
It's not one additional prompt, it's a class of prompts that could be exploited over and over again. A single site could trigger hundreds of sites popping up in the background, each of which triggers it, and then the user's home screen is full of fake PWAs with names like 'save money', 'in debt?', 'casino cash bucks', etc. Next you're developing mitigations, spam cleanup, etc. We've gone through this kind of thing before.



If that's a real potential problem, why doesn't this already happen on Android?

Why would this be exploited on the relatively small marketshare platform that is iOS, when in all those years this has not been a problem on the dominant platform?

Because it's not a real problem.


You mean like this? https://www.tomsguide.com/news/hackers-are-using-a-new-trick...

This stuff is part of the reason people commit to the Apple ecosystem despite its shortcomings.

While Android dominates globally, iOS has nearly 60% market share in the US and some other countries.


I don't think that's right, I think Apple dominates the US because they're genius at marketing and design. You don't have to build something more secure, you just have to convince people you did.


I'm not especially aware of this particular thing, but sending an SMS with a link to a web page that asks to install a PWA seems to me like it would work on any platform that allows PWAs, irrespective of whether PWAs are restricted to one rendering engine or not, and totally unrelated to the exploit outlined in the post I was responding to (about a somewhat unclear process to me, that would open sites in the background, sending prompts to the user and somehow automatically installing many different PWAs this way).

What we are talking about is specifically targeted at the EU where iOS represents about 30% of users, and doesn't apply to the US. So it's unlikely that scammers would just hold off from exploiting Android and wait for the EU to force iOS to allow different browsers, and only then exploit this class of vulnerability.


That was in response to your statement that “in all those years this has not been a problem on the dominant platform”. It has. The exploit in the news article is only possible because of the way Android lets websites initiate a PWA install, with a prompt that looks like a normal app install, lacking any warning about insecure sources.

Android was also infamous for causing users to develop permission-blindness and just accept everything, later replaced by every app having an extensive permission list that everyone just shrugs at and accepts as normal.


The user would get rid of the app/browser that is doing this, no? The same way they would have to for any malicious app that persistently requests a special permission?


Yeah ideally. Given there are nearly 1.5 billion active iPhones tho, a lot (100s of millions) of users aren't going to understand the relationship between the prompts and the browser and/or know (/know how) to uninstall the browser and/or have desire to do it at the moment they experience the problem, especially if the browser has other qualities they like. Many more would just blame it on themselves, ignore the problem, etc. These users may make up a plurality or majority of iOS users, and have a totally different experience from a technical user working on a desktop OS (HN crowd).


I'm guessing you've never had to clean up a relative's Windows machine. I wish I could say the same.


Are you sure we can't have additional plugin toolbars for Safari? Maybe have one or two that tell us that we can get paid to surf the Web, and a couple of others that definitely don't show popups?

