I don't understand why internet access isn't opt-in for apps. Preventing exfiltration would prevent much of this harm, and most apps don't have any need to access the internet in the first place. Why am I creating a GE account to read my blood pressure? At least I know it's taking advantage of me. But this is clearly abusive behavior
>most apps don't have any need to access the internet in the first place.
It would severely depend on how you categorize "most apps" because I would say I pretty much only use apps that need the Internet, barring Calculator, Camera, and a PDF reader (only because I prefer how it zooms books vs browser. Everything else implicitly needs the Internet as that app is just a better UI to using their mobile web site, if they even offer one.
Because 99% of apps would request it & not function without it, desensitising users into blindly accepting it. Most apps do have a legitimate reason for accessing the internet, so a binary yes/no wouldn’t achieve much anyway.
I just don’t think it’s an effective way of solving the problem.
100% of users have legitimate reasons to block internet access for some apps.
If internet access wasn't granted by default, a lot more apps would function without it.
Many other apps wouldn't exist at all, because their only reason to exist is to spy on users.
Not going to lie, it would be an absolute hell to develop an app that's actually used without getting crash/analytics.
The internet access permission should be implemented. Users of macOS are already accustomed to the local network access permission.
Even if it's not the most effective way to raise awareness, it does put pressure on developers to be explicit about the connectivity requirements with users. It would also be a great way to audit an app's local-first / offline-first claim without having to do a network packet capture.
Want telemetry? Send it through Apple and Google. Given Apple's late history and latest trends in Android development, I see them both favoring this approach.
"99% of apps would request it & not function without it"
Apple could refuse to publish them, then. Isn't that why we are forced to go through the App Store? Because Apple ensures every app there works in the best interest of the user?
Permission should be in the form of a capability, which need not end up on the built-in OS network capability. If an app insists on your car's steering wheel, you can be like "sure, kid, here's your Help Daddy Drive(TM)".
> Most apps do have a legitimate reason for accessing the internet
I just flat out think this is bullshit
You are right, it is BS.
Non-multiplayer games, clock, camera, contacts, phone, text message, file explorer, keyboard, launcher, notes, document viewer/editor, image viewer, audio recorder...
Most of the apps on my phone do not need internet access.
Every single one of those, except for the games, is a pre-installed built in app. It seems like you just don't use apps.
Almost all of the apps you mentioned sync data to, or access data from iCloud in the vast majority of use cases. I mention iCloud here because this submission is about iOS.
That said, I'd love to have a new "Internet access" permission for apps, so users had the choice. Perhaps even separate "Allow iCloud" and "Allow Internet" but that's probably too granular for Apple's taste.
For that case, iOS could just run a system daemon to shuttle the app data to/from iCloud. The app itself should not need internet access for this.
I have no idea if this is what already happens, but I feel like it might be. (Why would each app have all these network connections when the system could just manage it instead?)
Better yet, a tool like Little Snitch should be built into the OS. Give me a detailed log of every network requests, to which domains, with what data.
This isn't effective because Little Snitch only sees the domains so apps can just serve the trackers on the same domain as essential services making blocking impossible.
The only way to prevent malicious apps from affecting your privacy is to not install them or not give them network access.
I derive lots of value from Little Snitch on my Mac, so this approach is more effective than not having anything.
And yes, having the ability to deny any app network access on iOS would be great.
Yeah but it might be because you are part of a minority. Once/if this is built into the OS, the app builders will have a strong incentive to do things differently.
Can, but they don't, because app developers are just as lazy and don't waste time to hide their trackers
They don’t because there is no reason to currently. If this was added then they would have a reason to and do it.
YouTube used to be separate domains for ads and then it got merged together so that you can’t block the ads network wide without blocking YouTube videos.
That's YouTube. One of the unlaziest dev teams. Spiderman Solitaire isn't going to bother.
Yet.
This exists already! You can see it by going to Settings > Privacy & Security and turning on the App Privacy Report at the bottom.
Thanks, I did not know about this setting. Curious to see what will show up now that it’s on.
