Vincent Gable’s Blog

July 21, 2010

Sneaking Malware Into the App Store

Filed under: Announcement,iPhone,Programming,Security | , , , ,
― Vincent Gable on July 21, 2010

It’s happened. An app that grossly violated Apple’s terms of service (by enabling free tethering) made it through Apple’s review process, onto the App Store, and into the #2 most-popular spot before being taken down. Although this app wasn’t malicious to users, it’s absolutely malicious to Apple’s agreements with AT&T and other phone-companies. It is a real demonstration that Apple can’t keep malware off the App Store.

A Few Sneaky Ideas

It’s not hard to come up with ways to fool App-Store reviewers.

You might just get lucky. With over 230,000 Apps in the store, reviewers are swamped. They’re only human and they might not notice some subtle evil — especially if it’s not on their naughty-behavior list.

Time-Bombs, apps that hide their bad-behavior for a few days, are undetectable without periodic audits, since they act normally during the pre-release review period.

Phoning home to a server that let’s an app know it’s passed review and can begin it’s life of crime, would let an app be even more precise.

With just a few minutes thought, I’m sure you can think of even more clever tricks, or combination of tricks.

Not a Fully Open Vulnerability

That’s not to say your iPhone is in as much danger as your PC. iOS apps don’t have the same free-reign that traditional computer programs have. That limits their usefulness, but it also limits the damage they can cause. An iOS App can’t stop you from killing it, and it can’t mess with other apps, so it can’t “take over” your phone. But it can do anything it likes with your Contacts, and secretly abuse the phone’s always-on network connection, and get up to other sorts of minor mischief.

I don’t have room here to fully analyze the risks of a rogue iPhone’s program. But generally, the danger isn’t too great: a little more than a what website can do, a lot less than what a PC program with administrator access can do.

Ultimately, Apple’s best defense against malware isn’t control of the App Store review process or iTunes payments (although they help), but control over iOS. A well-designed operating system limits what kinds of malware are possible. The review process can screen for egregious mistakes. But it can’t catch everything, and it’s least-able to catch the most clever malware, which ultimately, are the programs we should be most worried about. Apple’s review process doesn’t provide real security against modern malware.

July 7, 2010

Worthless on an Unimaginable Scale

Filed under: iPhone | , ,
― Vincent Gable on July 7, 2010

There are other App Farms we know of…. One example is Brighthouse Labs with 4568 Apps, all virtually worthless.
Brighthouse Labs in AppStore screenshot

Zee, writing for The Next Web

I have a hard time wrapping my head around that number. Nearly five thousand “apps”. Near as I can tell, it’s a solid 2% of the whole App Store. With an (optimistic) 5-day-per-app approval time, it would take Apple 86 years to approve them serially.

June 11, 2010

Simulator Advertising?

Filed under: Announcement,iPhone,MacOSX,Programming | , , , , ,
― Vincent Gable on June 11, 2010

I wish I could take credit for this idea, but it’s from someone else, will Apple sell iAds that only show up in the iPhone simulator? Probably not, but it would be a hell of a targeted demographic.

For those of you who aren’t familiar with how building iPhone software works, we developers spend thousands of hours testing and debugging our programs in an iPhone Simulator application that runs on our Macs. The simulator can’t run Apps from the App Store, only programs compiled from source code with Xcode. So the only people using the simulator are programers, or otherwise deeply involved with building iOS apps. Apple could make it so that any iAds in the simulator would show special ads targeted to developers.

Better still, iAds in the simulator could show something useful like rules from the Human Interface Guidelines (that too few read), good tips or even inspiring quotations.

January 15, 2010

EULA Today Fail

Filed under: Announcement,iPhone | , , , , , ,
― Vincent Gable on January 15, 2010

The EULA1 for the USA TODAY iPhone App starts off

General

These Terms of Service govern your use of the USATODAY.com website (the “Site”) only and do not govern your use of other USA TODAY services, such as services offered by the USA TODAY print newspaper.

Clearly this invalidates the agreement on the iPhone, since the iPhone App is not “the USATODAY.com website”.

This is mildly embarrassing for USA TODAY, and even more of a fumble for Mercury Intermedia, who built the app. But I can’t think of any way this actually hurts anyone, even in theory. Users are already bound by the App Store Terms and Conditions, so why bother putting your own EULA (that nobody’s ever going to read much less care about) in your app?

