/year, or a $50 lifetime purchase. Those are actually low prices for a scam app — a lot of scammy apps try to charge like $10/week.
(emphasis mine)
Lucky people, I guess? They could have been scammed for more?
He also claims, without any way to know, that "it doesn't look like this was made to steal LastPass credentials".
The whole article is very much a "yeah it sucks and shouldn't happen, but this is no big deal, really, why are you getting all up in Apple's face about it?" vibe.
When people say Apple products are secure, we’re not saying they’ll stand up to the world’s top hackers, we’re saying when we visit grandpa we won’t find that he’s installed a toolbar in his browser that’s vacuuming up his bank password every time he types it. I know that if one of my relatives installs a sketchy app suggested by a popup, it can’t sit in the background and snoop on them without even being opened. There’s no Cha$e app in the app store pretending to be the official Chase banking app.
For sure it’s still possible to “hack” someone who is using Apple products (using social engineering for instance) but entire classes of mischief are off the table because of how Apple locks things down.
The purpose of Lockdown is for people who (a) have a reasonable chance of being targeted by state actors and (b) if they were would expect significant impact to their wellbeing.
For everyone else the existing security controls are more than sufficient.
This whole legislation probably wouldn't exist if Apple wasn't so greedy and manipulative for all these years. Apple has been bundling real security with brazen anti-competitive behaviors, pretending they're all or nothing.
If you don't want to be overcharged 10x for payments, the only option is fraud and malware (as opposed to processing payments at a market rate, or allowing vetted payment providers, having APIs for external subscriptions integrating with iOS's subscription management, etc.).
Sandboxing and app reviews for malware are great, but Apple bundled them with rejecting apps for competing with Apple ("duplicating" their functionality), mentioning competitors' names, lower prices elsewhere, or showing nipples anywhere (nipples can't hack your iPhone). They've been intentionally blurring the line between what they select as appropriate for their boutique child-friendly store, and what users have a right to do with devices they thought they own.
> i believe the security warnings are a good thing and should not be outlawed.
Here's the thing. They're only warning on non-App Store apps, which to me is also problematic, because it creates a perception of security on the App Store which isn't actually real. LassPass, anyone?
Apple can allow actual turds like that on the App Store without a security warning, but the most inspected/reviewed app on an external store is getting a "downloading this app may be risky".
At minimum, I think iOS should have something similar to the system in macOS which blocks known malware/badware.
Some kind of local heuristics that can flag suspicious apps and inform the user when something fishy may be afoot may also be good. There are a number of patterns common to malware/scamware that an ML model should have little trouble picking up on — weird domains, convoluted URLs, recognizable brand mimicry, etc.
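One way to prototype the brand-mimicry part of the heuristic this comment suggests, as an added example that is not code from the thread or from Apple: fold common look-alike characters, then flag listings whose name sits within a small edit distance of a known brand while coming from a developer other than the brand's own. The brand list, the `BRAND_OWNERS` developer names, the homoglyph table and the sample listings are all constructed for illustration.

```python
"""Local look-alike check for app-store listings (added example, constructed data)."""
import unicodedata

# Constructed table of characters scammers commonly swap in for letters.
HOMOGLYPHS = str.maketrans({"$": "s", "@": "a", "0": "o", "1": "l", "3": "e", "5": "s", "|": "l"})

# Constructed placeholders: brand (normalized) -> developer account that legitimately owns it.
BRAND_OWNERS = {
    "lastpass": "example-lastpass-dev",
    "chase": "example-chase-dev",
    "paypal": "example-paypal-dev",
}


def normalize(name: str) -> str:
    """Strip accents, fold case, map look-alike symbols to letters and drop spaces."""
    decomposed = unicodedata.normalize("NFKD", name)
    stripped = "".join(c for c in decomposed if not unicodedata.combining(c))
    return stripped.lower().translate(HOMOGLYPHS).replace(" ", "")


def levenshtein(a: str, b: str) -> int:
    """Edit distance with insert/delete/substitute, using a rolling row (O(len(a)*len(b)))."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_listing(app_name: str, developer: str) -> str:
    """Return 'ok', or a reason string explaining why the listing looks like brand mimicry."""
    norm = normalize(app_name)
    for brand, owner in BRAND_OWNERS.items():
        if developer == owner:
            continue  # the brand's own listing: never mimicry of itself
        d = levenshtein(norm, brand)
        if d == 0 and app_name.casefold() == brand:
            return f"exact brand name '{brand}' from unverified developer"
        if d <= 2:  # "LassPass" vs "lastpass" is 1; "Cha$e" folds to "chase", distance 0
            return f"look-alike of '{brand}' (edit distance {d})"
    return "ok"


if __name__ == "__main__":
    for name, dev in [("LassPass", "random-dev"), ("Cha$e", "random-dev"),
                      ("LastPass", "example-lastpass-dev"), ("Calculator", "random-dev")]:
        print(f"{name!r} by {dev!r}: {check_listing(name, dev)}")
```

The threshold of two edits is a starting point; on a real catalogue it would be tuned against the false-positive rate for short, common words.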
> Apple customers already voted with their wallets, myself included.
And I'm an Apple customer who is pushing for this. And writing this very comment from a Mac Studio connected to a Pro Display XDR while my MBP sits on a stand next to my iPhone and iPad, and my Apple Watch on my wrist.
We are not homogeneous, and this borderline conspiracy isn't useful.
I don’t think asking who is behind the lobbying is a conspiracy theory - in fact ignoring it is probably more dangerous.
Most Apple users don’t care about third-party stores or even know what that means. The ones that do and also want it aren’t big enough to lobby, so it’s companies with something to gain that are doing the lobbying. Nothing conspiracy about that.
It's a bit like the EU thinking that by forcing websites to surface their advertising partners/personal data practices it will encourage people to visit less privacy-invasive websites, when instead it's now rare to find a website that doesn't have the privacy click-through, making the web that little bit more tedious. Amusingly EU's favourite children epicgames.com and spotify.com have to show these pop-ups due to their data collection practices while "evil" apple doesn't have to show these pop-ups because they're not abusing visitor data.
As for 3rd party app stores: Despite the EU's head-in-the-sand approach, I do expect that 3rd party stores will abuse direct access to customers to use dark patterns to exploit additional unwanted purchases, stymie refunds and make it difficult to unsubscribe. Why? Because this is what businesses such as Epic Games, New York Times and Spotify already do with their direct customers. It doesn't have to be malware to be a scam. People cheering for Epic Games seem to forget that just over a year ago Epic Games settled with the FTC for over half a billion dollars in fines for abusing their customers with predatory practices and invading the privacy of children(1).
Side note: It's also rather sickening to see EU's DMA regulators such as Thierry Breton(2) using the marketing hashtag #freefortnite on their tweets. What a perfect demonstration of their lack of neutrality and promoting a company found to exploit its users. They clearly are not working in the interest of consumer protection, that's just a red herring for protectionism.
I always decline the tracking from the websites so the EU laws had an effect giving me the option to decline.
At my work we also did updates, for example purging the user data when they close their account.
See, changes happened. Too bad that most websites decided to make the popups super evil and try to make it hard to decline; the EU did not ask the websites to implement them like that, some other evil capitalists decided that screwing humans for a few dollars is worth it.
I see this as a failure of the legislation and entirely foreseeable. That’s why I blame the EU because “evil capitalists” existed back then too.
I use that example because if the EU wanted to encourage websites to not abuse user data, their legislation didn’t mandate that and the result we have today was entirely expected. Instead they should have legislated for that consumer protection directly.
My point here is that the EU acted naively when they wrote that legislation and I see a repeat of this unwillingness to truly address the problem with the DMA - currently EU politicians are promoting the potential fringe benefits of the DMA while ignoring the much larger, much more probable consumer harms. Noting the FTC fine against Epic Games and Fortnite, certain EU politicians are even promoting one of those “evil capitalists”.
It is plainly foreseeable how the DMA will directly hinder small developers and harm consumers, the only true winner from the DMA are large developers of well known software such as Microsoft and Spotify, whereby the DMA significantly tilts balance in their favour.
GDPR is not about websites or the internet, it applies to everything, so the law should not dictate a UX. Be patient; slowly these popups will be declared illegal by the justice system, companies will pay the fines and will fix them.
I think the IT / tech people need to decide on some standards here and not have the EU force one on them. There are some laws about age verification; this shit could have been solved by tech decades ago, where you set the user age in the computer/phone OS when you create the account, then the OS and browsers work together to ensure under-18s do not access adult websites or apps. Then when concerned parents buy a phone for their children and set up their email/account, they just enter the birthday and the OS/browser will have to do the work to filter the content.
But the tech crowd was busy with other shit and conservatives/religious types will force us all to suffer the consequences and prove my age to Google/Steam/YouTube ...
It doesn't affect me on a personal level so it's not a discussion about idealism and having patience.
What I'm describing is a symptom of failed and naive legislation. It's also an exceedingly slow legislature; the GDPR was finished in 2016 and implemented in 2018. Whatever the EU plans for it, it's already done. You don't need patience, you need acceptance.
Per your comment: An often heard theme is that commercial entities should get ahead of the EU/other governments to stave off GDPR-like legislation. However this is not just naive to commercial operations, but also to politics:
Once a government makes clear their intention to regulate a practice, businesses scale back their own plans to self-regulate, for the very simple reason that any solutions they would devise are now out of their hands. Whatever changes they implement would only by chance align with the government's mandate. When we compare privacy protections invented by Apple versus those mandated by the GDPR we see extremely different approaches to the same problem, and Facebook's financials show that Apple's technological approaches have been far more effective, while also not projecting certain "protectionist" themes that are a recurring aspect of EU legislation (i.e. the politics side of introducing protectionism policies and mass surveillance while crying "won't somebody think of the consumers/children").
A final issue that I'll simply allude to is that many comments on HN are not just poorly researched, but absent knowledge of even recent events. Head in the clouds kind of stuff. Malware isn't hypothetical. Data collection corps such as Facebook and Google using side-loading to subvert OS-level protections/review processes isn't FUD, it's already happened.