words from a colons

Nobody talks about sideloading apps on iOS

Sep 25th, 2019 history

One of the oft-touted differences between Android and iOS is that Android lets you install apps from 'unknown sources', and iOS does not. This common knowledge is baked into almost all commentary written about mobile device security. For example, there was a lot of excitement after WWDC 2016 when Apple announced that free developer account certificates would be able to load apps onto iOS devices, but this is only for enrolled devices and the apps stop working after a week. There's also a lot of recent talk about Epic's decision to distribute Fortnite for Android outside of the Play Store, which is implicitly impossible with iOS.

Screenshot. A native iOS prompt saying 'public.boxcloud.com would like to install “Snapchat++”'. The selectable options are 'Cancel' and 'Install'. 'Install' is the primary action, bold and blue. Behind the prompt, a website is visible, showing a summary of an app called 'Snapchat ++', authored by someone called 'Unknown'. Features offered include 'Increased Recording', 'Custom Notifications', and 'Enhanced screenshoting'

The trouble is, though, that this premise is catastrophically incorrect. Anyone can go to a website in Safari, download an app bundle, tap an 'Install' button in an alert that pops up, and the app will be installed. The first time you do this with an app from some rando, you'll also need to explicitly trust the signing authority in Settings. iOS won't tell you how to do this up-front, but it's not hard; certainly no harder than disabling Gatekeeper. No Mac is required, no developer account is required, and the app will run indefinitely. It's about as easy to do as enabling untrusted sources in Android.

This is not hypothetical. This is being done at volume in the wild.

Screenshot. The iOS settings app. Explanatory text says 'Apps from developer “iPhone Distribution: Shenzhen Yunxun Technology Co., Ltd.” are not trusted on this iPad and will not run until the developer is trusted.' Beneath this text, there's an inviting blue button labelled 'Trust “Shenzhen Yunxun Technology Co., Ltd.”', and then there's a list of apps that are signed by this entity. The only item in the list is 'Twitter ++', an app that uses the official Twitter app icon. Opposite the name of the app, the word 'Verified' is shown.

There's a website called BuildStore which sells subscriptions for access to their database of apps that can be installed this way, including open-source emulators and modified versions of apps like Facebook with 'additional features'. Scarier, though, are the places that offer this for free, like iEmulators. Given the cost of hosting and the inherent price of the ability to offer this service (which we'll get into in a bit), it seems reasonable to assume that the people running this free service are expecting to make a profit, somehow.

BuildStore's practice of selling access to other people's open-source software is questionable, but the 'improved' social media apps category offered by iEmulators is terrifying. I am not equipped to disassemble an iOS app and work out what it does, and I don't want to make accusations about any specific application distributors, but if I was the 'Unknown' person who distributes these [social media website]++ apps and I wanted to make money unscrupulously, I know some things that I would do. I'd sell ads and send you paid notifications. I'd use all the compute time I could get to mine cryptocurrency. I'd record everything you did in the app. Once you granted camera permissions, I would never turn them off. Once you granted access to your photos library, I would use EXIF data to build a history of everywhere memorable you've ever been. I'd use each and every API that Apple don't allow to be used in apps distributed in the App Store to gather as much personal information about you as possible, and I'd sell all of it. I'd also, naturally, gather your login credentials.

Twitter ++, which I briefly ran on a wiped device to see what it was like, injects ads into the signup process in a slick-enough way that there is clearly some serious technical skill behind these apps. I have no doubt that much of the rest of the above is being done, too.


BuildStore requires the unique identifier of enrolled iOS devices, which almost certainly means they're just signing apps with developer provisioning profiles, rather than using TestFlight or the Volume Purchase Program store for their review-free distribution. I am unwilling to pay them to confirm this. The unrestricted distribution that free sites like iEmulators are able to do, however, is made possible by the Apple Developer Enterprise Program.

With the Apple Developer Enterprise Program, for $300 per year, you get to distribute apps to as many devices as you like. According to their license agreement, use of your apps on these devices should be:

(i) on Your physical premises and/or on Your Permitted Entity’s physical premises, or (ii) in other locations, provided all such use is under the direct supervision and physical control of Your Employees or Permitted Users (e.g., a sales presentation to a Customer)

The agreement goes on to explain that posting enterprise-signed apps on a public website is explicitly prohibited. Clearly, this is not being enforced, at least not particularly rigorously.

