Any software that runs on a system with untested software is compromised. If you are just running a game or something, that is no big deal. If you are running software that has a security component, it is a big deal. In a corporate environment, you go a step farther and only allow software from a very small list. Better yet, you don't allow the user to install their own software at all. IT automatically uploads and updates the software that runs on your device. Each update to an app is examined before it is sent out to users. People can run whatever software they want on their own devices, but they can't touch the company network and quite often, they can't bring their own devices into the building.

Going back to home users, software from third party stores tends to be unreliable at best or trash at worst. If their software is compromising the OS, it will likely make your software look bad. Why deal with bugs that are brought into the system by "Developers" that can't even follow the platform's guidelines?
That's what sandbox is for.

You don't believe in Apple's own security then?

With this mentality it's not about sideloading but about 3rd party software in general.

And keep in mind - sideloading is optional. You don't want to sideload? Fine! Nothing changes for you. Just continue using the App Store as the majority of users would. Do I want to trust something other than the App Store? My choice, my responsibility. Hell, sideloaded software may be even safer than the App Store's. Why? I can compile open source code and sideload it and so it will be code I can review and trust. The same can't be said about the App Store - there have been many cases of fraudulent and sketchy apps there.

You can sideload even today - but you need a developer's account for 99 USD per year. More money to Apple today.
With free sideloading, everyone is basically a developer for free. So nothing changes from the security standpoint.
 
That's what sandbox is for.

You don't believe in Apple's own security then?

With this mentality it's not about sideloading but about 3rd party software in general.

And keep in mind - sideloading is optional. You don't want to sideload? Fine! Nothing changes for you. Just continue using the App Store as the majority of users would. Do I want to trust something other than the App Store? My choice, my responsibility. Hell, sideloaded software may be even safer than the App Store's. Why? I can compile open source code and sideload it and so it will be code I can review and trust. The same can't be said about the App Store - there have been many cases of fraudulent and sketchy apps there.

You can sideload even today - but you need a developer's account for 99 USD per year. More money to Apple today.
With free sideloading, everyone is basically a developer for free. So nothing changes from the security standpoint.
Developer accounts are not sideloading. I have a developer account myself. If I was not able to test my own software, it would be worthless. I just don't want my software running on a compromised device, then take the hit when the compromised device is used to infiltrate my customer's network. All I am asking is a simple flag that says, "If this customer sideloads software from a different app store, don't let them run my code."
 
Developer accounts are not sideloading.
Let's agree to disagree.

A developer account is exactly the same thing as sideloading. You can literally put anything on your own phone with a developer account. And you can do this even without a developer account by self-signing the app (but it lasts only 7 days until you have to re-sign the sideloaded app).

So this all is just about whether to have 99 USD developer account's ability for free or not.

All I am asking is a simple flag that says, "If this customer sideloads software from a different app store, don't let them run my code."
Uh, I really dislike that some developer would manage what apps I have installed on my phone. Fortunately I'm quite sure the EU would not let this idea pass.

Anyway, if you live outside of the EU, you may be in luck. It is expected that sideloading will be limited only (geolocked) to the EU.
 
Any software that runs on a system with untested software is compromised. . . . . .
Good point and I agree. But you seem to trust Apple to make that decision and I seem to trust myself to make that decision. I don't need a nanny telling me how to live my life, you seem to get comfort in that.

I know how often Apple gets that wrong, I know how to easily get past Apple's reviews, I know the dark side that you seem to not want to acknowledge just so you can sleep at night. I also know that if side loading were available I could and would add a firewall that I control, so I can see and limit Apple's and others' nefarious activities.

Apple does not want to open up side loading because it would expose their hypocrisy with respect to privacy and security.
 
Good point and I agree. But you seem to trust Apple to make that decision and I seem to trust myself to make that decision. I don't need a nanny telling me how to live my life, you seem to get comfort in that.

I know how often Apple gets that wrong, I know how to easily get past Apple's reviews, I know the dark side that you seem to not want to acknowledge just so you can sleep at night. I also know that if side loading were available I could and would add a firewall that I control, so I can see and limit Apple's and others' nefarious activities.

Apple does not want to open up side loading because it would expose their hypocrisy with respect to privacy and security.
Just use Wireshark.
 
Let's agree to disagree.

A developer account is exactly the same thing as sideloading. You can literally put anything on your own phone with a developer account. And you can do this even without a developer account by self-signing the app (but it lasts only 7 days until you have to re-sign the sideloaded app).

So this all is just about whether to have 99 USD developer account's ability for free or not.


Uh, I really dislike that some developer would manage what apps I have installed on my phone. Fortunately I'm quite sure the EU would not let this idea pass.

Anyway, if you live outside of the EU, you may be in luck. It is expected that sideloading will be limited only (geolocked) to the EU.
If they do, I won't sell my software in the EU. For the most part, I trust the EU far more than I do the United States. That said, if you run software from a third party app store, every app on your device is compromised. If the newly compromised software connects to your network, then your network is compromised.
 
That said, if you run software from a third party app store, every app on your device is compromised. If the newly compromised software connects to your network, then your network is compromised.
I'm not sure you understand the concept of security. What network are you talking about? Your application backend?

Well, if your application backend relies just on the fact that your app is separated from others - I have some news for you: your backend is not secured and can be hacked easily even without compromised devices.

You have to count on bad actors, and those are able to target your backend without compromising other devices. And if you talk specifically about security of the compromised phone - guess what. That's the responsibility of the phone's owner. That's the responsibility of the user who chose to sideload.

It definitely is not your (developer's) responsibility. Your responsibility is to secure your own backend - and security of your backend definitely does not relate to the compromised phone of the user of your app at all.

Disclaimer: My job includes pentesting and security of the internal networks...
 
When is RealityTWO coming? :D


I mean, this stuff is old news by now. Gimme specs on RealityTWO Gurman! Do we get colors? How about different straps? Can I get one in 24Karat gold? What about suspenders for my battery packs? THESE are the questions that run through my mind...
 
What is the likelihood of seeing a new magic trackpad and keyboard? I'm looking at buying both, but if there's a chance of a new one being announced, I'll wait.
 