[HN Gopher] Apple silently fixes iOS zero-day, asks bug reporter...
___________________________________________________________________

Apple silently fixes iOS zero-day, asks bug reporter to keep quiet

Author : DemiGuru
Score  : 294 points
Date   : 2021-10-13 19:14 UTC (3 hours ago)

(HTM) web link (www.bleepingcomputer.com)
(TXT) w3m dump (www.bleepingcomputer.com)

| woliveirajr wrote:
| Seems that no credit, no bounty, nothing, has become the way that Apple deals with the iBugs Hunters.
|
| And all it takes is one of those unsung heroes giving up on reporting to Apple and, instead, reporting to some 0-day company, and some ransomware go brrrr
| croutonwagon wrote:
| I'm surprised it hasn't happened yet. It seems Apple is possibly openly hostile and uses "red tape" as an excuse to obfuscate communication and frustrate those trying to do right by them instead of just posting it to GitHub and calling them out on Twitter.
|
| It's one of a few reasons I have made some in-roads into moving off the platform.
| tptacek wrote:
| These vulnerabilities do not enable ransomware.
| _jal wrote:
| I'm sure people are selling them, although I think it would only become public by accident.
|
| At least some are going back to the Full Disclosure days...
|
| https://twitter.com/jonathandata1/status/1448037463419674625
| threeseed wrote:
| This comment is just nonsense. They regularly credit security researchers:
|
| https://support.apple.com/en-au/HT201222
|
| Seems like in this case it's just a mistake that was made.
| supernova87a wrote:
| Why are people out to crucify Apple for a story that's still being resolved? The article clearly says:
|
| "... _Due to a processing issue, your credit will be included on the security advisories in an upcoming update. We apologize for the inconvenience," Apple told him when asked why the list of fixed iOS security bugs didn't include his zero-day_..."
|
| "...
| _We saw your blog post regarding this issue and your other reports. We apologize for the delay in responding to you," Apple told Tokarev 24 hours after publishing the zero-days and the exploit code on his blog_...
|
| "... _We want to let you know that we are still investigating these issues and how we can address them to protect customers. Thank you again for taking the time to report these issues to us, we appreciate your assistance_..."
|
| The company hasn't denied the bounty, they're just incompetent / slow on this process.
|
| Feels like everyone is out to paint <x> company with just confirmatory bias using whatever half-baked story is available. Even I feel for company leaders in this kind of shitty journalism environment. And the rest of the comments here are just autopilot piling on the echo fest.
| smoldesu wrote:
| > Why are people out to crucify Apple for a story that's still being resolved?
|
| > The company hasn't denied the bounty, they're just incompetent / slow on this process.
|
| People probably expect more from... _checks notes_ The world's most valuable and successful modern corporation.
| efleurine wrote:
| And iOS users should be grateful that they report those bugs to Apple to get paid. They could also sell it to some spying companies and maybe those pay well and very fast
| tptacek wrote:
| Or maybe they don't pay for these bugs at all.
| ewagsjr wrote:
| Ya, if I interpreted this right, also really convenient that they seem to be dragging their feet on a $100,000 bounty.
| mike_d wrote:
| Devil's advocate here: I've worked the other side of managing bug bounties.
|
| It is entirely possible the researcher found something but didn't realize how deep the problem went. Apple may have released an incremental patch and is working on fixing a larger issue they found when digging into it.
|
| When this has happened in the past, from the researcher's perspective things seem quiet/delayed because we obviously can't share details of a larger vulnerability with them. All we can really do is ask for more time. In the end it all works out and they get paid out/credited for the original+follow on bug.
| vlovich123 wrote:
| Why wouldn't the company communicate to the researcher "we found a larger issue related to this. Your bounty will be upgraded to X. Please restart the clock for public disclosure" or something along those lines. Seems like better communication would create a win-win situation.
| thaumasiotes wrote:
| > In the end it all works out and they get paid out/credited for the original+follow on bug.
