Vulnerabilities / Threats
3/15/2011
02:41 PM
Connect Directly
Google+
LinkedIn
Twitter
RSS
E-Mail
50%
50%

Apple Web App Slowdown Prompts Conspiracy Theories

Some developers fear Apple is deliberately crippling Web apps, but others attribute the issue to technical and security problems.

Apple claims that its new Nitro JavaScript engine in iOS 4.3 runs JavaScript twice as fast as iOS 4.2. But Web developers have noticed that Nitro's acceleration is only available inside mobile Safari. Web applications that have been saved as a home screen object and are then run in fullscreen mode and apps that access the Web through the UIWebView API in iOS don't benefit from Nitro acceleration.

In other words, JavaScript in Web apps running in fullscreen mode executes more than two times slower than JavaScript processed by mobile Safari.

Given Apple's abandoned plan to ban a variety of third-party programming technologies last year and its Flash vendetta, some Web developers see the performance gap as a deliberate effort by Apple to undermine Web apps.

Apple did not respond to a request for comment, but most developers weighing in on the matter appear to be satisfied that the issue is either a bug or due to an unresolved security issue related to just-in-time (JIT) compilation.

The issue has reportedly been submitted to Apple, which doesn't make its bug database public, and has also been submitted to Open Radar, a public, unofficial bug database for iOS and Mac OS X.

"I don't believe this is a deliberate attempt to hinder PhoneGap, HTML5, Web apps or even pseudo-browsers (such as SkyFire)," said developer Maximiliano Firtman in an e-mail. "I don't work at Apple, so I can not be sure; but from my point of view this is just a bug, or a 'missing feature.'"

Firtman says that a source at Apple recently told him that while Safari and UIWebView, which is used in third-party development frameworks like PhoneGap, share the same WebKit engine, Safari is not using UIWebView internally. "That means that Safari and UIWebView are two different things inside the framework, so Nitro can be inside Safari and not inside UIWebView," he said.

Firtman adds that if Apple disabled Nitro for third-party apps due to security concerns, he has to wonder whether Safari is secure enough.

Given that both the desktop and mobile versions of Safari were hacked last week during the Pwn2Own contest at CanSecWest, despite a substantial patch from Apple hours before the competition, it's a fair question to ask.

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Flash Poll
Current Issue
Cartoon
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2013-6306
Published: 2014-08-22
Unspecified vulnerability on IBM Power 7 Systems 740 before 740.70 01Ax740_121, 760 before 760.40 Ax760_078, and 770 before 770.30 01Ax770_062 allows local users to gain Service Processor privileges via unknown vectors.

CVE-2014-0232
Published: 2014-08-22
Multiple cross-site scripting (XSS) vulnerabilities in framework/common/webcommon/includes/messages.ftl in Apache OFBiz 11.04.01 before 11.04.05 and 12.04.01 before 12.04.04 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors, which are not properly handled in a (1)...

CVE-2014-3525
Published: 2014-08-22
Unspecified vulnerability in Apache Traffic Server 4.2.1.1 and 5.x before 5.0.1 has unknown impact and attack vectors, possibly related to health checks.

CVE-2014-3563
Published: 2014-08-22
Multiple unspecified vulnerabilities in Salt (aka SaltStack) before 2014.1.10 allow local users to have an unspecified impact via vectors related to temporary file creation in (1) seed.py, (2) salt-ssh, or (3) salt-cloud.

CVE-2014-3587
Published: 2014-08-22
Integer overflow in the cdf_read_property_info function in cdf.c in file through 5.19, as used in the Fileinfo component in PHP before 5.4.32 and 5.5.x before 5.5.16, allows remote attackers to cause a denial of service (application crash) via a crafted CDF file. NOTE: this vulnerability exists bec...

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Three interviews on critical embedded systems and security, recorded at Black Hat 2014 in Las Vegas.