Apple vs the Law

Somehow, Android manages to do it. Not only for browsers; all apps have JIT access without any entitlement/review needed.

It doesn't seem like the average Android user is worse-off because of that, security-wise.

And Android apps can be installed from apk files without any Google involvement whatsoever. All apks are self-signed anyway and signing identity only comes into play for updates, not initial installation. As in, when you first install an app, it doesn't matter who signed it, but installing an update over an existing app requires the new apk to be signed with the same certificate as the initial one. This is to protect the potentially sensitive data in app's private storage (under /data/data).

But iOS requires that everything be signed by Apple in one form or another. Even debug builds of your own apps you run on your own device from Xcode. IMO, it is absolutely unacceptable to market your devices as general-purpose ones, make the SDK public, but still be an intermediary in app distribution for no good reason whatsoever. I'm surprised the EU is so seemingly patient with Apple's clearly contemptuous conduct.

The average Android user is far worse off security-wise than the average iOS user, and it isn't even close.

How so? As of late, Android FCZC exploits pay out more than iOS ones do at the moment[1]. And anecdotally from what I hear from friends involved in security, Android is very well hardened at this point and is equal to iOS despite having a much wider surface area for attacks.

[1] https://opzero.ru/en/prices/

Average Android users are not targeted by exploits.

Would you say that's primarily due to JIT, or maybe due to the budget for security patches for most Android devices being a tiny fraction of what Apple has?

You missed my point. My point is that if Apple wants to add this now, it's going to cost them engineering resources.

You think side loading on Android cost Google "nothing" to implement and maintain? No, it costs them engineering resources to support that feature. It's a good feature to support and it's beneficial to users. But it's not free, it doesn't magically insert itself into the Android codebase if they "comment out an `if` statement" as the GP suggested.

Also, Android is gradually adopting many iOS-like permissions and security models. We recently updated our Android apps related to reading and writing to the file system. Why is that? Because the free-for-all they shipped with was heavily abused by developers.

Google engineered and maintains the system that allows you to install APK files. This is my point. The fact that they have developed a security model around APK updates is exactly what I'm talking about.

If Apple wants to offer something similar, now, they are going to have a lot of work cut out for them.

You're not thinking this through, it's not a magic button Apple presses. They are going to have to develop a ton of frameworks just to get something like installable APKs.

Apple allows developers to use iCloud and Maps for free. Presumably because you distribute through the App Store. So if they allow for side-loading they're going to have to lock down and split their App Store "services" into a separate framework — hey, sounds familiar? Just like Google Play services.

Separating out all of Apple's authentication layers, paid and cloud services, and ensuring apps can be cleanly distributed without dependencies on those things it not a trivial engineering exercise.

I'm not trying to imply that Apple should not comply with the DMA. I believe they should. I also believe that it would be a seriously complicated thing to extract their App Store services from their developer APIs in such a way that people could develop against a baseline SDK sans Apple services.

Sounds like they're better off then, since they're not getting targeted?

No, the threat to most users is losing their device, cloud backups, sensor permissions, and the like. The price of a remote zero click has nothing to do with whether your phone offers end to end encrypted cloud backups (which Android does not) or secure bioauth (remember when Android vendors shipped various insecure versions of face unlock before giving up on replicating Face ID?).