|
| I've worked on the company end of bug bounties too, and it does happen that a report just falls through the cracks. Seemingly-inactive reports do need a certain amount of maintenance; you don't want to just trust that everything will work out in the end. (That said, as long as you get responses when you ping the company, things are working in the background.)
|
| (edit to follow up: in about 18 months of this, I encountered one report that had fallen through the cracks. Obviously, there might have been others that never came to my attention at all, but the companies are tracking things much more carefully than researchers often assume.)
| bellyfullofbac wrote:
| Because those emails are probably lies, they're just delaying and delaying and hoping it will just go away, and writing fake "We're sorry"'s when they're forced to.
| Spooky23 wrote:
| Some security people love to hand-wave and issue prophecies of doom for attribution and attention. It's great chum for writers -- easier to run with some guy's grievance than research a more substantive story.
| tptacek wrote:
| There's a spectrum of quality to these stories, and one sign that you're tending towards an end of that spectrum is the use of the term "zero-day" without qualification. These are bug bounties; _all of these bugs are zero days_, no matter how severe (or not) they are. It's literally the least important detail in the story about how a bounty is being handled.
| xondono wrote:
| The "Apple Hater" market is as big as the "Apple fanboy" market, maybe even bigger!
| throwaway37284 wrote:
| I understand what you're saying and in most cases, most companies, most products, you are correct and I would absolutely agree. In this case it is an iOS zero-day. I'm not sure of the number of people on the planet using iOS but the chances of that zero-day being applicable to the phone in your pocket at one point aren't too bad. I do think Apple should be held responsible, their massive amount of sales has given them a massive amount of responsibility that they are not stepping up to.
| polack wrote:
| "Since then, Apple published multiple security advisories (iOS 14.7.1, iOS 14.8, iOS 15.0, and iOS 15.0.1) addressing iOS vulnerabilities but, each time, they failed to credit his analyticsd bug report."
|
| "Two days ago, after iOS 15.0.2 was released, Tokarev emailed again about the lack of credit for the gamed and analyticsd flaws in the security advisories."
|
| They didn't give him credit in the last 5 advisories. Really no excuse for that imho. If Apple keeps this up then why would anyone report bugs to them when you can just post it online and get credit for it right away? Or sell it on some 0-day site.
| glenstein wrote:
| Exactly, that's the issue. This is a RT*A scenario.
| tptacek wrote:
| If credit is what you care about, it's straightforward to ensure you get credit without working with Apple's bounty program.
| You can do what P0 does and provide a fixed timeline after which you're publishing, and nobody credible is going to hold that against you (in part because P0 has established this norm).
| efleurine wrote:
| Obviously credit is important for them as a proof of competence. If the company does not give them credits how can they build their business, portfolio. You can just say I was the one who discovered this.
|
| Every field works in a certain way and when it comes to bounty you want to make a name for yourself. You can't just pull up and say you are the one
|
| But yeah maybe they should just sell it to third-parties
| stefan_ wrote:
| > they're just incompetent / slow on this process
|
| > I feel for company leaders in this kind of shitty journalism
|
| You're not making sense. Plus Apple has a history of being incompetent and slow on this.
| coldtea wrote:
| > _Plus Apple has a history of being incompetent and slow on this_
|
| Have they, really? Just because you find this instance here and there of such a story where they were, doesn't mean they have a history of being incompetent and slow on this (the same way someone who hit 99% of their three-pointers doesn't have a history of being an awful shooter).
|
| That's how they fare long term:
|
| https://www.pandasecurity.com/en/mediacenter/mobile-security...
| smoldesu wrote:
| Apple's bug bounty is notoriously slow to respond, to the point that it has posed legitimate security concerns in the past: particularly their rhetoric around Thunderspy amused me.
|
| https://habr.com/en/post/579714/
|
| https://thunderspy.io
| QuizzicalCarbon wrote:
| How can we reasonably say Apple is moving slowly to fix bugs when we don't know how much work is going on behind the scenes? A slow response can just be a slow response.
| smoldesu wrote:
| I can reasonably say it because _all_ of their competitors have less cash, yet many of them respond faster than Apple does.
