Allowing code injection is simply madness.
What is the point of the vetting process if it can run arbitrary code?
Apple has begun informing a limited number of developers using hot patching frameworks that doing so violates its rules. The developers put on notice appear to be using either Rollout.io or JSPatch, because each is capable of changing the behavior or functionality of apps after Apple's approval review. Apple did not …
Do you think the vetting process tests every possible code path? Do you think it even can?
Do you think you hand over your source code to Apple for testing, or a pre-compiled binary?
Do you think you can't just put "Test this website DNS entry, is it X.X.X.X? If so, be a virus" into the code and have it slip past ANY app review process?
Even if you have to obscure it, have you seen how easy such obfuscation is?
Even pretending that you're auditing such code is just smoke and mirrors, I'm afraid. There are no guarantees whatsoever even with the most skilled reverse engineer on the other end. Modern apps are tens of megabytes of compiled binary.
Stop relying on some guy at Apple who has seven million apps to approve before Monday to spot things.
Just make sure that your permission model means they CAN'T ACCESS those hidden internal APIs, that they can't gain permissions they weren't given, that they can't interfere with other apps or data not explicitly given to them (e.g. via "Share" or other IPC) and that they can do no worse than run up your CPU time.
But, of course, that requires a proper security model rather than smoke-and-mirrors.
P.S. There is still an app - for the last three years - on the Apple iTunes store which is a full VPN, advertised as "break through your school filters", which is rated suitable for ages 3+, and Apple refuse to change it because "it's up to the app developer" (I have the emails if you'd like to see!). But Google Chrome, official app, is rated 18+ because it "lets users access the Internet").
Apple couldn't care less about you. All they want to do is stop you bypassing the app-store to do things.
>>Apple couldn't care less about you. All they want to do is stop you bypassing the app-store to do things.<<
That is nonsense. Apple very much cares about end users. Security is paramount. End users need security provided for them. Even as a security 'expert' I value being protected. It is just impossible to keep up with everything that is happening, or even to understand it all (in that stack of security books I have on my floor).
Should we rely on Apple's review process? No - nothing can be 100% secure. We don't know how Apple tests the apps. I suspect some automated tool to look for funny calls, i.e. a virus scanner that scans for odd bits of code, long before it gets onto any end user's machine. No virus scanner can be relied on 100% either.
No company wants the systems it sells violated. But Apple have the strongest ecosystem to do that - to protect its own systems and its end users.
While you made some good points about not relying on that, since security cannot be 100%, your concluding paragraph is complete rubbish.
Apple cares about end users because they've built their business on getting "sticky" customers. People who buy an iPhone, and want to buy another two years later, and another two more years later. People who buy an iPhone and decide to get a Macbook rather than a Dell for their next laptop, or an Apple TV rather than a Roku. Subscribe to Apple Music rather than Pandora.
You don't get those loyal customers by screwing them over, intentionally leaving them vulnerable to hacking or selling off their personal information. Of the Android OEMs, Samsung is the only one who is trying to build a similar loyalty amongst its customers, because they have a lot of other products to sell. i.e. if you like your GS8, maybe you will buy Samsung for your next TV or washing machine.
The rest of the crowd like HTC or whoever only care about selling you a phone today, and don't really give a damn about you after that. They aren't making any money selling phones as it is, so they will do the minimum possible after sale, i.e. a token Android update or two, and then you're left on your own. Google only cares about you so long as they can keep sucking up a constant stream of your personal information to feed their advertising juggernaut that is their only real source of income.
I mainly agree with DougS. I can think of lots of things that Apple has done, that includes original ideas, or ideas taken from others and popularised (including Wifi that was invented in the building where I work at Macquarie University). I can put names and faces to people who have worked at Apple. The others are just electronics companies. I can't think of what Dell or Samsung have contributed to computing, nor of any names that are known or revered in the industry. Yes, Google (where I can think of things they have done and names) also has just become an advertising company, making their money out of anything else but computing.
So the need for hotpatching comes from ........... indecent code that was released before it was decent code?
The IT community should think about giving out a house for rent before fixing the leaking roof. Or selling, or better, giving out to hire for other people a car with bad wheel bearings.
IT should roll out code that has no flaws, but I bet this will be impossible, according to the people who work in IT in general, but that says everything about the used people and software, imo incompetent for the most, or at least for an important part.
Biting the hand that feeds IT.
Start the downvoting.....................
Have an upvote.
Yes there will be many who say, Apple has just made that wall around their garden even taller.
Allowing patching this way was probably a mistake and the NSA/CIA docs released this week may well have given Apple the hint that it could be used for bad things. So for the protection of the many, a feature for the few is removed.
Any software developer worth it knows that releases have to follow a process. Yes I have gnashed my teeth at times like when it took 3 weeks to get a 2 line code change put into production but that's life.
Live with it or move to another profession like Grave Digging perhaps?
Perhaps I'll get the downvotes instead of you?
Rolling out flawless code is not technically impossible, but there are strong diminishing returns. In the time it takes to create a flawless application, your competitors will have released a crashing piece of crap software that people have bought en masse, because your application was not released yet and even crap software is better than no software.
Flawless is one thing, but I see two things here.
Yes, code should not be self-updating, but also, why aren't there technical barriers surrounding allowed and restricted behaviour?
If premium rate dialling is a thing which is blocked on Apple's say-so during a code review, it should also be blocked at a technical level at execution time.
>>Rolling out flawless code is not technically impossible...your application was not released yet and even crap software is better than no software<<
There is some truth to that. But we should also not give up. Precedent says that Apple spent years developing the Macintosh. Microsoft ripped some code off them (Raskin's Quickdraw), quickly released Windows 1 before Macintosh. Windows 1 was complete 'crap', but Windows ended up winning. But it won because IBM-backed MS got that horrible QDOS installed everywhere, and all the IBMers were happy because IBM almost crushed another good company - Apple.
After that experience did Apple 'learn its lesson'? No, they stuck to producing better systems, spending the time, effort, money, risk to do it. Eventually, that model has proven a success.
People talk about the software crisis - that is rubbish software getting out there without sufficient testing, leading to bugs and security flaws. If we are to get around this problem, we need to become much more professional and follow Apple's lead in this. We must keep going and put the cowboys with their 'crap' software out of business. Under the cowboy model, the consumer loses and will continue to lose.
Biting the hand that feeds IT © 1998–2020