Sep 25th, 2019
One of the oft-touted differences between Android and iOS is that Android lets you install apps from 'unknown sources', and iOS does not. This common knowledge is baked into almost all commentary written about mobile device security. For example, there was a lot of excitement after WWDC 2016 when Apple announced that free developer account certificates would be able to load apps onto iOS devices, but this is only for enrolled devices and the apps stop working after a week. There's also a lot of recent talk about Epic's decision to distribute Fortnite for Android outside of the Play Store, which is implicitly impossible with iOS.
The trouble is, though, that this premise is catastrophically incorrect. Anyone can go to a website in Safari, download an app bundle, tap an 'Install' button in an alert that pops up, and the app will be installed. The first time you do this with an app from some rando, you'll also need to explicitly trust the signing authority in Settings. iOS won't tell you how to do this up-front, but it's not hard; certainly no harder than disabling Gatekeeper. No Mac is required, no developer account is required, and the app will run indefinitely. It's about as easy to do as enabling untrusted sources in Android.
This is not hypothetical. This is being done at volume in the wild.
There's a website called BuildStore which sells subscriptions for access to their database of apps that can be installed this way, including open-source emulators and modified versions of apps like Facebook with 'additional features'. Scarier, though, are the places that offer this for free, like iEmulators. Given the cost of hosting and the inherent price of the ability to offer this service (which we'll get into in a bit), it seems reasonable to assume that the people running this free service are expecting to make a profit, somehow.
BuildStore's practice of selling access to other people's open-source software is questionable, but the 'improved' social media apps category offered by iEmulators is terrifying. I am not equipped to disassemble an iOS app and work out what it does, and I don't want to make accusations about any specific application distributors, but if I was the 'Unknown' person who distributes these [social media website]++ apps and I wanted to make money unscrupulously, I know some things that I would do. I'd sell ads and send you paid notifications. I'd use all the compute time I could get to mine cryptocurrency. I'd record everything you did in the app. Once you granted camera permissions, I would never turn them off. Once you granted access to your photos library, I would use EXIF data to build a history of everywhere memorable you've ever been. I'd use each and every API that Apple don't allow to be used in apps distributed in the App Store to gather as much personal information about you as possible, and I'd sell all of it. I'd also, naturally, gather your login credentials.
Twitter ++, which I briefly ran on a wiped device to see what it was like, injects ads into the signup process in a slick-enough way that there is clearly some serious technical skill behind these apps. I have no doubt that much of the rest of the above is being done, too.
BuildStore requires the unique identifier of enrolled iOS devices, which almost certainly means they're just signing apps with developer provisioning profiles, rather than using TestFlight or the Volume Purchase Program store for their review-free distribution. I am unwilling to pay them to confirm this. The unrestricted distribution that free sites like iEmulators are able to do, however, is made possible by the Apple Developer Enterprise Program.
With the Apple Developer Enterprise Program, for $300 per year, you get to distribute apps to as many devices as you like. According to their license agreement, use of your apps on these devices should be:
(i) on Your physical premises and/or on Your Permitted Entity’s physical premises, or (ii) in other locations, provided all such use is under the direct supervision and physical control of Your Employees or Permitted Users (e.g., a sales presentation to a Customer)
The agreement goes on to explain that posting enterprise-signed apps on a public website is explicitly prohibited. Clearly, this is not being enforced, at least not particularly rigorously.
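An added example, not part of the original post: a triage check that reads an app bundle's embedded.mobileprovision and reports which of the distribution routes described above it was signed for (UDID-bound developer or ad hoc profile, or enterprise profile valid on any device). The sample profiles, team names and the stand-in for the CMS envelope are constructed, and the signature is not verified.

```python
import plistlib

def extract_profile(blob: bytes) -> dict:
    """Read the plist payload of an embedded.mobileprovision file.

    The file is a CMS (PKCS#7) signed container with the XML plist stored in
    the clear. The signature is NOT verified here; this is triage only.
    """
    start = blob.find(b"<?xml")
    end = blob.find(b"</plist>", max(start, 0))
    if start < 0 or end < 0:
        raise ValueError("no plist payload found")
    return plistlib.loads(blob[start:end + len(b"</plist>")])

def classify(profile: dict) -> str:
    """Name the distribution route a provisioning profile permits."""
    entitlements = profile.get("Entitlements", {})
    if profile.get("ProvisionsAllDevices"):
        return "enterprise"   # in-house profile: installs on any device
    if "ProvisionedDevices" in profile:
        # Bound to a UDID list: development if debuggable, else ad hoc.
        return "development" if entitlements.get("get-task-allow") else "ad-hoc"
    return "app-store"        # neither key: App Store distribution profile

def triage(blob: bytes) -> dict:
    """Summarise what an administrator would want to see for one app."""
    profile = extract_profile(blob)
    return {
        "route": classify(profile),
        "team": profile.get("TeamName", "unknown"),
        "device_count": len(profile.get("ProvisionedDevices", [])),
    }

def _wrap(payload: dict) -> bytes:
    # Constructed stand-in for the CMS envelope: opaque bytes around the plist.
    return b"\x30\x82\x0f\x00" + plistlib.dumps(payload) + b"\x00sig\x00"

# Constructed sample profiles (team names and UDIDs are made up).
ENTERPRISE = _wrap({"TeamName": "Example Corp", "ProvisionsAllDevices": True})
DEVELOPER = _wrap({"TeamName": "Example Dev",
                   "ProvisionedDevices": ["0" * 40, "1" * 40],
                   "Entitlements": {"get-task-allow": True}})
AD_HOC = _wrap({"TeamName": "Example Dev", "ProvisionedDevices": ["0" * 40],
                "Entitlements": {"get-task-allow": False}})

if __name__ == "__main__":
    for name, blob in [("enterprise", ENTERPRISE), ("developer", DEVELOPER),
                       ("ad hoc", AD_HOC)]:
        print(name, triage(blob))
```

An "enterprise" result on a device that the named team does not manage is the case this post is about.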
In theory, though, this should be fine! In theory, iOS is a reasonably secure operating system, and all apps have to ask permission to get access to sensitive information. In theory, there's no reason iOS couldn't safely host arbitrary apps and still be orders of magnitude safer than macOS. You can't stop stuff like cryptocurrency miners, but you can at least stop invasive fingerprinting and data gathering. In theory.
App Store review is supposed to be an important protection here. Their automated reviews will catch use of private APIs and such, but there's a lot that the humans don't catch. iOS still contains a bunch of mechanisms apps can use to do malicious things that should be prevented by App Store policies and review, but aren't. People have been doing pretty shady stuff on the App Store for years now, and Apple only reliably remedies it once it's already a story. In the meantime, they'll arbitrarily reject any app that a given reviewer has a political, social, financial, or functional objection to, and be stubbornly uncommunicative about it until enough people or press outlets get mad about it.
So why don't Epic use enterprise certificates for Fortnite? ‘Obviously,’ I hear you cry, ‘it's against the terms, so Epic's enterprise certificate would get revoked immediately if they tried to distribute Fortnite outside of the App Store,’ and you're right. Such a flagrantly contract-violating move for such a popular app from a big company would get massive press coverage, and be shut down within hours. If Apple's primary concern here was security, though, Epic's certificate would be the least of their worries. Apple know damn well that Epic's not going to distribute malware, and we know that the primary reason they want to keep stuff in the App Store is for that hot 30% revenue cut. The long-term existence of third-party iOS malware distribution sites should hammer this past the point of deniability, but everyone covering these platforms either ignores their existence or, worse, doesn't know about them.
iOS is living in the worst of both worlds. Nobody acting above board is allowed to distribute apps outside of Apple's control, but there's a thriving market of independently-distributed malware that nobody talks about. It would be nice if at least one of these downsides could be eliminated.
Oct 28th, 2014
It's a little after 7 A.M. on the morning of Saturday the 25th of October.
Leicester is still, cold, cloudless, and a little misty, although the sun is
rapidly burning it off. A man on his morning walk sees us approaching on the
pavement and considers us for a moment. Shortly, he comes to his conclusion and
knowingly asks, “Good night, lads?”
A man in a high-visibility jacket standing atop a university building looks
down and sees us walking by. He puts his fingers in his mouth and wolf-whistles
at us. “Hey, ladies!” then, to his friend, “there's two lads…”
Cirno and I are heading to MCM (a nerd convention in London),
but we've a long way to go and we're pretty conspicuous.
We're still presenting as white dudes. We know that when we get home we can
take the costumes off and revert to our usual, privileged state. It doesn't
hurt that we are not wearing makeup and these particular costumes make it clear
even to people who don't recognise the characters that we are very much still
white dudes. Still, we are drawing attention to gender in a way that takes
people out of their comfort zones, but because we are not us, we can view
their reactions with detachment.
Reactions are varied, fascinating, and occasionally frightening. Some
compliment us with slightly sneering irony. Some compliment us with sincerity.
Some children ‘whisper’ to their parents as we pass (“whoah-ha-ha-ha… that's a
man…”), some parents approach us with their kids and ask with genuine interest
what we're dressed up for. The train conductor tells us we're pretty and the
next people he deals with ask why they don't get the same treatment. Everybody
At MCM itself, we are barely an anomaly. Lots of people are in costumes. People
are relaxed. Many ask for photos. One guy calls “Reimu!” and quickly looks in
the other direction, too nonchalantly. A few apparent first-time visitors are
more surprised; one woman remarks “That's a boy! Dressed as a girl!
While waiting for Marisa to show up and complete the troupe, a man who
is “here with [his] nephew” approaches us and speaks for a while and asks some
mostly innocuous questions, but he seems to be dancing around saying what he
actually wants to say. It is like he is either trying to prove that he is
Totally Cool With This or is trying to decide if he even wants to be here at
all. We humour him.
The man who takes our order at dinner gets super into the spirit of it, asking
who we are and complimenting us. After taking our orders, he calls us ‘girls’
and then immediately fears he has crossed a line and gets sheepish and
apologetic and quickly scampers off. I later try to communicate to him that we
are more than okay with being referred to in character, but I mess up and
probably make it worse. (If you're reading this, I'm sorry. We're cool.)
Disembarking from a London Underground train, we meet That Guy. That Guy is
heading home from his Important Job. That Guy is white and middle-aged and
wearing a suit. That Guy is boarding the train at the door we are leaving from.
That Guy does not have long before we will be out of his life forever, but That
Guy very much wants us to know that He Has Feelings About This.
“Psh,” he snorts with powerful indignation. “I hope that's fancy
Firstly, yes, of course it's fancy dress. These are not practical clothes. I'm
carrying a piece of dowel with strips of paper taped to the end and my friend
here has wire fairy wings on his back. We are having a bit of fun.
Secondly, though, and more importantly, what the fuck does it matter to you if
it's not, Guy? And why did you feel the need to let us and our fellow
passengers know of your disapproval? Are we a sign of the coming apocalypse? An
invitation for Satan to bring about babies having babies and cats living with
dogs? Shit, man, people might even find themselves attracted to us, and that
wouldn't be right, dammit!
On the train back to Leicester, we are approached at our seats by a smiling
woman. “I saw you earlier on the train into London,” she says, “you look
exactly the same. Have you had fun?”
We appreciate the curiosity and chat for a bit.
I found her opening remark especially interesting not because of anything to do
with our costume or any kind of maliciousness on her part, but because that
middle part was just a thought that she had had. It was not intended for us.
Something weird was happening, and she dropped her guard for a moment. She said
something that made no sense except as part of an inner monologue in which she
was trying to work out if we were the same people she saw earlier or not. It's
scary that that can happen.
The sun has long since set when we get back to Leicester. People have started
their evening of drinking and the roads are still busy. We are honked at a few
times, a near-toothless man walking out of a pub blesses us, and my pulse
doubles every time we have to walk past a man. The majority of interactions we
had were positive, but the ones that were not all smacked of people getting
very upset about Gender Stuff. It was fun, but I am glad to get the
I'm lucky that I can.
May 13th, 2014
As an Android and OS X user, I was excited when Apple announced that they were
going to integrate something resembling Growl into Mountain
Lion. Growl was, at the time, a surprisingly critical part of the OS X
ecosystem. Apple bringing Growl's responsibilities in-house seemed long
I have barely touched Notification Center since a couple of days after Mountain
Lion was released. What follows is an attempt to rationalise exactly why that
One of my favourite things about Android's notification interface is that if I
get an email that I do not have to act on, I can archive it right from the
notification. I use this a lot.
Notification Center's transient notifications recently got similar little
buttons added to them. You can reply to an email right there, provided you
decide to act on it and can get your mouse up to the button within five seconds
of the notification appearing. If you miss this opportunity, you are out of
luck, because the persistent versions of notifications do not retain these
When you have pending notifications on Android, it's like having a splinter.
You can ignore them, and if you are busy, you can even forget they're there,
but you won't feel right until they're gone.
As an example, here's before:
Feels better, right? You now know, without taking any action, that there's
nothing left for you to deal with right now. And everything is tidy.
Here's Notification Center's entire visible UI when you have notifications
And when you do not:
Notification Center doesn't get back to you when you are no longer busy; you
have to get back to it. There is zero motivation to look in the slide-out
drawer unless you already know there's something there because you saw it
earlier and made a note of it.
That bears repeating. This notification system requires you to remember that
a notification appeared while you were busy (or briefly on the other side of
the room) and follow up on it. Like an animal.
…so it goes unchecked. Notifications come in, and stay in, and will remain
until you dismiss them.
Except that's not true at all. What actually happens is that each app has a
rotating collection of the five most recent notifications they emitted. Thus,
if you get a lot of emails, Notification Center is useless for triage. If you
get a lot of tweets, Notification Center is useless for sampling. In all cases
I've encountered, the app that spawned the notification is a superior tool for
catching up on things. Further, most of them have icon badges or menu bar
widgets to constantly remind you that something is worth your attention, making
Notification Center entirely redundant.
Every now and then, though, I accidentally open the drawer when trying to
scroll or something, and I get wistful. I look at countless notifications for
things I have already dealt with and I think of what could have been. I look
mournfully at my phone, sigh, and dutifully click all the tiny X buttons.