| calibas wrote:
| You're framing this as if it's all about the bounty and Apple just hasn't gotten around to it yet. That's only a small fraction of the story and could easily be forgiven. If I wanted to make Apple look good, I'd focus on that part, but that would be rather biased to ignore the whole picture...
|
| Tokarev discovered 4 iOS 0-days, then reported them all to Apple back in May. After months of Apple's continued refusal to fix or even publicly acknowledge all four of the issues, Tokarev made all of them public on GitHub.
|
| Weeks passed, and now it's today. Apple has yet to fix or publicly acknowledge two of the four security vulnerabilities. That should make Apple look bad because it's some fundamentally irresponsible security practices.
|
| Yes, I'm biased. I'm human, not a computer, and it's stuff like this that makes me biased towards Apple. They should receive negative publicity for this, then they should change how they do things. At the very least, app developers and users should be warned about the two issues that have yet to be fixed.
| tptacek wrote:
| I don't know anything about Apple's bug bounty program except that there's a prevailing attitude that it is not the well-oiled machine that Google's bug bounty program is perceived to be, and I'm not super interested in making a case for Apple here. But because this is a recurring theme in every discussion about every bug bounty run by anyone:
|
| * There are valid reasons that bugs can take longer to fix than you'd expect; the most notable of them is when the bug you found is actually systemic, or has a deep root cause, and the real fix for the vulnerability is more complicated than the surface bug. Without a hard timeline, some shops will work to get the root cause fixed on some bugs even at the cost of an increased timeline, because the patch for the surface bug reveals the pattern and amplifies risk to customers.
|
| * As a reporter, you can take some measure of control over the process back by providing a fixed timeline (like the P0 90 days). There's no negotiation needed; you give the vendor time to fix and they either do or don't, but either way you're going public. That is a valid way to go about things, but may cost you the bounty.
|
| * These things are bug-dependent, and the process that runs for a zero-interaction RCE won't be the same as the process that runs for a bug that requires a malicious app store app and only gives access to the contact database.
|
| * Message boards tend to expect that big vendors can just shell out for the bounty as a show of good faith. It's easy to see why they believe that. It makes sense. But it also creates broken incentives. The limiting reagent on bugs isn't bounty dollars (these are indeed barely even rounding errors to major vendors), but rather programmer time. If you pay out for weak, stuck-in-process bugs, you create incentives that redirect programmer time to those weak bugs and away from more significant bugs; as angry as you can reasonably be about a malicious app being able to snarf your contacts, if you're rational, you're a lot more concerned about memory corruption flaws, which is what you really want people spending their time on.
| amatecha wrote:
| Probably because the 0days have been fixed and the public have received the benefit of the security researcher's report to Apple, but he hasn't received any recognition or compensation through the bounty program via which he reported the vulnerabilities?
| [deleted]
| kamilman0 wrote:
| Could it be that maybe they try to uphold the reputation of Apple by doing so? But it doesn't make sense either way because they could have just paid those guys and then everyone is happy. That's just some ass-backwards logic. I am an Apple fan and I'm not going to defend this. It's just plain bad behavior on their side.
| kjaftaedi wrote:
| It seems like the last person you would want to dick around would be someone who seems to be extremely good at finding extremely valuable vulnerabilities.
| aborsy wrote:
| The need for Linux phones, in a market dominated by two companies and one government, is more than ever!
|
| Hope we soon get a usable Linux phone.
| beermonster wrote:
| Such a market need grows daily. Hopefully only a matter of time.
| reginold wrote:
| PinePhone is our only hope! Still a ways off from being consumer ready but it's heading in the right direction.
| Buttons840 wrote:
| "Only option"? What about Purism phones?
| coldtea wrote:
| > Apple silently fixes iOS zero-day, asks bug reporter to keep quiet
|
| Isn't that standard procedure for any company faced with a 0-day, prudent, and the right thing to do?
