A few days ago, Epic Games filed a lawsuit against Apple, challenging the idea that the Apple App Store--with its high fees and limitation on promotion of anything that isn't an Apple product or payment mechanism--is the only way to distribute apps on iOS. cdn2.unrealengine.com/apple-complain…
To anyone who responds "Apple isn't a monopoly": the actual test of "monopolization" is merely having a "significant and durable market power", not a 100% share; anti-competitive behaviors--such as "tying" and "refusal to deal"--can clearly apply to Apple. ftc.gov/tips-advice/co…
On the "they should also be arguing with console manufacturers" front: we shouldn't forget that Epic has *also* fought back against ridiculous policies from Sony (which dominates the console market), and managed to force their hands on cross-platform play. onezero.medium.com/how-fortnite-b…
And to the "Apple is a great curator" idea: if you truly pay attention, it is a mixed and dangerous bag; *no entity* should have this much power; check out this talk I gave at Mozilla Privacy Lab for numerous examples of the dangers of centralized systems.
(While I am on that subject, I'm going to note my own, personal grudge: that Apple's centralized curation makes them a centralized point of failure subject to being a tool of totalitarian governments; I really loved @gruber finally calling them out on it.) daringfireball.net/2017/07/apple_…
(By setting themselves up as the centralized curation point of applications on all of their hardware, Apple has enabled countries like China to trivially ban the existence of any software they want, whether it be VPNs or applications to organize protests.) theverge.com/2019/10/9/2090…
(Oh, and before anyone tries to claim you can sideload applications using Apple's "free development" profiles, they have consistently worked to limit and cripple these mechanisms; in particular, you can't use this to sideload "network extensions", so Apple can entirely ban VPNs.)
(Meanwhile, Apple's insistence on getting "their cut" of all sales made on their hardware is fundamentally incompatible with a future of decentralized applications and anonymous money: the supposedly "pro-privacy" Apple has gone to war with these efforts.)
What makes Epic Games--and its founder, @TimSweeneyEpic--as "our champion" vs. Apple so exciting is they have the cash and the will to see this through; fighting Apple is almost impossible for most of us, as you need money for lawyers and expert witnesses. wsj.com/articles/why-f…
Which should remind all of us of another lawsuit currently ongoing with Apple: their attempt to crush @CorelliumHQ, the company which launched an iPhone virtualization service to enable security research without jailbreaks and automate testing of iOS apps. arstechnica.com/tech-policy/20…
This lawsuit is frankly egregious: after discussions to purchase Corellium broke down, suddenly Apple decided to sue them instead; then, as part of the case, Apple has thrown subpoenas far and wide, including at the parent companies of Corellium customers. forbes.com/sites/thomasbr…
In its most recent complaint, Apple continues to insist that @Pwn20wnd's usage of Corellium's product to help test and more rapidly develop the Unc0ver jailbreak for iOS 12 was an "unlawful end", entirely ignoring the USC Section 1201(f) interop exemption.
It is ridiculous that Apple insists "good-faith security research" "requires" "responsible disclosure"--a specific model that involves release deadlines--when Apple actually disallows security researchers in their program from using responsible disclosure!
(This is a place where I take particular issue: I know many people who believe in "responsible disclosure" and I work with many *more* people who believe in "full/simultaneous disclosure"; but I don't actually know any security researchers who consider Apple's model to be moral.)
Apple continues to insist they have "never pursued legal action against a security researcher"... but they *have* used the DMCA to take down research and even mere discussion of their platforms; the EFF once had to *file a lawsuit* to get them to back off! eff.org/deeplinks/2009…
What Apple does is cultivate a "chilling effect" on certain kinds of research: when @0xcharlie showed how easy it was to slip exploit code through iOS App Store review, he was banned from the Apple Developer program, so others would be too scared to probe. forbes.com/sites/andygree…
Apple claims to "recognize the critical role that members of the security research community play in Apple’s efforts to ensure its devices contain the most secure software and systems available", and yet they routinely ignore advice and downplay issues :(. threatpost.com/google-bug-hun…
When @i0n1c built a tool to detect malware installed on iOS devices, his application was pulled from the App Store; in a post, he noted Apple's notice "basically says: we do not want our users to have the impression iOS could have security holes. go away". fortune.com/2016/05/17/app…
Apple has gone so far in their attempts to downplay security issues that, in a public argument with Google's Project Zero, they attempted to spin an exploit actively being used as part of the oppression of Uyghur Muslims in China as somehow not important?! arstechnica.com/information-te…
The reality is that Apple has been so hostile to independent security research that they've lost their edge: exploits for Android now cost more than exploits for iOS, a reversal experts generally credit to Google correctly allowing researchers open access. wired.com/story/android-…
All the while, Apple and its employees show up at conferences like @BlackHatEvents and are welcomed with a speaking platform... even as they out-spend companies like Corellium on lawsuits to push judgements that limit the ability to *do* security research. 9to5mac.com/2019/06/27/app…
Companies which wish to speak at security events should be required to sign a non-action pledge on USC Section 1201--which isn't even about infringement: it is a potentially-unconstitutional law about "circumventing" controls and "trafficking" in tools--in order to submit a talk.
So yeah: I don't know if anyone else will agree with me that security events should not allow companies using USC Section 1201--or similar laws around the world: the US got this included in a WIPO treaty--to speak at their events, but if so: poke a conference organizer for me? ;P

Keep Current with Jay Freeman (saurik)
