Day 14 of #epicvapple. I feel a bit like a marathon runner entering the last few miles. The end is in sight, just have to get there.
Today's reporters are @mslopatto and @Siliconlaw. We're getting a few more expert witnesses from Apple today: UCLA's Dominique Hanssens; James Malackowski, CEO of Ocean Tomo; and Aviel Rubin from Johns Hopkins
YGR says she felt "too much stress" to watch the Warriors-Lakers game last night.
"I haven't decided what I'm going to do," YGR says. But "one or both of you won't be happy, so it's going to go to the court of appeals."
Apple's Veronica Moye calls UCLA's Dominique Hanssens
Hanssens is a professor of marketing who focuses on consumer behavior.
Hanssens was asked to survey U.S. iPhone users aged 13 and up. He also reviewed the work of Epic's survey expert Peter Rossi.
He did two surveys: one of users who visited the App Store and one of users who play Fortnite. In the second survey, he focused mostly on boys since they tend to play Fortnite more. For the users under age 18, they obtained parental consent for them to participate
The main goal of the App Store survey was to find out the extent to which they used other electronic devices, Hanssens said. He also wanted to know if there were other devices they could use but choose not to.
The focus is on the recurring behavior, not the frequency, he said. They asked about device availability, ie present in the household or at work.
Available would include devices owned by other members of a person's family. An individual might not use it, but it is there, Hanssens says.
In the Fortnite survey, they wanted to find out availability of other devices on which they could play games, he says.
In the first survey, Hanssens says 92% of respondents had another device available they regularly used. 
In the Fortnite survey, Hanssens said that 97% of respondents had another device and 94% said they had used it to play games in the last 12 month
Anyone who said they had access or used a Windows phone, he excluded. He also took out anyone who took less than 2 minutes or more than 16 minutes to do the survey.
Epic's expert Rossi didn't ask about regular use, just use. But Hanssens said Rossi's results were consistent with his.
Rossi asked about a hypothetical scenario. And he didn't pretest his final survey questions, Hanssens said. His failure to pretest that may have impacted his results, Hanssens says.
In an earlier version of the survey, Rossi used language that was "forward-looking" about what a user would do in the future. In the final version, he used a "backward-looking" scenario, Hanssens said.
That backward scenario conflates ideas and might impact how users respond, he says. It increases the percentage of people who would be "Stickers," meaning they would keep the same behavior.
Twice as many people said they didn't know in the final survey as they did in the first two versions of Rossi's survey, Hanssens says.
Also, the number of people who said they would stick significantly increased between the first two versions and the final survey, Hanssens says. It likely reflects "yes" bias, the likelihood that respondents say yes to go along with the survey questioner.
Hanssens said all he did was ask users about availability and usage, whereas Rossi used a hypothetical about price increases. He doesn't think Rossi's results are reliable.
Moye is done. Epic's Lauren Moskowitz is now up for cross.
Hanssens says he would not consider himself an expert on general survey design. He also does not remember whether he has previously done a survey on smartphones.
Hanssens said he didn't know what a SSNIP test was before he was deposed in this case (small, but signficant non-transitory increase in price). So he was not aware his survey was going to be used for that purpose.
Hanssens asked respondents about device availability over the past 12 months. But he agrees he didn't ask them whether they currently have that device available, so it's possible they don't have it now.
He also didn't ask about whether respondents were willing to move to another device.
Moskowitz says an example Hanssens gave was a device used by a member of their family or one owned by a friend. He agrees.
So available for regular use could have meant asking your friend could I use your phone to make a call or check my email, Moskowitz says. Hanssens agrees. He says he wasn't asked to determine what they were using it for, only availability.
Hanssens says his survey is about usage not ownership. Moskowitz is now drilling down into some of the numbers.
Professor LaFontaine used those numbers to say that "most iPhone users have access to other devices." Moskowitz says she is implying they currently have access but Hanssens survey doesn't imply that.
