Apple witness says company would need to modify software, hardware to support third-party ...

Posted in General Discussion, edited April 2021
A witness in the Apple v. Epic Games case says that the Cupertino tech giant would need to redesign its software and hardware to allow alternative app stores, though some are doubtful about the claim.

Credit: Epic Games


On Wednesday, Apple filed summaries of its expert witness reports, including a rebuttal from Dr. Daniel L. Rubinfeld that claims that Apple would need to "redesign its hardware and software ... to make the iPhone interoperable with alternative app stores and with apps that would not qualify under Apple's app-review guidelines."

That statement, shared on Twitter by FOSS Patents founder Florian Mueller, elicited a strong reaction from Epic Games founder Tim Sweeney.

That's baloney! iOS already has a mechanism for users to install apps from the web - the Apple Enterprise Program. Only contractual limitations prevent it from being used for consumer software distribution. https://t.co/TfUN3rqHTm

-- Tim Sweeney (@TimSweeneyEpic)


Mueller, for his part, added that he has previously used methods to install apps on iOS devices outside of the App Store. While the method works without requiring new hardware, he says that it is "made unnecessarily cumbersome by Apple," noting the company requires developers working with alternative app stores to store a list of unique device IDs (UDIDs) in an app itself.

"In order to find out one's UDID, one has to connect an iPhone or iPad to a MacBook with a USB cable and open the iTunes app; copy the UDID; paste it into a message to the developer; and the developer then has to actually integrate it into the app package. That's obviously not an option for large-scale distribution," Mueller wrote in a blog post.

The requirement to store UDIDs within an app is a policy guideline, which Apple could conceivably lift at any time. Apple also requires developers to build a store app and distribute it via TestFlight, which comes with other limitations.

Mueller also cast doubt on another statement in an Apple witness report provided by James Malackowski that claims the App Store itself is referenced in more than 250 U.S. patents and patent applications.

According to Mueller, that's "meaningless," since references to the App Store don't necessarily indicate that the marketplace is protected by patents.

The Epic Games v. Apple case is set to go to trial on May 3.

Comments

  • Reply 1 of 17
    "In order to find out one's UDID, one has to connect an iPhone or iPad to a MacBook with a USB cable and open the iTunes app; copy the UDID; paste it into a message to the developer; and the developer then has to actually integrate it into the app package. That's obviously not an option for large-scale distribution," Mueller wrote in a blog post.

    Yup. And Mueller is being completely disingenuous by pretending that that limitation doesn’t help prevent the distribution of untracked stealth software. Think malware, scam ware, software used to coordinate extremist activities, human trafficking, bullying, money laundering, and hostile state actors (including your own). You know … what the internet already provides. If it’s so cumbersome, where is Mueller’s proposed alternative? 

    And yes, it prevents developers from directly distributing software, or opening up ‘alternate’ stores. And here again is the disingenuousness —not recognizing that established entities will reproduce their existing store dynamics. That means more malware, more copy-cat apps, more crap-ware, more marketing of questionable content to kids, and a race-to-the-bottom mentality that’s meant to undercut any (especially smaller) competitors until a stranglehold can be established. Game stores in particular are yet another cash grab by these companies — you’ve seen them do it over and over again, so it boggles the mind how these corporate parasites are now re-born as freedom fighters for the common person.

    Oh, and one more thing, since Sweeney mentioned MDM distribution without naming it by name … ask him if it’s company policy to allow rank and file members to side-load apps or if it’s closed in order to protect against a corporate data breach. That will tell you all you need to know about how much of a liar he really is. 
    edited April 2021
  • Reply 2 of 17
    docbburk Posts: 109 member
    Well started.  Sweeney is so full of himself and BS.  I guess he thinks we aren’t smart enough to see through his giant stream of BS.  Allowing him to get his way will actually make our phones less secure.  No thanks.  If I wanted that, I’d get an Android.  I hope the judge sees through his crap screen too. 
  • Reply 3 of 17
    The sooner Epic gets this swindle thrown in their face the better. They simply want everyone workforce them To do what's best for them. I mean, if they just admit that it would be a good start. But pretending they are looking out for any greater value is what makes me most angry. 
  • Reply 4 of 17
    Beats Posts: 3,073 member
    Imagine spending years of hard work inventing a hardware and software platform that changes and builds the world only to have a person who benefits from your blood, sweat and tears demand you engineer and change your products to fit his selfish narrative and profit off your hard work without giving a penny...
  • Reply 5 of 17
    Beats Posts: 3,073 member
    The sooner Epic gets this swindle thrown in their face the better. They simply want everyone workforce them To do what's best for them. I mean, if they just admit that it would be a good start. But pretending they are looking out for any greater value is what makes me most angry. 

    It’s like inviting someone to dinner and then the next day he demands you fix your yard so he can set up a yard sale for himself. Without paying you a penny, forever.
  • Reply 6 of 17
    ppietra Posts: 288 member
    Being able to install apps outside of the AppStore  doesn’t mean that the System supports another store from another company, it only means that Apple supports some of its signed developers doing distribution, with Apple keys.
    Another store would have its own security mechanisms and its own keys, which means that Apple would have to make sure that the system supports different app management, keys from different stores, etc! Probably Apple would want to change hardware to make sure that its own keys aren’t compromised.
  • Reply 7 of 17
    Mueller is at least knowledgeable about this sort of thing, but he comes from an open source background. He has declared his intentions to only publish Android apps because he disagrees with the Apple approach. He's right that the MDM approach isn't suitable for widely-distributed software (this is by design!), but I would have expected him to recall the Facebook brouhaha involving their "Enterprise" software certificate being used to bypass App Store restrictions (e.g. https://www.cnbc.com/2019/01/29/facebook-paying-users-to-install-app-to-collect-data-techcrunch.html) - so it's definitely possible if the end result is valuable enough to you.

    And, oddly enough, I agree with Tim Sweeney on this single point - it is technically feasible for Apple to allow Third Party App Stores by using the Enterprise Developer Program. But I wouldn't want Apple to be forced to change that Program because of the safeguards it provides - the user must explicitly accept that they do not have full control over their device with respect to the apps that can be installed on it. Ironically, users need to implicitly accept that they don't have full control over their device anyway when they buy it. But the key point is that users make an informed choice, both at point of purchase and at the point of profile installation (although, frankly, for corporate use it's far better to have the corporation own the device and simply make parts of its functionality available to its employees).
  • Reply 8 of 17
    ppietra Posts: 288 member
    Mueller is at least knowledgeable about this sort of thing, but he comes from an open source background. He has declared his intentions to only publish Android apps because he disagrees with the Apple approach. He's right that the MDM approach isn't suitable for widely-distributed software (this is by design!), but I would have expected him to recall the Facebook brouhaha involving their "Enterprise" software certificate being used to bypass App Store restrictions (e.g. https://www.cnbc.com/2019/01/29/facebook-paying-users-to-install-app-to-collect-data-techcrunch.html) - so it's definitely possible if the end result is valuable enough to you.

    And, oddly enough, I agree with Tim Sweeney on this single point - it is technically feasible for Apple to allow Third Party App Stores by using the Enterprise Developer Program. But I wouldn't want Apple to be forced to change that Program because of the safeguards it provides - the user must explicitly accept that they do not have full control over their device with respect to the apps that can be installed on it. Ironically, users need to implicitly accept that they don't have full control over their device anyway when they buy it. But the key point is that users make an informed choice, both at point of purchase and at the point of profile installation (although, frankly, for corporate use it's far better to have the corporation own the device and simply make parts of its functionality available to its employees).
    Sorry but what you are describing uses only Apple’s cryptographic keys and certificates that Apple distributes to each developer in its developer program. A new store cannot operate using only one app developer certificate, it would have to have its own set of keys and different certificates for each app on their store, different from what Apple uses; which means that the system would need to be redesigned in order to recognise and trust apps from different stores, and each store app management implementation, if we want to maintain an identical level of security. We can argue whether it’s a lot of work or not, but the fact is it isn’t like what these guys are describing, just remember that the system was designed with only one entity that could be trusted - Apple. MDMs and everything else rely on that!
    Apple would have to completely review the system security to account for these kinds of changes, since a lot was done without accounting for this level of flexibility!
    edited April 2021
  • Reply 9 of 17
    qwerty52 Posts: 367 member
    Beats said:
    Imagine spending years of hard work inventing a hardware and software platform that changes and builds the world only to have a person who benefits from your blood, sweat and tears demand you engineer and change your products to fit his selfish narrative and profit off your hard work without giving a penny...

    Absolutely, and still making money on top of it.
  • Reply 10 of 17
    aderutter Posts: 604 member
    You are both right.

    A new store for multiple apps would require a new key/certification mechanism. Apple’s key/certification process could be used for the new app-store app that provides access to other apps, but a new key/certification process would be required for apps within that new store.

    However, at present the Enterprise route does allow developers to create apps that can be distributed via the web to any user in the world - a list of UDIDs is not required - Mueller is wrong. This does of course contravene/break the agreement with Apple - as Enterprise apps are for use within an organisation and not for public distribution.

    It does require the person who has downloaded the app to go into settings and “trust” the certification/profile though. Oh, and TestFlight is one option, not the only one, so is actually unnecessary. How do you think people did enterprise development before Apple bought TestFlight? So Sweeney is kind of correct technically but I still think Epic are totally in the wrong morally, hope they lose big-time.

    As said above, a totally new key/certification mechanism would be required for a new additional app-store : I guess Epic would be happy to develop and provide that if they are the new owners of the new additional app-store.
  • Reply 11 of 17
    ppietra Posts: 288 member
    aderutter said:
    You are both right.

    A new store for multiple apps would require a new key/certification mechanism. Apple’s key/certification process could be used for the new app-store app that provides access to other apps, but a new key/certification process would be required for apps within that new store.

    However, at present the Enterprise route does allow developers to create apps that can be distributed via the web to any user in the world - a list of UDIDs is not required - Mueller is wrong. This does of course contravene/break the agreement with Apple - as Enterprise apps are for use within an organisation and not for public distribution.

    It does require the person who has downloaded the app to go into settings and “trust” the certification/profile though. Oh, and TestFlight is one option, not the only one, so is actually unnecessary. How do you think people did enterprise development before Apple bought TestFlight? So Sweeney is kind of correct technically but I still think Epic are totally in the wrong morally, hope they lose big-time.

    As said above, a totally new key/certification mechanism would be required for a new additional app-store : I guess Epic would be happy to develop and provide that if they are the new owners of the new additional app-store.
    "Apple’s key/certification process could be used for the new app-store app"
    No, it couldn’t, because the system only recognises Apple certificates and keys, it would be unable to recognise any new certification process, and with what you are saying all apps from that kind of store "arrangement" would all be using certificates issued to the same developer, and continue to use Apple’s key.
    The enterprise developers can deploy their own apps but those apps also get Apple certificates, they are not able to implement an independent certification, nor manage an independent pool of developers that would be created with a new store, nor independently manage whatever security issues might arise with one developer or app.
    For any of this to work the app management security would have to be overhauled.
  • Reply 12 of 17
    EsquireCats Posts: 1,268 member
    Side loading an app designed to run with the current generation APIs is not the same as offering an alternative app store that needs to support legacy code and hardware into perpetuity.

    At the moment when Apple makes changes to the system, developers are given a countdown to update their apps, however this is not seen as harmful as it affects Apple’s own app store. Now should Apple levy this kind of change to a 3rd party app store it would be seen as deliberately harming competition. Just look at Steam on macOS, it’s a mess of incompatible mac software and that has absolutely nothing to do with macOS’s ability to run software from any vendor. 

    For similar reasons the App Store can’t be separated and run by a separate company, the hardware and system are tied together. iOS is not Windows nor macOS, the two work in lockstep. 
  • Reply 13 of 17
    cropr Posts: 1,122 member
    ppietra said:
    Being able to install apps outside of the AppStore  doesn’t mean that the System supports another store from another company, it only means that Apple supports some of its signed developers doing distribution, with Apple keys.
    Another store would have its own security mechanisms and its own keys, which means that Apple would have to make sure that the system supports different app management, keys from different stores, etc! Probably Apple would want to change hardware to make sure that its own keys aren’t compromised.
    The last sentence proves that your knowledge about digital signatures is limited to the marketing messages. Nobody needs access to the private key of Apple to verify that Apple genuinely signed an app.
  • Reply 14 of 17
    cropr said:
    ppietra said:
    Being able to install apps outside of the AppStore  doesn’t mean that the System supports another store from another company, it only means that Apple supports some of its signed developers doing distribution, with Apple keys.
    Another store would have its own security mechanisms and its own keys, which means that Apple would have to make sure that the system supports different app management, keys from different stores, etc! Probably Apple would want to change hardware to make sure that its own keys aren’t compromised.
    The last sentence proves that your knowledge about digital signatures is limited to the marketing messages. Nobody needs access to the private key of Apple to verify that Apple genuinely signed an app.
    I think the more viable approach is to simply insert another link in the chain of trust - Apple would sign a certificate for each of the app stores that it approves, then developers would sign their code with the certificate issued them by the relevant app store. Extra work for the developer to submit to each store, but not particularly onerous.

    The difficulty comes when trying to block malware - Apple can only revoke the certificate for the developer that pertains to Apple's App Store; it would then need to rely on the other app stores to revoke the relevant certificate(s) they hold. Certainly achievable, and automation possible, but it would mean Apple surrendering some control and that seems unlikely.

    However, based on the reporting from Herr Mueller, it looks like Apple will be forced to comply since an injunction has been awarded by the Court: Full text of the injunction Epic Games is seeking against Apple's App Store terms and policies

    So our arguing about the technical details here seems a little pointless.
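
Added example, not part of the thread and not Apple's or Epic's code: a Node.js sketch of the chain of trust debated in replies 6 to 14, where a platform root signs a store certificate, the store signs a developer certificate, and the developer signs the app. The JSON certificate format, the names PlatformRoot, ExampleStore and ExampleDev, and the per-issuer revocation lists are assumptions made for illustration; the verifier holds only the root's public key, and each issuer can revoke only the certificates it issued.

```javascript
// Added illustration: toy chain of trust (platform root -> store -> developer -> app).
// The certificate format and all names are constructed; this is not Apple's signing format.
const crypto = require('node:crypto');

const newKey = () => crypto.generateKeyPairSync('ed25519');
const pubPem = (k) => k.publicKey.export({ type: 'spki', format: 'pem' });

// A "certificate" is a JSON body {subject, issuer, serial, publicKey} plus the issuer's signature.
function issueCert(issuerName, issuerKey, subject, subjectKey, serial) {
  const body = JSON.stringify({ subject, issuer: issuerName, serial, publicKey: pubPem(subjectKey) });
  return { body, sig: crypto.sign(null, Buffer.from(body), issuerKey.privateKey) };
}

// chain is ordered leaf first: [developer cert, store cert]. The verifier holds only the
// root's PUBLIC key. revoked maps an issuer name to the set of serials that issuer revoked.
function verifyApp(appBytes, appSig, chain, rootName, rootPublicKey, revoked) {
  if (chain.length === 0) return 'empty chain';
  const certs = chain.map((c) => JSON.parse(c.body));
  const leafKey = crypto.createPublicKey(certs[0].publicKey);
  if (!crypto.verify(null, appBytes, leafKey, appSig)) return 'bad app signature';
  for (let i = 0; i < chain.length; i++) {
    const isLast = i === chain.length - 1;
    const issuerName = isLast ? rootName : certs[i + 1].subject;
    const issuerKey = isLast ? rootPublicKey : crypto.createPublicKey(certs[i + 1].publicKey);
    if (certs[i].issuer !== issuerName) return `issuer mismatch on ${certs[i].subject}`;
    if (!crypto.verify(null, Buffer.from(chain[i].body), issuerKey, chain[i].sig)) {
      return `bad signature on ${certs[i].subject}`;
    }
    if (revoked.get(issuerName)?.has(certs[i].serial)) {
      return `${certs[i].subject} revoked by ${issuerName}`;
    }
  }
  return 'ok';
}

function demo() {
  const root = newKey(), store = newKey(), dev = newKey(), rogue = newKey();
  const storeCert = issueCert('PlatformRoot', root, 'ExampleStore', store, 1);
  const devCert = issueCert('ExampleStore', store, 'ExampleDev', dev, 7);
  const app = Buffer.from('constructed app binary');
  const sig = crypto.sign(null, app, dev.privateKey);
  const chain = [devCert, storeCert];
  const check = (bytes, certs, revoked = new Map()) =>
    verifyApp(bytes, sig, certs, 'PlatformRoot', root.publicKey, revoked);
  // A store certificate signed by a key other than the root must be rejected.
  const forgedStoreCert = issueCert('PlatformRoot', rogue, 'ExampleStore', store, 1);
  return {
    valid: check(app, chain),
    tampered: check(Buffer.from('patched app binary'), chain),
    forgedStore: check(app, [devCert, forgedStoreCert]),
    // The store revokes one developer: only that developer's apps stop verifying.
    devRevokedByStore: check(app, chain, new Map([['ExampleStore', new Set([7])]])),
    // The platform revokes the store: every app under that store stops verifying.
    storeRevokedByPlatform: check(app, chain, new Map([['PlatformRoot', new Set([1])]])),
    // Serial 7 on the platform's own list has no effect: the platform did not issue it.
    platformListsDevSerial: check(app, chain, new Map([['PlatformRoot', new Set([7])]])),
  };
}

console.log(demo());
```

The last case shows the control trade-off raised in the thread: in this model the root can block one developer of a third-party store only if the store revokes that developer, or by revoking the whole store.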
  • Reply 15 of 17
    mattinoz Posts: 2,299 member
    By the same argument aren't web apps the alternative app channel they want Apple to provide?
  • Reply 16 of 17
    ppietra Posts: 288 member
    cropr said:
    ppietra said:
    Being able to install apps outside of the AppStore  doesn’t mean that the System supports another store from another company, it only means that Apple supports some of its signed developers doing distribution, with Apple keys.
    Another store would have its own security mechanisms and its own keys, which means that Apple would have to make sure that the system supports different app management, keys from different stores, etc! Probably Apple would want to change hardware to make sure that its own keys aren’t compromised.
    The last sentence proves that your knowledge about digital signatures is limited to the marketing messages. Nobody needs access to the private key of Apple to verify that Apple genuinely signed an app.
    Who said you need access to Apple private key to verify an app? You need access to Apple’s keys to generate certificates that the system can recognise.
  • Reply 17 of 17
    However, based on the reporting from Herr Mueller, it looks like Apple will be forced to comply since an injunction has been awarded by the Court: Full text of the injunction Epic Games is seeking against Apple's App Store terms and policies

    So our arguing about the technical details here seems a little pointless.
    Mueller's article is a little bit misleading unless you read it very carefully. The part that reads as if an injunction has been awarded by the court is actually citing what Epic is requesting in its filing — it's basically written out what it hopes the court will simply rubber-stamp. 

    You can find it on page 361 of Epic Games' Proposed Findings of Fact and Conclusions of Law, basically Appendix 1, which opens with:
    For the reasons provided in Epic's [Proposed] Conclusions of Law, Epic respectfully requests that the Court enter the permanent injunction set forth below.
    It seems rather cheeky of Epic to try and write the court's opinion for it, but IANAL, so I guess that's probably not totally abnormal in cases like these. It's worth noting that Apple's corresponding filing doesn't include such "direct" language in outlining the remedies it's requesting, however. 

    Then again, maybe we shouldn't be all that surprised at the brass that Epic is showing here, considering that its lobbyists have already been handing pre-drafted legislation to politicians in several states. 
    edited April 2021