If I remember correctly iPhone apps used to use the devices SSL certificates so you as a user could install your own and man-in-the-middle the traffic to see what was being sent. AFAIK now the apps use certificate pinning.
Certificate pinning is actually rarer today than it was a few years ago. You see it mostly in bank apps, and some system services. It’s not a best practice.
Apps can choose to do what they want.
Yes and it should work properly instead of making unwanted initial outbound connections (macOS firewalls are broken).
It’s not quite that detailed but iOS’s builtin “app privacy report” does give a fair amount of info, including a list of domains accessed.
iPhones purchased in mainland China (with model number ending in CH/A) do provide options for setting per-app Internet access permissions. There are three options [0]: Off, WLAN only, WLAN and Cellular.
[0] https://old.reddit.com/r/ios/comments/aib10i/in_china_ios_al...
Crazy. So they're explicitly selling crippled devices to most of the world.
What? Why is this Chinese market only? This is exactly what I wanted. There are Apps I simply don't want them to touch internet.
Its Chinese market only because of regulation. China mandates it. Don't implement it = you don't get to sell in China.
If Apple wanted to provide this willingly they would. That its only available in China due to government regulation tells you all you need to know.
i got an old EU market redmi (yes im broke) and you can turn off either wifi or cellular or both for any non system app. remember apple had to put in work to actively block the feature outside of china.
Because exposed, non-private, abused by-default is a business model. The company is incentivised to not provide restricted access - otherwise you can't have a cut from apps revenue. It's defective by design.
Shocked to see iPhones sold in China are less defective by design on this one point, from another comment. It has surely reduced Genius Bar visits but it’s also harmed my privacy.
AOSP has network as a regular permission for apps, so on Lineage at least (idk about Graphene as I haven't used it) you can disable network for any app including google play services etc. I have no idea why most phone companies remove this permission from their roms but android itself supports it perfectly fine.
It's nice to be able to toggle it (it's also possible to revoke this permission on GrapheneOS). However, it is imperfect, since apps within the same profile can still communicate through IPC, so if apps cooperate, network access can still be achieved. I would guess that Play Services is one of the larger offenders, since many apps communicate with Play Services and as far as I understand (but I may be mistaken) Play Services does work that involves internet access on behalf of other apps.
You could of course disable network access to Play Services, but at least for me that broke a bunch of apps or made them unreliable.
What AOSP ROMs need besides the network permission toggle is IPC scopes functionality, akin to storage scopes.
GrapheneOS has user profiles, but they're too heavyweight for most uses.
Profiles are a thing in "stock" Android too, they just don't have the toggle to disallow them working in the background, the "Install available apps" option and Google services also keep working across profiles.
If you want something less disruptive for isolation, there's Private Space. What I like is that this can stop apps there from working in the background on stock Android as well.
> However, it is imperfect, since apps within the same profile can still communicate through IPC, so if apps cooperate, network access can still be achieved.
Folks brings up 'IPC' as if this is some chink in the armour in AOSP. It isn't. 'Apps' pretty much on most consumer OSes can 'IPC' their way with other co-operating apps to 'achieve' network access from behind a firewall, just the same.
> since many apps communicate with Play Services and as far as I understand (but I may be mistaken) Play Services does work that involves internet access on behalf of other apps
If the OS or its privileged component will fchown the socket to the origin app, think the INTERNET permission will be enforced as expected.
There is very little IPC that is allowed for apps that do not share a development team on iOS.
> There is very little IPC
I am not familiar with iOS internals, but does "very little IPC" mean "zero IPC"? Because if we are talking IPC in the context of bypassing permission checks, I imagine, 'very little' doesn't cut it?
What stops the app from opening a link in Safari to trackmyshit.com/uuid-uuid-uuid-uuid that closes itself.
GrapheneOS not only has this permission, but it asks you every time you install an app.
Can confirm Graphene also has it
GrapheneOS lets you restrict the internet access of any app on install.
But yes, agreed it should be everywhere.
