Greater dev access to iOS 8 will put us AT RISK from HACKERS

Increased developer access to iOS 8 could result in decreased security, a mobile security expert warns. Apple's expected iPhone 6 / iOS 8 announcement later on Tuesday is expected to include adding a number of new features to iOS 8 for developers. This will involve opening up more of the underlying architecture – increasing …

  1. SuccessCase

    Oh dear, a security company "expert," selling secure messaging software and who has incentives to see security flaws everywhere, mischaracterises the nature of the iOS co-operative model.

    The whole point is an extension is just like any existing app running in a sandbox, except it can be run "apparently" in view context of another app (so not necessarily occupying all of the screen). There isn't any direct inter-app data exchange. When an app extension is run, iOS just provides a view into another extension app sitting in its own sandbox. This is logically no different from any other app running.

    Data exchange is always mediated by iOS, and is done pretty much one of two ways, saving a file at a mutually accessible file container location that is external to both Apps and messaging iOS with a URL that can be provided to the host app (this is in no way essentially different to existing apps being able to grab data from dropbox using the dropbox API).

    The one additional risk, if it can be called that, is if the messaged app fails to securely process the contents of a URL, but since the URLs are provided by approved apps and no code is installed into a host app, if any extension providers misbehave, they can be killed, expunged by Apple. And indeed the same risk *already exists when any App processes URLs provided via email links or acquired from anywhere else*. So this doesn't add any new category of attack vector either and is in fact safer than the existing ability for a user to open URLs from emails within an app.

    So in reality, the fact there are app extensions adds no more risk than any OS enhancement. There's always the possibility of a latent security hole somewhere with any new added functionality, but really, the design Apple have implemented is very very secure and offers no more risk just because the words "app extension" are used. In important ways the words are simply a misnomer.

    1. a53

      The design Apple have implemented is very very secure .....

      Thanks for your pearls of wisdom. That 'expert's stuff was way too complicated for my simple mind to deal with, so at least I know now that I don't need to worry unduly.

    2. JeffyPoooh

      The other point...

      iPhone Apps have to go through Apple review before they show up on the Apple App Store.

      Android allows found-in-the-wild apps to be installed. Easily.

      1. JeffyPoooh

        Re: The other point...

        Two factually correct statements, five thumbs down.

        Ijits.

  2. Silviu C.

    If the OS is so secure that simply peeking behind the green curtain is enough to break the security model then it wasn't that secure in the first place, was it? But I digress, some corporate shill says something => becomes news story.

    We've certainly never seen that before.

  3. Stretch

    "One reason iOS is erroneously perceived to be more secure than Android"

    FTFY

    1. RyokuMas

      "One reason iOS is erroneously perceived to be more secure than Android"

      It's this kind of denial that only increases the average Android user's vulnerability.

      Almost All Mobile Malware Targets Android Says F-Secure

      You can't have your cake and eat it. It's great that Android is as open as it is (although it would be better still if we saw more viable competing forks of the AOSP), but it's that very openness that makes it an easy target for malware authors.

      Rather than get all defensive and tribal, wouldn't it be better for those who are that supportive of Android to accept that it is vulnerable and work to better educate the general users in order to minimise their chances of succumbing to the kind of social engineering attacks that make malware so prevalent on this platform?

      1. lurker

        Pretty much that. Freedom, or security: pick one. Kidding yourself that Android is more secure is just delusional. And that's speaking as someone who'd choose Android over the Apple alternatives any day of the week.

      2. Anonymous Coward

        @RyokuMas

        "Better educate the general users"?

        Why would this be any more successful than it was with Windows? It is the same user base of clueless people, after all. They still haven't learned not to open emails promising naked pics of celebrities or offers of marriage from Russia.

        The only reason there hasn't been a massive malware attack on Android is because the clueless masses mostly only know how to download apps from Google Play. If someone successfully gets them to use an alternate app store by promising a very "special" app because "Google doesn't want you to have this!", look out!

      3. Tom 35

        Almost all of it is going after the low-hanging fruit of non-Google app sources full of apps of dubious origin that have to be side loaded.

        The biggest problem with the Google app store is most of the apps are just crappy or don't even work.

  4. Frankee Llonnygog

    Re: Rather than get all defensive and tribal

    If we didn't, the forums would be pretty sparse

  5. Raumkraut

    Wailed Gordon

    > One reason iOS is more secure than Android has been Apple’s Walled Garden approach – quite simply, the less access developers have to the inner workings of the technology, the less opportunity there is for potential attackers to discover vulnerabilities.

    What? Unless I'm mistaken, this guy appears to have no idea what "walled garden" means.

    Apple has a "walled garden" because the end user can only install things ("apps") from a single, Apple-approved, location (the Apple app-store). This likely does indeed reduce the malware prevalence on iOS as compared to Android (AFAIK practically all of the Android malware comes from installing apps from non-Google-approved sources; because Android makes it relatively easy to do so).

    Giving developers "less access ... to the inner workings of the technology" isn't called a "walled garden", it's called "intentionally limiting functionality". (And yes, that will also probably reduce the prevalence, or at least the potency, of most malware)
