> False. If I claimed that, you’d be able to quote me.

Here you go:

>> People using an iOS device can never be sure they are installing the secure app they wanted to install or some switcheroo.

>This is complete bullshit. Apps are signed by developed and by Apple. Were you not aware of that?

If you are now going to claim that when you said apps were signed by the developer, you didn't mean the apps sent to the device, that quoted response makes no sense in that context. I interpreted your response as charitably as possible.

> Seems like this is total bullshit. Do you have any evidence that China can modify the packages?

I explained how app distribution works and assumed you could work it out. It looks like my assumption was mistaken, so here it is step by step: 1. The package sent to the device is not signed by the developer but by Apple or China. https://www.quora.com/Is-iMessage-encrypted-in-China 2. China's firewall sits between users and servers outside of China. https://en.wikipedia.org/wiki/Great_Firewall 3. The Great Firewall routes the app store download request to a proxy that injects malware and resigns the package with their own key, which is trusted by the device.

Interesting that you seem unworried that Apple's own privileged MITM position allows it to insert malware, which governments can request.

> There is no indication of an MITM vulnerability between the developers and Apple, nor is there one between Apple and users.

Once again, the biggest MITM is between the developer and users, which F-Droid's reproducible builds prevent.

> Your claim about aggregate Android malware numbers being lower than iOS was false:

My claim was about malware from the Play Store and the Amazon App Store.

Please stop calling claims bullshit (you've done this five times now) just because you are unwilling to follow the logic and want me to spell it out. If you need help understanding an argument, just ask for it.

>> If you are now going to claim that when you said apps were signed by the developer, you didn't mean the apps sent to the device, that quoted response makes no sense in that context.

It makes perfect sense. The apps are signed by the developer and uploaded to Apple. Apple signs them for delivery to the device. Importantly. Both paths are protected.

Nothing I said before or after contradicts that.

> I interpreted your response as charitably as possible.

No. You read something into it that simply isn’t there.

> Seems like this is total bullshit. Do you have any evidence that China can modify the packages?

> 1. The package sent to the device is not signed by the developer but by Apple or China.

This is a false statement. There is literally no evidence anywhere to support the idea that China is signing iOS packages delivered to devices.

> https://www.quora.com/Is-iMessage-encrypted-in-China 2. China's firewall sits between users and servers outside of China. https://en.wikipedia.org/wiki/Great_Firewall

> 3. The Great Firewall routes the app store download request to a proxy that injects malware and resigns the package with their own key, which is trusted by the device.

None of the links you have supplied substantiate the claim that iOS devices trust a key from the great firewall.

If you have a link that does, I would be interested to see one, otherwise I think we can safely assume for now that this a lie. You know there is no evidence for it, but you are claiming it anyway.

> Interesting that you seem unworried that Apple's own privileged MITM position allows it to insert malware, which governments can request.

I’m not unconcerned about that, but your claim is that China can sign iOS packages without Apple’s knowledge, which is a very different issue.

>> Your claim about aggregate Android malware numbers being lower than iOS was false:

> My claim was about malware from the Play Store and the Amazon App Store.

Yes and it is false.

> Please stop calling claims bullshit (you've done this five times now) just because you are unwilling to follow the logic

I have followed the logic. It relies on unsupported claims, some of which appear may be outright lies. I think that is bullshit.

> It makes perfect sense.

To repeat myself, not in the context of what you replied to. If you understood that it works the way you now clearly understand it to, you would immediately see that it does not solve the problem you claimed it did.

> This is a false statement. There is literally no evidence anywhere to support the idea that China is signing iOS packages delivered to devices.

I provided link from an Apple employee saying as much.

> None of the links you have supplied substantiate the claim that iOS devices trust a key from the great firewall.

The quora link says iOS devices trust a key from the Chinese government. Where that key exists is irrelevant. What I showed is that your claim that China cannot MITM iOS packages is false.

> your claim is that China can sign iOS packages without Apple’s knowledge, which is a very different issue.

I showed how they can, and you have not disputed it. You only said that I haven't given evidence that they are, which I never claimed.

> I’m not unconcerned about that

Then your statement about app signing makes even less sense in the context of the user not knowing if they are installing the secure app they wanted to install. It can only make sense if you trust Apple completely (which I found unlikely for anybody to trust any intermediary completely) or if you erroneously thought that the package sent the device was signed by the developer (which seemed to me comparatively more likely). Now you've admitted that the first case isn't true, which only leaves the second case (that I had assumed) or opens a third case, which is that you are arguing in bad faith, knowing that what I said is true but calling it bullshit anyway.

> Yes and it is false.

You say this on the basis of zero evidence. I gave you over a hundred million infections on the App Store from xcodeghost alone that Apple did not have the ability to scan for.

> It relies on unsupported claims, some of which appear may be outright lies.