And you can limit which contacts you share with nosy app like WhatsApp, and give access to only specific scope of file folders. Horrifying to think all the years every app got everything it wanted and did not have to ask and couldn't be stopped (I had a rooted phone for firewall capability for a while )
See my comment upthread, it helps a bit, but does not close this hole since apps within the same profile can communicate through IPC, so other apps could provide network access on their behalf. I think the best example is probably Play Services, which provides functionality for a lot of apps and will communicate with Google, etc.
(Yes, you can disable network access to Play Services, but it sometimes breaks things and the general point of IPC as a hole still stands.)
I'm not an Android user. What's a profile? Is that a user thing or a developer thing?
You can make different profiles. They can have different unlock methods and can have different apps installed. If you have one app installed in both it's shared.
They were designed so multiple people could use one device.
Some people use them to separate identities or contain apps they view as bad. I'm not sure if the efficacy of this.
Grapheneos improves them significantly https://grapheneos.org/features#improved-user-profiles
On GrapheneOS, it's like a container, or a virtual phone. Apps in different profiles (and you can install the same app in more than one profile) can't see each other and theoretically can't even tell they're running on the same phone (although I'm sure there are leaks like IP address)
It is a user thing, you can set up multiple profiles and install apps into each of them. These profiles are isolated from each other. I think they started out as a way of separating private and work apps/data, but you can have many of them. See e.g.:
https://grapheneos.org/features#improved-user-profiles
Yeah it asks on app install if you want to grant network permissions. It's just a little checkbox. You can of course manage it afterwards in app settings or permissions manager.
They also added the sensors permission.
You don't need graphene for this, I've been able to do this on plain android for ages.
iOS lets you turn off data access (so outside of wifi) for apps as well, it's just not asked at install, which honestly makes sense given the demographics of iPhone users.
Which is useless for 99% of users since they use Wi-Fi at some point in the entire phones lifetime….
iPhones sold in China have that in settings, you can block both WLAN(Wi-Fi) and Cellular data per app. Why that turned out to be a nightmare is a different story
What's the story?
This resonates from the dev side. I made an offline photo search app a while back — you search your library in plain language ("a boy and a girl by the river"), CLIP embeddings all computed on device. It needs full photo access but I deliberately requested zero network permission. Was kind of proud of that.
Problem is there's no way for users to actually know that. iOS has no "this app can't reach the internet" indicator, so the whole guarantee is invisible. I even had people assume the opposite — app reads your whole library, therefore it must be uploading it somewhere. Exactly backwards.
Fantastic work. I regret I can't use it, because this is exactly what I'm looking for for quite a while, but it seems to be an impossible task (I need it on android).
The evolution of development was to make things easy and simple for the consumer. If internet was an opt-in (and it cannot be opt-out), then app function would be ostensibly limited. And the user would be given a harder time setting things up.
This is the Apple mindset. Make things easy. Do not make things complicated.
The attitude was never "don't give the user control", though. Until ios.
> most apps don't have any need to access the internet in the first place
Citation needed.
Looking through my phone the vast majority of third party apps I have installed obviously require internet access:
- Social media
- Travel (rideshare/airlines/hotels)
- Streaming
- Finance (credit cards/banks)
- Shopping
Not counting built-in apps like the calculator I'd estimate 80-90% of the apps I have installed require internet access.
It's a selection bias issue. The categories you have listed are essentially web services wrapped in an app shell. Of course they need the internet. Consider these examples:
- Photo/Video editors - Snapsheed, Lightroom, Video trimmers etc.
- Document readers & scanners - PDF viewers, e-readers, OCR scanners
- Note taking - Obsidian
- File/Password managers - Authenticators etc.
- Single player games - Chess, puzzles etc.
- Audio/Video players - VLC players
We've just become conditioned to accept that every app needs to phone home for tracking and ad-delivery.
Curiously, the Mac App Store sandbox has a com.apple.security.network.client entitlement that a developer must justify to Apple, whereas the iOS App Store does not, allowing unrestricted access to the internet.