> Yes, Apple determines what app gets to the device. Who in the world would think otherwise? - it’s part of their marketing for the iPhone.
You used to think otherwise. You claimed that the package sent to the device was signed by the developer. It is not. Apple (or China) works as a MITM who can modify the package however they like with no way for the user to verify that malware hasn't been inserted. F-Droid allows the user to verify that the package contents hash the same as what they would build locally.
> Are you suggesting that China gets to re-sign software going to devices either a) inside and/or b) outside China?
Yes. Because the App Store has this MITM vulnerability and China gets to MITM all US services (with blessed MITM status for iCloud that even defeats Apple's "E2E" encryption for their other services), they can replace the Signal package with a compromised one.
>> Despite the Play Store having far more users than the App Store, it has infected far fewer users.
> How do you know?
Unlike Apple; F-Droid, Google, and Amazon allow security researchers to analyze apps on their respective stores instead of blocking their access. Lower case count despite higher test rate isn't a guarantee that fewer people have been infected, but it is strong evidence for that conclusion.
False. If I claimed that, you’d be able to quote me.
> … (or China) works as a MITM who can modify the package however they like
Seems like this is total bullshit. Do you have any evidence that China can modify the packages?
>> Are you suggesting that China gets to re-sign software going to devices either a) inside and/or b) outside China?
> Yes. Because the App Store has this MITM vulnerability and China gets to MITM all US services (with blessed MITM status for iCloud that even defeats Apple's "E2E" encryption for their other services), they can replace the Signal package with a compromised one.
This seems like bullshit. There is no indication of an MITM vulnerability between the developers and Apple, nor is there one between Apple and users. China cannot MITM packages based on what you have said so far.
Yes, Apple can change package contents. Numerous App Store features make use of this to deliver partial packages and device specific binaries.
Nothing about this mechanism gives China an MITM.
>>> Despite the Play Store having far more users than the App Store, it has infected far fewer users.
>> How do you know?
> Unlike Apple; F-Droid, Google, and Amazon allow security researchers to analyze apps on their respective stores instead of blocking their access. Lower case count despite higher test rate isn't a guarantee that fewer people have been infected, but it is strong evidence for that conclusion.
So you misled people by claiming this as fact, when it’s actually just speculation.
How do you know the case count is lower, and the test rate is higher?
Your claim about aggregate Android malware numbers being lower than iOS was false: https://www.pandasecurity.com/en/mediacenter/mobile-security...
Here you go:
>> People using an iOS device can never be sure they are installing the secure app they wanted to install or some switcheroo.
> This is complete bullshit. Apps are signed by the developer and by Apple. Were you not aware of that?
If you are now going to claim that when you said apps were signed by the developer, you didn't mean the apps sent to the device, that quoted response makes no sense in that context. I interpreted your response as charitably as possible.
> Seems like this is total bullshit. Do you have any evidence that China can modify the packages?
I explained how app distribution works and assumed you could work it out. It looks like my assumption was mistaken, so here it is step by step:
1. The package sent to the device is not signed by the developer but by Apple or China. https://www.quora.com/Is-iMessage-encrypted-in-China
2. China's firewall sits between users and servers outside of China. https://en.wikipedia.org/wiki/Great_Firewall
3. The Great Firewall routes the app store download request to a proxy that injects malware and resigns the package with their own key, which is trusted by the device.
Interesting that you seem unworried that Apple's own privileged MITM position allows it to insert malware, which governments can request.
> There is no indication of an MITM vulnerability between the developers and Apple, nor is there one between Apple and users.
Once again, the biggest MITM is between the developer and users, which F-Droid's reproducible builds prevent.
> Your claim about aggregate Android malware numbers being lower than iOS was false:
My claim was about malware from the Play Store and the Amazon App Store.
Please stop calling claims bullshit (you've done this five times now) just because you are unwilling to follow the logic and want me to spell it out. If you need help understanding an argument, just ask for it.
It makes perfect sense. The apps are signed by the developer and uploaded to Apple. Apple signs them for delivery to the device. Importantly, both paths are protected.
Nothing I said before or after contradicts that.
> I interpreted your response as charitably as possible.
No. You read something into it that simply isn’t there.
> Seems like this is total bullshit. Do you have any evidence that China can modify the packages?
> 1. The package sent to the device is not signed by the developer but by Apple or China.
This is a false statement. There is literally no evidence anywhere to support the idea that China is signing iOS packages delivered to devices.