In theory, though, this should be fine! In theory, iOS is a reasonably secure operating system, and all apps have to ask permission to get access to sensitive information. In theory, there's no reason iOS couldn't safely host arbitrary apps and still be orders of magnitude safer than macOS. You can't stop stuff like cryptocurrency miners, but you can at least stop invasive fingerprinting and data gathering. In theory.

App Store review is supposed to be an important protection here. Their automated reviews will catch use of private APIs and such, but there's a lot that the humans don't catch. iOS still contains a bunch of mechanisms apps can use to do malicious things that should be prevented by App Store policies and review, but aren't. People have been doing pretty shady stuff on the App Store for years now, and Apple only reliably remedies it once it's already a story. In the meantime, they'll arbitrarily reject any app that a given reviewer has a political, social, financial, or functional objection to, and be stubbornly uncommunicative about it until enough people or press outlets get mad about it.


So why don't Epic use enterprise certificates for Fortnite? ‘Obviously,’ I hear you cry, ‘it's against the terms, so Epic's enterprise certificate would get revoked immediately if they tried to distribute Fortnite outside of the App Store,’ and you're right. Such a flagrantly contract-violating move for such a popular app from a big company would get massive press coverage, and be shut down within hours. If Apple's primary concern here was security, though, Epic's certificate would be the least of their worries. Apple know damn well that Epic's not going to distribute malware, and we know that the primary reason they want to keep stuff in the App Store is for that hot 30% revenue cut. The long-term existence of third-party iOS malware distribution sites should hammer this past the point of deniability, but everyone covering these platforms either ignores their existence or, worse, doesn't know about them.

iOS is living in the worst of both worlds. Nobody acting above board is allowed to distribute apps outside of Apple's control, but there's a thriving market of independently-distributed malware that nobody talks about. It would be nice if at least one of these downsides could be eliminated.

Being Reimu

Oct 28th, 2014 history

It's a little after 7 A.M. on the morning of Saturday the 25th of October. Leicester is still, cold, cloudless, and a little misty, although the sun is rapidly burning it off. A man on his morning walk sees us approaching on the pavement and considers us for a moment. Shortly, he comes to his conclusion and knowingly asks, “Good night, lads?”

A man in a high-visibility jacket standing atop a university building looks down and sees us walking by. He puts his fingers in his mouth and wolf-whistles at us. “Hey, ladies!” then, to his friend, “there's two lads…”

Cirno and I are heading to MCM (a nerd convention in London), but we've a long way to go and we're pretty conspicuous.

Two white dudes dressed as Touhou characters. The one on the left (Reimu, in a frilly red dress and long brown wig) is hitting the one on the right (Cirno, wearing a short blue wig, a blue dress, and wire fairy wings) with a home-made gohei.

We're still presenting as white dudes. We know that when we get home we can take the costumes off and revert to our usual, privileged state. It doesn't hurt that we are not wearing makeup and these particular costumes make it clear even to people who don't recognise the characters that we are very much still white dudes. Still, we are drawing attention to gender in a way that takes people out of their comfort zones, but because we are not us, we can view their reactions with detachment.

Reactions are varied, fascinating, and occasionally frightening. Some compliment us with slightly sneering irony. Some compliment us with sincerity. Some children ‘whisper’ to their parents as we pass (“whoah-ha-ha-ha… that's a man…”), some parents approach us with their kids and ask with genuine interest what we're dressed up for. The train conductor tells us we're pretty and the next people he deals with ask why they don't get the same treatment. Everybody laughs.

At MCM itself, we are barely an anomaly. Lots of people are in costumes. People are relaxed. Many ask for photos. One guy calls “Reimu!” and quickly looks in the other direction, too nonchalantly. A few apparent first-time visitors are more surprised; one woman remarks “That's a boy! Dressed as a girl! Shocking.”

While waiting for Marisa to show up and complete the troupe, a man who is “here with [his] nephew” approaches us and speaks for a while and asks some mostly innocuous questions, but he seems to be dancing around saying what he actually wants to say. It is like he is either trying to prove that he is Totally Cool With This or is trying to decide if he even wants to be here at all. We humour him.

The man who takes our order at dinner gets super into the spirit of it, asking who we are and complimenting us. After taking our orders, he calls us ‘girls’ and then immediately fears he has crossed a line and gets sheepish and apologetic and quickly scampers off. I later try to communicate to him that we are more than okay with being referred to in character, but I mess up and probably make it worse. (If you're reading this, I'm sorry. We're cool.)


