This is such a ridiculous argument, and Gruber chooses to lead with it. So, according to Gruber, if 10 years from now everything else on iOS got crazy faster (including Mobile Safari), but web apps on the home screen remained the same speed as they do today, then Apple still wouldn't be hampering them. How can anyone even read the rest of the article after this?
But, if we do, we find the security argument is equally frivolous when it comes to home-screen web apps. There is nothing less secure about a home screen app (which is just a glorified bookmark) than MobileSafari. MobileSafari is connected to the web, which means they're already allowing anything access to Nitro. If anything, there would be a much better argument for ONLY allowing home-screen web apps, because the user is implicitly stating they trust it more (than any random page you might be redirected to).
Beyond all this, I am willing to believe the "hey, it'll come with time" argument. But we should just say that, not bend over backwards to manifest false reasons.
Possibly forever, destroying web apps on the iPhone completely, or possibly just until Apple is able to sort out the security implications of having to mark in memory pages as executable.
You get to chose which scenario you think is most plausible.
I am also not entering the discussion of native apps running UIWebView. I have zero comment on that (mainly because I'm disinterested in the subject).
My only comment is on home-screen web apps, which are 100% equivalent to opening the page on your browser. They deserve more privileges because the user had to make a decision to install them. It makes no sense to me whatsoever that a random advertisement loaded from some insecure URL on a web page is allowed to access Nitro and web cache, but a web app that I trust enough to install on my home screen is not.
Ironically, I'm actually pretty happy with this decision, because I believe all apps should be in the browser. I'm just telling it like it is when people make nonsensical arguments.
"My only comment is on home-screen web apps, which are 100% equivalent to opening the page on your browser."
"Web apps that are saved to the home screen do not run within Mobile Safari. They’re effectively saved as discrete apps — thin wrappers around the UIWebView control."
"I'm just telling it like it is when people make nonsensical arguments."
Your failure to read and understand his arguments have made them sound nonsensical to you. This is not his fault.
1. MobileSafari, from a web page loaded from a URL.
2. Home-Screen Web Apps, web pages loaded from a URL that the user then 'saves to the homes screen' which are loaded in some mysterious, but APPLE WRITTEN, "wrapper" process X.
3. UIWebViews within native apps that you buy on the App Store.
Now, my position is that (1) and (2) are for all intents and purposes the same, and (3) is possibly different. So, the whole argument about turning it off for UIWebView is that the interaction between native code and Nitro might offer an additional vector of security concern. Well, in both (1) and (2), there is no user native code. It literally just either downloads the JS off the web, or reloads it straight from the web. All the native code is written PURELY by Apple. So in a world where the only user modifiable code comes from the web, then clearly this is the same as where we started with MobileSafari. The additional thing to realize, is that unlike native apps (3), home-screen web apps (2) are NOT code signed, just like web pages (1). So that also nullifies the argument that allowing Nitro on home-screen web apps would go against Apple's code signing policies.
Hopefully that explains my thinking a little bit clearer.
Once again, I am very willing to believe that they had a deadline to meet, and turning it on for home-screen web apps got punted. That makes perfect sense. The security argument however falls flat on its face.
The way Apple implemented Home-Screen Web Apps was by placing a thin wrapper around a UIWebView.
Hence, Home-Screen Web Apps are not like Mobile Safari at all in actual implementation.
They are, instead, exactly like an iOS application developed by a third party developer who put a thin wrapper around a UIWebView.
Hence, they do not get the same special privileges as Safari Mobile.
That is a fact of their implementation.
It makes a heap of assumptions though, and feels kind of like a non-techie person saying "why dont you just whip up a GUI app to trace my IP".
Enabling Nitro JIT for UIWebView for some applications without enabling it for every app in the app store is probably more difficult than toggling a switch.
The alternative appears to be that to create Web.app they went to all the trouble of reusing the Mobile Safari code, and then methodically went through and broke things such that it behaves exactly like every other application that uses UIWebView.
