A French Company is Suing Apple To Open the iPhone To Rival Browsing Engines (recode.net) 72
A French maker of open-source software said Friday it is suing Apple in an effort to get the company to make iOS more supportive of Web standards. Nexedi is suing Apple under French law in hopes it can force Apple to allow rival browsing engines onto the iPhone. From a report on Recode:Although Apple allows rival browser apps, such as Google's Chrome, on to the iPhone, the'y all have to use Apple's Web rendering engine. That means the ability to draw on the latest Web standards is is limited to whatever Apple decides to include. That means some newer technologies, like the WebM video standard and the WebRTC protocol for real-time communications, can't be made to work in an iOS browser even though they work in nearly all other browsers. "We hope [this lawsuit] will help Apple to sooner support the latest Web and HTML5 standards on its iOS platform -- the operating system used by all iPhones," Nexedi said in a blog post, which also explains the more granular details of how technology works and what needs to change, in their estimation.
Why should they? (Score:3, Insightful)
Just because you want another poorly coded standard as a way to track people, and allow exploit code to run?
No thanks.
Re:Why should they? (Score:5, Insightful)
Safari is holding the web back much like IE6 did when Microsoft refused to upgrade it.
Re:Why should they? (Score:4, Informative)
The latest version of Safari (10) is 100% compliant with ES6.
Re:Why should they? (Score:5, Insightful)
Then don't buy Apple. Buy Android, like I did.
Dang, people. Freedom isn't hard to understand.
Re: (Score:2)
Security... (Score:3, Insightful)
Apple has said time and time again the issue is security-- making a sandbox isn't fucking easy. Despite whether that's good or bad, it's hard to do right. There's very little chance with the exception of Mozilla or Google proper making a secure (not massive security hole of a) browser for iOS.
Not gonna happen (for a few years at least). Not in France, not in the us, not anywhere.
Well I could see Apple doing this but on the proviso if you have a security hole that compromises the phone-- you owe them a billion dollars.
Re: Security... (Score:3, Insightful)
Unix has had sandboxing since forever with chroot.
BSD jails have existed for more than a decade.
These days, Linux has both lxc and systemd application level sandboxing (which is attained via cgroups, I believe).
This isn't the middle ages. How hard is it to sandbox a fucking browser, really?
Re: Security... (Score:4, Informative)
Re: (Score:2)
linux also has a sandbox application, separate from chroot.
"A sandbox application"? Do you even know what we are talking about here?
Re: (Score:3, Interesting)
Hmm, chroot needs to include its own OS or at least the parts you need to run said chrooted process unless compiled statically and still. This would make it more than sandbox lite according to your definition.
chroot is viewed as less secure as bsd jails because it wasn't designed for a security purpose in the first place.
I have a slackware pure 64 bits, no compat 32 what so ever. I chroot to a 32 bits full install and everything runs smoothly for legacy 32 bits apps.
Granted, only one kernel runs, 1 /sys /pr
Re: (Score:2)
Granted, only one kernel runs, 1 /sys /proc, etc., which is "less isolated" than a qemu vm but lets you run on bare metal for specific applications.
If stuff is actually running, then there's probably a /dev in the chroot as well. And if there's anything running as root, then it's trivial to mount /dev and escape from the chroot. It sounds as if you're using chroot for exactly its intended purpose: running applications that don't necessarily work with the host system libraries and tools. There was never intended to be any serious attempt to prevent an attacker from escaping from a chroot.
Re: (Score:2)
Actually, you can give access to what you want, /dev, /proc, /sys... or not as you wish. Letting anything run as root in a chroot when using it as a mild isolation technique is a big no-no and has always been.
chroot can still be used as a mild isolation technique if you know what you are doing. That's why I mentioned that privilege escalation can happen even in VMs.
Damn, I remember back in the days, logging in a system as guest and getting root in 30 seconds with an xterm exploit. Privilege escalation is th
Re: (Score:3)
There are other risks as well, such as Android's default Web browser lets attackers spoof the URL shown in the address bar [computerworld.com], allowing for more credible phishing attacks.
Re: Security... (Score:5, Informative)
Second, the grandparent doesn't really mean sandboxing, he means compartmentalisation (which depends on some isolation primitive). Process-based isolation is fine when your threat model is different levels of trust for different processes. In a web browser, that isn't the case. Your tab browsing some random site needs to be strongly isolated from the other tab that contains your webmail login. Ensuring that this isolation is really present and not leaky is a very hard problem. Even that isn't really enough: if someone sends you an image as an email attachment and there's a vulnerability in your copy of libpng that allows arbitrary code execution, it doesn't really help you that the attacker can't compromise any other tabs: they already have the high-value target.
Beyond that, mobile Safari also has some quite neat tricks. It makes use of execute-only memory for the JavaScript engine. On startup, it reserves a range of memory for the JIT code emission and generates a special memcpy that copies data into an offset within that address range. It then deletes all copies that the process holds of the base address and marks the special memcpy as execute-only, so there is nowhere in readable memory that contains the address range where JavaScript code will run, making it almost impossible to exploit gadgets placed in JIT'd JavaScript code.
That said, no security is perfect and a monoculture is a good way of turning a vulnerability into a pandemic. If you have 4 different browsers with approximately equal market share, it's a lot harder to exploit all of them. This is why Verisign uses a mixture of FreeBSD and Linux with 3 different DNS server implementations on their root nameservers: If you want to take down their root zone, you need a to have a compromise for at least two DNS servers and for both operating systems.
Re: (Score:2)
How has all that Unix/Linux security worked out for Android?