Disembarking from a London Underground train, we meet That Guy. That Guy is heading home from his Important Job. That Guy is white and middle-aged and wearing a suit. That Guy is boarding the train at the door we are leaving from. That Guy does not have long before we will be out of his life forever, but That Guy very much wants us to know that He Has Feelings About This.

“Psh,” he snorts with powerful indignation. “I hope that's fancy dress.”

Firstly, yes, of course it's fancy dress. These are not practical clothes. I'm carrying a piece of dowel with strips of paper taped to the end and my friend here has wire fairy wings on his back. We are having a bit of fun.

Secondly, though, and more importantly, what the fuck does it matter to you if it's not, Guy? And why did you feel the need to let us and our fellow passengers know of your disapproval? Are we a sign of the coming apocalypse? An invitation for Satan to bring about babies having babies and cats living with dogs? Shit, man, people might even find themselves attracted to us, and that wouldn't be right, dammit!


On the train back to Leicester, we are approached at our seats by a smiling woman. “I saw you earlier on the train into London,” she says, “you look exactly the same. Have you had fun?”

We appreciate the curiosity and chat for a bit.

I found her opening remark especially interesting not because of anything to do with our costume or any kind of maliciousness on her part, but because that middle part was just a thought that she had had. It was not intended for us. Something weird was happening, and she dropped her guard for a moment. She said something that made no sense except as part of an inner monologue in which she was trying to work out if we were the same people she saw earlier or not. It's scary that that can happen.


The sun has long since set when we get back to Leicester. People have started their evening of drinking and the roads are still busy. We are honked at a few times, a near-toothless man walking out of a pub blesses us, and my pulse doubles every time we have to walk past a man. The majority of interactions we had were positive, but the ones that were not all smacked of people getting very upset about Gender Stuff. It was fun, but I am glad to get the costume off.

I'm lucky that I can.

I don't use Notification Center, and it makes me sad

May 13th, 2014 history

As an Android and OS X user, I was excited when Apple announced that they were going to integrate something resembling Growl into Mountain Lion. Growl was, at the time, a surprisingly critical part of the OS X ecosystem. Apple bringing Growl's responsibilities in-house seemed long overdue.

I have barely touched Notification Center since a couple of days after Mountain Lion was released. What follows is an attempt to rationalise exactly why that is.

Action

One of my favourite things about Android's notification interface is that if I get an email that I do not have to act on, I can archive it right from the notification. I use this a lot.

Notification Center's transient notifications recently got similar little buttons added to them. You can reply to an email right there, provided you decide to act on it and can get your mouse up to the button within five seconds of the notification appearing. If you miss this opportunity, you are out of luck, because the persistent versions of notifications do not retain these buttons.

Persistence

When you have pending notifications on Android, it's like having a splinter. You can ignore them, and if you are busy, you can even forget they're there, but you won't feel right until they're gone.

As an example, here's before:

A messy status bar full of icons vying for attention.

And after:

The same status bar, but with no icons. Much cleaner.

Feels better, right? You now know, without taking any action, that there's nothing left for you to deal with right now. And everything is tidy.

Here's Notification Center's entire visible UI when you have notifications pending:

An icon that one can assume is supposed to represent notifications, with no badges or any indication that something important is here.

And when you do not:

Literally exactly the same image as the previous one.

Nothing changes.

Notification Center doesn't get back to you when you are no longer busy; you have to get back to it. There is zero motivation to look in the slide-out drawer unless you already know there's something there because you saw it earlier and made a note of it.

That bears repeating. This notification system requires you to remember that a notification appeared while you were busy (or briefly on the other side of the room) and follow up on it. Like an animal.

Retention

…so it goes unchecked. Notifications come in, and stay in, and will remain until you dismiss them.

Except that's not true at all. What actually happens is that each app has a rotating collection of the five most recent notifications they emitted. Thus, if you get a lot of emails, Notification Center is useless for triage. If you get a lot of tweets, Notification Center is useless for sampling. In all cases I've encountered, the app that spawned the notification is a superior tool for catching up on things. Further, most of them have icon badges or menu bar widgets to constantly remind you that something is worth your attention, making Notification Center entirely redundant.

Dismissal

Every now and then, though, I accidentally open the drawer when trying to scroll or something, and I get wistful. I look at countless notifications for things I have already dealt with and I think of what could have been. I look mournfully at my phone, sigh, and dutifully click all the tiny X buttons.