This would seem like an unreasonable way to get an application that behaves exactly like an application that uses UIWebView.
I think it is technically different, but on other systems, the HTML pages I put on my desktop have fewer privileges than the ones I load from web sites. (https://bugzilla.mozilla.org/show_bug.cgi?id=230606)
As to the subject at hand: one line of reasoning says that not allowing JIT-ting for home-screen apps is an oversight; home-screen apps apparently do not run in the Safari process. I guess there is no way to find out whether that is true. If Apple fixes it in the next firmware update, one could argue either that they fixed the problem, or that they stalled fixing it for as long as they could get away with, and I am sure the internet will be filled with such arguments, even if that next update appears tomorrow.
All Gruber is arguing is:
1) that there is a significant difference in security
2) that Apple didn't release any JIT for webkit all this time [edit: since 2008] because of security concerns
3) that Apple did not go out of its way to remove JIT from those instances of webkit that occurr outside of Mobile Safari
4) that perhaps Apple is simply rolling it out gradually
I don't see how any of this is ridiculous or could be called "bending over backwards" unless you are pre-loaded with a bias against Gruber.
There goes what little karma I earned since 2008.
Have you read these arguments? Do you disagree with them? Or are you saying something else?
Just trying to understand...
If you read my other posts I think you'll see I have no issue with the idea that there may be a security issue with JIT. That is fine and acceptable.
What I have an issue with is the idea that MobileSafari is somehow the safest place to put it. If there is a security issue, then MobileSafari is clearly the absolute least safe place to put it (vs homescreen web apps), since any malicious web page has access to it. That includes random ads loaded on otherwise safe web pages. The user is not prompted when entering a web page if they want to use Nitro or not, so basically anything goes on the open web. If a security flaw is discovered in Nitro, I have only to place it on an ad that gets deployed to popular sites to take advantage of it. And Apple's only recourse is to issue an entire system upgrade and hope people update.
Home-screen web apps are thus at least as safe as MobileSafari, since they are literally just bookmarks that load web pages (in a different process and without chrome, but fundamentally the same, no access to any other native code or anything). They are in fact arguably more safe, because the user has to first grant it "home-screen" status. This is a sensible time to ask the user if this ONE app should deserve more privileges than the rest of the wild-west web. In other words, had apple done the opposite, ONLY allowing home-screen web apps access to Nitro, it would make a lot of security sense, especially because Apple could warn the user before they download the app saying "downloading this app gives it access to the special Nitro engine, which may be less secure...".
The situation is complicated by the fact that he is reporting what Apple is doing and what he has been told is the motivation for doing so. So he could be right that Apple is doing this, but you assert that Apple is wrong. Or that Apple is doing this, but not for the reasons they give.
You assert that there is no vulnerability in home screen apps wrapping UIWebView that isn't in Mobile Safari, and thus there is no downside to granting writeable code page permission to home screen apps. Ok, I think I understand what you are saying, why you are saying it, and what you would do in Apple's shoes.
Even a technical argument is somewhat hard to fathom, since it should be a trivially simple thing to enable, but given that none of us can see the code it's at least possible.
As far as native apps with embedded UIWebViews, this is a believable technical argument, though it isn't obviously true either. In other words, the political argument isn't significantly less likely than the technical one.
Someone (who I think works on Cydia - the Jailbreak App Store) commented about this further down:
Of course, this means that there is no real good reason why Apple has disabled Nitro for full-screen web applications (that I at least yet understand), and so I'd expect that this was frankly just a silly oversight
I have no trouble at all believing that they have been able to mitigate those concerns for Safari Mobile by using a solution that is not appropriate when applied to any arbitary App that may choose to include a UIWebView.
If they can make it work for Mobile Safari, they can make it work for a "thin wrapper" without working for all UIWebViews.
The way I would do it for a single application is enable a special case for it in the underlying OS....