In its opening statement, Apple used the 95% regularly used or could have regularly used but doesn't qualify that to indicate Hanssens survey doesn't indicate current availability, Moskowitz says
You didn't ask survey respondents whether they use the game console to play games, Moskowitz says. Hanssens said if a survey user said they have a game console he assumed they used it to play games. He said he doesn't know whether they used it to use Netflix, for example
"I didn't test it because these game consoles are designed specifically for games," Hanssens says.
Moskowitz is pointing out that the highlighted areas, he assumed they played games but didn't ask directly.
Hanssens didn't offer a definition of "regular use" or "regularly," but left it up to survey respondents to decide what they thought it meant.
Moskowitz says he doesn't know how frequently they use the device. Hanssens agrees. He thinks its unlikely that a respondent would say they regularly use a device if they used it only once a year.
In his pretest, Hanssens didn't specifically ask if respondents were confused by "available to use." One respondent said in the pretest he thought it was vague.
Hanssen did not change his survey at all in response to the pretest, he confirms.
Hanssens said he didn't do any research on how consumers think about the difference between a computer, smartphone and tablet. He owns a Microsoft Surface and said he would check both computer and tablet if asked.
Hanssens acknowledges he found this result "surprising" considering Windows phones are no longer sold
In response, Hanssens then excluded any respondents who said they had access to Windows phones. Meaning he cut out 30 percent of his respondents. Moskowitz says that was 151 of the 500 respondents.
That meant he also cut 43% of his respondents in the Fornite survey.
Moye is now back up for re-direct.
When using a hypothetical, its more important to do a pretest, Hanssens agrees. The switch from forward to backward looking created more confusion, he says.
Moye is asking about the Microsoft results. Hanssens said when he took those numbers out, his results were the same. Microsoft now has a phone market, so survey respondents might have been referring to that.
Regularly used is not ambiguous in the context of his survey, Hanssens says. It's a common English language term and he wanted survey respondents to define the term themselves. "I did not want to impose a certain frequency cycle on them," he says.
Hanssens says he drinks coffee every day and goes to the dentist four times a year. He would say he does both regularly. He wanted the respondents to decide what it meant to them.
Hanssens said he didn't think it was necessary for him to ask if a user plays games on a game console because it's what they are made for and he didn't want to ask something that obvious.
Hanssens says he didn't read LaFontaine's testimony or listened to it, so he's not in a position to asses how she used his data.
It would not be appropriate for him to have spoken with LaFontaine before he did his survey because it might have impacted him, Hannsens says.
Hanssens says he is an expert in marketing surveys, and the survey he was asked to do here would fall into that category.
Hanssens is done now. Apple's Richard Doren calls James Malackowski.
While they are waiting, Doren notes that the judge didn't say hello to Phil Schiller this morning when going over who was in the court. YGR says good morning to Schiller.
James Malackowski is CEO of Ocean Tomo oceantomo.com/team/james-mal…
Malackowski started working at a litigation damages firm. At age 25, he started an IP boutique. He moved into venture capital, and then started Ocean Tomo 18 years ago.
His company has 65 employees who focus on IP valuation. He works with LES, the Licensing Executive Society, "a group you probably have never heard of" (Note: I have, I've even been to their annual conference, what does that mean about me?)
He's also a certified CPA.
Malackowski has testified more than 50 times. He has actually testified before YGR before (Netlist v Diablo). She apologizes but doesn't remember him.
At its core, IP is a tool for economic development, Malackowski says. It encourages the investment needed to innovate.
If you are running a business and it needs investment, you need to be able to predict the return while be, Malackowski says. He is familiar with the DOJ/FTC guidelines on IP and antitrust.
We are now looking at them: ftc.gov/system/files/d…
Doren is reading from this graph, the sentence about "free-riding"
Malackowski says he reviewed Epic's experts and they don't discuss the intersection of antitrust and intellectual property. "Not in any way"
Malackowski said he was tasked with looking at the iOS "innovation footprint."
