Apple empties gas can, strikes match, burns bridge to hot-patch apps

Apple has begun informing a limited number of developers using hot patching frameworks that doing so violates its rules. The developers put on notice appear to be using either Rollout.io or JSPatch, because each is capable of changing the behavior or functionality of apps after Apple's approval review. Apple did not …

  1. Aitor 1 Silver badge

    Code injection.

    Allowing code injection is simply madness.

    What is the point of the vetting process if apps can run arbitrary code?

    1. Lee D Silver badge

      Re: Code injection.

      Do you think the vetting process tests every possible code path? Do you think it even can?

      Do you think you hand over your source code to Apple for testing, or a pre-compiled binary?

      Do you think you can't just put "Test this website DNS entry, is it X.X.X.X? If so, be a virus" into the code and have it slip past ANY app review process?

      Even if you have to obscure it, have you seen how easy such obfuscation is?

      Even pretending that you're auditing such code is just smoke and mirrors, I'm afraid. There are no guarantees whatsoever even with the most skilled reverse engineer on the other end. Modern apps are tens of megabytes of compiled binary.

      Stop relying on some guy at Apple who has seven million apps to approve before Monday to spot things.

      Just make sure that your permission model means they CAN'T ACCESS those hidden internal APIs, that they can't gain permissions they weren't given, that they can't interfere with other apps or data not explicitly given to them (e.g. via "Share" or other IPC) and that they can do no worse than run up your CPU time.

      But, of course, that requires a proper security model rather than smoke-and-mirrors.

      P.S. There is still an app - for the last three years - on the Apple iTunes store which is a full VPN, advertised as "break through your school filters", which is rated suitable for ages 3+, and Apple refuse to change it because "it's up to the app developer" (I have the emails if you'd like to see!). But Google Chrome, official app, is rated 18+ because it "lets users access the Internet").

      Apple couldn't care less about you. All they want to do is stop you bypassing the app-store to do things.

      1. Ian Joyner

        Re: Code injection.

        >>Apple couldn't care less about you. All they want to do is stop you bypassing the app-store to do things.<<

        That is nonsense. Apple very much cares about end users. Security is paramount. End users need security provided for them. Even as a security 'expert' I value being protected. It is just impossible to keep up with everything that is happening, or even to understand it all (in that stack of security books I have on my floor).

        Should we rely on Apple's review process? No - nothing can be 100% secure. We don't know how Apple tests the apps. I suspect some automated tool to look for funny calls, i.e. a virus scanner that scans for odd bits of code, long before it gets onto any end user's machine. No virus scanner can be relied on 100% either.

        No company wants the systems that it sells violated. But Apple have the strongest ecosystem to do that - to protect its own systems and its end users.

        While you made some good points about not relying on that, since security cannot be 100%, your concluding paragraph is complete rubbish.

          1. Anonymous Coward

          Re: Code injection.

          Apple cares about end users because they've built their business on getting "sticky" customers. People who buy an iPhone, and want to buy another two years later, and another two more years later. People who buy an iPhone and decide to get a Macbook rather than a Dell for their next laptop, or an Apple TV rather than a Roku. Subscribe to Apple Music rather than Pandora.

          You don't get those loyal customers by screwing them over, intentionally leaving them vulnerable to hacking or selling off their personal information. Of the Android OEMs, Samsung is the only one who is trying to build a similar loyalty amongst its customers, because they have a lot of other products to sell. i.e. if you like your GS8, maybe you will buy Samsung for your next TV or washing machine.

          The rest of the crowd like HTC or whoever only care about selling you a phone today, and don't really give a damn about you after that. They aren't making any money selling phones as it is, so they will do the minimum possible after sale, i.e. a token Android update or two, and then you're left on your own. Google only cares about you so long as they can keep sucking up a constant stream of your personal information to feed their advertising juggernaut that is their only real source of income.

          1. Ian Joyner

            Re: Code injection.

            I mainly agree with DougS. I can think of lots of things that Apple has done, that includes original ideas, or ideas taken from others and popularised (including Wifi that was invented in the building where I work at Macquarie University). I can put names and faces to people who have worked at Apple. The others are just electronics companies. I can't think of what Dell or Samsung have contributed to computing, nor of any names that are known or revered in the industry. Yes, Google (where I can think of things they have done and names) also has just become an advertising company, making their money out of anything else but computing.

  2. Michael Hoffmann

    Stuff like this...

    ... is how you end up with backdoor code that makes the magnetic bottle of your Epstein drive go super-critical and turns you into a star for a very brief moment.

  3. Louis Schreurs BEng Bronze badge

    Yeah

    So the need for hotpatching comes from ........... indecent code that was released before it was decent code?

    The IT community should think about giving out a house for rent before fixing the leaking roof. Or selling, or better, giving out to hire for other people a car with bad wheel bearings.

    IT should roll out code that has no flaws, but I bet this will be impossible, according to the people who work in IT in general, but that says everything about the used people and software, imo incompetent for the most part, or at least for an important part.

    Biting the hand that feeds IT.

    Start the downvoting.....................

    1. Anonymous Coward

      Re: Yeah

      Have an upvote.

      Yes there will be many who say, Apple has just made that wall around their garden even taller.

      Allowing patching this way was probably a mistake and the NSA/CIA docs released this week may well have given Apple the hint that it could be used for bad things. So for the protection of the many, a feature for the few is removed.

      Any software developer worth it knows that releases have to follow a process. Yes I have gnashed my teeth at times like when it took 3 weeks to get a 2 line code change put into production but that's life.

      Live with it or move to another profession like Grave Digging perhaps?

      Perhaps I'll get the downvotes instead of you?

    2. Filippo

      Re: Yeah

      Rolling out flawless code is not technically impossible, but there are strong diminishing returns. In the time it takes to create a flawless application, your competitors will have released a crashing piece of crap software, that people have bought en masse, because your application was not released yet and even crap software is better than no software.

      1. P. Lee Silver badge

        Re: Yeah

        Flawless is one thing, but I see two things here.

        Yes, code should not be self-updating, but also, why aren't there technical barriers surrounding allowed and restricted behaviour?

        If premium rate dialling is a thing which is blocked on Apple's say-so during a code review, it should also be blocked at a technical level at execution time.

        1. Stevie Silver badge

          Re: barriers

          Wouldn't static linking be one such barrier?
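Lee D's point above about a permission model that stops an app reaching what it was not granted, and P. Lee's point that a rule enforced only "on Apple's say-so during a code review" should also be enforced at execution time, are the same design argument. The following is an added example to illustrate it; it is not code from the article, from JSPatch or Rollout.io, or from any commenter. JavaScript is used because the frameworks the article names inject JavaScript into shipped apps. Everything in it is hypothetical and constructed for illustration: the toy "app", its `dial` and `readContacts` capabilities, the premium-rate prefix list, and the two "downloaded" patch scripts.

```javascript
// Added example (not from the article or any commenter): enforcing a
// review-time rule at execution time, so hot-patched code is bound by it too.
// Everything here is hypothetical: the "app", its capabilities, the
// premium-rate prefixes and the patch scripts are constructed for illustration.

const PREMIUM_PREFIXES = ['0900', '1900', '+44900']; // constructed list

// Normalise a dialled string and test it against the premium-rate list.
function isPremiumRate(number) {
  const digits = String(number).replace(/[\s()-]/g, '');
  return PREMIUM_PREFIXES.some((p) => digits.startsWith(p));
}

// Naive design: the dial primitive trusts whoever calls it. The premium-rate
// rule exists only as a review-time policy, so code that arrives after review
// (a hot patch) is not bound by it.
function makeNaiveApp(log) {
  return {
    showMessage(m) { log.push(`ui: ${m}`); },
    dial(number) { log.push(`dialled ${number}`); return true; },
  };
}

// Hardened design: the rule lives inside the primitive, so it holds for every
// code path, shipped or patched. Patch code is additionally handed only a
// frozen, allow-listed capability object rather than the app's internals.
function makeHardenedApp(log) {
  const privileged = {
    dial(number) {
      if (isPremiumRate(number)) {
        log.push(`blocked premium-rate dial to ${number}`);
        return false;
      }
      log.push(`dialled ${number}`);
      return true;
    },
    // Something the app never intends patch code to touch.
    readContacts() { return ['alice', 'bob']; },
  };
  const patchApi = Object.freeze({
    showMessage(m) { log.push(`ui: ${m}`); },
    dial(number) { return privileged.dial(String(number)); },
  });
  return { privileged, patchApi };
}

// Loader for "downloaded" patch source. new Function does not isolate the
// patch from globals (a JS bridge into a real app does not either), which is
// why the check has to sit in the primitive and not in the loader.
function runPatch(patchSrc, api) {
  return new Function('app', patchSrc)(api);
}

// Constructed patch: a harmless-looking UI tweak that also dials a premium number.
const PATCH_DIAL = `
  app.showMessage("Welcome back!");
  app.dial("0900 123 456");
`;

// Constructed patch that tries to reach past the allow-listed capability.
const PATCH_ESCAPE = `
  app.dial = function () { return "replaced"; };   // silently ignored: frozen
  app.readContacts();                               // not exposed: throws
`;

function demoNaive() {
  const log = [];
  runPatch(PATCH_DIAL, makeNaiveApp(log));
  return log; // ['ui: Welcome back!', 'dialled 0900 123 456']
}

function demoHardened() {
  const log = [];
  runPatch(PATCH_DIAL, makeHardenedApp(log).patchApi);
  return log; // ['ui: Welcome back!', 'blocked premium-rate dial to 0900 123 456']
}

function demoEscapeAttempt() {
  const log = [];
  const { patchApi } = makeHardenedApp(log);
  try {
    runPatch(PATCH_ESCAPE, patchApi);
  } catch (e) {
    log.push(`patch aborted: ${e.name}`);
  }
  return log; // ['patch aborted: TypeError']
}
```

The same patch script runs in both designs; only where the rule is checked differs. In the naive app the premium-rate call succeeds because nothing at execution time ever asks the question, which is exactly what a review that never saw the patch cannot catch. In the hardened app the primitive refuses regardless of who calls it, and the frozen capability object means the patch cannot swap the primitive out or reach `readContacts`, which was never exposed to it. The loader itself provides no isolation and is not relied on for any.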

      2. Ian Joyner

        Re: Yeah

        >>Rolling out flawless code is not technically impossible...your application was not released yet and even crap software is better than no software<<

        There is some truth to that. But we should also not give up. Precedent says that Apple spent years developing the Macintosh. Microsoft ripped some code off them (Raskin's Quickdraw), quickly released Windows 1 before Macintosh. Windows 1 was complete 'crap', but Windows ended up winning. But it won because IBM-backed MS got that horrible QDOS installed everywhere, and all the IBMers were happy because IBM almost crushed another good company - Apple.

        After that experience did Apple 'learn its lesson'? No, they stuck to producing better systems, spending the time, effort, money, risk to do it. Eventually, that model has proven a success.

        People talk about the software crisis - that is rubbish software getting out there without sufficient testing, leading to bugs and security flaws. If we are to get around this problem, we need to become much more professional and follow Apple's lead in this. We must keep going and put the cowboys with their 'crap' software out of business. Under the cowboy model, the consumer loses and will continue to lose.

    3. Anonymous Coward

      Re: Yeah

      Au contraire, expect a waterfall of upvotes to drop on you if you're not agile enough to avoid it

  4. cb7

    Without self updating code

    I guess we'll never see true AI...?

  5. Roopee

    "even crap software is better than no software."

    I beg to differ. The world would be a better place if there was no software, rather than masses of crap software.

  6. EnviableOne Silver badge

    Given that awareness, it's certainly possible Apple could some day offer developers a service that provides an automated, rapid way to update apps without revisiting review purgatory. It might even find a way to charge loads for the service.

    FTFY

Biting the hand that feeds IT © 1998–2020