| jtsiskin wrote:
| Zerodium (https://zerodium.com/program.html) pays out $2 million dollars for an iOS "full chain with persistence" exploit. $500k for an iMessage RCE. Up to $100k for an iOS "information disclosure" exploit (likely what this would have fallen under). Paid for via bank wire or Bitcoin/Monero/Zcash in 1 week or less. And legal.
|
| Next time someone finds one of these, I wonder where they will report it to....
| netsec_burn wrote:
| See my comment history for a firsthand account of Zerodium.
| DSingularity wrote:
| Is it moral though? What do they do with these exploits? If it is to help advance the agendas of countries like Israel and Saudi Arabia how would you feel submitting exploits to them?
| lccarrasco wrote:
| People worried about the morality aspect could sell the exploit, donate the money and report the issue to the manufacturer anyways.
| doopy1 wrote:
| I don't think Zerodium payouts are lump sum... I believe they are staggered in order to mitigate against this stuff.
| tptacek wrote:
| So far as I know, essentially all grey market vulnerability sales are tranched, which is an important consideration when comparing bounty payouts to the grey market.
| tptacek wrote:
| They sell them to the IC.
| miohtama wrote:
| You can choose between a rich murderous dictator and an arrogant IT company that does not give you a proper credit. Either way you are screwed as a security researcher :(
| [deleted]
| ethanbond wrote:
| Uh, if your consideration is purely what happens to _you_, sure. If you have any thought in your mind about what will happen to other people due to your work, then it's nowhere near the same.
| AustinDev wrote:
| Trillion dollar companies are people under the US constitution and they don't seem to care about that so why should everyday citizens?
| tptacek wrote:
| Zerodium doesn't list "information disclosure" for smartphones. "Information disclosure" from an email server means exfiltrating the emails. Zerodium will almost certainly not outbid Apple for the `gamed` vulnerability here (maybe for publicity).
| comeonseriously wrote:
| I wonder what would happen if everyone that knows about this just starts pounding Apple's online presence (twitter, fb, etc) in protest of their actions. Would they relent and pay up?
| threeseed wrote:
| Apple definitely needs to improve its processes in order to ensure he and others get credit.
|
| But he is over-reacting about the confidential line. When I worked at Apple years ago I added a similar line when dealing with external people. And in every email I have sent whilst working for telcos, banks etc over the last decade a similar line has been included automatically at the footer. It's more a boilerplate polite request, not a demand.
| wilde wrote:
| That's not clear at all. I'd be twitchy too if I had $100k on the line and the other party had repeatedly messed up over months of interactions.
| ziddoap wrote:
| It is of note that this is not the standard footer attached to outgoing e-mails.
|
| It's the first line of the email after the greeting, manually written in.
| threeseed wrote:
| Not all emails will trigger the automated footer if they use it at all. They never did when I was there.
|
| And being a very serious security vulnerability (enough to warrant its own release) they are probably just being cautious.
|
| It really is a polite request, not some legal demand.
| ziddoap wrote:
| I didn't mean for my comment to come across as disagreeing with your overall point - just highlight that there is (in my mind) a fairly big difference between auto-generated footers attached to outgoing emails that you referenced (re banks, telcos) and explicitly written instructions at the beginning of an email.
| IndySun wrote:
| Apple the corporation religiously and sometimes aggressively portrays itself as virtuous, safe, and honest, but this behaviour suggests those qualities are marketing tools.
| DemiGuru wrote:
| As an Apple fan myself, I agree that this type of practice renders the platform less secure rather than more secure. Everyone ends up losing.
| killingtime74 wrote:
| For want of a nail the kingdom was lost. Just pay the stupid bounty
| o_m wrote:
| I wish Apple would do a feature freeze for iOS and macOS for a couple of years, then focus on fixing bugs, improving security and optimizing performance instead.
| sbarre wrote:
| But money!
| ballenf wrote:
| Here's a fun conspiracy theory proposed entirely in jest:
|
| Apple doesn't want to patch zero-days used by US authorities in order to alleviate pressure on its encryption practices.
|
| So they really only want to fix zero-days that are known broadly or get media attention.