Malackowski says Apple has substantial investment in intellectual property, developers including Epic have used it, and Epic's request for an injunction would require a "compulsory license" for Apple's IP
Malackowski used SEC filings to graph out Apple's R&D spending. Apple has spent in excess of $1.1 billion.
Apple's U.S. patent grants and applications, from Malackowski. There are 25,000 patent assets on the chart, he says.
The applications are an indication of future innovations since those are for technologies still being developed, Malackowski says.
"Apple has a significant and sustained commitment to innovation both through investment" and IP, he says.
Malackowski said he did additional research on technology underlying the iOS ecosystem. He (and his staff) manually reviewed 3,500-4,000 of Apple's patents
Malackowski is now looking at this: apple.com/legal/intellec…
There is a connection between the R&D dollar, the intellectual property and the products on the market, he says.
He has a demonstrative he's looking at that I don't have, but it's based on this section of his report
Morning break now. Back in 20.
Back now. Malackowski is still on the stand.
They are now looking at a specific patent that relates to Metal.
Now another patent that relates to UIKit patents.google.com/patent/US86202…
Malackowski says he identified 4,900 copyrights and 1,500 trademarks that relate to the iOS platform
Malackowski went through various APIs and identified the number of patents or patent applications that relate
Now Malackowski is describing a graph that has the growth of apps in the App Store. It has grown more than than 500%, he says. 2011 was an "inflection point" for the App Store.
Apple's investment and innovation has benefits for consumers, Malackowski says, because it has given them a "diversity of choice" in apps. There have been hundreds of billions of app downloads.
There has been "consistent, sustained" growth over the 2010s, Malackowski says. There is a relationship between that investment, the protection of IP and consumer use.
Malackowski is looking at a court filing in which Epic identified various APIs it uses in Fortnite.
Epic acknowledged it used various SDKs to make Fortnite available on iOS and Mac. "You can't not use them if you want to be on the platform," Malackowski says
Based on those documents, Malackowski found that Epic has used 285 Apple U.S. patents and applications
As the owner of this IP does Apple have the right to exclude others from using it? Doren asks. Absolutely, that is the core grant of the Constitution, Malackowski says.
Now looking at the Apple Developer Agreement. It offers a "limited" license to use Apple's IP, Malackowski says.
The Apple Developer Program License Agreement allows additional use of APIs and SDKs in exchange for $99, Malackowski. It offers a limited license to Apple's IP and requires apps go through app review and be solely distributed through the App Store, he says.
Over the course of his career, Malackowski says he has seen more than 1,000 IP licensing agreements. Apple's DPLA is standard for what you would expect to see for use of IP, he says.
Malackowski says he looked at Epic's requested relief: They are asking for a defacto compulsory licensing agreement without payment and it would harm innovation. It would take away Apple's control and provisions in its license agreement
It would impair Apple's IP because they would no longer receive compensation negotiate for use of the IP. They would be compelled to continue to support Epic in its store. This would be you can use my stuff and I have to keep performing for you now and forever, he says
Going back to the DOJ/FTC IP guidelines, Malackowski says Epic's remedies would allow it to "free-ride" on Apple
Epic's request remedy does not take into account Apple's right to compensation for its IP, Malackowski says.
Epic's remedy "would increase Apple's costs, reduce compensation and reduce incentives to innovate through defacto compulsive licensing," Malackowski says.
Epic's Lauren Moskowitz is now up for cross.
Moskowitz is asking Malackowski about cases he testified in where courts found his testimony was "unreliable," "methodologically flawed" and "improper"
Malackowski was in one of the Oracle v Google copyright matters. The court determined his opinion was "contrary to the facts"
(Sounds like he represented Oracle in that dispute)
We're up to five cases now. As I don't cover patent cases, not sure if that's a lot of disquals or not. (He said he has testified in about 50 cases)
Ok, so he's been disqualified in six out of about 50 cases where he was hired to be a testifying expert.
