undefined | Better HN

0 pointszepto4y ago0 comments

> I am well aware of the sizes of the stores.

So you compared the absolute numbers, knowing it would be misleading.

> Are you aware that the relative amount of malware is is not merely proportionally less?

You wouldn’t expect them to be merely proportionally less.

You’d expect malware authors to put their efforts where the money is.

> People using an iOS device can never be sure they are installing the secure app they wanted to install or some switcheroo.

This is complete bullshit. Apps are signed by developed and by Apple. Were you not aware of that?

> Google's and Amazon's app stores are not open source but built for an open source platform, together have far more users than the Apple App Store and far fewer malware installations.

Doesn’t seem remotely true - here’s just one recent example:

https://threatpost.com/unpatched-android-app-billion-downloa...

And while we are at it, what’s your source for the half billion malware installs you claim on iOS?

0 comments

lern_too_spel4y ago

> So you compared the absolute numbers, knowing it would be misleading.

I gave the absolute numbers thinking you were smart enough to convert 0 proportionally. I certainly didn't know that it would confuse you.

> You’d expect malware authors to put their efforts where the money is.

That would be a good point if the stores were incompatible. However, it is possible to write an app that you can publish to the Amazon App Store, the Google Play Store, F-Droid, and the hundreds of Chinese app stores. Despite this, F-Droid has had zero infections. Despite the Play Store having far more users than the App Store, it has infected far fewer users.

> This is complete bullshit. Apps are signed by developed and by Apple. Were you not aware of that?

You are clearly not aware that the package submitted to Apple is signed by the the developer, and the package delivered to the user is signed only by Apple. Apple (or China) determines what app actually gets to the device. https://developer.apple.com/forums/thread/12880

> Doesn’t seem remotely true - here’s just one recent example:

Your example is a vulnerability in an app that can be exploited to access that app's data. It is not a malware app, and there is no evidence that any users had malware that attacked that app, let alone that any such malware was being distributed by any of the stores. By that standard, 100% of iOS users are exploited because Safari is so bugridden.

Half billion was an external estimate for xcodeghost. Apple's internal estimate pegged the number of users infected by just half of the identified malware apps at 125 million. https://www.vice.com/en/article/n7bbmz/the-fortnite-trial-is...

zeptoOP4y ago

>> Doesn’t seem remotely true - here’s just one recent example: > Your example is a vulnerability in an app that can be exploited to access that app's data. It is not a malware app, and there is no evidence that any users had malware that attacked that…

It doesn’t matter. Your claim: “Google's and Amazon's app stores are not open source but built for an open source platform, together have far more users than the Apple App Store and far fewer malware installations.” is still bullshit.

https://www.pandasecurity.com/en/mediacenter/mobile-security...

> I gave the absolute numbers thinking you were smart enough to convert 0 proportionally.

We’ve established that this the targets are not proportionally attractive.

> I certainly didn't know that it would confuse you.

This is a public conversation, I’m sure you didn’t expect It would confuse me, but it would obviously mislead casual readers. Have you considered this?

> That would be a good point if the stores were incompatible. However, it is possible to write an app that you can publish to the Amazon App Store, the Google Play Store, F-Droid, and the hundreds of Chinese app stores. Despite this, F-Droid has had zero infections.

That still doesn’t mean it’s worth targeting f-droid. Unless you have numbers on attempted malware that has been blocked from the f-droid store, and similar numbers for the other Android stores, this like of reasoning is complete bullshit.

> Despite the Play Store having far more users than the App Store, it has infected far fewer users.

How do you know?

>> This is complete bullshit. Apps are signed by developed and by Apple. Were you not aware of that?

>> You are clearly not aware that the package submitted to Apple is signed by the the developer, and the package delivered to the user is signed only by Apple.

What makes you think I’m not aware of this?

> Apple (or China)

Are you suggesting that China gets to re-sign software going to devices either a) inside and/or b) outside China?

Everyone knows that all governments can legally require Apple to block apps. Unless you are claiming that China can do more than this, this is another obviously misleading statement.

> determines what app actually gets to the device. https://developer.apple.com/forums/thread/12880

Yes, Apple determines what app gets to the device. Who in the world would think otherwise? - it’s part of their marketing for the iPhone.

lern_too_spel4y ago

> What makes you think I’m not aware of this?

> Yes, Apple determines what app gets to the device. Who in the world would think otherwise? - it’s part of their marketing for the iPhone.

You used to think otherwise. You claimed that the package sent to the device was signed by the developer. It is not. Apple (or China) works as a MITM who can modify the package however they like with no way for the user to verify that malware hasn't been inserted. F-Droid allows the user to verify that the package contents hash the same as what they would build locally.

> Are you suggesting that China gets to re-sign software going to devices either a) inside and/or b) outside China?

Yes. Because the App Store has this MITM vulnerability and China gets to MITM all US services (with blessed MITM status for iCloud that even defeats Apple's "E2E" encryption for their other services), they can replace the Signal package with a compromised one.

>> Despite the Play Store having far more users than the App Store, it has infected far fewer users.

> How do you know?

Unlike Apple; F-Droid, Google, and Amazon allow security researchers to analyze apps on their respective stores instead of blocking their access. Lower case count despite higher test rate isn't a guarantee that fewer people have been infected, but it is strong evidence for that conclusion.

1 more reply

j / k navigate · click thread line to collapse

0 comments

lern_too_spel4y ago

> So you compared the absolute numbers, knowing it would be misleading.

I gave the absolute numbers thinking you were smart enough to convert 0 proportionally. I certainly didn't know that it would confuse you.

> You’d expect malware authors to put their efforts where the money is.

> This is complete bullshit. Apps are signed by developed and by Apple. Were you not aware of that?

> Doesn’t seem remotely true - here’s just one recent example:

zeptoOP4y ago

https://www.pandasecurity.com/en/mediacenter/mobile-security...

> I gave the absolute numbers thinking you were smart enough to convert 0 proportionally.

We’ve established that this the targets are not proportionally attractive.

> I certainly didn't know that it would confuse you.

This is a public conversation, I’m sure you didn’t expect It would confuse me, but it would obviously mislead casual readers. Have you considered this?

> Despite the Play Store having far more users than the App Store, it has infected far fewer users.

How do you know?

>> This is complete bullshit. Apps are signed by developed and by Apple. Were you not aware of that?

>> You are clearly not aware that the package submitted to Apple is signed by the the developer, and the package delivered to the user is signed only by Apple.

What makes you think I’m not aware of this?

> Apple (or China)

Are you suggesting that China gets to re-sign software going to devices either a) inside and/or b) outside China?

Everyone knows that all governments can legally require Apple to block apps. Unless you are claiming that China can do more than this, this is another obviously misleading statement.

> determines what app actually gets to the device. https://developer.apple.com/forums/thread/12880

Yes, Apple determines what app gets to the device. Who in the world would think otherwise? - it’s part of their marketing for the iPhone.

lern_too_spel4y ago

> What makes you think I’m not aware of this?

> Yes, Apple determines what app gets to the device. Who in the world would think otherwise? - it’s part of their marketing for the iPhone.

> Are you suggesting that China gets to re-sign software going to devices either a) inside and/or b) outside China?

>> Despite the Play Store having far more users than the App Store, it has infected far fewer users.

> How do you know?

1 more reply

j / k navigate · click thread line to collapse