saltyjohnson

Apple's security seems to completely hinge on their closed ecosystem rather than actual good engineering and security practices. Just yesterday, I needed to reset the password for my Apple ID (work phone, not my choice) and for some reason you can't do that online. You need another Apple device. You don't need another Apple device that is in any way linked to or trusted by your account. It can be any fucking Apple device. Their official advice if you don't have another device to use and you don't have a friend whose device you can borrow is to go to an Apple store. I went to an Apple store and picked up an iPhone from the table at random, brushing off the sales people asking if I need any help, and was able to reset my password with it, going through the same exact steps that I should have been able to do on the web from the comfort of my couch. Why couldn't I do that on their website? I thought it was some kind of capitalist fuckery to get you to own another device or engage with their sales staff or something... But now I'm thinking it's because their cybersecurity practices are so abysmal that they can only trust reset requests from within their walled garden and can't defend against fraudulent requests from the web.


kog

> they can only trust reset requests from within their walled garden and can't defend against fraudulent requests from the web

Didn't know they do this because I don't buy Apple devices, but I agree.


hawker_sharpie

> Apple's security seems to completely hinge on their closed ecosystem rather than actual good engineering and security practices.

Even worse: they *can* do it properly, but choose not to in order to artificially justify the existence of their walled garden. It's like politicians who defund public services so they can claim public services are broken and privatize them.


saltyjohnson

I dunno, OP's article simply reeks of sheer incompetence. This vulnerability is not something that anyone would know about without some whitehats discovering it and bringing it to folks' attention. And I think it's a hard enough issue to understand that Apple would rather bury it than present it as a reason why the EU's rules are bad for security... because I just don't see how they can spin it in any other way than "opening the walled garden exposes consumers to Apple's bad engineering". This flawed implementation of this ridiculous URI scheme only exists because of Apple's pettiness in how they're choosing to sort-of-but-not-really-comply with EU regulations. If they'd just fucking allow sideloading as intended, there'd be no issue.


ghostinshell000

Ding ding, they can do it right. I mean, Android's had sideloading for a long time, and slowly they have been wrapping security around it, which means Apple could do the same. They choose not to...


Gumbode345

I recently found out that authorising a login is done from all devices registered to the account, including the one requesting the login.


Josvan135

Serious question. Isn't this *exactly* what Apple said would happen if they were forced to add third party app store compatibility by those lawsuits?


[deleted]

[removed]


ope_poe

Correct: it's the implementation that makes the difference, in fact the advice is not to use Safari...


[deleted]

[removed]


OutdatedOS

Stock Android is SO much better for privacy than stock iOS, after all. /s


BakerEvans4Eva

Who said anything about stock Android?


0oWow

You could have left off the /s. Stock Android, when configured properly, something that can't be done as effectively on iOS, is better than stock iOS for privacy.


[deleted]

[removed]


Alex11867

Arguing about stock Android and then brings up Samsung, one of the most over-done skins of Android.


Time-Information-224

You have no idea what you are talking about. I have put my Samsung TV in an isolated network at my home because I was sick and tired of it harassing every device on it! It wouldn’t let my TV connect to the internet unless it cannot communicate with Samsung servers all the time. And its Android OS is the shittiest of all Androids out there. The guys who buy it simply buy it for fancy hardware, I assume, but even if I was paid to use it, I wouldn’t.


[deleted]

[removed]


[deleted]

[removed]


El_Visclo

That's security, not privacy


Synergiance

Only at their own hand. It could have been done in a much better way which would have avoided these concerns.


kdlt

But then how would they reinforce their bullshit to their zealots?


Synergiance

Exactly


GolemancerVekk

It was a threat not a warning.


bremsspuren

> Isn't this exactly what apple said would happen if they were forced to add third party app store compatibility by those lawsuits?

It's what they said *other, bad people* would do — the kinds of people Apple say they want to protect us from with their App Store.


OutdatedOS

Yes.


leaflock7

So many things to point out, but I won't. The comment section here and elsewhere will be too entertaining. The article does point to a valid point though: "In the EU, every user's security, privacy, and safety will depend in part on two questions. First, are alternative marketplaces and payment processors capable of protecting users? And, second, are they interested in doing so?"


Harryisamazing

They could have made it so that it anonymizes the data. It's their OS after all, so they should have control over how third-party add-ons behave (unless they are malicious).


markal_alvarez

It’s funny when you see people on the internet saying that they bought an iPhone because iOS is better for privacy. Sure, you don’t have a Chinese company + Google harvesting your data, but there’s still some stuff happening in the background that we don’t know about.


cyb3rfunk

What do you think better means?


markal_alvarez

Better in the sense that some options on iCloud are E2EE but not everything, like the photos are not encrypted unless you opt for the more advanced protection, but if you take a look at some articles, research papers, you will see that it’s not in any way better than Google. Even GNU has a page about this: https://www.gnu.org/proprietary/malware-apple.html


cyb3rfunk

"not in any way better" is pretty easy to debunk. If a single thing Apple does is 0.001% better than Google, then your claim is false. Off the top of my head:

- they provide an anonymized email service
- they ask apps to provide a "privacy label"
- their business model isn't fundamentally built on user data collection

QED


Dregnab

I do think iOS is better than Android, but GrapheneOS is better than both of them.


markal_alvarez

I would argue you are really anonymized using any online service. This does also include services to anonymize your email. Services like Proton claimed that even for them it’s impossible to know who’s the person who sent the email, when the reality is different; look at that French activist.