Malackowski says he did no do a financial evaluation or appraisal of Apple's IP. He didn't try to put a "dollar amount" on Apple's IP, Moskowitz says. He agrees.
Malackowski acknowledges he did not chart Apple's R&D relative to its revenue, profit, market cap or total assets. He also didn't look at how it compares to other companies.
Malackowski says he didn't try to disaggregate Apple's R&D into specific products. It's appropriate to include all Apple IP in your analysis? Moskowitz asks. Malackowski says yes because it all works together.
You did not quantify Apple's investments specifically associated with the App Store? Moskowitz asks. Malackowski agrees.
Malackowski acknowledges that the specific cost of development of the App Store was not the basis for the 30 percent commission.
Malackowski agrees that the $99 developer fee and the $299 fee for enterprise provide some return to Apple on its investments. It also makes profits from its devices, he says.
Malackowski says he didn't try to come up with a calculation on what would be a fair return to Apple for use of its IP. It wasn't within his assignment, he says.
If I were a developer who wanted to know what Apple IP I was using, I would not find it in the DPLA, Moskowitz says. He agrees. Apple did not have a list of what patents it is licensing in connection with the DPLA, he confirms.
There does not exist a list what IP is being licensed subject to the DPLA, Moskowitz agrees. He also agrees that a licenses should generally include what is being licensed in it.
The agreement doesn't talk about any specific IP, Moskowitz says. He agrees. Is it your position that the entirety of the IP mentioned in your testimony is licensed under the DPLA? she asks. No, he says.
Malackowski identified the patent, patent applications and trademarks by searching the USPTO system.
Malackowski said there were 165 patents that relate to the App Store. Moskowitz says those patents reference the App Store.
Malackowski says he or his team reviewed all the patents. Most of the review was done by his team. It is technically possible that a patent references the App Store but does not relate to it, he agrees.
They are now looking at the spreadsheet of Malackowski's patents he says relate to the App Store.
One of the patents in his spreadsheet is a design patent related to the graphical user interface for the display screen. Malackowski says “generally app developers are not using Apple’s design patents.” He says this might be included in the license for the DPLA
The patent itself only uses the word's App Store near the end where it says “The App Store trademark is the property of Apple.”
Now looking at this patent: System for determining the quality of sleep patents.google.com/patent/US10368…
Malackowski confirms this patent is in his list as ones related to the App Store.
Malackowski says he doesn't agree that this patent doesn't relate to the App Store. "This would be an example of a tool that is made available" to developers by Apple.
Malackowski said there are about 1,500 trademarks. He doesn't believe those are licensed to developers in the DPLA. How does a developer know if its licensed to use a specific trademark? Moskowitz says. Malackowski said developers would need to talk to in-house team at Apple
Malackowski says he doesn't believe the trademark term "There's an app for that" would be covered by the DPLA.
Did you study the specific developer use of APIs outside of Epic? Moskowitz asks. No, Malackowski says.
She asks about WebKit, which is based on open-source. Malackowski found 62 Apple patents that relate to Webkit. He says he was focused on the Apple portion not the open-source portion.
Not even piece of code or API is protectable under IP law? Moskowitz asks. Malackowski agrees. Some API is subject to fair use, she says. He also agrees. Google v Oracle at the Supreme Court is one of those. He agrees.
(I've been waiting for this to come up for 14 days!)
You did not try to determine whether any of Apple's APIs are subject to fair use? she asks. Correct, Malackowski says.
Returning to the discussion of free-riding: You don't know the reason Apple prohibits stores within stores was tied to IP? Moskowitz asks. Malackowski says he believes Apple's witnesses have testified to that in this trial. He doesn't know if they said directly.
You don't have evidence or documents that shows the reason Apple didn't allow sideloading was to protect IP? Moskowitz asks. Malackowski says yes, Apple wants to protect its IP investments. He can't recall any documents that use that specific language.
Malackowski says some of Apple's trade secrets might be licensed under the DPLA. He also agrees there's no time limit on which Apple gets a commission.
