How Apple distributes their core apps (Safari, Mail, etc) is orthogonal to how they are implemented, secured, ring levels, sandboxing, etc. These are separate considerations.
Apple's core philosophy is that upgrading the system is the fundamental way to get new things. With iOS 15 we've seen the first real fracture in this model (where they are promoting a "stay on iOS 14 for now" option), and maybe eventually they'll separately distribute some of the tied applications.
Google started Android with a very similar model to iOS but quickly recognized it was turning into a disaster given the slow uptake of new Android versions. Turning what were system level components (e.g. play services) into "apps" was a necessity.
> How Apple distributes their core apps (Safari, Mail, etc) is orthogonal to how they are implemented, secured, ring levels, sandboxing, etc. These are separate considerations.
Strongly disagree. If Apple distributed their apps as normal apps, they'd have normal privileges and when exploits are found the scope would be limited to that app domain.
Instead, what we have seen is that Apple's apps act like system services, and when escapes occur it can cause a wide-ranging impact (inc. root).
iMessage just in the last two weeks had to be emergency patched (14.8) because of a root breakout used by an Israeli company's (NSO Group) surveillance software that they were selling to unsavory governments. If iMessage was a normal app distributed by the app store the scope would have been iMessage, instead of root.
I understand that you disagree, however your disagreement seems to be based upon a pretty significant misunderstanding/lack of knowledge both about these apps and their privileges.
> misunderstanding/lack of knowledge both about these apps and their privileges.
Yet you've been able to present none. According to your claims the zero-click escape that caused the critical 4.8 security update to be released in the last two weeks isn't possible, and yet it happened.
So please, by all means, explain why Apple's apps should be structured like this:
What am I supposed to present? A complete history of computer science and system design?
"isn't possible"
Any app on any system, if exploitable, can be used for a chain attack to exploit further vulnerabilities (and 14.8 was a bandaid for just such an attack). That's ignoring that iMessage is also such a high value target for its own data, in the same way that Signal and other messaging apps are high value targets, and not just as a path to chaining 0 days.
This is a not useful conversation that I hesitated engaging in at first glance (when someone does the "if only they just waved hand everything would be great" it's founded in dubious logic 100% of the time), so feel free to reply into the ether.
Facts that support your position, like I did. I provided a couple of in-depth articles about the inner workings of iMessage, with specific emphasis on security. You've yet to even explain in technical terms what is erroneous about my critique.
> Any app on any system, if exploitable, can be used for a chain attack to exploit further vulnerabilities.
That isn't how iOS is structured. If it were, normal app developers could design their own apps to gain root, but the system is specifically engineered to combat that and has been quite successful. Whereas Apple's own apps have a set of components that run with elevated privileges that allow sideways exploitation to bypass the normal UID sandboxes, and ultimately cause significant escalation including root.
The two articles I linked explain how this occurs. There's nothing akin to the SYSTEM services within normal (non-Apple) apps, therefore your comparison is technically unfounded.
> This is a not useful conversation that I hesitated engaging in at first glance (when someone does the "if only they just waved hand everything would be great" it's founded in dubious logic 100% of the time), so feel free to reply into the ether.
You're backing out of the conversation because you've shown you lack the technical foundation to participate. You assumed at the start that I knew as little as you and therefore we could both make baseless claims without anyone checking either one. The reality is that I understand iOS's internal structure and can provide founded critiques whereas you lack the technical foundation to mount a defense of the design (and that your original defense is between confusing and just wrong).
> Google started Android with a very similar model to iOS but quickly recognized it was turning into a disaster given the slow uptake of new Android versions. Turning what were system level components (e.g. play services) into "apps" was a necessity.
Apple hasn't had that same "pain" yet, iOS update rates are pretty high. If major OS update rates drop, then they'd be better motivated to cleanly separate their app updates from their OS updates. It just hasn't happened yet.