Catch up on stories from the past week (and beyond) at the Slashdot story archive

 



Forgot your password?
typodupeerror
×
IOS Apple

A French Company is Suing Apple To Open the iPhone To Rival Browsing Engines (recode.net) 72

A French maker of open-source software said Friday it is suing Apple in an effort to get the company to make iOS more supportive of Web standards. Nexedi is suing Apple under French law in hopes it can force Apple to allow rival browsing engines onto the iPhone. From a report on Recode:Although Apple allows rival browser apps, such as Google's Chrome, on to the iPhone, the'y all have to use Apple's Web rendering engine. That means the ability to draw on the latest Web standards is is limited to whatever Apple decides to include. That means some newer technologies, like the WebM video standard and the WebRTC protocol for real-time communications, can't be made to work in an iOS browser even though they work in nearly all other browsers. "We hope [this lawsuit] will help Apple to sooner support the latest Web and HTML5 standards on its iOS platform -- the operating system used by all iPhones," Nexedi said in a blog post, which also explains the more granular details of how technology works and what needs to change, in their estimation.
This discussion has been archived. No new comments can be posted.

A French Company is Suing Apple To Open the iPhone To Rival Browsing Engines

Comments Filter:
  • Why should they? (Score:3, Insightful)

    by Anonymous Coward on Friday October 07, 2016 @06:11PM (#53035149)

    Just because you want another poorly coded standard as a way to track people, and allow exploit code to run?

    No thanks.

  • Security... (Score:3, Insightful)

    by Anonymous Coward on Friday October 07, 2016 @06:22PM (#53035171)

    Apple has said time and time again the issue is security-- making a sandbox isn't fucking easy. Despite whether that's good or bad, it's hard to do right. There's very little chance with the exception of Mozilla or Google proper making a secure (not massive security hole of a) browser for iOS.

    Not gonna happen (for a few years at least). Not in France, not in the us, not anywhere.

    Well I could see Apple doing this but on the proviso if you have a security hole that compromises the phone-- you owe them a billion dollars.

    • Re: Security... (Score:3, Insightful)

      by Anonymous Coward

      Unix has had sandboxing since forever with chroot.

      BSD jails have existed for more than a decade.

      These days, Linux has both lxc and systemd application level sandboxing (which is attained via cgroups, I believe).

      This isn't the middle ages. How hard is it to sandbox a fucking browser, really?

      • Re: Security... (Score:4, Informative)

        by molarmass192 ( 608071 ) on Friday October 07, 2016 @08:29PM (#53035665) Homepage Journal
        Ok, but chroot != sandbox, it's not really even sandbox-lite. A sandbox is complete process isolation, almost full virtualization, not just obfuscating the system root. I say almost because the process doesn't have to include it's own OS.
        • Re: (Score:3, Interesting)

          by ls671 ( 1122017 )

          Hmm, chroot needs to include its own OS or at least the parts you need to run said chrooted process unless compiled statically and still. This would make it more than sandbox lite according to your definition.

          chroot is viewed as less secure as bsd jails because it wasn't designed for a security purpose in the first place.

          I have a slackware pure 64 bits, no compat 32 what so ever. I chroot to a 32 bits full install and everything runs smoothly for legacy 32 bits apps.

          Granted, only one kernel runs, 1 /sys /pr

          • Granted, only one kernel runs, 1 /sys /proc, etc., which is "less isolated" than a qemu vm but lets you run on bare metal for specific applications.

            If stuff is actually running, then there's probably a /dev in the chroot as well. And if there's anything running as root, then it's trivial to mount /dev and escape from the chroot. It sounds as if you're using chroot for exactly its intended purpose: running applications that don't necessarily work with the host system libraries and tools. There was never intended to be any serious attempt to prevent an attacker from escaping from a chroot.

            • by ls671 ( 1122017 )

              Actually, you can give access to what you want, /dev, /proc, /sys... or not as you wish. Letting anything run as root in a chroot when using it as a mild isolation technique is a big no-no and has always been.

              chroot can still be used as a mild isolation technique if you know what you are doing. That's why I mentioned that privilege escalation can happen even in VMs.

              Damn, I remember back in the days, logging in a system as guest and getting root in 30 seconds with an xterm exploit. Privilege escalation is th

      • by TheSync ( 5291 )

        There are other risks as well, such as Android's default Web browser lets attackers spoof the URL shown in the address bar [computerworld.com], allowing for more credible phishing attacks.

      • Re: Security... (Score:5, Informative)

        by TheRaven64 ( 641858 ) on Saturday October 08, 2016 @05:58AM (#53036865) Journal
        First, chroot isn't a sandbox. For desktop applications, it isn't even useful isolation because you have a big attack window via the IPC to the display server. That said, iOS uses the TrustedBSD MAC framework (also in FreeBSD - Apple funded the development of both), which allows very fine-grained resource control to processes. The entire sandboxing framework is based on this.

        Second, the grandparent doesn't really mean sandboxing, he means compartmentalisation (which depends on some isolation primitive). Process-based isolation is fine when your threat model is different levels of trust for different processes. In a web browser, that isn't the case. Your tab browsing some random site needs to be strongly isolated from the other tab that contains your webmail login. Ensuring that this isolation is really present and not leaky is a very hard problem. Even that isn't really enough: if someone sends you an image as an email attachment and there's a vulnerability in your copy of libpng that allows arbitrary code execution, it doesn't really help you that the attacker can't compromise any other tabs: they already have the high-value target.

