undefined | Better HN

0 pointskaladin-jasnah2y ago0 comments

https://developer.apple.com/support/dma-and-apps-in-the-eu/#...

> To help keep users safe online, Apple will only authorize developers to implement alternative browser engines after meeting specific criteria and committing to a number of ongoing privacy and security requirements, including timely security updates to address emerging threats and vulnerabilities.

This criteria seems arbitrary. Doesn't this allow Apple to arbitrarily prevent competitor engines like Blink and Gecko?

0 comments

0x02y ago

Browsers that bring their own javascript engine will likely also need to support JIT in order to be able to compete with Safari on performace. Doing JIT on iOS requires a special entitlement grant from Apple in order to map memory pages as executable. An application that has permission to map memory pages as executable is a coveted target for spyware and malware as it provides a much better starting point for pivoting to root and pwning the entire OS. Most other regular apps, even if they have a buffer overflow somewhere, will require a lot more fiddling in order to execute arbitrary code, and are thus a lower risk for users to install.

In short, browsers will have higher privileges that normal apps, as they can execute arbitrary code in memory, so they are naturally held to a higher standard.

To be honest I am happy about this. I don't trust a random banking / government / public transport app contracted out to the lowest bidder to be safe from all buffer overflows or other memory safety issues, so making sure they are sandboxed away from executing arbitrary code is a good thing.

alerighi2y ago

> An application that has permission to map memory pages as executable is a coveted target for spyware and malware as it provides a much better starting point for pivoting to root and pwning the entire OS

No more than any other app. It runs anyway in the app sandbox, and can only access the resources that are accessible from the app sandbox itself. For the application to gain root privileges it would need to exploit a flaw in the sandbox itself, something difficult these days.

Android allows applications to map memory pages as executable (in fact you can also launch any Linux executable as a subprocess) and there was never an issue about security: if you don't have a rooted phone you don't have chances to get code running as root, since everything runs in the app container.

And if there is a flaw that allows escaping from the app sandbox, it can probably be exploited without being able to map memory pages as executable anyway, since it will probably be a flaw in a kernel system call or library function.

So really: this was always a limitation that Apple did impose to not allow in practice competing browsers in the Apple store, since a browser to be efficient this day needs to compile code as JIT, as well as not allowing applications that benefit for JIT execution (such as emulators or compilers).

0x02y ago

There's been plenty of flaws in the app sandbox, but without the ability to execute arbitrary code they are often much much more difficult to exploit since you won't be able to invoke the particular system call or function you want to hit with just the right arguments.

lozenge2y ago

But Apple was scanning all applications' executables before Notarization/App Store listing. With browsers or JITs they can't do so.

Kon-Peki2y ago

For now. The EU Product Liability Directive updates and Cyber Resilience Act is going to force software and hardware makers to take a much harder look at their security choices.

autoexecbat2y ago

What I'm hearing from this, is that JITs are a security hazzard so we should all move to interpreted wasm

mr_toad2y ago

https://bytecodealliance.github.io/wamr.dev/blog/introductio...

https://v8.dev/docs/wasm-compilation-pipeline

postalrat2y ago

WASM was designed work well with JIT code generation. Interpreted WASM is probably much slower than JIT javascript.

crazygringo2y ago

I think it seems pretty clearly meant to include major competitors like Firefox and Chrome and Edge if Microsoft wants, but you can't just include a random build of Chromium that you never update.

And this seems understandable to prevent a proliferation of 100's of "browsers" trying to steal your data. You actually have to be developing something legit -- not just reskinning a browser engine and leaving it.

Yujf2y ago

That is fine as an app store policy, but they also want to impose those requirements for apps outside the appstore. That is a problem, if I want to run a sketchy browser downloaded from github apple should not be able to prevent this

DaiPlusPlus2y ago

> That is a problem, if I want to run a sketchy browser downloaded from github apple should not be able to prevent this

You can already do that today (yes, on iOS) by using your own developer-signing certificate (because if it's from github, you can build it from source; or re-link/assembly prebuilt linkable binaries if you really feel like it).

