Apple won't let EFF release a DRM-free app

Funny how Apple also manages to stop such disreputable people like Amazon from opening up their app store.

So, you go buy a shiny new $500 iWhatever, and you still don’t actually OWN it because you do not get the final say about what goes on there.

That is why I like Android. If there is an app that Google does not allow, I can get it from other sources. I can even get Android Apps from HUMBLE BUNDLE!

Imagine buying the newest Chevy to find out that you can only buy gasoline and tires at Chevy dealerships. Yeah, it’s kind of like that.

5 Likes

Again, for the majority of iOS users, myself included, this doesn’t seem to be a problem.

I’m happy there are choices like this in the smartphone market. I’m happy I don’t have to run a virus scanner on my phone.

Remember that this is an IP-capable device that is always on, knows where you are, and contains your most private of communications. This is why I don’t jailbreak or attempt to install from Cydia. This is why if I were Android-inclined, I wouldn’t install apps from anything but the most trusted of sources.

Edited to add:

Actually it’s nothing like that. Tires and gasoline are consumables that your car will not run without. All consumer cell phones work out of the box and do not require apps to function.

A more apt comparison might be: imagine buying a car that contains a GPS device and discovering that you could only load maps from a single vendor.

1 Like

Let’s be realistic here. You NEED apps. If not, you would save yourself a lot of time and money by just buying a basic flip phone. Apps are the whole reason for owning a smart phone.

Now, as to security, it also depends upon motive. Do you think that allowing another app store would also impact their ability to suck every last penny from their customers?

I remember when Apple went after Amazon wanting 30% of each book sale through the Amazon app. Was that about security?

Apple also went after DropBox for pretty much the same thing. Security again?

Sorry, but their very history shows that they are all about locking people in and trying to squeeze every last penny out of them. If this were NOT their history, I might agree with you about security.

I would rather be free in a harsh land than be trapped in a velvet prison.

4 Likes

Incorrect. I would estimate that 90% of my smart phone usage is in apps provided with the phone. What makes a smartphone truly useful is the Web and there’s a great browser bundled with every iPhone.

Do I make use of other apps? Surely. But the iPhone launched (quite successfully) without the ability for 3rd parties to write apps for it. As a phone, an iPod, an internet browser, an email device, a camera, a pager… it works quite well out of the box. I completely reject the idea that Apps are the “gasoline” of the cell phone world.

I’d say the non-Apple apps I spend the most time in are probably Facebook and a CTA tracker. Both of which could be done through Safari, but I find the native apps to be a bit faster.

Irrelevant to the conversation about security, and a statement that shows you have a profit-motive-based bias against Apple.

There’s no reason it can’t be both, but frankly that profit-motive doesn’t bother me very much. It apparently doesn’t bother the app developers very much either as they still earn far more from Apple’s ecosystem than they do from Android’s, despite a massive imbalance in install-base.

It’s good we have choices, then, isn’t it? When it comes to my phone, it doesn’t feel like a prison at all to me.

You know what’s hilarious? Android is immune to the equivalent of the Masque attack EVEN IF YOU INSTALL FROM OTHER SOURCES. That’s what happens when you don’t base security on a walled garden.

5 Likes

[quote=“Kevin_Harrelson, post:42, topic:49632”]So, you go buy a shiny new $500 iWhatever, and you still don’t actually OWN it because you do not get the final say about what goes on there.

That is why I like Android. If there is an app that Google does not allow, I can get it from other sources. I can even get Android Apps from HUMBLE BUNDLE![/quote]

So buy an Android device, and be happy. I’ll buy an iPhone, and I’ll be happy. Everyone gets what they want, and everyone wins.

It’s just a wee bit preposterous to suggest that the world must conform to your personal wishes when there are clearly many, many people on the other side of the fence that are perfectly happy with the conditions present in the current app store.

1 Like

You mean the MasterKey vulnerability from a couple years back?

Edited to add:

Regarding walled gardens:

This is exactly the sort of thing a walled garden is designed to prevent.

If you read what I said, I explained how many open source projects are written under or include code that prohibits DRM, kinda the point of being open.

