iOS App Update Technique Puts Users At Risk (csoonline.com)
itwbennett writes: An increasing number of iOS application developers use a technique that allows them to remotely modify the code in their apps without going through Apple's normal review process, potentially opening the door to abuse and security risks for users. An implementation of this technique, which is a variation of hot patching, comes from an open-source project called JSPatch. After adding the JSPatch engine to their application, developers can configure the app to always load JavaScript code from a remote server they control. This code is then interpreted by the JSPatch engine and converted into Objective-C. 'JSPatch is a boon to iOS developers,' security researchers from FireEye said in a blog post. 'In the right hands, it can be used to quickly and effectively deploy patches and code updates. But in a non-utopian world like ours, we need to assume that bad actors will leverage this technology for unintended purposes.'
Apps using JSPatch are already violating the app store rules anyway. Apple prohibits any app that downloads unapproved code from somewhere and runs it (or did last time I checked).
By the same token, I'm not going to trust an app which decides it's going to silently update itself without telling me.
I think it's high on the "software-asshole meter". It says "we'll do anything on your device we choose", and I'm sorry to say, but it's my fucking device.
And since this has huge potential for security exploits and other malicious acts, it's a big risk for users that may not even know it's there.
I'm pretty sure unless you explicitly set Android to automatically update stuff your fix isn't going to get pushed to my device without me knowing it ... and enabling auto-updates is something Microsoft and a host of others have demonstrated is idiotic.
Because you really can't trust people who expect to just do a quick fix when nobody is looking. Because in my experience that usually means the software was poorly tested and pushed out the door.
Apple app approval may be "ridiculous" to you, but it beats the alternative of malware, or poorly thrown together code.
Boo hoo, you need to wait weeks ... software cycles used to be FAR longer than that, and overall quality has suffered. Because people expect to push out a steaming turd every few weeks and call themselves agile.
I view software which bypasses approved update mechanisms and just does it in the background as little more than trojans and malware.
Lost at C:>. Found at C.