| And they don't want to give too much incentive to researchers to report zero-days to Apple instead of selling them to the highest bidder (which may ultimately be the largest governments with the greatest ability to regulate Apple).
| jjcon wrote:
| > alleviate pressure on its encryption practices.
|
| Apple is not that different from the status quo on end to end encryption as to necessitate a conspiracy (probably even in jest). They have no iCloud encryption, no photos encryption, no device backup encryption etc etc.
| ballenf wrote:
| Would that still apply if a target has iCloud backup turned off?
| dev_tty01 wrote:
| One small correction. They do have backup encryption. As a matter of fact, your various account passwords are only backed up if you keep the encrypt option turned on.
|
| https://support.apple.com/en-us/HT205220
|
| As far as the original article, I agree completely that not paying and crediting these folks in a timely manner is just stupid and will reduce Apple security long term.
| heavyset_go wrote:
| Apple holds the keys to encrypted iCloud backups.
| dev_tty01 wrote:
| Yes, they do have some way of using your iCloud account credentials to get to the backup key. Given the level of customer support needed for forgotten backup keys, they have probably chosen this as the lesser of two evils.
|
| If you don't like that "feature," don't do iCloud backups. I do direct backups as described in the support link. Apple doesn't have those keys.
| ballenf wrote:
| I do wonder how much longer local, machine-based backups will continue to be supported. Could easily see a future model dropping the cable entirely, dropping local backup and modestly upping the free iCloud storage.
| selectodude wrote:
| iPhones have supported Wi-Fi backup to a local computer for a decade now.
| threeseed wrote:
| So then explain this page:
|
| https://support.apple.com/en-au/HT201222
|
| Why would they bother fixing any of the bugs?
| rlt wrote:
| Next level conspiracy theory: Apple employs, knowingly or unknowingly, CIA/NSA agents who intentionally introduce these bugs.
| [deleted]
| tptacek wrote:
| It would indeed be a next-level conspiracy theory to suggest the NSA planted an employee at Apple to introduce a GameCenter bug that lets you read a cache of contacts, rather than, you know, just taking the whole device over, which is what "zero day" usually implies.
| tptacek wrote:
| This is indeed silly, because the zero-day vulnerabilities that the IC exploits provide full kernel-level access to devices, and this just lets you read contacts from an app you install from the app store (which does local API-level surveillance already) on the device.
| smoldesu wrote:
| You've got the wrong ideas. The government isn't using the same exploits as you and me, their backdoors are hidden much better and offer far more comprehensive control than just a silly GameCenter vuln.
| paxys wrote:
| If Apple was complicit in US authorities breaking into their devices they wouldn't be doing so via publicly exploitable vulnerabilities. Bugs making their way into the "wrong" hands decreases trust in their ecosystem. It makes much more sense to just add a backdoor.
| post_break wrote:
| What a slap in the face. This guy is owed a boatload of cash, and typical Apple just kicks the can down the road. Next time I hope he sells his next vuln to the highest bidder.
| tptacek wrote:
| Who's the next highest bidder after Apple for a bug in `gamed` that allows you to access GameCenter and download contacts? It's a significant vulnerability, but there's e.g. no price list entry on Zerodium (you can take Zerodium more or less seriously, this is just a data point) for anything but code execution, which this vulnerability isn't.
| WesolyKubeczek wrote:
| > Who's the next highest bidder after Apple for a bug in `gamed` that allows you to access GameCenter and download contacts?
|
| Anyone who actually pays money or golden bars within a reasonable timeframe?
|
| > It's a significant vulnerability, but there's e.g. no price list entry on Zerodium
|
| On this scale I think it's "Contact us and we negotiate" sort of price.
| tptacek wrote:
| Who? Speculate as to who they might be. The six figure numbers you're familiar with are for code execution bugs. This is obviously not that. So they're not anybody that quotes prices for bugs, or anyone directly comparable to them.
|
| Governments can already pay prices comparable to the supposed bounty valuation of this bug for code execution. They're probably not shelling out six figures in gold bars for a bug that exfiltrates contact lists from apps that have to be installed from the app store.