VLC has been pulled from the App Store 3 times, and yes it is poised to return and Felix has been doing a great job pushing everything in the project forward for its return. He has been very instrumental in getting that back on track, I’ve been in communication with him about this throughout the process. It HAS been available for iOS non-DRMed the entire time, if you are jailbroken, it has never been dropped as a project it has just struggled with staying in the store because of the very requirements being discussed. Don’t believe it? I encourage you to email Felix and ask him yourself. The reasons it was pulled were different each time and complex, but one of the times was because it included a library for decoding that didn’t allow DRM and the library’s author requested the pull.

Also, btw. I replied to all your other previous points, in my reply to @snej, I just chose to reply to his comment because it essentially covered the same points but was clearer and hence easier to address.

But hasn’t because like you said it is the exact same thing as the Masque attack. The wall has zero impact on this type of attack, that isn’t what the wall is for. It isn’t for security at all, it is to prevent piracy and control the marketplace.

2 Likes

No, I address that, and like I say myself the speed is a side tangent and only mentioned to emphasize how powerful the device really is. Ability to control the device, hackability as you refer to it, doesn’t have to be at the expense of security, nor does the existence of one option require the preclusion of the other option. Just because YOU don’t want to “hack” your current phone doesn’t mean you shouldn’t be able to, or that everyone else shouldn’t be able to, or that you might not want to hack an older phone you have lying around for a secondary purpose. If you own a device you should be able to use it as you choose, even if that means agreeing to negate a support period/contract, i.e. I choose to unlock this device and forfeit all future Apple support for this device.

Yes, but you don’t have to install apps from anywhere other than the app store, and Android prompts you if you go to install apps from anywhere else with a security warning, the exact same as when you go to install an enterprise signed app on an iPhone. They are almost identical processes and prompts… If you want to publish on Google app store, you sign the app then Google signs it, the exact same as when publishing on the Apple app store, except the Google app store doesn’t require DRM, which is the point of this entire article/thread. I’ve developed both enterprise and regular Apple iOS apps and Android apps, so I’ve had a chance to work with both side by side, they aren’t as different as you think imho.

3 Likes

No, those attacks are not the same as a Masque attack at all. Those attacks take a legitimate app off the Google Play store, inject malware into it, and then make it available on an alternate download location.

This is absolutely not possible under Apple’s scheme. Injecting code breaks the signing. You can do something like this to jailbroken Apple devices, but not unjailbroken ones, because they can only run apps that are signed by Apple.

If Apple’s walled garden doesn’t provide security, how do you explain the difference in available malware between the two platforms?

Easy peasy: manually vet the trustworthiness of what you are installing from unofficial sources.

It is then your decision to take the risk or not. And it should be your decision to risk it or to play it safe, not a corporate decision to forbid you from trying.

It is not about security. It is about the control of money flows.

And then you cannot run on your own device even your own software you wrote yourself, without jumping through fruity hoops. Bleh.

1 Like

Not strictly On Topic, but sharing because it’s vaguely relevant (and amusing).

1 Like

I was asked to provide an example of where a walled garden improved security. I’ve done so.

It’s quite clear that I’m never going to change the mind of people who are not even willing to entertain the idea that there are real, functional tradeoffs to both approaches, and that some people would prefer that choice to be in their grasp.

I’m quite aware of the advantages of being able to run your own code on devices you own. I put a mod chip into my original xbox and used it as an amazing media center way back in the day of tube televisions and 4:3 ratio content.

But you and redesigned appear to be unable to grasp the concept that there are people who don’t want to worry about the provenance of their software. That don’t want to have to spend 30-60 minutes figuring out if they should trust that flappy bird clone not to pillage their contact list or send all their IMs to a third party. That Apple provides a tangible service to me and several million other happy iPhone owners that is worth the money they make by doing so.

If you cannot even acknowledge that, then I see no reason in continuing this conversation, if there ever was one in the first place.

1 Like

“Those asshats” being EFF, right? Because they are free to pursue any number of other DRM-free alternatives to getting their app on iOS, including a Web app, or releasing the source code so people can build the code themselves for the phone. But those two options don’t let them play the victim and get all sorts of sympathy clicks, do they? Asshats, indeed.