1To see the EULA, tap that little i near the bottom left of the homescreen, then tap Terms of Service. The text above was copied from version 1.5 of the USA TODAY iPhone App.

November 15, 2009

Social Engineering iPhone Ratings

Filed under: iPhone,Quotes | , , ,
― Vincent Gable on November 15, 2009

The “Sex Jokes Lite” application is clever/manipulative about their ratings. They push people to give 5 star reviews with this little bit of a social contract: in their app-description they say,

“IMPORTANT: If you think the jokes are TOO dirty, please give a 1-star review. If you want them dirtier, give a 5-star review. This way we know what direction to take in the upcoming updates !”

Dan Grigsby

Clever, but a bit of a dirty trick *rimshot*.

October 22, 2009

iPhone Shows the Irrelevance of the Programmer User

Filed under: iPhone,Usability | , , , ,
― Vincent Gable on October 22, 2009

There’s a lot of discord over Apple’s draconian “closed” handling of the iPhone and App store. And rightly so. But there are a few interesting lessons in the current situation. The one I want to discuss now is that,

Being able to program your own computer isn’t enough to make it open

As things stand today, Apple can’t stop you from installing any damn iPhone app if you build yourself.

To do that you have to join the iPhone developer program of course. And there’s a $99/year fee. That’s inconvenient, but it’s just using a subscription-based way of selling iPhone OS: Developer Edition.

That’s the kind of dirty money-grabbing scheme I’d expect from Microsoft. It’s a bit shady, because it’s not how most OSes are sold. But it’s not without precedent. And unless you are against ever charging money for software, I don’t think there’s an argument that it’s actually depriving people of freedom.

Yes, it’s an unaffordably high price for many. But the iPhone is a premium good that costs real money to build — it’s inherently beyond many people’s means, even when subsidized.

Observation: Only Binaries Matter

If you have a great iPhone app that Apple won’t allow into the store, you can still give it to me in source code form, and since I have iPhone OS: Developer Edition, I can run it on my iPhone.

But clearly that’s not good enough.

In fact, I’m not aware of any substantive iPhone App that’s distributed as source. By “substantive” I mean an app with a lot of users — say as many as the 100th most downloaded App Store app — or an app that does something that makes people jealous, like tethering (See update!), which we know is possible using the SDK. I realize this is a wishy-washy definition — what I’m trying to say is that distributed-as-source iPhone Apps seem to be totally irrelevant.

“It’s not open until I can put Linux on it”

I believe it’s technically possible to run Linux on an iPhone without jail-breaking it. (Although it’s not terribly practical.) Just build Linux (or an emulator that runs Linux) as an iPhone app, and leave it running all the time to get around the limitations on background processes.

Apple won’t allow such a thing into the App Store of course —but how does that stop you from distributing the source for it? As best I can tell, it doesn’t.

So as things stand today, yes you can distribute source code that lets any iPhone OS: Developer Edition user run Linux. It’s technically challenging, but it’s doable.

Conclusion

It’s possible to build open systems on top of closed systems. We’ve done it before when we built the internet on Ma Bell’s back.

But the iPhone remains a closed device. User-compiled applications have 0 momentum. And I think that clearly shows the irrelevance of the rare “programmer user”, who is comfortable dealing with the source code for the programs he uses.

UPDATE 2010-01-21: iProxy is an open-source project to enable tethering! Maybe the programmer-user will have their day after-all.

August 27, 2009

Prometheus 1.0 Released!

Filed under: Announcement,iPhone | , ,
― Vincent Gable on August 27, 2009

My first iPhone app is in the iTunes App Store!

PrometheusLogoChrome.png

Prometheus

App_Store_Badge_EN.png

There are many apps for reading Wikipedia. Prometheus is different. It’s an editor for the Simple English Wikipedia

Simple English Wikipedia is like regular English Wikipedia, but it’s written with simple words and grammar, so kids and non-native speakers can easily grasp it.

Features

  • Shake for a random page
  • Or search and browse with purpose.
  • All articles are formatted for iPhone.
  • Tap the words you want to change to start editing.
  • Landscape keyboard support for easy typing.
  • Unfinished edits are automatically saved for later.

Simple Wikipedia makes a complex world comprehensible. Use it to teach what you know to someone who wants to know it.

Download from the iTunes App Store

Powered by WordPress