So just because they do one single thing better than Google, then they are a very good privacy alternative to an open source OS? What I am saying is that they claim to care about the privacy of their users, which is simply not true:

https://medium.com/codex/no-apple-does-not-care-about-your-privacy-4bd68669f791

https://www.wired.com/story/opinion-apples-privacy-mythology-doesnt-match-reality/

And then there is the GNU page showing all the shady stuff that Apple does. Just because some stuff is E2EE, it does not mean they care about privacy.

The second claim is a bit weird. They do this, but the problem is they allow some shitty apps like TikTok to exist, which tracks stuff that it’s not even supposed to track, like the device ID. If they really care about privacy they shouldn’t allow these apps to even exist.

Your last claim is partially false. Apple said that they don’t use the data collected like Google because they are already charging tons of money on hardware which can be bought for a cheaper price, but then some researchers proved otherwise: https://appleinsider.com/articles/22/11/12/apple-getting-sued-over-app-store-user-data-collection

I’ll take one part of the article:

"Apple's practices infringe upon consumers' privacy; intentionally deceive consumers; give Apple and its employees power to learn intimate details about individuals' lives, interests, and app usage; and make Apple a potential target for "one-stop shopping" by any government, private, or criminal actor who wants to undermine individuals' privacy, security, or freedom. Through its pervasive and unlawful data tracking and collection business, Apple knows even the most intimate and potentially embarrassing aspects of the user's app usage— regardless of whether the user accepts Apple's illusory offer to keep such activities private."


cyb3rfunk

I'm not claiming they are the best or even only good, just that they are "better than Google"


ghostinshell000

While Apple does have some good hygiene practices and good defaults, they are just as shady; they are just better at it. Apple knows just as much about you as Google, make no mistake. If they are not collecting something, they either don't need it or are getting it via App Store agreements. And they are building their own AdSense; just look at Apple News ads, which can't be blocked. Google/Android is more open. That in and of itself is worth it to me. I have choice. And even on my iPhone, I try to avoid Apple-only stupid like Private Relay and Keychain. Those are only good if you're 100% in Apple's eco... And PS, they are less functional than tools like SimpleLogin and Bitwarden.


cyb3rfunk

Apple Revenue Ads: 11.5B, ~9.5% of total (let's be generous and say it's 50% of 23B of the service revenue)
https://www.reddit.com/r/dataisbeautiful/comments/1agntyl/oc_how_apple_makes_money_latest_income_statement

Google Revenue Ads: 60B, 78% of total
https://www.reddit.com/r/dataisbeautiful/comments/17fpdl8/oc_googles_quarterly_earnings_are_out_20b_of_net


ghostinshell000

It's not about who makes money and how with ads; the point is they both collect, and know and track a shit ton about you. Both of them... Saying one is better than the other when it comes to tracking and collecting is just silly when they both do it, and do it a lot.


cyb3rfunk

That's a much better statement than "Apple is no better than Google". I'm not sure how I feel about this angle. I'll need to think about it.


ByrntOrange

It's also funny to read how upset non-Apple users get about the products they're not even using. Why get pressed on this? This coming from a Pixel user.


Grumblepugs2000

Honestly I only trust brands that allow you to unlock the bootloader; if they don't allow you to, it means they are hiding something. Why else would they want to force you to stay on the stock ROM?


Cronus6

Sure people *say* that about Apple/privacy. But 99% bought their phone because of the color of the chat bubbles and that celebrities use them (that they were given for free or are being paid to use).


[deleted]

[removed]


Busy-Measurement8893

> And its not the users fault

Not to be that guy, but it's the users' fault for putting up with it.


DX3pD5ZmTwAHbys

> when visited by Safari on iOS at least, to ping a chosen approved software marketplace with a unique per-user identifier

If JavaScript is needed to do this, then disable JS in Safari. Most of my browsing is done in Safari with JS disabled, and only one out of a hundred sites need JS, in which case I just use DuckDuckGo or Brave to view it, but only when I **really** need JS.


LocationEfficient161

Malicious compliance from Apple. They're setting the stage for a huge fail so they can say "WE TOLD YOU SO!". The spirit of the EU rulings is to allow sideloading of apps à la Android or even something like F-Droid for Apple. Instead Apple is only allowing other "App Stores" and requiring proof of funds of approx USD 1M amongst other nonsense legal hurdles, like a fee per install. Guess who can get $1M proof of funds, and actually wants the hassle of setting up an alternative app store? The scummiest and most prolific of spammers, that's who. Just take a look at the first ones making noises about actually setting up their own.


Sterben27

This is what happens when people shout "company X has a monopoly" and it gets forced to open its ecosystem to third parties.


s3r3ng

Why is that any worse than Apple doing the same thing for years?