Remember the vast, vast majority of iOS users are people like (I assume) our parents - or people we knew in the late-1990s/early-2000s with an excessive number of Internet Explorer toolbars and Bonzi Buddy. I support Apple's mission to keep crap like that off their platform, but Apple sleepwalked into prompting this regulation of their app-store because they weren't the good-stewards they said they'd be - so I'm ambivalent about the whole thing.

6 more replies

kccqzy2y ago

While I agree with you, I think it is already possible to make a "browser" on iOS today that tries to steal your data. The only thing stopping it is manual review, not any technological measures. In fact, if the point of an app is to steal your browsing data, it is easier for them to stick with WebKit and WKWebView than to invest in a new browsing engine. Existing APIs provide plenty of opportunity to inject almost annything into web views.

ginko2y ago

No it's not understandable. The iphone is a Turing complete computer. I should be allowed to install whatever I want on it. If I want to install a reskin of firefox then I should be able to do that. It's certainly not up to Apple to decide this for me.

musictubes2y ago

Why? It’s one thing to say that you will never buy something because you can’t use it the way you want. It’s quite another to say that thing should adhere to your standards whether you buy it or not. It sounds even sillier if you make your demand after you already bought it.

“I should be allowed to…” will always reek of entitlement. Pick your hardware and platform on your likes and needs. There are plenty of options to choose from.

skydhash2y ago

Even my AV receiver is a turing computer. My keyboard is also one too.

kaba02y ago

You can. But I don’t agree that it should be installable from an app store.

umanwizard2y ago

Nobody is forcing you to buy an iPhone.

Aeolun2y ago

Does that actually happen on Android though?

lacerrr2y ago

Nope

pompino2y ago

Its usual BS from Apple. Imagine Microsoft blocking all non-store applications from running on Windows "to help keep users safe". No I'm not cheering for Microsoft to do the same. Its strange, but I want Apple to be more like Microsoft in this regard.

hnburnsy2y ago

Yeah, if they wanted to keep users safe, all device permissions would be user controlled and all permissions would be default off.

pompino2y ago

Exactly, they're conflating choice with complexity. As you said, you can have any level of control, via various permission levels.

I think what would be helpful if there was a concept of a "system admin" profile that you could apply onto any device/computer. Non-technical users may want Apple to be the 'sysadmin' and only use the Apple store, use Apple recommended apps, etc. - Kinda like the an MDM profile.

Any other vendor, as a paid/managed service, could supply a more permissive app store, and manage updates, etc. Companies who issue work devices would have their own "profile" to manage the device.

kaba02y ago

Every permission is default off, and ios is the safest computing platform for users (next to android), while windows has a much worse track record.

3 more replies

addicted2y ago

Or not publishing documentation (they were also forced by the EU to do so ironically) that has allowed the likes of OpenOffice to read Office docs and become a legitimate alternative, because of security (Office docs are a security risk and showing hackers how they work makes them a bigger security risk…).

pb72y ago

Maybe you shouldn't use an example that is synonymous with viruses and malware throughout its history.

pompino2y ago

Thanks, but I like my example, even if you find it inconvenient. I don't find it strange at all that the most popular operating system gets exploited the most. Luckily, Windows is not in the top 5 for reported vulnerabilities.

https://www.cvedetails.com/top-50-products.php

1 more reply

TheLoafOfBread2y ago

MacOS is also not having any limit on installing applications outside App Store.

KolmogorovComp2y ago

I don’t think it will used against Blink and Gecko for obvious compliance reasons. But this clause will help Apple pressure them to keep security updates timely (which is a good things for the users).

On the other hand they will likely use this to deny all ‘niche’ browser engine without a structured organization behind them (think Ladybug, maybe servo etc.)

toyg2y ago

Apple patch their browser twice a year at best; Firefox gets updates every month, plus security ones. Apple is hardly a model of virtue in the sector.

madeofpalk2y ago

> A new version of Safari shipped 17 times in the last 28 months — version 15.0, 15.1, 15.2, 15.3, 15.4, 15.5, 15.6, 16.0, 16.1, 16.2, 16.3, 16.4, 16.5, 16.6, 17.0, 17.1, and now, today’s Safari 17.2.

https://webkit.org/blog/14787/webkit-features-in-safari-17-2...

