
Most of the OS is proprietary, you can't say it isn't uploaded.


I'm generally inclined to believe that companies--and people--aren't lying outright, unless there's evidence to the contrary. Apple seems to be making a real, concerted, and good faith effort in the realm of data privacy. This effort ought to be recognized.

Would it be _better_ if all Apple software was fully open source and could be independently audited by anyone? Yes. Does that invalidate everything else? No.

Also, Wireshark is a good way to monitor what data your phone is sending to what servers, even if it's incredibly imperfect.


With ubiquitous use of TLS and the advent of certificate pinning, Wireshark is becoming less and less useful. Even if you convince the phone to accept your man-in-the-middle certificate with a provisioning profile, there's no way to prove that it sends the same data as if it got the real certificate.


If iOS was changing the data it sent out depending on which root certificates were installed, that would be a huge scandal, as I cannot imagine _any_ non-malicious reason to do that.

That's not proof of anything, but again, at some point I feel you have to assume good faith. Apple does not have a history of doing stuff like this.


Exactly, you're assuming good faith. Instead it should be proven good faith.


So to be clear, you are arguing that we cannot blackbox anything and see what network connections it's making or amounts of data being sent to whom or timing of it because proprietary? Nor for that matter find security vulnerabilities that lead to jailbreaks and then further deep dives right? Since it's proprietary that means nobody can possibly find any issues? You might want to think about this one just a little bit longer.

Seriously, the fundamental issue with proprietary is maintenance, i.e., not finding but fixing (in a good way) problems and then making those fixes available to other users. Adding features to scratch niche itches is another, though arguably not as critical a matter. But for merely reverse engineering, decompiling, probing memory, fuzzing and all that, lack of source code is effectively zero barrier. If it wasn't, then source/algorithm obscurity really would be effective for security rather than a bad joke.


You can’t say something isn’t collected either.


I can say that on free (as in freedom) systems.


You can sniff the network traffic.


And all you'll see is a lot of encrypted streams to lots of servers.
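Those encrypted streams still expose the metadata the thread is arguing over: which servers the phone talks to, how much it sends, and when, plus usually the hostname, because the TLS ClientHello carries the server name in the clear unless Encrypted Client Hello is in use. The following is an added example, written for this page rather than taken from any commenter, that summarizes a constructed pcap of outbound TCP traffic per (destination IP, port): bytes, packets, time span and SNI. It assumes a classic little-endian pcap with Ethernet framing; the addresses, hostnames and packets are constructed sample data.

```python
import struct

def tls_sni(payload):  # hostname from a TLS ClientHello server_name extension, else None
    try:
        if payload[0] != 0x16 or payload[5] != 0x01: return None   # handshake record carrying a ClientHello
        p = 44 + payload[43]                                 # skip session id
        p += 2 + struct.unpack_from("!H", payload, p)[0]     # skip cipher suites
        p += 1 + payload[p]                                  # skip compression methods
        p, end = p + 2, p + 2 + struct.unpack_from("!H", payload, p)[0]   # extensions block
        while p + 4 <= end:
            etype, elen = struct.unpack_from("!HH", payload, p)
            if etype == 0:                                   # server_name: list len, name type, name len, name
                nlen = struct.unpack_from("!H", payload, p + 7)[0]
                return payload[p + 9:p + 9 + nlen].decode("ascii", "replace")
            p += 4 + elen
    except (IndexError, struct.error):
        return None                                          # truncated or malformed record
    return None

def summarize_pcap(data):  # per (dst IP, dst port): bytes, packets, seconds spanned, SNI; IPv4/TCP over Ethernet
    flows, off = {}, 24                                      # assumes classic little-endian pcap, usec timestamps
    while off + 16 <= len(data):
        sec, usec, caplen, _ = struct.unpack_from("<IIII", data, off)
        pkt, off = data[off + 16:off + 16 + caplen], off + 16 + caplen
        if len(pkt) < 34 or pkt[12:14] != b"\x08\x00" or pkt[23] != 6:
            continue                                         # not IPv4, or not TCP
        tcp = 14 + (pkt[14] & 0x0F) * 4                      # TCP header offset from IHL
        payload, t = pkt[tcp + (pkt[tcp + 12] >> 4) * 4:], sec + usec / 1e6
        key = (".".join(map(str, pkt[30:34])), struct.unpack_from("!H", pkt, tcp + 2)[0])
        f = flows.setdefault(key, {"bytes": 0, "packets": 0, "first": t, "last": t, "sni": None})
        f["bytes"] += len(payload); f["packets"] += 1; f["first"] = min(f["first"], t); f["last"] = max(f["last"], t)
        f["sni"] = f["sni"] or tls_sni(payload)              # hostname leaks from the first ClientHello
    return {k: {**f, "seconds": round(f["last"] - f["first"], 3)} for k, f in flows.items()}

def _client_hello(host):   # constructed: minimal ClientHello carrying only an SNI extension
    n = host.encode()
    ext = struct.pack("!HHHBH", 0, len(n) + 5, len(n) + 3, 0, len(n)) + n
    body = b"\x03\x03" + bytes(32) + b"\x00\x00\x02\x13\x01\x01\x00" + struct.pack("!H", len(ext)) + ext
    return b"\x16\x03\x01" + struct.pack("!H", len(body) + 4) + b"\x01" + len(body).to_bytes(3, "big") + body
def _packet(sec, usec, dst, dport, payload):   # constructed pcap record: Ethernet + IPv4 + TCP, no checksums
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, 6, 0, b"\x0a\x00\x00\x02", bytes(map(int, dst.split("."))))
    tcp = struct.pack("!HHIIBBHHH", 50000, dport, 0, 0, 0x50, 0x18, 65535, 0, 0)
    frame = bytes(12) + b"\x08\x00" + ip + tcp + payload
    return struct.pack("<IIII", sec, usec, len(frame), len(frame)) + frame
SAMPLE_PCAP = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1) + b"".join([   # constructed capture
    _packet(1700000000, 0, "203.0.113.10", 443, _client_hello("telemetry.example")),
    _packet(1700000000, 50000, "203.0.113.10", 443, b"\x17\x03\x03\x00\x40" + bytes(64)),
    _packet(1700000030, 0, "203.0.113.10", 443, b"\x17\x03\x03\x00\x40" + bytes(64)),
    _packet(1700000001, 0, "198.51.100.7", 443, _client_hello("cdn.example")),
])
```

On a real capture from the phone's side, call `summarize_pcap(open("capture.pcap", "rb").read())`; the "sni" column is what pinning and TLS do not hide.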



