Apple Hates Flash

**Husar** · 04-30-2010, 10:20

Tello Athenaios really nails it even if half his post was full of things I don't entirely understand.

Though I would like to add/correct a bit.

Firstly, it can take up to a month or more from the time a developer hands in any app to when it actually appears in the AppStore, this is because Apple does test them.

Secondly, this testing sort of reared it's ugly head when they refused the Opera browser, reason unknown to me and an Amiga emulator because, as they said, it allowed the execution of external code, which is a nono for security concerns, yes, I just read the thing about root access but doesn't mean you have to make the door wide open IMO.

Thirdly, Opera Mini has been allowed lately and I'm using it all the time now, this was surprising even to me, but may be because they just launched their own advertisement service for apps that will probably make up for the lost revenue due to people using Opera instead of Safari.

And concerning Adobe, I hate them, more than Apple(look, I got an iPhone and it's really nice but that doesn't mean I have to love Apple or think it's perfect), they got a quasi-monopole on image editing software and Flash is just...well, it doesn't work correctly in my Linux Opera(no, not going to use Firefox except for a few flash videos), there was no 64bit Linux version at all last time I checked and even in Windows it's using ressources like crazy and generally acting up now and then. Like apple, I can't wait for html5.
Oh and I use Corel Graphics Suite 12, it's perfectly fine for doing all the things I want to do with pictures, gimp works, too, although I hate the layout.

Concerning openness, it has benefits and drawbacks, the android store is open it seems but I read it got flushed with fake homebanking apps that would steal your login data and bank passwords before it was detected and they were deleted, it seems such programs would not get through Apple's testing which I consider a great plus as I can trust that at least around 99% of what the AppStore offers me is actually safe and not a package of viruses and trojans(doesn't mean it's bug-free and flawless but most apps get quite a few free patches with new features, sometimes complete redesigns, bug fixes etc.).

**Tellos Athenaios** · 04-30-2010, 16:48

Apple certainly does test them to some extent. But one of the things it does *not* do is return the developer the results of the testing. Mostly a simple “no” or “yes”. It's more of a backlog of applications waiting to get the rubber stamp than extensive security auditing (which would see them return you an extensive documentation of vulnerabilities found, if any).

In fact one could make the case that if they were so very concerned about security they would hail the likes of Java (and to a lesser extent Flash) as a Good Thing. After all, it is much harder to write a Java application that crashes the underlying OS due to the fact that any half decent underlying VM takes away many of the common attack vectors for arbitrary code execution (buffer over/under-runs, stack smashing, and generally everything to do with unmanaged pointers and references). C++ & libraries is a much less secure `platform' than Flash is. Let's entertain the following scenario:

You write an application that handles transactions of some nature and thus has to do with sensitive data from a user account. You are not an experienced coder; in fact your natural inclination would be to write your application in Flash. You can't because Jobs doesn't like it; so instead you write an application in C++. How hard can it be? Now you don't like it when people have to sign on every time: you want your application to remember their authentication details for them. You are not stupid: you know that saving a password in plaintext is not a good idea, generally speaking. Assuming that the server where you authenticate with your credentials expects both user name and password to be encrypted with SHA-256 hashes you cook up the following text file format:

Code:

url = http://www.auth-domain.com/path/to/app?query=string&params=values
name= sha-256-of-account-name
pass = sha-256-of-account-pass

What would an attacker have to do but overwrite the URL field, conditionally, disguised in a silly game? But more subtly: is your application prepared for a malformed sha-256 that is *not* 256 bits long? If you read that as binary data and you attempt to read a byte buffer of exactly 64 bytes from name where there was only "hook-line-and-sinker" what will hapen? You will read: "hook-line-and-sinker\x0Apass = "+58 characters of pass.

This type of attack, incidentally is not as uncommon as you might hope. It can happen to *any* application that uses the scanf() family of functions to interpret a line as a formatted string and extract the formatted data from it. The typical result would be a segfault.