iOS App Update Technique Puts Users At Risk

itwbennett writes: An increasing number of iOS application developers use a technique that allows them to remotely modify the code in their apps without going through Apple's normal review process, potentially opening the door to abuse and security risks for users. An implementation of this technique, which is a variation of hot patching, comes from an open-source project called JSPatch. After adding the JSPatch engine to their application, developers can configure the app to always load JavaScript code from a remote server they control. This code is then interpreted by the JSPatch engine and converted into Objective-C. 'JSPatch is a boon to iOS developers,' security researchers from FireEye said in a blog post. 'In the right hands, it can be used to quickly and effectively deploy patches and code updates. But in a non-utopian world like ours, we need to assume that bad actors will leverage this technology for unintended purposes.'

Brought it on themselves

[jareth-0205]

I have to think that Apple have brought this kind of thing on themselves - their ridiculous app approval system is uncertain and slow and developers are obviously going to try to find a way round it. If I find a bug in Android I fix it and release it. My iOS counterparts often have to live with the bug for weeks before they release because of the faff of the approval process.

Re:Brought it on themselves

[tepples]

You could distribute your app as source code under a free software license and allow iOS device users who also own a Mac to install the fix right away. Since Xcode 7, Apple has stopped requiring each individual user to buy a $99 per year developer license just to test an app compiled on his own Mac on his own iOS device.

Re:Brought it on themselves

[gstoddart]

By the same token, I'm not going to trust an app which decides it's going to silently update itself without telling me.

I think it's high on the "software-asshole meter". It says "we'll do anything on your device we choose", and I'm sorry to say, but it's my fucking device.

And since this has huge potential for security exploits and other malicious acts, it's a big risk for users that may not even know it's there.

I'm pretty sure unless you explicitly set Android to automatically update stuff your fix isn't going to get pushed to my device without me knowing it ... and enabling auto-updates is something Microsoft and host of others have demonstrated is idiotic.

Because you really can't trust people who expect to just do a quick fix when nobody is looking. Because in my experience that usually means the software was poorly tested and pushed out the door.

Apple app approval may be "ridiculous" to you, but it beats the alternative of malware, or poorly thrown together code.

Boo hoo, you need to wait weeks ... software cycles used to be FAR longer than that, and overall quality has suffered. Because people expect to push out a steaming turd every few weeks and call themselves agile.

I view software which bypasses approved update mechanisms and just does it in the background as little more than trojans and malware.

Re:Brought it on themselves

[Duckman5]

You could distribute your app as source code under a free software license and allow iOS device users who also own a Mac to install the fix right away.

Please tell me you're kidding. These are iOS users we're talking about. They have purposely chosen the "easy to use" OS (even with all its limitations). Like hell you're going to get them to figure out how to compile an app

Not only that, in order to run XCode you need to have a Mac. You just went from a $200-$600 investment in the iPhone/iPad and added a thousand dollars to it. There are no shortage of iOS users with Windows machines who like their iDevice but aren't ready to make that leap to a Mac.

Re: Brought it on themselves

[_merlin]

Well you thought wrong. Google Play Services automatically and silently updates itself with no user interaction. The only way to stop it is to disable it completely, but this also breaks that use its APIs. Most Android apps don't/can't update update silently, but Play Services definitely can and does unless you go out of your way to stop it.

Re:Brought it on themselves

[macs4all]

Apple app approval may be "ridiculous" to you, but it beats the alternative of malware, or poorly thrown together code.

This. EXACTLY this!

I hope that Apple changes the iOS App Store approval process to look for this insanely-dangerous BACKDOOR, and make the inclusion of that cause for instant REJECTION of the App.

Just like with Encryption backdoors, there is NO WAY this won't be exploited in 3...2...1...

Re:Brought it on themselves

[tepples]

I'm not kidding that it's possible. In fact, several developers of iOS apps that do things forbidden by the App Store Review Guidelines, such as classic game console emulators or WLAN troubleshooting apps, have chosen this route of requiring a Mac for installation. But I agree with you that it's unrealistic for the majority of users.

and added a thousand dollars to it

The last time I checked Apple.com, a Mac mini started at 499 USD plus tax. Where do you get this "thousand dollars", unless you live in a country whose dollar happens to have such an exchange rate with the USD?

Re:Brought it on themselves

[Fnord666]

I hope that Apple changes the iOS App Store approval process to look for this insanely-dangerous BACKDOOR, and make the inclusion of that cause for instant REJECTION of the App.

I'm curious when exactly they changed their policy in the first place. Apple used to reject any application that tried to do anything like this.

Re:Brought it on themselves

[dissy]

Your post is either a standard Apple troll, or you are just purposely being dense.

Please tell me you're kidding. These are iOS users we're talking about. They have purposely chosen the "easy to use" OS (even with all its limitations).

WE are talking about iOS users, but I'm not sure you are on the same page...

Like hell you're going to get them to figure out how to compile an app

Are you seriously arguing Mac users are too stupid to double click one icon? Trollolol?

Not only that, in order to run XCode you need to have a Mac.

That's very likely why he said: and allow iOS device users who also own a Mac

Or put another way, no you are very incorrect. If one already owns a Mac, there is no need for any additional Mac computers. Just the one will do.

I suppose you bought your Android phone to make phone calls, then went right out to buy two or three more Android phones due to your thinking that one of the things somehow wasn't enough?

You just went from a $200-$600 investment in the iPhone/iPad and added a thousand dollars to it.

If you purchase no computer, you will spend $0. How are you arguing not buying a second computer costs thousands of additional dollars?

There are no shortage of iOS users with Windows machines who like their iDevice but aren't ready to make that leap to a Mac.

Hate to have to be the one to tell you this but MacOS is not Windows, and Windows is not MacOS.

He clearly stated this option is only for Mac users. Why do you feel the need to repeat what was already said and specifically name Windows users as excluded?
You forgot to mention Linux users can't do this either, nor can QNX users, nor can Mainframe users...

Quit being dense or try to troll somewhat intelligently next time.

Re:How long before Apple rejects

[jonwil]

Apps using JSPatch are already violating the app store rules anyway. Apple prohibits any app that downloads unapproved code from somewhere and runs it (or did last time I checked)

Article is a piece of crap...

[fabrica64]

The linked article is just FUD. It basically says that using JSPatch the App can circumvent the app sandbox, and without any technical exlication. Just Fud

Mac + display, keyboard, and mouse = $529

[tepples]

I suppose the users are going to use some combination of telepathy and telekinesis to use that computer without a keyboard, mouse and monitor?

The last time I checked Apple.com, a Mac mini started at 499 USD plus tax, to which one can add either A. the display, keyboard, and mouse of one's existing non-Mac PC or B. one's existing HDMI TV and a 30 USD keyboard and mouse, bringing the total to 529 USD. This is still well shy of the $1,000 that Duckman5 quoted.

Not to mention the router and other network hardware and ISP costs they'll incur while trying to get the thing onto the internet to download a compiler and the source code.

I was assuming someone who already owns an Internet-connected PC running Windows or X11/Linux and an iPhone or iPad and is looking to replace the PC running Windows or X11/Linux with a Mac in order to receive updates to a particular Free program before App Store users receive them. How would an iPod touch or iPad user use the App Store anyway without paying "router and other network hardware and ISP costs"?

Just exposes the APIs in Javascript

[sc0rpi0n]

How is this different from what you can do with Cordova and Appcelerator? These frameworks allow you to create new plugins to expose any iOS APIs you want to Javascript and can load Javascript remotely.

I assume that the app cannot access any functionality that was not enabled during the App Store submission, though I'm not sure of that. Anyone any insights regarding this?