|
| The non-bounty market clearing price for a lot of scary sounding vulnerabilities is $0.
| gjs278 wrote:
| there is no next highest bidder, you live in a cyberpunk fantasy land
| ambientenv wrote:
| > Next time I hope he sells his next vuln to the highest bidder
|
| And thereby accomplishing what, exactly? There is still merit, albeit not from a material wealth standpoint, for doing the right thing for the right reasons.
| ClumsyPilot wrote:
| "There is still merit, albeit not from a material wealth standpoint, for doing the right thing for the right reasons"
|
| There seems to be the strange worldview where ordinary Joe must be morally impeccable but its corporate leadership can be as immoral as they come.
|
| Like the richer you are, the fewer rules you have to follow. Surely it should be the other way round?
| celim307 wrote:
| I agree somewhat, the users which include me get caught in the crossfire if someone releases a zero day out in the wild, but I also think there needs to be a negative feedback to these tech giants that expect work for free.
|
| But in the grand scheme of things, does it even punish the tech giants? They have so many claws in a user's life, and in the case of Apple, your only other choice is Google or a bunch of shady OEMs.
|
| At the end of the day the only people who pay for it are users themselves, their data is compromised and irreversibly out there
| aviraldg wrote:
| Forcing Apple to do the right thing the next time.
| kbenson wrote:
| You can rely on the vast majority of people to do the right thing when it's in their best interests.
|
| You can likely rely on a good majority of people to do the right thing when it isn't for or against their interests in any substantial way.
|
| I'm not sure of the amount of people that will do the right thing when it's not in their best interests by some small but noticeable amount.
|
| I'm also not sure of the amount of people that will do the right thing when it's vastly against their best interests, but it's bound to be far less than the prior group, and I suspect it's way below a majority.
|
| The point isn't that these people aren't doing the "right thing", it's that these programs are designed to align doing the right thing with the best interests of the researchers, so noting that we might get more results that are not in the best interests of society at large or the company in question if they don't hold up to what they agreed to is not only a valid observation, it's the likely outcome if we're to expect these programs exist for a reason.
|
| To put this in perspective, say you find a suitcase with a million dollars in it. You can turn it in, or you can keep it for yourself.
| If there's no real expectation you'll get anything if you turn it in, how does the reasoning go in your head? What if you know you'll get 10% for finding it and turning it in? What if you live in abject poverty? What if you have $60k worth of medical bills for a family member to pay off?
| vadfa wrote:
| > And thereby accomplishing what, exactly?
|
| ...$$$$?
| basisword wrote:
| I could accomplish the same thing by robbing a bank - doesn't make it the right thing to do.
| akomtu wrote:
| Unless it's a mafia's bank.
| spicybright wrote:
| Doesn't make free work for a trillion dollar corporation something noble to do.
|
| By that logic, a grocery store giving away everything for free is the right thing to do. Doesn't lead to anything sustainable though.
| young_unixer wrote:
| Robbing a bank is immoral, selling information about how a piece of software works, in my humble opinion, is not. Or if it is, then it's not even close to the level of "wrong" that is robbing a bank.
| mrtesthah wrote:
| And what if that information gets weaponized against journalists in an authoritarian regime?
| ClumsyPilot wrote:
| You know what gets weaponised?
|
| Actual weapons our government sold to Saudi and others.
| Bud wrote:
| Except that as this thread demonstrates, there is no realistic possibility of this researcher _actually making more $$$ in real life_ by trying to find another bidder.
| smoldesu wrote:
| Zerodium pays more for the exploits, and unlike Apple, is willing to compensate you in non-traceable currency.
| AustinDev wrote:
| Trillion dollar companies don't care about merit for doing the right thing. Why should this guy in the future?
| pcbro141 wrote:
| Maybe he doesn't want dissident journalists and activists to get spied on and chopped to pieces?
|
| That sounds like a good enough reason to report these bugs for someone with morals.
| lern_too_spel wrote:
| Dissident journalists and activists can use devices from vendors that care about security enough to run a working bug bounty program.