If that is what you believe, then point them out. You have repeatedly failed to do so, so perhaps you should reconsider whether I am bullshitting.

>> It makes perfect sense.

> To repeat myself, not in the context of what you replied to. If you understood that it works the way you now clearly understand it to, you would immediately see that it does not solve the problem you claimed it did.

It solves the problem of China MITMimg iOS packages. That is the context.

>> This is a false statement. There is literally no evidence anywhere to support the idea that China is signing iOS packages delivered to devices.

> I provided link from an Apple employee saying as much.

That’s a lie. They don’t say anything of the kind. If they did you’d be able to quote them

> None of the links you have supplied substantiate the claim that iOS devices trust a key from the great firewall.

> The quora link says iOS devices trust a key from the Chinese government.

A browser certificate. This has nothing to do with packages from the iOS App Store. I believe you understand the difference.

> Where that key exists is irrelevant.

It is relevant. The Chinese key iOS devices trust doesn’t enable them to MITM App Store packages..

> What I showed is that your claim that China cannot MITM iOS packages is false.

You haven’t shown this. It’s seems like just a lie.

You have pointed to a key which can’t sign packages, and a conversation where nobody says anything indicating that China can MITM packages.

Neither of these are evidence they can do this. If you have real evidence feel free to present it.

>> your claim is that China can sign iOS packages without Apple’s knowledge, which is a very different issue.

> I showed how they can, and you have not disputed it.

You have claimed China can MITM iOS packages but you have provided no evidence to support this claim. The links you provided don’t support the claim. It looks like you’re just lying.

> You only said that I haven't given evidence that they are, which I never claimed.

Also false. You said the link to the Apple employee’s statements supported this claim.

Me: “There is literally no evidence anywhere to support the idea that China is signing iOS packages delivered to devices.” You: “I provided link from an Apple employee saying as much.”

> It solves the problem of China MITMimg iOS packages. That is the context.

Lie. Here is the context to which you replied that packages are signed by Apple and the developer: "People using an iOS device can never be sure they are installing the secure app they wanted to install or some switcheroo."

As you've admitted, Apple can do the switcheroo.

> They don’t say anything of the kind.

Lie. Here's what they said:

"All of the major iPhone vendors in China do this by using an enterprise enrollment certificate to adda new certificate to the code signing certificate chain of trust.

"And then when they repackage the government malware, they do so by signing it with the enterprise signing certificate, which allows them to bypass the Apple signing certificate for code execution on the device."

> A browser certificate

Lie. See above.

>> Where that key exists is irrelevant.

> It is relevant.

Then why don't you explain why where the keys are is relevant to whether something is possible instead of ignoring where the keys are and saying the following?

> The Chinese key iOS devices trust doesn’t enable them to MITM App Store packages..

Lie. See above.

> You have pointed to a key which can’t sign packages

Lie. See above.

> You have claimed China can MITM iOS packages but you have provided no evidence to support this claim.

Lie. See above together with my description of how to use that key together with the Great Firewall and a proxy.

> Also false. You said the link to the Apple employee’s statements supported this claim.

Lie. I used the Apple employee's statements to say that they can, not that they do. Quote: "they can [emphasis added] replace the Signal package with a compromised one."

> Me: “There is literally no evidence anywhere to support the idea that China is signing iOS packages delivered to devices.” You: “I provided link from an Apple employee saying as much.”

I sort of understand how you would be confused. The statement I was responding to here was not about China MITMing the App Store but about China signing iOS packages delivered to devices. The quote above shows that they do.

> It can only make sense if you trust Apple completely (which I found unlikely for anybody to trust any intermediary completely)

All consumers of computing devices place trust the manufacturer. Even if you use reproducible builds, they can be patched at execution time by an attacker who had access to the device.

So yes, I assume the customer trusts the manufacturer - not completely, but sufficiently.

>> The Chinese key iOS devices trust doesn’t enable them to MITM App Store packages..

> Lie. See above.

> China MITMing the App Store but about China signing iOS packages delivered to devices. The quote above shows that they do.

So you have been lying all along about China MITMing the App Store.

That was never true, and your links didn’t substantiate it.

Delivering government software via enterprise distribution has literally nothing to do with any kind of MITM attack at.

You repeatedly claimed that China can MITM the App Store, which has always been a lie.

You claimed that users cannot tell whether China has performed a ‘switcheroo’. That is also a lie.

We know Apple can deliver whatever they like from the store. We also know that China can install software using an enterprise certificate.

Neither of these are surprises, and neither constitute an MITM or a switcheroo.

Your entire goal here has been to lie or mislead.

Here’s the obvious example:

> b) outside China? Yes. Because the App Store has this MITM vulnerability and China gets to MITM all US services (with blessed MITM status for iCloud that even defeats Apple's "E2E" encryption for their other services), they can replace the Signal package with a compromised one.

