
This is a terrible argument:

> You can read Apple’s announcement on being forced to comply but as you do so, I’d like you to remember one thing: every nightmare scenario they describe for the security of users in the EU is exactly what currently happens on Macs everywhere in the world.

There's 1.5 billion iPhone users vs 100 million Mac users. Apple believes that at least part of the reason for that difference is the security model of iOS. E.g., arguably the largest changes Apple has made to the Mac since introducing the iPhone are implementing security measures based on iOS.



> There's 1.5 billion iPhone users vs 100 million Mac users

It’s beyond hilarious, after years of seeing Apple users fight back against the idea that the Mac’s better security relative to Windows has anything to do with its smaller user base, to see Apple users insist that the Mac’s smaller user base relative to the iPhone is what makes it more secure.


I don't really understand your argument, e.g., "seeing Apple users fight back against the idea that the Mac’s better security relative to Windows has anything to do with its smaller user base".

Are you saying there was some dispute between where folks were saying Mac's tighter security somehow made the platform less popular? I've never heard this. (Also for the record, I personally wouldn't make any case about Mac's security being better than Windows.)

Also side point, I said this is what Apple believes, not "Apple users". I.e., I don't think anyone cares what I think, but Apple's behavior on a number of fronts points to Apple believing this (e.g., sandboxing in Mac App Store, reading between the lines of the App Store restrictions, notarization).


Those are probably different groups of people. I'll definitely agree that the Mac would see more security issues if it had the install base of Windows or iOS.


They’re a lot of the same people.

John Gruber for example used to rail against the Security by Obscurity argument (correctly, IMO), but makes the same security by obscurity argument today.


You are conspicuously not noting how much Apple value the $89 billion they made on app store commissions last year.


I don't think that's some big secret, but also irrelevant to the point I'm making. I said Apple believes that their security model on the iPhone is important to its popularity. Apple making a bunch of money on the App Store does not contribute to the iPhone's popularity, therefore it's not relevant to my original statement.

What you are really trying to say is that Apple doesn't actually believe the security model is important, instead it's just about collecting money from the App Store, that's a valid interpretation, I just believe that Apple values the iPhone's long-term popularity higher than it values the short-term profits from the App Store. The fact that they can have both is mighty convenient for Apple.


Not only do I think it's relevant, I think it's the whole point. The security argument is the outcome of finding the most useful, contentious point that would support them continuing to make the gobs of money. It's the same way 'think of the children' is used for arguing in favour of various types of censorship - everyone in the know is aware it's not the real reason but we live in a society where calling someone out for BSing is considered rude, or bad politics. So the rest of us have to nod along while being treated as fools.

The TAM is saturated. Taking share from Android is difficult. Making more humans use smartphones is difficult. Making more humans is difficult. Extracting more rent is not. So the idea that the security is more important for future revenues than the ability to exploit the userbase doesn't hold up, particularly when there isn't and can't be an alternative with a different security model.


The growth potential comes from future devices that are facilitated by this security model. E.g., you can't have Adobe Creative Cloud's updater process, Zoom, Dropbox, etc... all running their background processes on a resource constrained device like say, AR glasses. This is why Apple is betting the farm on this security model despite its ongoing issues. Apple's future of computing is easily, verifiably, incompatible with a Mac-like security model. This isn't up for debate.

If your argument is a more open model than Apple currently has for the iPhone that might be a good argument. But I was replying specifically to the author's comparison to the Mac. My point is that Apple believes having a Mac-like security model for the iPhone would make it less successful, as evidenced by their aggressive push to make Mac security more iPhone-like, without enforcing iPhone-style revenue sharing (e.g., you can buy and download software from anywhere without giving Apple a cent).


That's a terrible argument. The MacOS security model has not suffered as Apple asserts.


For the sake of argument let's take as given that the Mac was unacceptably insecure (John Hodgman smirks at Justin Long “I knew it!”) until the iOS security model was applied.

It’s also not clear that the EU requires the PWA engine to also be replaceable but I’m personally in favor of that so we’ll stipulate that’s the case as well.

The term “security model” is doing all the work here.

The EU has no requirement for the “security model” to be changed. They require the browser engine to be replaceable.

The argument that Apple’s security model is the only one that can provide security is not sufficient. Those making this argument need to also prove that the browser engine can only be secure when made by Apple.

And yet the entire history of computing, and especially the history of browsers, browser engines, and app engines in general, have consistently shown that no one company has a monopoly in being able to make secure browser engines, competitive pressure has helped security across the board, and non first party browser engine makers have often made far more secure browser engines than the first party makers.

Apple fans are obscuring the issue by shouting “security model”. The real question is why this security model is irrecoverably damaged by replacing a first party browser engine by a third party one.

And why Apple, at a time of much greater computing power, much more advanced computer science, and far more advanced in browser engine theory and technology, is unable to do what Microsoft was forced to do 2 decades ago.


> The argument that Apple’s security model is the only one that can provide security is not sufficient. Those making this argument need to also prove that the browser engine can only be secure when made by Apple.

I don't think they're making the argument that this is the only one that would work, but that's a silly statement to even debate. Just coming up with a hypothetical security model that might work, is a huge difference from forcing a company to implement it. They're arguing against the second one, the idea that they should be forced to do this, by way of stating the current system works. That doesn't require addressing hypothetical other systems. I also don't think such verification of hypothetical systems is even possible. We have trouble enough understanding the security of existing systems.


"The MacOS security model has not suffered as Apple asserts." What does this mean? macOS security has radically changed on a number of fronts since the introduction of the iPhone. E.g., sandboxing, notarization, script execution/Apple Events, file-system access, microphone access, video access. I have no idea what your statement means.