> https://www.quora.com/Is-iMessage-encrypted-in-China
> 2. China's firewall sits between users and servers outside of China. https://en.wikipedia.org/wiki/Great_Firewall
> 3. The Great Firewall routes the app store download request to a proxy that injects malware and resigns the package with their own key, which is trusted by the device.
None of the links you have supplied substantiate the claim that iOS devices trust a key from the great firewall.
If you have a link that does, I would be interested to see one, otherwise I think we can safely assume for now that this is a lie. You know there is no evidence for it, but you are claiming it anyway.
> Interesting that you seem unworried that Apple's own privileged MITM position allows it to insert malware, which governments can request.
I’m not unconcerned about that, but your claim is that China can sign iOS packages without Apple’s knowledge, which is a very different issue.
>> Your claim about aggregate Android malware numbers being lower than iOS was false:
> My claim was about malware from the Play Store and the Amazon App Store.
Yes and it is false.
> Please stop calling claims bullshit (you've done this five times now) just because you are unwilling to follow the logic
I have followed the logic. It relies on unsupported claims, some of which it appears may be outright lies. I think that is bullshit.
It makes perfect sense. The apps are signed by the developer and uploaded to Apple. Apple signs them for delivery to the device. Importantly, both paths are protected.
Nothing I said before or after contradicts that.
> I interpreted your response as charitably as possible.
No. You misrepresented my response.
> Seems like this is total bullshit. Do you have any evidence that China can modify the packages?
> 1. The package sent to the device is not signed by the developer but by Apple or China.
This is a false statement. There is literally no evidence anywhere to support the idea that China is signing iOS packages delivered to devices.
> https://www.quora.com/Is-iMessage-encrypted-in-China
> 2. China's firewall sits between users and servers outside of China. https://en.wikipedia.org/wiki/Great_Firewall
> 3. The Great Firewall routes the app store download request to a proxy that injects malware and resigns the package with their own key, which is trusted by the device.
None of the links you have supplied substantiate the claim that iOS devices trust a key from the great firewall. If you have a link that does, I would be interested to see one, otherwise I think we can safely call this a lie. You know there is no evidence for it, but you are claiming it anyway.
> Interesting that you seem unworried that Apple's own privileged MITM position allows it to insert malware, which governments can request.
I’m not unconcerned about that, but your claim is that China can sign iOS packages without Apple’s knowledge, which is a very different issue.
>> Your claim about aggregate Android malware numbers being lower than iOS was false:
> My claim was about malware from the Play Store and the Amazon App Store.
Yes and it is false.
> Please stop calling claims bullshit (you've done this five times now) just because you are unwilling to follow the logic and want me to spell it out. If you need help understanding an argument, just ask for it.
I will continue to call out lies and bullshit when it’s clear that is what is being presented. You have so far not substantiated the facts you have been challenged on, and your arguments rely on claims which you can’t support.
It makes perfect sense. The apps are signed by the developer and uploaded to Apple. Apple signs them for delivery to the device. Importantly, both paths are protected.
Nothing I said before or after contradicts that.
> I interpreted your response as charitably as possible.
No. You misrepresented my response.
> Seems like this is total bullshit. Do you have any evidence that China can modify the packages?
> 1. The package sent to the device is not signed by the developer but by Apple or China.
This is a false statement. There is literally no evidence anywhere to support the idea that China is signing iOS packages delivered to devices.
> https://www.quora.com/Is-iMessage-encrypted-in-China
> 2. China's firewall sits between users and servers outside of China. https://en.wikipedia.org/wiki/Great_Firewall
> 3. The Great Firewall routes the app store download request to a proxy that injects malware and resigns the package with their own key, which is trusted by the device.
None of the links you have supplied substantiate the claim that iOS devices trust a key from the great firewall. If you have a link that does, I would be interested to see one, otherwise I think we can safely call this a lie. You know it’s not true, but you are saying it anyway.
> Interesting that you seem unworried that Apple's own privileged MITM position allows it to insert malware, which governments can request.
I’m not unconcerned about that, but your claim is that China can sign iOS packages without Apple’s knowledge, which is a very different issue.
>> Your claim about aggregate Android malware numbers being lower than iOS was false:
> My claim was about malware from the Play Store and the Amazon App Store.
Yes and it is false.
> Please stop calling claims bullshit (you've done this five times now) just because you are unwilling to follow the logic and want me to spell it out. If you need help understanding an argument, just ask for it.
I will continue to call out lies and bullshit when it’s clear that is what is being presented. You have so far not substantiated the facts you have been challenged on, and your arguments rely on claims which you can’t support.