Comment by otterley
6 days ago
Apple made it very clear that their security concerns related to third party browsing engines are about difficult-to-contain threats posed by JIT compilation. (JITs require non-text memory pages to be executable.) Apple doesn’t allow other apps to use such technology, so they’re consistent in that respect.
Apple even disables JIT for Safari itself when you put an iPhone in lockdown mode, at no small cost to performance, in an effort to harden the device even more.
Do you have a rebuttal to that?
That's just their excuse. JavaScript is used on practically every web browser in existence, across billions of devices, and it does not have the security risks that Apple claims. It just doesn't. There are plenty of other flaws in their own web browser that have allowed remote code execution, but JavaScript isn't typically one of them, in any browser, in any platform, in the last decade or more.
And there are plenty of apps in Apple's app store that are malicious. So the JIT excuse is just Applespeak for "we control what our competitors can do on hardware we supplied that someone bought and paid for". It's abuse and they are being sued by the DOJ. Just read the lawsuit so I don't have to reply to any more of your comments:
https://www.justice.gov/archives/opa/media/1344546/dl?inline
First, are you a security expert? If so, please provide your bona fides. Apple employs some of the brightest software and hardware security experts in the business. (Cellebrite can attest to this; they possess far fewer capabilities to crack iPhones than every other phone on the market.) If they perceive handing out JIT capabilities to apps as risky, I believe them. You, on the other hand, come with no evidence to the contrary other than a bare assertion.
Second, I already told you that there is no claim in the complaint that Apple is withholding Safari features in order to pad its apps business. If you believe otherwise, please provide relevant passages from the complaint.
Third, you’ve never had to reply to any of my comments. That’s on you.
>First, are you a security expert? If so, please provide your bona fides.
Nice goalpost move. I'm not playing that game with you.
>Apple employs some of the brightest software and hardware security experts in the business.
And yet Safari still gets hacked.
From the DOJ lawsuit:
16. Apple wraps itself in a cloak of privacy, security, and consumer preferences to justify its anticompetitive conduct. Indeed, it spends billions on marketing and branding to promote the self-serving premise that only Apple can safeguard consumers’ privacy and security interests. Apple selectively compromises privacy and security interests when doing so is in Apple’s own financial interest—such as degrading the security of text messages, offering governments and certain companies the chance to access more private and secure versions of app stores, or accepting billions of dollars each year for choosing Google as its default search engine when more private options are available. In the end, Apple deploys privacy and security justifications as an elastic shield that can stretch or contract to serve Apple’s financial and business interests.
https://www.justice.gov/archives/opa/media/1344546/dl?inline
>If they perceive handing out JIT capabilities to apps as risky, I believe them. You, on the other hand, come with no evidence to the contrary other than a bare assertion.
You are influenced by the reality distortion field, that much is clear, no conversation can be had with a cult member. Have a nice day.
>Do you have a rebuttal to that?
People should be allowed to run the software they want on a device they paid a lot of money to own. Period.
https://www.justice.gov/archives/opa/media/1344546/dl?inline
That’s not the law, and never has been. Devices are combinations of hardware and software. The fact that a device maker allows you to install software subject to limitations is a privilege, not a right. Some device makers, like automobile and medical device manufacturers, often give you no such privileges at all.
Nevertheless, you’re entitled to your belief, which is really at the core of all this discussion. Fine, just say that. But to take that desire and gin up some conspiracy about how Apple is intentionally crippling the browser just to pad its apps business is a bridge too far. You don’t need a villain. Your desire is enough.
Yes. Safari is a less secure browser than Chrome, architecturally. Took far longer to ship sandboxing. Still hasn't fixed SLAP and FLOP. Still hasn't shipped proper site isolation. Takes far longer to fix reported vulnerabilities, and consistently "fixes" them superficially and incorrectly, requiring another fix.
Enough with the Apple fanboy paternalism. They don't need absolute control "for users' sake". They're not entitled to it.
> Still hasn't fixed SLAP and FLOP. Still hasn't shipped proper site isolation.
Those are interesting facts, but are ultimately a red herring. How will enabling JIT for other browser engines, absent the detailed vetting Apple is requiring to provide a Web Browser Engine entitlement, yield a more secure outcome?
> Enough with the Apple fanboy paternalism. They don't need absolute control "for users' sake". They're not entitled to it.
You are, of course, welcome to choose an alternative. If you prefer Android, by all means, use it!
The "vetting" is irrelevant because the other engines will continue to not exist. By design.
I am currently forced to use a less secure browser due to Apple's restrictions, which invalidates your original claim. Your skillful dodging of that point is why it's so frustrating to have any conversation about Apple. There really are cult-like aspects.