Apple won't let EFF release a DRM-free app

I’m saddened to see EFF – an organization I very much respect – resort to Greenpeace-like sensationalism, using other organizations as a target in order to gain attention for themselves.

It’s indefensible for Apple to insist that creators allow it to add its proprietary DRM to other people’s creative work against those peoples’ wishes.

I’ll tell you what’s indefensible: It’s indefensible for EFF to insist that they somehow deserve to be exempt from the same rules that everyone else must conform to – and in fact the rules that govern the core philosophical underpinnings of the app store – because reasons.

7 Likes

What would be the benefit of that? It would just make paid apps easy to pirate, making it a lot harder for developers to make money. (A big part of the reason iOS has better apps than Android is that devs find it more worthwhile to develop for since there’s less piracy.) Any developer who wants their app to be freely available to everyone can already just price it as free. And anyone who wants to look inside an app to see what makes it tick can just open up the package file in iTunes.

1 Like

Isn’t this strong evidence that making code signing (“DRM”) optional would create an even greater flood of malware?

And yes, technically my phone and tablet are general computing devices. But I use them for more limited and specialized purposes, and on those devices I am much more interested in security and reliability than I am in an abstract “freedom to tinker”. If I’m going to tinker that way on a box it’s damn well not going to be the box I rely on for phone calls and mobile access to the Internet. I bought a Raspberry Pi for tinkering instead.

If code signing and DRM were the same things maybe? Not sure how to answer this since they aren’t the same thing. You sign your own apps before submitting them to Apple, the DRM is bundled around the app per localized app store tied to the purchaser’s Apple ID so that they cannot install other people’s apps, nor apps from other regions’ stores. Code Signing != DRM. It is the DRM that keeps a person from Canada from installing apps from the USA Apple app store, or you from sharing an app you purchased with a friend, not in ensuring an app is approved by Apple, that is the double layer signing.

Yes they are technically general computing devices, and much much more powerful than most people realize. The OS that runs the phone part of your iPhone is chock full of security issues and holes that are not patched. The locked general purpose computing iOS side that is the walled garden isn’t locked for security nor does it run the phone part of the hardware other than providing an interface for the dialer. It is locked solely for financial market control. Locking down the functionality doesn’t increase the security of the phone, that is a common misconception. The DRM part doesn’t add to the security, the signing does. Google app store requires you to sign submitted apps but doesn’t require DRM. If you only install signed apps on an Android device your device is just as secure, you just have the option to do more if you choose, that is all.

Did you know the iPhone is more powerful than most circa 2002 computers and just as if not more capable? The iPhone 5 was more powerful than the fastest Mac PowerBook ever made! These aren’t wimpy single purpose devices in our pockets, they are far more capable than you realize. When you unlock the power of the device in your pocket it is really a very powerful computer you have there that can do some truly amazing things. You might not have interest in that personally, but that doesn’t negate the ability. I have a friend who has a jailbroken iPhone 5 that he uses a bluetooth mouse and keyboard with and a wireless monitor, so his iPhone acts as his full on regular computer, he does all his writing, web browsing, email, everything most people use computers for, all wirelessly from the cigarette pack sized micro-computer in his pocket. There is a reason over 6% of US iOS devices are jailbroken (36% in China).

While not what’s being discussed this is interesting to consider when underestimating the computational power in your smartphone: Smart Phones vs. Vintage Super Computers

No one would ever force you to tinker on any device you didn’t want to. :slight_smile: It is nice to have that option though if you do want to. Your old iPhone that you are no longer using can be used as an Apple TV if you jailbreak it, it also makes a killer wifi router, just to name 2 things it is very capable of doing if allowed, in fact it can do both at once with power to spare. These things aren’t locked down for your benefit or security, the manufacturer doesn’t provide any way for you to unlock them for your own purposes even though you “own” them. That is the point of the jailbreaking software, control over something you own so you can make your own choices if you choose to do so, no one has to jailbreak, but the option to open the device’s functionality should be available from Apple really, imho.

For people like the EFF, VLC, any open source project. Many open source projects can’t spawn iOS versions because they are under licenses that do not allow DRM. Apple could still provide the option to DRM without requiring it. The whole point is you don’t have to choose all or nothing one or the other, you can allow both options to exist.

4 Likes

I know… Stop giving them your money.

EFF wants me to install their begging bowl alert app but doesn’t want me to use signed code. Makes perfect sense.

…and I can give only one like. :frowning:

The “freedom to tinker” is EVERYTHING BUT ABSTRACT!

You should have a choice. One checkbox somewhere in the configuration. It should be your choice to not uncheck it. You never know in advance when such insta-jailbreak will be useful for you too; even if you are interested in the box’s “security and reliability” today, you may want to be able to reuse the thing as something entirely different, manufacturer-unexpected and unapproved once you decommission it from its original duty.

