159
First ever iOS trojan discovered — and it’s stealing Face ID data to break into bank accounts
(www.tomsguide.com)
to the largest Apple community on Lemmy. This is the place where we talk about everything Apple, from iOS to the exciting upcoming Apple Vision Pro. Feel free to join the discussion!
Apple Hardware
Apple TV
Apple Watch
iPad
iPhone
Mac
Vintage Apple
Apple Software
iOS
iPadOS
macOS
tvOS
watchOS
Shortcuts
Xcode
Community banner courtesy of u/Antsomnia.
This is a small taste of what sideloading will bring to all of your parents who own iOS devices!
I honestly can’t wait for the gong show to begin.
Just like the cookie law and GDPR before it, the intention might be good, but the implementation is so botched that it’s just going to be a huge mess.
Hope a couple of emulators and porn apps will be worth it for those that advocated for this crap.
Most of the advocates for it use Android instead anyway and aren't likely to be impacted at all.
Android users are not forcing you or pushing for how Apple users use their phones. I don't get where this adversarial stuff comes from. We already have this feature.
sideloading or not, you can just socially engineer vulnerable folks into installing trojans you your phone. as proven by this post.
there will always be a way regardless if you are stuck inside a competition-free walled garden or not.
MFA or not, you can always social engineer people into getting access into their bank account. There's even SS7 attack for SMS based MFA. So, let's just abolish passwords and MFA all together and everyone hold hands to sing Kumbaya and be hippies together.... right? No, of course not. You do not weaken an established system because there's ways for bad actors to act maliciously. Vast majority of Apple users doesn't care for side loading and would benefit from the security that comes with the walled garden, very few Apple users (and the Lemmy user base does not a represent a statistically significantly broad representation of the user base) knows enough to care for otherwise, but are now getting dragged along for the ride.
Thats like blaming a knife for the users inability to understand you have to grip it by the handle.
That vast majority can continue using their phones as if nothing ever happened. Nobody is forcing them and more choice is good.
Even if they are not using the feature they will benefit from competition in the space. That's the only sane way within capitalism. This far outweights the very small perceived risk a very small minority of users may or may not be subjected to the very same social engineering attack thats already being exposed by the article.
Its not us Lemmy or Android users pushing for this and dragging you along, we already have that feature, its fine. Its regulators wanting to mitigate the effects of a monopoly and this is benefical for the industry as a whole.
Again, you even said it yourself, most users can (and will) always keep the feature off anyway. Nobody is forced to use it and Apple will sure make it difficult anyway.
There are plenty of apps people are forced to install; apps used for international airport entries, apps that’s used by everyone professionally, or worse yet, that one state-owned chat app grandma uses back home because everyone else uses it around her. All it take is one of them deciding they don’t want to be part of the strict review process and that their ability to further spy on their users are worth the core technology fee, and now people would be forced to use third party app stores with questionable review process. The “scare screen” before they add the third party App Store? That’s just going to be another thing users blindly click through due to notification fatigue.
At least for the time being, the current proposal put forth, Apple should still theoretically be able to revoke apps from third party app stores, and they still retain entitlement (sandbox/low level hardware access) signing rights. Once those checks and balances are taken away… then all hell breaks loose and those not super tech savvy (read: 99%+) will be hurt the most. At least I am comfortable enough to look out for myself 🤷
android can sideload apps since its inception and this was never an issue. i doubt it will be with ios.
Because Google already lets apps do anything they want no matter how malicious. There's no reason to leave the Play Store.
Apple has people sneak past their rules on occasion because screening is hard, but they have and enforce rules that protect your privacy that malware companies like Facebook don't want to follow.
Android has a permission system (with flaws) not too dissimilar to iOS.
Both systems had apps sneak past it in clever but very similar ways to bypass them. Both were curbed by screening after being found.
I really doubt Facebook will force anyone to install their app from outside the store. You are talking about something that normies will barely be able to do.
I'm not talking about permissions.
I'm talking about their store policies. Google is far more permissive about malicious behavior than Apple is. Companies that have no reason to bypass the play store because it already allows them to spy to an obscene degree will bypass the App Store when given the opportunity, because it does not.
I dont think Google is as permissive as you say, but regardless, they won't. Try and get a normie to enable and install a sideloaded app on Android and you will see what I mean.
The amount of social engineering required just makes this point moot. Might as well get them to do the same MDM attack illustrated in this article. Its not any less secure.
Facebook can and will.
The entire reason they don't on Android is because there's literally no benefit to it.
They won't because most users won't be able to.
The permission system on both OSes is baked into the OS itself not the store. Theres literally no benefit to it on either platform unless Meta starts distributing actual OS exploits.
This is very unrealistic.
It absolutely has happened on Android. The Russian government has launched their own app store, as an example of a state-owned-and-operated third party app store.
Additionally, once both iOS and Android are opened up, the capability to control the end-to-end distribution on both platforms simultaneously becomes a much larger incentive for major corporations; gone are the days where some users receives some features earlier because the other app store have not pushed the update yet -- they control it end-to-end.
I mean, I should be abundantly clear: simply operating a third party store does not equate to malicious intent. Some would argue the corporation case above could be considered beneficial for users. However, having third party stores with varying degree of security capabilities increases attack vectors for bad actors, and thereby making it more difficult for everyday users to manage -- an additional layer of complexity iOS users have not had to deal with for many years and very very few has signed up for.
Are all russians forced to use it? If so did that come because of sanctions? If thats the case you just highlighted a great reason to open up. If not I don't really see an issue because thats the whole reason behind this change.
Big corpos will never choose to force users to do things the hard way unless they absolutely must. Most normies wouldn't be able to use their product. And most privacy protections are built into the OS, not the store.
