Not just the NFC chip. Almost every I/O system requires explicit permission.

That’s where a “social engineering” approach can be helpful. The permission request can be quite bland, to a non-technical person.

And yes, a native app with the program counter can definitely do stuff a Web site can’t. Run machine code, for instance.

We would hope the app sandbox is good enough to catch it.

Which permission is bland on iOS?

“Running machine code” is not a security vulnerability. If your browser isn’t secure all sorts of exploits can happen from a web browser. That’s how a lot of the early iOS jailbreaks worked.

I think we’re probably not getting anywhere here.

No problem, but we can each do our own thing.

If you are in the US, have a great Thanksgiving holiday. I sincerely hope it’s a warm, loving event.

It was a very simple request - show an example?

Everyone commenting here is being hand wavy

I stated an example. It was not enough.

I used to write machine code, but I don’t, anymore. I am quite aware of how powerful it is, so I have to assume that the very smart people at Apple -who deal with current-day machine code- have a handle on dealing with it.

I guarantee that hackers do.

You didn’t state one example where it bypassed the sandbox. All apps on iOS are compiled to assembly. If writing in assembly magically bypasses a well designed OS’s security model, we are in trouble

Some things are worth arguing about.

This isn't one of them.

Have a great Thanksgiving!