Your insistence on not having a choice is indirectly harming everybody including yourself.

I think I addressed it a moment ago. You are wrong and your imagination regarding possible uses and reuses of your gadgets is grossly limited.

Look at what you are using it for, apps-wise; many don’t even need to touch the cellular radio. It is a general computing device, and you are merely confused by its form factor disguise.

This.

Like, being all a-ok technically and security-wise, but going against some obscure corporate rules of The Fruit?

And it would be totally the users’ responsibility. Do the people need The Fruity Policeman to protect them even against their will?

Why not give the people a choice? A checkbox to disable the signing annoyance at user’s desire will do. And/or an ability to manually approve a single application.

The major butthurt people have with GPL seems to me to be the inability to take something for free, pervert it and make it incompatible, and then release it out. The LGPL flavor for libraries is a good example how things can work well; the important parts that deal with file formats and comm protocols are “untouchable” and you can keep your secret sauce in the rest of the binary if you are inclined so.

And this is a major argument against the Walled Orchard of Apple.

Could there be some sort of e.g. a browser plugin to round the prices? (Isn’t it out there already?)

5 Likes

They want to put the website in your face (general usage of “your”).

The Apple approval process is a massive security theater. It seems like they’re keeping you safe, surely they must be, otherwise they’d just be doing this to harass and bully all the small developers for nothing.
Except that they don’t really test for stability, or security, or to protect its end users.
If they did they would be sending developers clear feedback and statement on that fact, instead it’s a meaningless statement that you violated one of the ten thousand ambiguous rules of their mystic tome, but not to worry if you just resubmit a day later the exact same submission will magically no longer violate any rules.

5 Likes

From what I understand, you need to agree to their EULA just to get the dev kit which requires agreeing to not do that.

2 Likes

If the agreement is unenforceable, just lie. Lying to a megacorp is not even ethically wrong.

3 Likes

I think you can get Xcode without joining the dev program right? Or, how do high profile developers do it? eg: PDANet, IntelliScreen, 3G Unrestrictor etc?

The always-on signing requirement is a big reason why iOS is still more secure than Android.

Really? So if signing was always required, then Android would be just as secure?

Funny, signing is always required on Android.

3 Likes

Installable web apps are cool and easy to write, but they aren’t as integrated into the OS as native apps. Specifically, they can’t run in the background or push notification, which sound like something the EFF app would want to do.

FWIW, I understand the (security) reasons behind this and don’t have a problem with it. After all, that’s what Phonegap is for.

The DRM complaint about software whose source you can make easily accessible on Github seems really specious.

I’ve been an iPhone developer since 2008 and previously worked at Apple for 16 years, so yeah, I understand the basic facts about performance. They’re pretty off-topic for this thread, anyway.

I think you’ve misunderstood or just ignored my point about preferring my phone to have security over hackability. It’s nice that it’s so fast, yes. That does not imply that I want to hack the device or tinker with it. There are plenty of other small-but-fast thingies out there I can do that with, which are not mission-critical to my everyday life.

Many open source projects can’t spawn iOS versions because they are under licenses that do not allow DRM.

Well, from my point of view that’s the fault of the license. I won’t work on projects that have restrictive licenses like the GPL. Fortunately most stuff I run into nowadays uses friendly licenses like Apache, BSD, MIT…

2 Likes

That doesn’t mean much since the code doesn’t have to be signed by anyone trustworthy (like the Google store.) Users can install apps from Joe-Bob’s Warez Barn or from an email attachment:

“You have the option of installing Android apps and games from sources other than Google Play (sometimes known as sideloading). The problem is that many third-party app stores are not safe. If you choose to download an APK file and install it yourself, you could be putting malware on your device. You may also be sent an APK file in an email or a text message, or you could be prompted to install one after clicking on a link in your web browser. It’s best not to install these unless you are certain it is safe.” –Digital Trends

This is no security at all, really. Or rather, it’s putting the responsibility onto the end user, who typically knows nothing about computer security.

How many actual pieces of malware have made it onto the Apple App store?

How many have made it on to Google Play?

The answers, as best as I can discover:

1 proof-of-concept app made it to Apple’s App store. It ceased working under iOS7. It required the app to download and assemble snippets of code into actual malware.

For Google Play, the numbers seem to range from “only a few” to “thousands”

That’s pretty good theater.

2 Likes

There are lots of non-Apple tools that let you develop code that will run on jailbroken devices:

http://iphonedevwiki.net/index.php/Main_Page

1 Like

Unsigned or unDRMed? Pretty sure you don’t need DRM to have authenticated code.

2 Likes

There is nothing that keeps open source projects off of the App store.

edit: It appears that VLC is not currently available, though. No reasons have been given for this, so the public is left to speculate if it was VLC or Apple that pulled it. VLC devs say it will be back this year:

http://www.tuaw.com/2014/12/30/vlc-for-ios-to-return-in-2015/