Yes, not as frequent as monthly releases, but Apple shipped 7 Safari updates on iOS in 2023.

https://webkit.org/blog/13691/webkit-features-in-safari-16-3...

https://webkit.org/blog/13966/webkit-features-in-safari-16-4...

https://webkit.org/blog/14154/webkit-features-in-safari-16-5...

https://webkit.org/blog/14416/webkit-features-in-safari-16-6...

https://webkit.org/blog/14445/webkit-features-in-safari-17-0...

https://webkit.org/blog/14735/webkit-features-in-safari-17-1...

https://webkit.org/blog/14787/webkit-features-in-safari-17-2...

Did you notice the new Safari 17.3 Apple shipped 3 days ago?

1 more reply

madeofpalk2y ago

Read through the technical announcement for browser engines https://developer.apple.com/support/alternative-browser-engi...

These requirements are things like "Use memory-safe programming languages", "Adopt the latest security mitigations", if you ship your own certificate trust you should "provide information on how a root certificate authority (CA) can apply to become part of the program".

All seems like pretty basic conditions designed to ensure that only Mozilla and Google can comply.

To be honest, the browser engine stuff seems significantly more robust and permissive that I was expecting.

jeroenhd2y ago

Pretty funny to see "use memory-safe programming languages, or features that improve memory safety within other languages" as a requirement when WebKit itself is built on top of C++ code.

I wonder if Apple would be allowed to ship WebKit if they enforce this requirement under the spirit of the EU laws that made them change their minds.

Wowfunhappy2y ago

Note that the full requirement is:

> Use memory-safe programming languages, or features that improve memory safety within other languages, within the Alternative Web Browser Engine at a minimum for all code that processes web content

Emphasis added.

Wowfunhappy2y ago

> Pass a minimum percentage of tests available from industry standard test suites: 90% from Web Platform Tests and 80% from Test262

Why is it any of Apple's business how many test suites a third party browser can pass?

Why can't iPhone users run Links if they want to? Why can't they run a browser without Javascript support? Why can't they try out Ladybird to see how development is progressing?

Like, even from a pure Apple-is-greedy perspective I don't understand the point of this.

Vespasian2y ago

On first glance, the browser stuff is mostly fine and seems to be motivated by security and UX concerns.

In the end it's not a big impact on apples revenue if some people run chrome or Firefox.

The store part on the other hand is really sketchy.

anon257832y ago

Absolutely! That's how the "walled garden" business model works.

eviks2y ago

> This criteria seems arbitrary

That's the point, but they sound nice

j / k navigate · click thread line to collapse

0 comments

0x02y ago

In short, browsers will have higher privileges that normal apps, as they can execute arbitrary code in memory, so they are naturally held to a higher standard.

alerighi2y ago

0x02y ago

lozenge2y ago

But Apple was scanning all applications' executables before Notarization/App Store listing. With browsers or JITs they can't do so.

Kon-Peki2y ago

For now. The EU Product Liability Directive updates and Cyber Resilience Act is going to force software and hardware makers to take a much harder look at their security choices.

autoexecbat2y ago

What I'm hearing from this, is that JITs are a security hazzard so we should all move to interpreted wasm

mr_toad2y ago

https://bytecodealliance.github.io/wamr.dev/blog/introductio...

https://v8.dev/docs/wasm-compilation-pipeline

postalrat2y ago

WASM was designed work well with JIT code generation. Interpreted WASM is probably much slower than JIT javascript.

crazygringo2y ago

I think it seems pretty clearly meant to include major competitors like Firefox and Chrome and Edge if Microsoft wants, but you can't just include a random build of Chromium that you never update.