| rurp wrote:
| Unfortunately exercising consumer choice works a lot better in a healthy free market than it does in one controlled by an oligopoly. I totally agree that people should try to avoid buying from companies that do immoral things, but it can be quite hard in a consolidated market.
| afrcnc wrote:
| No, he's not. Those are low-priority bugs and the only thing that made them stand out was the fact that he dropped them online without a patch. RCEs get priority in patching, and his priv esc issues were not as important.
| r00fus wrote:
| He dropped them online after a significant period of delay. Already discussed here on HN. [1]
|
| [1] https://news.ycombinator.com/item?id=28637276
| bawolff wrote:
| Can't we hope they go for full-disclosure instead of selling to the highest bidder? Selling to the highest bidder just hurts Apple users, not Apple.
| akira2501 wrote:
| > just hurts apple users not apple.
|
| As a first-order effect, sure... but Apple is not immune to the damage that this causes either. More importantly, their failure to pay or honor their commitments would be the root cause of this in the future.
|
| They opened this "bug bounty" door on their own, they are solely responsible for its success or failure.
| artful-hacker wrote:
| This is just one more nail in the already air-tight coffin Apple has built for themselves. I seriously don't understand why people stick with Apple products, they are getting much harder to use, they lock you in to their gimped ecosystem, and their hardware is constantly failing to be reliable.
| watermelon0 wrote:
| There is no better alternative (at least for some people)?
|
| Just some examples:
|
| - Integration between their devices cannot be matched by others
|
| - Apple Watch has the largest app collection, great integration between iOS and Watch apps, smooth animations/UX, the most accurate GPS of smart watches
|
| - Handover of AirPods between Apple devices is a lot better than with other Bluetooth headphones
|
| - (subjective) iOS has a lot better UX/animations than Android
| slownews45 wrote:
| Are these comments real? They are surprisingly close-minded for a Hacker News site.
|
| If you can't see the value Apple offers, that's fine, but to be blind to what they offer others seems odd.
|
| I've yet to be scammed by Apple's App Store. I.e., I can cancel my subscriptions easily, bad apps you can even get a refund on if prompt etc.
|
| I have been repeatedly screwed by websites run by developers outside of Apple. These websites have been LOADED with trackers, they have impossible to cancel subscriptions, they do all sorts of dirty tricks (I'm tired of the Intercom type follow-up emails - sorry I missed you, give me one last chance etc).
|
| I get it, the dog eat dog crapfest is appealing to some, but Apple offers an alternative, and for some people that has value. And yes, I get it, the folks making these eye blinding slow websites have lots to say about Apple, but my weather app opens promptly on Apple, whereas the ad littered weather pages online bog my machine (with 100x the memory) down.
| johnmaguire wrote:
| I'm so happy Linux is an option on the computer.
|
| When it comes to phones I feel stuck between a rock and a hard place - choose iPhone, with poor Linux integration and threats to passively scan files on my phone and forward them to LEO? Sure, they have a decent record with security but these bug bounty reports haven't been great.
| | Or choose Android, with its poor privacy record, a result of | being built by an ad company that's already scanning my phone | and mining it for data? | | edited to add - While I'd love to see a true competitor in this | space (i.e. not based on Android - those projects don't seem to | work out well as a result of being half-in/half-out of the | ecosystem) I don't see how it's possible without the support of | the large tech players - Facebook, Instagram, Snapchat, | WhatsApp, Twitter, and Spotify at minimum, to say nothing of | the long tail. | atatatat wrote: | > Or choose Android, with its poor privacy record, a result | of being built by an ad company that's already scanning my | phone and mining it for data? | | GrapheneOS.org | lern_too_spel wrote: | Android doesn't scan your phone and mine it for data. Apps on | Android scan your phone and mine it for data. Apps on iOS | _also_ scan your phone and mine it for data. The major | difference between the two is that Android lets you choose | which apps to put on your phone. | nijave wrote: | "Android" doesn't but Google Play services & bundled apps | do | noneeeed wrote: | Likewise. I'm in the market for a new phone. I want to get | something top of the line and then keep it for at least 5 | years, so good updates etc. But I have serious issues with | both Google and Apple at this point. | | For me it isn't really the tech companies that need to buy in | to make an alternative phone OS viable, but things like | banks. Online mobile banking is one of the main things I use | my phone for after web browsing and messaging. The | probability that it won't work on some third OS is what puts | me off trying some of the alternatives. | johnmaguire wrote: | Great point. I recall some banking apps placing | restrictions on logging in without SafetyNet, e.g. which | also puts some of the other Android-based OS's out of the | running. 
