Slashdot Mirror
Unsanity Developer Comes to APE's Defense
beelsebob writes "Rosyna, the famously tellytubby-like Unsanity Developer has spoken out in the defense of their Application Enhancer (APE) framework. The framework has taken a beating since it came out, being accused of being spyware, or of crashing computers. In fact Unsanity have only received one bug report about APE itself, which was promptly fixed. The article is a very good defence of the product, and a very good read."
Bob
If you install a buggy application on your system, then it crashes, and you likely loose work. How is this different to if you install a buggy APE module on your system, then it crashes, and you likely loose work.
Bob
It is pretty poor analogy to compare APE to QT Codecs or Internet Plugins. Their behavior is for the app to dynamically load and run their code when needed, and they will not be loaded unless they are called. When I launch TextEdit there is no DivX or Flash code loaded into TextEdit's memory space. APE inserts code into all running apps. That is quite different.
Input Managers are a better analogy, and honestly I do not install 3rd party Input Manager since I understand their behavior.
I don't know enough about CMMs to comment.
Hyperbole is the worst thing ever.
I don't know what that's about, Rosyna looks pretty ordinary to me....
A lot of this came about because of the rash of URL handler exploits in Mac OS X recently.
u rity_update
In the mad rush to secure Mac OS X, two groups emerged. The Paranoid Android (based upon APE) and the RCDefault/More Internet side.
Unsanity (makers of PA) had a incomplete product at first that could not keep up with the rapid new discoveries. It was designed to check the URL handlers for you for suspicious behavior, problem was it didn't cover all the URL handlers.
v 1.1 was no good and finally unsanity came out with v 1.2 which covered them better.
Now on the other side of the camp is the RCDefaultApp and More internet crowd, which schooled people to turn off/reassign the URL handlers themselves with a very easy to use program.
Their argument was that one didn't need to install a "haxie" (in their own words) "injects code in all your programs" &
"they do their thing by violating the boundaries of protected memory."
http://daringfireball.net/2004/05/help_viewer_sec
Either way, I'm glad the Mac community turned out in force to solve these problems in a jiffy, Apple should be ashamed of themselves, being warned over 4 months ago about them.
If using Paranoid Android was the only option to prevent these exploits, I'm sure everyone would be happy using it. But it seems to me just disabling the URL handlers manually until needed or reassigning would have been a better option.
I'm glad we had a choice, so kudos to both and thanks.
Having praised APE's stability I should mention that I have studiously avoided ShapeShifter. I've had nothing but negative experiences with OS X theming software in the past and I finally decided just to give up and embrace aqua + brushed metal. The stability has been worth it.
Er, the only reason it would want you Administrator password is if you tried to install APE to /Library/Frameworks or a module to /Library/Application Enhancers.
Both APE and the modules allow you to choose whether you install localy or for all users on the machine.
T Money
World Domination with a plastic spoon since 1984
Don't think that APE is a security nightmare on its own. Sure, it provides means by which to inject code into programs that were launched after the code injector became present, but that's not a unique ability. Technically, any daemon can inject code into a program as it is being launched. The APE framework is not doing anything more than calling existing (but undocumented) APIs used in debugging Mac OS X. APE modules cannot poke around into any program they wish, they may only poke around in the applications in which they have been told to reside (something YOU have control over). They may not touch any other program. Sure, you can call APE a bad idea, and yes it can crash applications or spy on the user, but not more than any other piece of malware could, entirely separate from APE.
You don't understand. APE doesn't have access to physical memory nor the 'system' itself. By system, I mean operating system/kernel. APE uses the same user level techniques as debuggers. You know, break, step, continue...
This isn't strictly inserting new code, but does give allow an outside APE module to act like it was called from another piece of code: a code break pauses and notifies APE which calls an APE module and then returns control to the original module. I would guess one could also do variable introspection, but I assume this is harder without debugging markers.
It is perfectly possible to do this sort of thing on other Unixes.
Does this have potential to break things? Yes.
Does it break often between versions of code being hooked? Yes.
Is there potential for spyware? Yes.
Has anyone shown any evidence of problems from the standard licensed releases on the appropriate platforms/versions (i.e., non-development versions)? Not to my knowledge.
Anm
While Paranoid Android can increase security, so can RCDefaults which has the added benefit of being very unobtrusive.
I was very clear that my points were entirely theoretical and that I had no reason to believe that there were any current security issues with APE/APE modules. I don't think Unsanity is shipping their software with malicious intent.
But you make one point that is entirely false that I have to address:
"as far as security goes, there's nothing that APE can do that a sneaky application can't do"
That is true in a sense that a malicious app could do the same thing that APE does, though it would be complicated to get all those pieces set up. The thing that APE provides a convenient framework for that. What most apps can't do is to look around in any user's running app's memory space and do whatever it wants with what it finds. Normal apps can't go poking around in another app's memory space at all. APE lets you write code to do that and a malicious coder could use this for lots and lots of bad things.
I don't think it is too likely to be exploited since there aren't a lot of systems out there running APE. But the very fact that when installing APE one is installing a program that opens yourself up to that degree of a serious sercurity hole makes it untenable. Expecially when installing a haxie doesn't require much work, and is easy to hide for a clever developer, so it would be easy to exploit. APE make a complicated and difficult exploit requiring root prive really easy to run in user space.
It is analogous to creating a new app that runs as a daemon to do some cool peer to peer file sharing thing you really like, though it also allows remote users to run any commands on your system with no authentication. Even if you really like what the app does, the app is uncommon, and only runs on an obscure platform, it is still insecure by design.
Hyperbole is the worst thing ever.
APE, along with an older version of ASM (the MenuCracker part specifically) on 10.2 caused the finder to quit and restart repeatedly ad infinitum. I removed all modules, still caused the problem. removed APE, the problem stopped. Spoke to him about it, he denied it was the cause, but it's hard to deny.
He can say what he wants, but APE does things it's not "supposed" to be able to do, and this can cause conflicts. I've removed all "hacks" and I haven't had any trouble since.