Intellectual property rights are not immune from scrutiny under the antitrust laws, Malackowski agrees.
Apple's Doren is now back up. YGR says that Epic has 3 hours and 10 minutes left in the trial.
Doren asks Malackowski to define a portfolio license. Some patent agreements are asset specific and others are for a company's entire portfolio, he says. The DPLA is a portfolio license, he says.
Porfolio licenses are useful because companies are getting new IP all the time. It gives a broader right of access, he says.
The majority of ongoing, cooperative agreements are portfolio licenses, Malackowski says. Apple requires the app review and distribution through the App Store as conditions of the DPLA, he says.
Malackowski defends including that sleep patent in his analysis. "It is describing an invention they may use," he says of app developers.
In patent cases, motions to disqualify experts are always filed, Malackowski says. He has provided trial testimony more than 50 times and been deposed more than 200 times, he says.
Apparently we're going to discuss why he was disqualified in each of the six case. 💤
Only a portion of his testimony was excluded in Oracle v Google, he clarifies. He's been involved in 8 trial in Northern District of California.
Fair use is case specific, Malackowski says. He has also been retained by Cravath, the law firm that is representing Epic. He has spoken at their law firm summit on IP issues.
"I may not be invited back again since you're asking about it," Malackowski says.
No questions from YGR. Malackowski steps down.
Apple's next witness is Aviel Rubin of the Johns Hopkins University Information Security Institute.
Not sure who is questioning. Best guess Jason Lo. @Siliconlaw or @mslopatto do you know?
Rubin is a computer and network security expert and has founded two companies.
Rubin says he was asked to look at the app review process and the App Store distribution model and determine if they have an impact on security, privacy, reliability and trustworthiness.
Apple's app store review and centralized distribution model offers "significant benefits," Rubin says. There are lower infection rates of malware and a lower volume of infectious apps in the App Store, he says.
And with that we are breaking for lunch. Back at 1:15/4:15 pm.
We are back. Apple's Richard Doren is back up. Epic wants to call an Apple employee as a rebuttal witness. Epic was "intentionally and provocatively" late in telling Apple about it.
Epic's Katherine Forrest says they were thinking of calling Wenke Lee and Nancy Mathiowetz as rebuttal witnesses tomorrow in response to Apple's experts Rubin and Hanssens.
There was some discussion with Phillip Schiller about in-app commerce before IAP was introduced, Forrest says. If developers could have done commerce before IAP, it would have increased the cost, she says.
Epic offered some documents to try to refresh his recollection that a number of companies had used in-app commerce before. And Schiller also said he disagreed with Steve Forstall.
"This sandbagging pure and simple," Doren responds. He's actually starting to sound angry, with is unlike him. "Now is not the time to kick this door open."
"This is what we're going to do. You are going to give me the documents and I'm going to look at the proposed findings of fact. Tell me which findings of fact you think is misleading," YGR says.
Epic's Katherine Forrest says they thought they were going to have to call a third-party developer to testify about this tomorrow. And realized they could do it through business records instead, she says.
"If it was so critical, you would have been prepared for it," YGR says. "You knew it was an issue on the 14th and the 17th. It is an issue I highlighted I have to figure out. I don't if Apple is trying to hide anything. Or if you are so shocked at their response."
"At most I will allow the documents in. No rebuttal witnesses," she says. "Let me see the documents and I will evaluate them."
Forrest says she wants to make clear that she was surprised Schiller denied this and so she had to cross examine him on the fly. Doren says he said that in his deposition.
And now back to Rubin. Apple's Jason Lo is up for questions.
Multiple app stores is a situation where the developer has options of where to publish their app and consumers can choose where they want to get it from, Rubin says.
Android uses multiple app stores and direct distribution, Rubin says.
The central model is where there is only one app store and users have to use it if they want to get apps. Apple uses the central model, Rubin says.
For the centralized model, phones need to be set up so they only receive apps from the central app store, he says. If you have direct distribution model, a phone has to be configured differently.
