undefined | Better HN

0 pointsaboodman13y ago0 comments

But it's OK to write web pages that do?

0 comments

5 comments · 1 top-level

guan13y ago· 4 in thread

No, but web pages (including apps that are installed to the home screen and run full screen) run inside the MobileSafari process, which is much more carefully audited than your typical iOS app.

aboodmanOP13y ago

Audited how? Unless MobileSafari is itself tightly sandboxed, I don't see how auditing the code inside it is useful. Once you get malicious executable code inside MobileSafari, it can do whatever MobileSafari can do.

Edit: I think a better hypothesis is that Apple wants to be able to analyze app code, and thus disallows executable memory, which also rules out JITs. See: http://apple.slashdot.org/comments.pl?sid=2044470&cid=35...

raganwald13y ago

I doubt they're trying to audit behaviour, you can always write an app in Lua with an interpreter and they would have a hard time "auditing" the app statically.

The propblem is that if you allow executable memory you open aup a lot of exploit vectors. Now, that's true of Mobile Safari as well, but they trust their own team more than they trust you, and they have one app to watch instead of 100,000, and if an exploit os found they can push out a fix immediately, whereas 3rd party apps have a tortuous process for pushing out bug fixes.

Remember, it's part of their value proposition that apps from the app store appear to be relatively safe in comparison to the clusterfuck that is downloading random desktop apps, especially on Windows.

MatthewPhillips13y ago

Can you give an example of an exploit that would do harm from within a UIWebView but would not do harm from within Mobile Safari? Not questioning you, I'm genuinely interested.

raganwald13y ago

Given the current architecture, if UIWebkitView within an application can execute data, then the entire application can execute data.

So you could have a buffer overrun anywhere in the app. For example, if they are silly, you could go to the preferences for Facebook and enter a very, very, very long user name, overrun the name buffer, and have executable code.

That's not an exploit of UIWebkitView, it's an exploit of giving the application the permission it needs to have UIWebkitView use a JIT compiler for JS.

j / k navigate · click thread line to collapse

0 comments

5 comments · 1 top-level

guan13y ago· 4 in thread

No, but web pages (including apps that are installed to the home screen and run full screen) run inside the MobileSafari process, which is much more carefully audited than your typical iOS app.

aboodmanOP13y ago

raganwald13y ago

I doubt they're trying to audit behaviour, you can always write an app in Lua with an interpreter and they would have a hard time "auditing" the app statically.

MatthewPhillips13y ago

Can you give an example of an exploit that would do harm from within a UIWebView but would not do harm from within Mobile Safari? Not questioning you, I'm genuinely interested.

raganwald13y ago

Given the current architecture, if UIWebkitView within an application can execute data, then the entire application can execute data.

That's not an exploit of UIWebkitView, it's an exploit of giving the application the permission it needs to have UIWebkitView use a JIT compiler for JS.

j / k navigate · click thread line to collapse