Apple has published a fairly detailed document on which I comment here.

My Hot Buttons

There seems to be an implicit assumption that “apps have authority” and not instances of apps. I would very much like two instances of Apple’s Mail app. They would hold POP passwords to two different mail servers and would not have access to each other’s mail archives. I would then not need to worry about bugs in the Mail app mixing data from my two contractees. This is a common pattern in capability systems.

Capabilities provide ample mechanism for an institution to carve out its own space on the device and install its own function there, while leaving the whole iPhone (less that space) to the user.

The user need not trust Apple to skim code for suspicious system calls. Relevant bad actions are caught at run time in concrete situations rather than in hypothetical situations that the Apple engineers may not have thought of. If I want to run a new instance of Tetris, it does not require much savvy for the user to say no when Tetris asks for a contact list. Unlike the usual Apple dialog box asking for sweeping authority on behalf of some poorly defined entity, such a request would be manifestly from that instance of Tetris. We have several hundred thousand years of evolution behind us that responds well to these situations.
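To make the two points above concrete (per-instance authority in the Mail example, and a run-time request that is manifestly from one instance in the Tetris example), here is a small object-capability model written as an added illustration for this page. It is not Apple’s design and not code from the document under discussion; the class names, the `request_capability` function, and the server names are all made up for the example. The contrast it draws is between an instance that only holds the object references handed to it at creation and an “ambient” registry keyed by app name, where two instances of the same app unavoidably share state.

```python
"""Toy object-capability model: authority is held by app *instances*, not by app
names. Added example for illustration; not Apple's design and not from the page."""


class Mailbox:
    """A mail account: server, POP password and an archive (all constructed sample data)."""

    def __init__(self, server, password):
        self.server = server
        self._password = password  # only reachable through this object
        self.archive = []


class ContactList:
    def __init__(self, entries):
        self.entries = list(entries)


class AppInstance:
    """An instance holds exactly the capabilities passed in at construction.

    There is deliberately no class-level registry keyed by app name, so one
    instance has no way to look up another instance's objects.
    """

    def __init__(self, name, **caps):
        self.name = name
        self._caps = dict(caps)

    def holds(self, cap_name):
        return cap_name in self._caps

    def use(self, cap_name):
        if cap_name not in self._caps:
            raise PermissionError(f"{self.name} holds no {cap_name!r} capability")
        return self._caps[cap_name]


def request_capability(instance, cap_name, obj, user_decides):
    """Run-time grant. The prompt names the specific requesting instance;
    user_decides(instance_name, cap_name) -> bool is the user's answer."""
    if user_decides(instance.name, cap_name):
        instance._caps[cap_name] = obj
        return True
    return False


class AmbientRegistry:
    """The 'apps have authority' model for contrast: state is keyed by app name,
    so every instance of 'Mail' sees the same mailbox record."""

    def __init__(self):
        self._by_app = {}

    def bind(self, app_name, obj):
        self._by_app[app_name] = obj

    def lookup(self, app_name):
        return self._by_app[app_name]


def demo():
    # Two Mail instances, each given one mailbox capability (constructed sample data).
    work = Mailbox("pop.work.example", "work-password")
    home = Mailbox("pop.home.example", "home-password")
    mail_1 = AppInstance("Mail#1", mailbox=work)
    mail_2 = AppInstance("Mail#2", mailbox=home)

    # A Tetris instance starts with no capabilities and asks for the contact list.
    contacts = ContactList(["alice", "bob"])
    tetris = AppInstance("Tetris#1")
    prompts = []

    def user(instance_name, cap_name):
        prompts.append((instance_name, cap_name))  # what the user was shown
        return False  # the user says no

    granted = request_capability(tetris, "contacts", contacts, user)

    # Ambient model for contrast: a second "Mail" bind silently replaces the first.
    ambient = AmbientRegistry()
    ambient.bind("Mail", work)
    ambient.bind("Mail", home)

    return {
        "mail_1_server": mail_1.use("mailbox").server,
        "mail_2_server": mail_2.use("mailbox").server,
        "mail_1_has_contacts": mail_1.holds("contacts"),
        "tetris_granted": granted,
        "tetris_has_contacts": tetris.holds("contacts"),
        "prompts": prompts,
        "ambient_mail_server": ambient.lookup("Mail").server,
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

In the capability model the prompt carries the instance name (`Tetris#1`), and a refusal leaves that instance with nothing; `Mail#1` cannot reach `Mail#2`’s mailbox because no code path exists to name it. In the ambient model both Mail instances resolve to whichever mailbox was bound last, which is exactly the mixing of data the text worries about.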