| h4waii wrote: | I get that a lot of the Android-based projects don't pan out, | but LineageOS has been going for quite a while now, CalyxOS | is relatively new, and GrapheneOS (previously CopperheadOS) | have successfully established themselves as the defacto | hardened Android platform. | | You can download the source, modify it, and build them all | freely. Hopefully more people can get involved and move the | needle instead of only lamenting how they don't succeed while | not actively trying to help them succeed. I mean this in a | respectful way. | johnmaguire wrote: | > Hopefully more people can get involved and move the | needle instead of only lamenting how they don't succeed | while not actively trying to help them succeed. | | That's totally fair. I don't really have the time or | Java/Kotlin/mobile familiarity to jump in here, and these | aren't skills I can easily apply elsewhere in my career, | personally. | | > LineageOS has been going for quite a while now, CalyxOS | is relatively new, and GrapheneOS (previously CopperheadOS) | | My impression of these OSes is that they still rely on | Google Play Services - or if not, micro-G which has many | shortcomings. When most of the ecosystem doesn't work until | you invite Google back in, it doesn't seem like a true | alternative IMO. | | Admittedly I haven't personally tried running any of them. | Which one would you recommend trying if I were aiming to | rid myself of Google's omnipresence? | ev1 wrote: | You can install Lineage without Play, and only use | Lineage. | | Graphene does not require Play Services, but it only runs | on a small subset of Android phones that are ~$500+ here | (heavily discouraged to use anything older than 4a 5G) | rOOb85 wrote: | You can run one of those os's without any Google | services. Paid apps are almost certain to not run, and a | bunch of other apps that rely on the services. But almost | all the apps I use work great. | | I have used CalyxOS and it's a great os. 
I did use microG | and 98% of the apps I use worked flawlessly. If you have | a supported phone, I'd definitely give it a shot. | heavyset_go wrote: | > _I don 't see how it's possible without the support of the | large tech players - Facebook, Instagram, Snapchat, WhatsApp, | Twitter, and Spotify at minimum, to say nothing of the long | tail._ | | This wouldn't be much of a problem if it wasn't for Google's | SafetyNet that prevents Android apps from running on hardware | and software platforms that Google doesn't approve of. You | wouldn't need support from large companies if you were able | to run the apps they already release for Android. | | Compatibility layers like Anbox or Waydroid that allow you to | run Android apps on Linux can't run SafetyNet-enabled apps, | despite having no problem running other Android apps. | | SafetyNet prevents compatibility layers like WSL 1 & 2, | Proton or WINE with Android support from coming to Windows or | other platforms, as well. | nijave wrote: | What's SafetyNet have to do with anything? It's opt it | device attestation the app creator has to implement | | It's not Android/Google forcing SafetyNet on you, it's app | developers insisting you need some special end user setup | paul7986 wrote: | iOS 15 from release date has had the most bugs I've ever | experienced with any former versions of iOS. Siri would revert | back to Dragon style text to speech randomly is one thing I | noticed frequently. | rgovostes wrote: | The advisory credit and bug bounty fiasco aside, when I reported | a security vulnerability to Apple in 2010, they wrote, "Because | of the potentially sensitive nature of security vulnerabilities, | we ask that this information remain between you and Apple while | we investigate it further." It seems to just be a standard | inclusion in their correspondence, and not unique to this | exchange. ___________________________________________________________________ (page generated 2021-10-13 23:00 UTC)