Instantiate the app by copying it and placing the files related to the specific instance (manifest, html, cached files) in the standard mutable data directories (Documents, Cache, ...), which wouldn't affect the signature. (The name of the app and icon would have to excluded from the signature.)
If this is how things work now, I wouldn't be surprised if the lack of Nitro was just an oversight on Apple's part (i.e. they forgot to give the template app the right permissions). If home page web apps are granted a special exception to the usual app-signing, I could imagine that they can't give them these permissions without leaking them to everyone.
With every thing he writes like this, he's behaving more like a fanboy and less like a reliable source of information. It's a bit sad.
'"Ah, that is different!" said Boxer. "If Comrade Napoleon says it, it must be right."'
If the new JS engine is a security problem either fix it or remove it. Compromise helps no one.
Thanks for weighing in, sir – this was just the expert opinion I was hoping to see.
The effects this would have are in:
a) security (although codesign is a fundamentally flawed system due to return-oriented programming techniques and is frankly just security theatre at this point)
b) meta-store fronts (Apple would have to be much more careful about approving applications that downloaded other applications at runtime; Apple could revoke these, though, and you can already do stuff like this with interpreters, although you might not want to bother)
and, I'd say most importantly, c) JITs (suddenly there would be no technical obstacles to having good versions of Java, Mono, or even Flash; and given that the contractual obligations they added got so much pushback that they were removed, we /would/ see good versions of Java, Mono, and even Flash)
On a similar note, in order for similarly interesting behaviors to work with iAd (home button acting as "close", address space isolation to keep your process from messing with the ad, etc.), there is an application that backs them called WebSheet.app that also causes these to be in separate processes.
Of course, this means that there is no real good reason why Apple has disabled Nitro for full-screen web applications (that I at least yet understand), and so I'd expect that this was frankly just a silly oversight (and I may know more about what reasoning went into this when I get around to pulling apart how Apple grants MobileSafari this privilege).
The only real question is why Apple's own app that's used to display those saved-to-home-screen webapps didn't get an exception alongside Safari. My guess is that the Nitro engine is built directly into Safari and that the UIWebView control (which is used by webapp viewer app) simply can't use it at all, regardless of ability to execute writable code. I'm sure this will change, either the viewer app will get rewritten, or UIWebView will get its own sandbox etc. They probably just didn't have the time to do that yet.
If UIWebView could JIT, somebody would write an app that dumps the JITs code (I assume that ARM does not have the ability to mark pages as 'executable, but not readable') and run it on a development system. From there, (s)he would figure out what the JIT does to make data executable. That knowledge could be used in an app that can execute code that Apple hasn't seen.
Of course, that app would need to pass the app store approval process to be useful, but that should not be hard.
A way around this is to move the JIT to the kernel or to a different process. I would guess that that would hinder performance so much that, in typical usage, JIT-ting becomes too expensive to speed up things. Alternatively, Apple could not have spent the time to do so (yet).
Having the hosted browser in a different process shouldn't be too expensive. That's what Chrome and IE do. When you open up a UIWebView and process gets spun up that hosts the JIT (amongst the other plubming for the browser) and the host just has a window where the rendering takes place. This also fixes a whole host of other security problems hosting a browser in process.
I also guess that some iOS apps will want to overlay stuff on their web views, postprocess the data, register callbacks, etc. Supporting such use might be a bit of work that Apple hasn't done yet.
Doesn't that imply that the JIT has privileged access to pages that other code within the same process does not? As saurik (who knows about these things) mentions elsewhere, Apple can trust Safari to not tamper with the executable pages - can they trust 3rd party apps?
Home-screen based web-apps being another question entirely.
Perhaps his best work was when he distilled the ecosystem down into a fantastic stream of links, a brilliant and hard-working focused aggregator/editor.
Bit more of a bloviating opinion columnist now-a-days. And I guess his biases are brought to the front more.
