Hacker News

> You trust hardware and software by establishing boundaries. We figured this out long ago with the kernel mode/user mode privilege check and other things. You want apps to be heavily locked down/sandboxed, and you want the OS to enforce it, but every time you do you go up against the principles of open source absolutists like the FSF. "What do you mean my app can't dig into the storage layer and read the raw image files? So what if apps could use that to leak user location data, I need that ability so I can tell if it's a picture of a bird"

Well, no. The objection isn't to sandboxing apps, but to sandboxing the user, as it were. On my laptop, I run my browser in a sandbox (e.g. bubblewrap, though the implementation of choice shifts with time), but as the user I control that sandbox. Likewise, on my phone, I'm still quite happy that my apps have to ask for assorted permissions; it's just that I should be able to give permission to read my photos if I choose.



Users can't be trusted. They don't read. You can put a popup that flashes in all caps saying "THIS WILL GIVE ACCESS TO YOUR BANK ACCOUNT" and users will blindly click OK to get to whatever they think they want, be that an Instagram feed, a game, or whatever.

https://devblogs.microsoft.com/oldnewthing/20030901-00/?p=42...

It was true 22 years ago and is even more true today.


That's not a good example. My bank issued a token device which scans their code, asks me my PIN, prompts me what's going to happen and asks for confirmation. Then I can enter the digits to proceed.

This is reasonably secure. If you hijack my account, you still don't have the hardware device and the random secret that was set up between the device and the bank.

You need to actually hack into the bank itself to transfer my money elsewhere.

Meanwhile, I only access the bank with my own computers. That means I installed them and have root. Not a problem at all.