And if some gvmnt wants to spy and control its users they will regardless of how restricted the walled garden is, the NSA and similar exemplifies this perfectly.
Let's park the specific geopolitical powers for a moment, because I cannot speak on behalf of countries and their intentions.
People are inherently different, and have different mindsets and believes. You and I clearly don't fully agree on whether or not iOS App Store should be opened up for example; and while our lack of alignments are fairly benign, there will always be entities on different ends of our own individual biased points of views. Some of these are relatively minor (like the App Store), others are far more significant (like privacy concerns). There are plenty of world powers that would prefer to have access to more private information, and they are, as of today, without third party App Stores, having a much harder time doing such on the Apple iOS ecosystem. This is because in order to run anything, you'd have to get through Apple's stringent review process, and while there are plenty of terrible things we'd like to see gone from the App Store, they've got years of experience in heuristic detection, are generally fairly good about detecting malicious apps, and can revoke notarization when something does slip through.
Now, a hypothetical world power with drastic different view than you or I (and we don't even have to agree with each other here) could start their own third party App Store, and bypass a lot of the checks and balances currently in place. "Don't install that app store, and don't install apps from it" is not an answer if they are in a position of power over you for whatever reason. I've called out a couple; maybe you need to pass through their country and their travel authorization at their airport is done via an app distributed only through their own app store; maybe you have family residing in such an area, and their only way to communicate with you is through a chat app through such an app store; etc. etc.
That is the problem this opens up. And while government entities have a lot of surveillance capability, they're not having a lot of success with modern day end-to-end encryption, which is why there's continuous legislative attempts against encryption while hiding behind the guise of child protection / anti-terrorism / national security / etc. etc., and the demand is often to have government known backdoors in the encryption -- I trust you're savvy enough to know how absurd that sounds that we don't need to go into detail here.
Everything that's came to light so far seems to create a net negative experience for vast majority of iOS users -- third party stores that peels away layers of security and losing ability to use PWA are just two casualties we've became aware of so far. The gong show will likely continue and we'll just have to wait to see what else comes to light as it further plays out.
My point this whole time is that this hypothetical world power doesn't need an open store to make things easier. If they did, they would be doing this to Android already. And no, its not unnecessary because the relevant checks and balances are mostly baked into the OS, not the store. This simply ain't a thing.
Getting users to install spyware by their own volition is much harder than simply cooking up an exploit to spy on users, or spying directly through the ISPs. Or by triangulating your location through cell towers. Or by legislating backdoors.
I specifically mentioned the NSA not to be political but because they are verifiably already doing the things you said can hypotetically be done, but to both OSes, right now, despite the security measures in place, and for many many years now. Police can effortlessly hack any phone through 4g using equipment called stingrays, right from your pocket, look that one up. There was never a need to make iphones more open and fair to the users to make it happen. Beause its already happening regardless.
Apple is probably peddling this security narrative, but its a fallacious argument at best. And it happens every single time we force them to be good against their will.
I clearly hit a brick wall here so imma just head out, have a good day, and relax about it, its gonna be good for everyone if it comes to pass.
Eh, it’s already possible without sideloading
It's almost impossible without sideloading, requiring heavy social engineering and it is lockable by Apple. Whereas it has the possibility to become common-place with sideloading as it's requested in the lawsuits from Epic and by most of the anti-Apple folks on reddit/lemmy.
My parents android devices (with optional sideloading) are fine.
I have a feeling iOS users will be about the same despite Apple's attempts to fearmonger it.
Exactly. It would be complicated to pull off something like this via side loading given that Apple’s proposal requires apps to be hosted on an alternative store rather than just being a single app that you could download (like APKs on Android). The paragraph below from their Newsroom post about the changes being made also suggests there will still be some form of app review happening for apps even if they aren’t being hosted on the App Store.
It would be easier for a scammer to use an MDM profile like they did with this scam rather than trying to trick people into side loading.
TestFlight isn’t the same as sideloading. And preventing sideloading has no effect on your IT illiterate relative handing over MDM control to a malicious actor.
Would you blame sideloading if your relative gave a random “fraud specialist” at their bank their online banking password and they had their bank account drained? That’s the essentially same kind of attack that happened here
You missed my point entirely. Once sideloading is available Trojan authors no longer need you to install an MDM to infect your parents devices.
They will still have to social engineer the target to get it enabled and installed.
I get your point, but where I don’t agree is that sideloading is more insecure than already exploited systems. What safety does disabling sideloading provide when the same user vulnerable users are able to be socially engineered to bypass several restrictions and install the test flight app or a management profile to give hackers control?
It’s not as if sideloading is going to be allow users to click a malicious ad that pops in at the last second where the real download button should be. It is going to behind the same multiple step processes that the current test flight or MDM vectors are
What safety does several layers of effective safety that removed this threat quickly and obviously prevented it from becoming a widespread issue provide?
And that is not what people are pushing for for sideloading. People want to be able to have alternative app stores with their own sets of rules that will not require test flight or MDM vectors.
The app was available (via testflight) to download even without sideloading...
And got kicked off by Apple, as per the article... A thing that can't be done in the future that a lot of people who use Android want to force onto Apple users.
I think the current proposed implementation would still allow Apple to revoke apps from third party stores, and they'd still control entitlements internally. Having said that, there's plenty of pushbacks already, and I haven't caught up as to whether or not EU approved their proposal yet. In all cases, as I said earlier, just like the cookie law and GDPR, the DMA maybe came from a good place with some good ideas, but the implementation is so broken, what companies will do to comply with the word of the law will be a gong show.
This is not Android users forcing anything upon you. Its about antitrust. No one will force you to enable sideloading.
Hell, Apple will probably heavily discourage anyone from trying it.