I would ask them to prove that claim in court for starters.

I would ask them why they feel they’d be liable for users who installed and gave permission to an app that would use NFC readers for payments.

I would ask them why access to the NFC reader by a 3rd party app in any way allows access to Apple Pay’s stored, encrypted data (which it doesn’t need)

I would ask why permission settings and security validations couldn’t be made on API calls with the potential to be harmful. Even for third-party app stores, Apple could still require app reviews and code signing for any apps that want to conduct financial transactions; they just don’t want to because they’ll make less money from Apple Pay.

Apple often handholds user flows and restricts access to features because non-technical folks might be tricked into installing a malicious or insecure service, and Apple stuff is built for non/technical people. But, on the flipside, they often leverage this position to wall you into their garden. This is the problematic practice that needs to be addressed.

Perhaps they aren’t lying, but claims about security often involve theoretical weaknesses that aren’t practical to exploit in the real world. Apple is very skilled at making sure those claims align with their business interests.

It would not. It’s really as simple as that, saying as someone with two degrees in cyber security and 7 years of experience as a security consultant for various companies from small shops to multinational businesses, banks, and insurance companies.

I would love to see their threat modelling to justify what they’re saying to brainwash their acolytes… It’s a pure strawman to justify their bullshit.