Yujf2y ago

DaiPlusPlus2y ago

> That is a problem, if I want to run a sketchy browser downloaded from github apple should not be able to prevent this

6 more replies

kccqzy2y ago

ginko2y ago

musictubes2y ago

“I should be allowed to…” will always reek of entitlement. Pick your hardware and platform on your likes and needs. There are plenty of options to choose from.

skydhash2y ago

Even my AV receiver is a turing computer. My keyboard is also one too.

kaba02y ago

You can. But I don’t agree that it should be installable from an app store.

umanwizard2y ago

Nobody is forcing you to buy an iPhone.

Aeolun2y ago

Does that actually happen on Android though?

lacerrr2y ago

Nope

pompino2y ago

hnburnsy2y ago

Yeah, if they wanted to keep users safe, all device permissions would be user controlled and all permissions would be default off.

pompino2y ago

Exactly, they're conflating choice with complexity. As you said, you can have any level of control, via various permission levels.

Any other vendor, as a paid/managed service, could supply a more permissive app store, and manage updates, etc. Companies who issue work devices would have their own "profile" to manage the device.

kaba02y ago

Every permission is default off, and ios is the safest computing platform for users (next to android), while windows has a much worse track record.

3 more replies

addicted2y ago

pb72y ago

Maybe you shouldn't use an example that is synonymous with viruses and malware throughout its history.

pompino2y ago

https://www.cvedetails.com/top-50-products.php

1 more reply

TheLoafOfBread2y ago

MacOS is also not having any limit on installing applications outside App Store.

KolmogorovComp2y ago

On the other hand they will likely use this to deny all ‘niche’ browser engine without a structured organization behind them (think Ladybug, maybe servo etc.)

toyg2y ago

Apple patch their browser twice a year at best; Firefox gets updates every month, plus security ones. Apple is hardly a model of virtue in the sector.

madeofpalk2y ago

https://webkit.org/blog/14787/webkit-features-in-safari-17-2...

Yes, not as frequent as monthly releases, but Apple shipped 7 Safari updates on iOS in 2023.

https://webkit.org/blog/13691/webkit-features-in-safari-16-3...

https://webkit.org/blog/13966/webkit-features-in-safari-16-4...

https://webkit.org/blog/14154/webkit-features-in-safari-16-5...

https://webkit.org/blog/14416/webkit-features-in-safari-16-6...

https://webkit.org/blog/14445/webkit-features-in-safari-17-0...

https://webkit.org/blog/14735/webkit-features-in-safari-17-1...

https://webkit.org/blog/14787/webkit-features-in-safari-17-2...

Did you notice the new Safari 17.3 Apple shipped 3 days ago?

1 more reply

madeofpalk2y ago

Read through the technical announcement for browser engines https://developer.apple.com/support/alternative-browser-engi...

All seems like pretty basic conditions designed to ensure that only Mozilla and Google can comply.

To be honest, the browser engine stuff seems significantly more robust and permissive that I was expecting.

jeroenhd2y ago

Pretty funny to see "use memory-safe programming languages, or features that improve memory safety within other languages" as a requirement when WebKit itself is built on top of C++ code.

I wonder if Apple would be allowed to ship WebKit if they enforce this requirement under the spirit of the EU laws that made them change their minds.

Wowfunhappy2y ago

Note that the full requirement is:

Emphasis added.

Wowfunhappy2y ago

> Pass a minimum percentage of tests available from industry standard test suites: 90% from Web Platform Tests and 80% from Test262

Why is it any of Apple's business how many test suites a third party browser can pass?

Why can't iPhone users run Links if they want to? Why can't they run a browser without Javascript support? Why can't they try out Ladybird to see how development is progressing?

Like, even from a pure Apple-is-greedy perspective I don't understand the point of this.

Vespasian2y ago

On first glance, the browser stuff is mostly fine and seems to be motivated by security and UX concerns.

In the end it's not a big impact on apples revenue if some people run chrome or Firefox.

The store part on the other hand is really sketchy.

anon257832y ago

Absolutely! That's how the "walled garden" business model works.

eviks2y ago

> This criteria seems arbitrary

That's the point, but they sound nice

j / k navigate · click thread line to collapse