You outright lied here that China can replace signal on US devices, and nothing you have said so far changes this.

> Even if you use reproducible builds, they can be patched at execution time by an attacker who had access to the device.

Finally, a reasonable argument after repeated intentional strawmanning and name-calling. The difference is that an iPhone is only allowed to get apps from the App Store, which is impossible to reach except MITMed via the great firewall. Android devices can get apps from F-Droid and its mirrors, so you can get an Android device not compromised by China and still use it in China with verifiable builds.

Additionally, without the app store MITM, you only have to trust the vendor at the time of purchase. With the MITM, you must also trust that the vendor won't become malicious in the future.

> So you have been lying all along about China MITMing the App Store.

No, I never said they are, which I don't have any evidence for. I said they can, and I have repeatedly made this distinction clear, so you are deliberately lying that I said otherwise.

> You repeatedly claimed that China can MITM the App Store, which has always been a lie.

I showed you how they can, and you have not shown why they can't.

> You outright lied here that China can replace signal on US devices, and nothing you have said so far changes this.

Lie. I never said they can do this on US devices, only that Apple can.

>> If you are now going to claim that when you said apps were signed by the developer, you didn't mean the apps sent to the device, that quoted response makes no sense in that context.

It makes perfect sense. The apps are signed by the developer and uploaded to Apple. Apple signs them for delivery to the device. Importantly. Both paths are protected.

Nothing I said before or after contradicts that.

> I interpreted your response as charitably as possible.

No. You misrepresented my response.

> Seems like this is total bullshit. Do you have any evidence that China can modify the packages?

> 1. The package sent to the device is not signed by the developer but by Apple or China.

This is a false statement. There is literally no evidence anywhere to support the idea that China is signing iOS packages delivered to devices.

https://www.quora.com/Is-iMessage-encrypted-in-China 2. China's firewall sits between users and servers outside of China. https://en.wikipedia.org/wiki/Great_Firewall

3. The Great Firewall routes the app store download request to a proxy that injects malware and resigns the package with their own key, which is trusted by the device.

None of the links you have supplied substantiate the claim that iOS devices trust a key from the great firewall. If you have a link that does, I would be interested to see one, otherwise I think we can safely call this a lie. You know there is no evidence for it, but you are claiming it anyway.

> Interesting that you seem unworried that Apple's own privileged MITM position allows it to insert malware, which governments can request.

I’m not unconcerned about that, but your claim is that China can sign iOS packages without Apple’s knowledge, which is a very different issue.

>> Your claim about aggregate Android malware numbers being lower than iOS was false:

> My claim was about malware from the Play Store and the Amazon App Store.

Yes and it is false.

> Please stop calling claims bullshit (you've done this five times now) just because you are unwilling to follow the logic and want me to spell it out. If you need help understanding an argument, just ask for it.

I will continue to call out lies and bullshit when it’s clear that is what is being presented. You have so far not substantiated the facts you have been challenged on, and your arguments rely on claims which you can’t support.

>> If you are now going to claim that when you said apps were signed by the developer, you didn't mean the apps sent to the device, that quoted response makes no sense in that context.

It makes perfect sense. The apps are signed by the developer and uploaded to Apple. Apple signs them for delivery to the device. Importantly. Both paths are protected.

Nothing I said before or after contradicts that.

> I interpreted your response as charitably as possible.

No. You misrepresented my response.

> Seems like this is total bullshit. Do you have any evidence that China can modify the packages?

> 1. The package sent to the device is not signed by the developer but by Apple or China.

This is a false statement. There is literally no evidence anywhere to support the idea that China is signing iOS packages delivered to devices.

https://www.quora.com/Is-iMessage-encrypted-in-China 2. China's firewall sits between users and servers outside of China. https://en.wikipedia.org/wiki/Great_Firewall

3. The Great Firewall routes the app store download request to a proxy that injects malware and resigns the package with their own key, which is trusted by the device.

None of the links you have supplied substantiate the claim that iOS devices trust a key from the great firewall. If you have a link that does, I would be interested to see one, otherwise I think we can safely call this a lie. You know it’s not true, but you are saying it anyway.

> Interesting that you seem unworried that Apple's own privileged MITM position allows it to insert malware, which governments can request.

I’m not unconcerned about that, but your claim is that China can sign iOS packages without Apple’s knowledge, which is a very different issue.

>> Your claim about aggregate Android malware numbers being lower than iOS was false:

> My claim was about malware from the Play Store and the Amazon App Store.

Yes and it is false.

> Please stop calling claims bullshit (you've done this five times now) just because you are unwilling to follow the logic and want me to spell it out. If you need help understanding an argument, just ask for it.

I will continue to call out lies and bullshit when it’s clear that is what is being presented. You have so far not substantiated the facts you have been challenged on, and your arguments rely on claims which you can’t support.