Direct distribution doesn't involve an app store and developers can send directly to users. A malicious developer can directly send a bad app to users, Rubin says. Because these phones are enabled this way, they can infect other phones and other users.
With multiple app store distribution, a malicious developer sends its app to 4 different app stores, Rubin says. App store #2 and #5 might send it out; app store #3 and #6 catch and blocks it.
Rubin runs through some malware techniques: Malicious developers often send out an app to multiple stores to increase the chances it gets out (multiple listings). They can also create more than one version, where the first is benign but subsequent ones are malicious.
Another technique: the first version is fine but then when it's updated it becomes malicious. Imposter apps: a developer creates a malicious app and makes it look like a well-known legit app. Imposter store: malicious actors create a whole new store to distribute imposters
User infection refers to when a user infects others with a malicious apps, Rubin says. If app store distribution there might be competition and stores could increase security, Lo says. That's not what we observe when we look at the data, Rubin says.
A centralized app distribution model has advantages because the same security policy is applied to all apps that come in, Rubin says. It prevents a lot of malware.
Nothing is going to be perfect when you talk about software security, Rubin says. The goal is not perfection but to do as good a job as possible.
With a centralized model, if a malicious app gets through, the app store can change its app review to block those apps or developers. It allows for dynamic changes to security, Rubin says.
In centralized distribution, you always get the information. In a multi-store model, the information might not be shared to ensure adjustments are made, he says.
Rubin is going to run through some reports that offer data on malware and security. (That Nokia study that got mentioned a few times by Federighi is one of them)
The first is the 2020 Nokia Threat Intelligence study. nokia.com/networks/portf…
Rubin says Nokia makes devices/software to block malware. He's explaining the concept of a "honey pot," a server with an undisclosed IP address. Nokia uses them to check out new malware.
Rubin is reading the numbers from 2020.
YGR asks: couldn't that be because there are more Android devices. Rubin says there are 3x as many Androids as iPhones. You'd expect there to be about 5 percent of devices infected then not 26 percent.
YGR: IoT, the internet of things. What do you understand that to be. Rubin says this is where most of his research focuses. It's things like smart appliances. It's not very well controlled for updates.
Rubin then points to this graph in the Nokia report: Android's higher infection rate is on account of the fact that there are many app stores while iPhones are limited to the App Store.
Next moving on to RiskIQ Mobile Threat Landscape report. riskiq.com/press-release/…
RiskIQ monitors "black-listed apps" -- ones that are known to be malicious.
Now showing this graph from the RiskIQ report
Apple did not make the list because it didn't have enough black-listed apps to register, Rubin says.
The report refers to Apple as "Fort Knox," Rubin notes.
RiskIQ report also has a list of the app stores with the most blacklisted apps, Rubin notes. The higher the concentration of malicious apps, the more likely you are to get a malicious app, he says. These are all Android app stores.
YGR: can you tell me anything about this company, RiskIQ? How can I be sure it's not biased. Rubin: it's well-known and other sources cite it. YGR: Do you know its funding? Rubin: I think they are an independent company.
Now a study by PurpleSec. Rubin says that PurpleSec found that 98% of attacks happen because of social engineering, ie malicious attackers get users to participate in the attack.
Social engineering are the kind of attacks that cannot be stopped on a device because they are tricking the user, Rubin says. That's why human review is important.
The studies I looked at reinforced the conclusions that the app review process and central distribution will result in lower infection on iOS devices, Rubin said. I chose these reports because they had solid methodologies. He said no reports showed the opposite conclusions.
Some stores are ad-based, meaning they make money based on getting traffic, Rubin says. An app store that is based on getting eyeballs to see ads is not likely to devote as much time to security, he says.
A lot of these stores have malware and adult content on them, Rubin says. A study he cited found a correlation between the type of content in an app store and malware. It's more prevalent where there's adult or "other inappropriate" content, he says.