        Beyond that, mobile Safari also has some quite neat tricks. It makes use of execute-only memory for the JavaScript engine. On startup, it reserves a range of memory for the JIT code emission and generates a special memcpy that copies data into an offset within that address range. It then deletes all copies that the process holds of the base address and marks the special memcpy as execute-only, so there is nowhere in readable memory that contains the address range where JavaScript code will run, making it almost impossible to exploit gadgets placed in JIT'd JavaScript code.

        That said, no security is perfect and a monoculture is a good way of turning a vulnerability into a pandemic. If you have 4 different browsers with approximately equal market share, it's a lot harder to exploit all of them. This is why Verisign uses a mixture of FreeBSD and Linux with 3 different DNS server implementations on their root nameservers: If you want to take down their root zone, you need a to have a compromise for at least two DNS servers and for both operating systems.

      • by Karlt1 ( 231423 )

        How has all that Unix/Linux security worked out for Android?

        • by DeVilla ( 4563 )
          Android has been exploited by the vendors. User's security was not the goal. Think windows 10.
  • Interesting. This might turn into a crack in the garden wall. It might even be a harbinger of more cracks. Given its history in such matters, I suspect the French government won't side with Apple.

    Apple might end up having to comply, if only under the "you're voiding your warranty and cutting yourself off from manufacturer support" caveat that comes with rooting an Android device. Then again, they might just say "Sorry France, no more Apples for you"...

    • But the world is full of devices on which you can't just install whatever software you like. If a lawsuit like this succeeds, then what does that mean for all those devices? Will all manufacturers of computing devices have to provide SDKs for them? And remove whatever cryptographic restrictions have been placed on them? That would certainly make for a pretty interesting world.
  • by Anonymous Coward on Friday October 07, 2016 @06:37PM (#53035249)

    Well they should... or who doesn't remember the "N" SKU for Windows that prevented the instant bundling of Internet Explorer? Microsoft had to develop a separate version of Windows XP, etc. and beyond to meet this standard that stripped out the "preferred" browser that came with Windows in Europe and other regions. This allowed those users to choose and install the browser(/rendering engine) of their preference instead of being defaulted into the browser packaged with their operating system. Why should Apple be given a golden ticket and allowed to skip over such similar legislation? This is not that much different.

    Peace out.

    • by tlhIngan ( 30335 )

      Well they should... or who doesn't remember the "N" SKU for Windows that prevented the instant bundling of Internet Explorer? Microsoft had to develop a separate version of Windows XP, etc. and beyond to meet this standard that stripped out the "preferred" browser that came with Windows in Europe and other regions. This allowed those users to choose and install the browser(/rendering engine) of their preference instead of being defaulted into the browser packaged with their operating system. Why should Appl

  • ...because you could deploy apps without the App Store.

    Let's hope this happens! :)

  • So if the compatient's beef is that WebKit [webkit.org] doesn't support the "latest" HTML5, WebM, "whatever is hot today" standard. Why not actually help improve the WebKit engine, since you know, its Open Source. They can first begin by first reading the Getting Started [webkit.org] page. And for those individuals that want to know the Licensing WebKit [webkit.org] page indicates that "WebKit is open source software with portions licensed under the LGPL and BSD licenses."

    Is WebKit the best rendering engine under the sun, not really, but then no

  • by Henriok ( 6762 ) on Friday October 07, 2016 @08:03PM (#53035577)
    Apple are allowing other web rendering engines. They just aren't allowing engines running arbitrary code on their plaform. That includes Java, Flash, JavaScript and emulators. It's the "running arbitrary code" that's the problem, not rendering web pages or showing WebM movies. You are allowed to make such apps.
    • Apple are allowing other web rendering engines. They just aren't allowing engines running arbitrary code on their plaform. That includes Java, Flash, JavaScript and emulators.

      It's still hard for me to believe Apple has really built a cellphone empire on turning a general purpose computer into a limited purpose computer. I guess this is what comes of not teaching programming in schools.

      • When iPhones first came out, everyone thought Apple was crazy and that native-code apps (Appke at first tried to assuage security concerns by allowing only HTML5 apps) would be phoning Nigeria and 1-900-KGB-DOOD to charge users fraudulently. AT&T took a lot of convincing to get them to agree to a phone with ObjC apps as opposed to just HTML applets. No phone company wanted that kind of security nightmare. The current restriction against running arbitrary downloaded code (no JS engines, which is what thi

    • by Guidii ( 686867 )
      Apple’s App Store policies state: “Apps that browse the web must use the iOS WebKit framework and WebKit Javascript.” Source: http://www.howtogeek.com/18428... [howtogeek.com]
    • That's like saying I don't ban motorcycles, I only ban engines under 1.4L. The technicalities are different but the effect is the same. An alternate rendering engine which can't do javascript is as useless as useless as teats on a bull.

  • A web browser and universal app platform rolled into a phone OS. Winning was not so much market share but 'keeping the bastards honest'.

    But, to summon the app app luddite apps guy, a platform without software is stillborn and the mobile web stagnates...

    Perhaps if management at Google loosened the strings, they'd release a spin of Chrome OS as a ROM for Nexus/Pixel devices - a web device with Android app support.

No spitting on the Bus! Thank you, The Mgt.

Working...