Erinn Clark:
- Ralf-Philipp Weinmann ralf@coderpunks.org [2013:11:17 10:25 +0100]:
Getting TBB into the App Store would definitely help increase its visibility on the OSX side. However, I am not really in favour of giving a US company a list of all users having downloaded TBB plus information whether or not they are upgraded to the most recent version...
IMO this is a very persuasive reason not to put it there.
Even more concerning is that list of users is vulnerable to other attacks via app stores. App stores are central points of control over the software that runs on your computer. The second an entity provides a way to tie software delivery (especially updates) to a specific user ID, it creates the ability to be coerced or compromised such that it can be used to serve targeted malware to specific user IDs.
I don't think we'll have to wait long before we hear stories of this happening through the major app stores, if it hasn't happened already. This attack vector seems like it would be consistent with the M.O. of the intelligence agencies and other TLAs.
Worse, while our Gitian builds may serve as enough of a deterrent to prevent such malware from targeting Tor directly (because it would be easier to identify and extract the malware bits with confidence), they do not stop the adversary from infecting updates to other apps.
What this means is that as soon as a user ID is identified as a Tor user, they can be targeted to receive malware designed to monitor their Tor usage through an update to *any* app that they already have installed. This also applies to people who are interesting, but who have never installed Tor directly from the app store at all.
Despite this (or perhaps because of that last property), I could be convinced that it is acceptable to provide TBB through the app store to raise awareness of the software, but have the app description warn users that if they need strong anonymity and privacy, they should not use the app store version, and instead use a more private and safe way to obtain a copy.
Something tells me this will make it even harder to get approval by Apple, though. :/
I think I still have access to both. Let me pull the latest version of both agreements (iPhone and OSX developer) and attach them to #6540.
Thank you!
Have you spoken to Mozilla about how they have obtained their code signing cert?
I believe this is on Mike's TODO list since he talks to Mozilla people fairly frequently, but it may not be a high priority for him. Mike, let me know if you would prefer for me to take this on?
I will try to remember to ask the next time I'm there, but it probably is better if you could handle most of the investigation into Mac and Windows code signing support independently.