Re: (Score:2)
Re: (Score:2)
In general, that's true. But oddly enough, there are some sites that Firefox can handle just fine but drop out in both Safari and Chrome. My company's web portals to Peoplesoft and SAP are the first two that come to mind. I can login with any browser. But they work correctly only on Firefox. When I mentioned this to the SAP help desk, they told me the site is "optimized for IE 6" (Seriously, WTFH? This was in 2014, not 2002!.) and that if I'd already upgraded, there was a tool on the IT public shared
Hmmm... (Score:2)
Interesting. This might turn into a crack in the garden wall. It might even be a harbinger of more cracks. Given its history in such matters, I suspect the French government won't side with Apple.
Apple might end up having to comply, if only under the "you're voiding your warranty and cutting yourself off from manufacturer support" caveat that comes with rooting an Android device. Then again, they might just say "Sorry France, no more Apples for you"...
Re: (Score:3)
Because previous legislation against Microsoft.... (Score:4, Insightful)
Well they should... or who doesn't remember the "N" SKU for Windows that prevented the instant bundling of Internet Explorer? Microsoft had to develop a separate version of Windows XP, etc. and beyond to meet this standard that stripped out the "preferred" browser that came with Windows in Europe and other regions. This allowed those users to choose and install the browser(/rendering engine) of their preference instead of being defaulted into the browser packaged with their operating system. Why should Apple be given a golden ticket and allowed to skip over such similar legislation? This is not that much different.
Peace out.
Re: (Score:3)
Re: (Score:2)
You probably can. But you would lose quickly on the basis that you can if fact swap a ford engine into a Toyota if you really want you.
In the same way that you can put another browser engine onto an iOS device if you really want to. Case closed.
Re: (Score:3)
Are the Developers being forced to make web browsers? Are They being forced to make browsers for iPhones? Are They being forced by Apple?
You really didn't grasp the gist of the complaint did you?
This would destroy Apple's walled garden... (Score:2, Interesting)
...because you could deploy apps without the App Store.
Let's hope this happens! :)
Re: (Score:2)
So while we are at, should we also force Sony, Microsoft, and Nintendo to open up their respective consoles?
Re: (Score:2)
Who is stopping you?
WebKit is Open Source - So why not help improve it (Score:1)
So if the compatient's beef is that WebKit [webkit.org] doesn't support the "latest" HTML5, WebM, "whatever is hot today" standard. Why not actually help improve the WebKit engine, since you know, its Open Source. They can first begin by first reading the Getting Started [webkit.org] page. And for those individuals that want to know the Licensing WebKit [webkit.org] page indicates that "WebKit is open source software with portions licensed under the LGPL and BSD licenses."
Is WebKit the best rendering engine under the sun, not really, but then no
It's javascript engines Apple doesn't allow. (Score:3, Informative)
Re: (Score:1)
Apple are allowing other web rendering engines. They just aren't allowing engines running arbitrary code on their plaform. That includes Java, Flash, JavaScript and emulators.
It's still hard for me to believe Apple has really built a cellphone empire on turning a general purpose computer into a limited purpose computer. I guess this is what comes of not teaching programming in schools.
Re: It's javascript engines Apple doesn't allow. (Score:1)
When iPhones first came out, everyone thought Apple was crazy and that native-code apps (Appke at first tried to assuage security concerns by allowing only HTML5 apps) would be phoning Nigeria and 1-900-KGB-DOOD to charge users fraudulently. AT&T took a lot of convincing to get them to agree to a phone with ObjC apps as opposed to just HTML applets. No phone company wanted that kind of security nightmare. The current restriction against running arbitrary downloaded code (no JS engines, which is what thi
Re: (Score:2)
When iPhones first came out, there was no App Store, there was no native-code apps, and everything was HTML. Touch events were introduced at that time.
Right, the carriers didn't want the masses of asses running arbitrary code on their phones. Yes, cellular phones could already run apps. But they also had extraordinarily limited computing environments. Most phones' ability to run externally developed software was restricted to some Java MIDlets, and typically a given phone would only implement a subset of the available APIs, usually a fairly small one. The phone literally wasn't capable of running any apps that were a threat to the network; even if you got
Re: (Score:2)
The iPhone was not significantly (or even at all) more powerful than the smartphones that were popular at the time it was launched.
Uh, what? Yes, yes it was. The dominant devices were ~200MHz single-core flip phones.
The opinions of mobile network companies were not relevant. The only way they were involved was with the weird monopoly scheme Apple was trying to pull of.
Ah, the past looks so simple from your perspective, because you weren't paying attention. Apple had to kiss carrier ass to make those deals at first. Later, when the iPhone proved it would shift units, the situation was reversed.
Re: (Score:2)
What you are talking about is feature phones, and in America maybe that's about as much as you had. In Europe we had full smartphones years before th iPhone. The Market leader was Nokia phones running Symbian OS, which had full apps written in C++. For 7 years before iPhone.
Re: (Score:2)
Today, you're correct that Apple doesn't have to rely on the carriers' good graces to sell usable phones. But that's because we've had 9 years of the iPhone to show carriers that they'll lose out on a lot of data charges if they don't allow iPhones on their network. When Apple was making deals in 2006-2007, they had to find a carrier that would permit them on the network to begin with. Both Apple and AT&T made out like bandits, but one of the things Apple had to give up was selling the phone on other
Re: (Score:2)
Re: (Score:2)
That's like saying I don't ban motorcycles, I only ban engines under 1.4L. The technicalities are different but the effect is the same. An alternate rendering engine which can't do javascript is as useless as useless as teats on a bull.
Vale Firefox OS (Score:2)
A web browser and universal app platform rolled into a phone OS. Winning was not so much market share but 'keeping the bastards honest'.
But, to summon the app app luddite apps guy, a platform without software is stillborn and the mobile web stagnates...
Perhaps if management at Google loosened the strings, they'd release a spin of Chrome OS as a ROM for Nexus/Pixel devices - a web device with Android app support.