Understandable though. Everyone is converging on his range of primary sources and editorially crowd-sourcing it in realtime.
I'll still be frequenting his site. It's still quality. You just read with a bias-aware filter like you do any other news source.
What's more, such "home screen web apps"
can't use various web caching systems,
including the HTML5 Application Cache,
which means they can't be cached to
I will be very interested to see whether Apple fixes this and how quickly they do it. If they fix it urgently then I will recall the cynic hound-dogs within me. But if they let this lag for months then it seems pretty clear to me that they are just cynically closing down any attempt to route around the app store, if only by ensuring nobody will try to do so due to the chilling effect of knowing such apps could be broken for months at a time.
Look, I hate Apple as much as the next guy (maybe more so: I mean, I've dedicate my life to messing with them), but the random rumor mongering surrounding tiny actions that they perform needs to stop.
Like, the HTML5 Application Cache? That code is horribly broken. I started using the HTML5 Application Cache in Cydia (and am now sufficiently "down that road" that I'm launching with this, hell or high water), but WebKit's implementation's barely works, and I don't think it is reasonable for people to be holding Apple quite to task on whether this feature happens to be working in every scenario.
I mean, seriously: when you start going through the WebCore code history and public bug tracker teasing apart what is going on, you find that the developers working on with some of these issues (and there are still critical show-stopper bugs that have only been noticed a few months ago, as well as ones that are still open) actually claim "no one understands this system", something you really believe when you see the massive unstable state machine that surrounds it.
It is therefore entirely plausible to me that the reason the app cache isn't working in apps with some random meta flag is solely because of one of the numerous queue bugs in WebKit's appcache logic that totally wedge the mechanism (even crashing it at times) if things happen to reload in the wrong order.
Like I said - if they jump on it and fix it I'll say fair enough - anything can get broken in the rush to put out a new release (especially with a high profile new device involved - one can hardly expect they would be delaying release of iPad2 because of something like this). So we will see what happens. However until I see it fixed or some kind of indication that it will be I remain highly skeptical.
It's not just the Register, Ars http://arstechnica.com/apple/news/2011/03/confirmed-some-web... makes the same claim, but it works on my desk ;)
Of course there are plenty of ways that Apple could address this problem, just as there are plenty of ways that Apple could address the non-executable pages problem.
Ars: Apple is aware of the issues, which are currently filed as bugs... are marked "not to be fixed by exec order,"
Well, this ought to be interesting.
But according to Matt Asay, who is vice president of business development for mobile Web framework maker Strobe, Apple supposedly has no plans to fix them. Instead, they are marked "not to be fixed by exec order," suggesting that a higher up at Apple is preventing engineers from fixing the problems.
"Supposedly" and "suggested" let Ars weasel out of determining the truth of these assertions. Unless Apple has suddenly turned absurdly transparent, I have a hard time believing that this guy actually has any inside knowledge. On the other hand, he certainly has an incentive to bring pressure on Apple to make his business work better.
It very well could be an executive order not fix it because of the security issue.
<cynical>Unless, of course, you want to discourage their development</cynical>
Not quite. In essence, a native app using UIWebView is created on the fly, and past that point it acts just like a standalone app. Only real-deal Safari gets the exception.
Bugs and difficult to solve issues arise in all sorts of code. Just by prioritising what you work on and fix you can hose your competitors both within or outside your ecosystem. In this case, extra speed for Mobile Safari was clearly more important to Apple than extra speed for mobile apps that compete with their native apps.
I suspect RIM's security model allows them to do package / API specific permissions and prevent the app from doing things such as mmap(... PROT_EXEC) - anyone familiar with BB Security/Permissions model - care to comment?
Maybe they think that people are aware that the web is generally less safe and act accordingly? And they don‘t want someone to smuggle that unsafeness into apps? (The homescreen webapps are more or less just collateral damage if you take on this view.) That’s the only somewhat plausible explanation I can think of and it doesn’t make all that much sense.