Slashdot Mirror


iOS App Update Technique Puts Users At Risk (csoonline.com)

itwbennett writes: An increasing number of iOS application developers use a technique that allows them to remotely modify the code in their apps without going through Apple's normal review process, potentially opening the door to abuse and security risks for users. An implementation of this technique, which is a variation of hot patching, comes from an open-source project called JSPatch. After adding the JSPatch engine to their application, developers can configure the app to always load JavaScript code from a remote server they control. This code is then interpreted by the JSPatch engine and converted into Objective-C. 'JSPatch is a boon to iOS developers,' security researchers from FireEye said in a blog post. 'In the right hands, it can be used to quickly and effectively deploy patches and code updates. But in a non-utopian world like ours, we need to assume that bad actors will leverage this technology for unintended purposes.'
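A defender-side check for the technique described in the summary, as an added example (not from the article, FireEye, or the JSPatch project): a static scan of an .ipa archive for signs of an embedded JSPatch engine and of remotely hosted scripts. The marker strings `JPEngine`, `JSPatch` and `defineClass` are assumed from the open-source project, and the sample archive and its URL are constructed.

```python
import io
import re
import zipfile

# Assumed indicators: JPEngine is the engine's Objective-C class name and
# JSPatch.js its bundled script in the open-source JSPatch project.
NATIVE_MARKERS = (b"JPEngine", b"JSPatch")
# defineClass(...) is the call JSPatch scripts use to override native classes.
SCRIPT_MARKER = re.compile(rb"\bdefineClass\s*\(")
# Heuristic: any embedded URL ending in .js hints at remotely loaded script.
REMOTE_JS_URL = re.compile(rb"https?://[\w.\-/:%]+\.js\b")


def scan_ipa(ipa_bytes):
    """Return {archive member: sorted findings} for an .ipa (zip) archive."""
    report = {}
    with zipfile.ZipFile(io.BytesIO(ipa_bytes)) as ipa:
        for info in ipa.infolist():
            if info.is_dir():
                continue
            data = ipa.read(info)
            findings = set()
            for marker in NATIVE_MARKERS:
                if marker in data:
                    findings.add("native:" + marker.decode())
            if info.filename.endswith(".js") and SCRIPT_MARKER.search(data):
                findings.add("script:defineClass")
            for url in REMOTE_JS_URL.findall(data):
                findings.add("remote-js:" + url.decode())
            if findings:
                report[info.filename] = sorted(findings)
    return report


def build_sample_ipa():
    """Constructed sample archive (not a real app) used to exercise the scan."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("Payload/Demo.app/Demo",
                   b"\xcf\xfa\xed\xfe\x00JPEngine\x00JSPatch.js\x00"
                   b"http://patch.example.invalid/main.js\x00")
        z.writestr("Payload/Demo.app/fix.js",
                   b"defineClass('DemoViewController', {viewDidLoad: function() {}})")
        z.writestr("Payload/Demo.app/Info.plist", b"<plist></plist>")
    return buf.getvalue()


if __name__ == "__main__":
    for name, findings in scan_ipa(build_sample_ipa()).items():
        print(name, findings)
```

String matching only works on unencrypted builds (for example enterprise or pre-submission packages), and a hit shows that the capability is present, not that it is being abused.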

2 of 67 comments

  1. Re:How long before Apple rejects by jonwil · Score: 5, Informative

    Apps using JSPatch are already violating the app store rules anyway. Apple prohibits any app that downloads unapproved code from somewhere and runs it (or did last time I checked).

  2. Re:Brought it on themselves by dissy · Score: 2, Informative

    Your post is either a standard Apple troll, or you are just purposely being dense.

    Please tell me you're kidding. These are iOS users we're talking about. They have purposely chosen the "easy to use" OS (even with all its limitations).

    WE are talking about iOS users, but I'm not sure you are on the same page...

    Like hell you're going to get them to figure out how to compile an app

    Are you seriously arguing Mac users are too stupid to double click one icon? Trollolol?

    Not only that, in order to run Xcode you need to have a Mac.

    That's very likely why he said: and allow iOS device users who also own a Mac

    Or put another way, no you are very incorrect. If one already owns a Mac, there is no need for any additional Mac computers. Just the one will do.

    I suppose you bought your Android phone to make phone calls, then went right out to buy two or three more Android phones due to your thinking that one of the things somehow wasn't enough?

    You just went from a $200-$600 investment in the iPhone/iPad and added a thousand dollars to it.

    If you purchase no computer, you will spend $0. How are you arguing not buying a second computer costs thousands of additional dollars?

    There is no shortage of iOS users with Windows machines who like their iDevice but aren't ready to make that leap to a Mac.

    Hate to have to be the one to tell you this but MacOS is not Windows, and Windows is not MacOS.

    He clearly stated this option is only for Mac users. Why do you feel the need to repeat what was already said and specifically name Windows users as excluded?
    You forgot to mention Linux users can't do this either, nor can QNX users, nor can Mainframe users...

    Quit being dense or try to troll somewhat intelligently next time.