I understand that. I am not opposed to that. They should have the choice of NOT clicking the “root my phone” offer in the depth of the configuration, or NOT going to a non-default app store, or so.

They should however not advocate denying OTHERS the ability to do so. They won’t lose anything by demanding that choice and then not taking advantage of it; but they may gain if they decide otherwise later. You may be happy with what you have today; you aren’t guaranteed to have the same opinion tomorrow if conditions change. Hedging for that alternative is generally a good idea.

By asking for that option you are not giving up the advantages of one side of the tradeoff. You are however gaining the choice of changing your mind and getting the other side later. Could you please explain how you benefit from NOT having this future option?

I would be happy if the Fruit offered a hardware insta-unlock by removal of a SMD 0-ohm resistor or solder jumper, or by scratching apart a designated line on the circuitboard. Even that little is what I would consider friendly behavior.

I repeat: they aren’t doing it for “security”, they are doing it for money.

1 Like

Asshats being those who want to control MY access to things that I want. You can read into that what you want (and I’m sure you will).

1 Like

Read up on the Masque attack again, it HAS been used to replace legitimate apps downloaded from Apple’s store with ones that are injected with malicious content, that is how it got its name. On unjailbroken iOS devices. It is worse than downloading a pre-injected version directly, legitimate apps downloaded from the Apple app store can be swapped out under your nose without you even knowing. But I already explained that several times, you countered with prompted for provisioning cert, I remind you that you get the same prompt on Android in the same situation and once you have the provisioning cert you aren’t prompted again. The last two rounds of attacks that compromised a lot of iOS devices, didn’t prompt as they used pre-installed provision certs, and they swapped out signed apps downloaded from Apple’s app store with ones injected with malicious code. It happened. Twice. Round and round we go again…

I already have. You misunderstand where the security comes from. It isn’t the DRM/wall, it is the double signing. One isn’t required to have the other. Since you conflate those two things over and over again you don’t see the difference between them. They aren’t the same. Also I explain that the base OS has numerous security holes allowing iPhones to be compromised, and qualifies under both your security points, you cannot install anything to it, and it isn’t general purpose computing, how do you explain it being so rife with vulnerabilities if those two things are the basis for security? Or at least that was the question I asked last time…

No we grasp it fully well and explain that in our replies. You don’t have to give up one ability to have the other. You can allow the device to only install double signed apps without the DRM wall, and only if a user agrees to unlock the device at their own risk. Mac OS X does this EXACT thing, Gatekeeper prompts you if you want to install or run an app not signed through Apple’s developer program.

You argue that having the devices locked down makes them not general purpose computers, which is a fundamental misunderstanding of both the architecture, what smart phones are, and how apps work.

If you read our replies more carefully, you’ll see not only do we understand all these points, we address them multiple times.

Last point, you may be “safer” locked in a padded room, but you’ve traded your freedom for that safety. Even though I disagree that the wall is the part that contributes to the safety, if I did I’d still be against it on principle, as I don’t believe in trading freedoms for a false sense of security, either on my phone or in the rest of my life. I’d also never argue that just because I don’t care about certain freedoms that no one else should have them either or fail to see their application or value.

1 Like

I understand the seeming safety and comfort of the padded room. I don’t understand people who insist that it is a good thing they don’t have the key and cannot go out when they want.

1 Like

The problem that “users” like yourself have is that you assume everyone in the business of making products should conform to your view of what makes a “good” product. See, the thing is, you are a minority. Most people just want a product that is secure and does the job it is supposed to. Only a tiny, vocal minority of folks are sophisticated (or bored) enough to want to “hack” all of their devices, etc. So throwing rocks at Apple because of business decisions they have made in order to benefit a large majority of their customers is simply a waste of time. If you don’t like the limitations of a given product, don’t buy it. But don’t assume that just because you don’t like it you have some sort of innate right to argue that they are wrong, you are right, and everything should change to your way of doing things. The free market doesn’t work that way. If you WERE right, everyone would use Android and Windows and there would be no market for more secure or reliable offerings from other manufacturers. That alternatives exist is an ample indication that your contention that they are “wrong” is, in fact, wrong.

Eat shit. Billions of flies cannot be wrong.

I’ll show myself out…

2 Likes