Rubin says he spoke several times to Kosmynka and looked at Apple documents. He also looked at Google's process in the Google Play Store. (Some of that info is confidential)
Rubin said he saw statistics on human app review and internal evaluation by Google. Apple's app review looked at more apps with human review and he found their process was more effective.
Lo is done. Epic's Brent Byars is now cross examining.
Rubin is a chief scientist at Harbor Labs, he confirms. Most of the cases he has testified in before relate to patent cases, and he has worked on cases for Apple. harborlabs.com
Rubin says he agrees that James Mickens is an expert in computer security and that he is qualified to offer an opinion on this subject.
(I did notice that Rubin is one of the few experts who hasn't trashed the other side's expert)
Rubin agrees that non-iOS systems have less secure protections. If the sandboxing is weaker in Android, that could contribute to that, Rubin agrees.
Rubin talks about a Man-in-The Disk (MiTD) vulnerability, which has to do with the Android's external storage in his report. Rubin acknowledges that iOS devices don't have external storage, and so would likely not be vulnerable to that.
Android is more fragmented than iOS and that fragmentation makes it more attractive for malware, Rubin agrees. Byars says Epic isn't asking for iOS to be licensed. "I have been very confused about what Epic is asking for," Rubin says.
Several things could be contributing to more malware on Android, Rubin agrees. Google Play is banned in China and so there are many other Android marketplaces in China, Byars says. Epic is not asking for the App Store to be banned, he says. Rubin agrees.
Back to the Nokia report. Byars is asking about this.
Byars says its not possible to use this to compare iOS to Mac. Rubin says he assumed Mac would be in PC/Computer but he doesn't know.
Byars points out that this graph on the previous page says "Monthly mobile infection rates since January 2019" but it gives information starting with 2017
Rubin says he didn't notice this inconsistency till just now, so he didn't discuss it with Nokia.
Byars says the percentage is around 0.20%. Rubin agrees. He also reads from this paragraph
Byars asks him about this Top 20 chart in the same report that reported malware associated with Mac. Rubin said he's unfamiliar with it.
Byars asks Rubin to look at an email between Apple employees including Phil Schiller and Craig Federighi. The email mentions Shlayer
Byars reads a paragraph from this Wired article wired.com/story/apple-ap…
Rubin's report didn't address notarization, he confirms.
Rubin spoke with several Apple engineers to inform his report. Rubin said he did not discuss whether Apple had performed a formal security analysis before the iPhone was brought to market or whether it developed a threat model.
Rubin acknowledges that Macs have built-in cameras and microphones, but says "I think its pretty clear your phone is with you in more sensitive times than your Mac." He agrees that people use it for confidential work and have them in their living rooms, though.
People can sync information between their iPhone and Mac like photos, contacts, messages. And people store passwords and credit card information in iCloud, Rubin agrees.
Rubin agrees the most sensitive information like biometric data is kept in a "secure enclave" on the iPhone. Mac computers also have a "secure enclave" that have TouchID, Byars says.
Rubin said he didn't do a review of the privacy or security of apps that have passed app review. He didn't address comments by the lead of Apple's FEAR team that app review is like bringing a butter knife to a gun fight or little more than TSA at the airport.
Other app stores could implement human review, Rubin agrees though they wouldn't have Apple's knowledge base and familiarity with its own systems
Rubin says he doesn't think there are too many companies that would be willing to put in the resources, but he hasn't done a study of what it would require
He said he did compare the resources that Apple puts into its human app review to how Google does app review. Byars reads from his deposition where he said he didn't compare those. Rubin said he would revise that answer now
Rubin says he doesn't know the financials behind how much Apple puts into human app review.
Rubin says some people will blame the devicemaker for a bad app on the phone. He used the shaking baby app as his example in the report.
Byars says he has 20 minutes or so left. So YGR excuses Rubin for the day. He will resume after Apple CEO Tim Cook testifies tomorrow.
We are done for today.
• • •
Missing some Tweet in this thread? You can try to
force a refresh
