Vulnerabilities / Threats
3/15/2011
02:41 PM
Connect Directly
LinkedIn
Twitter
Google+
RSS
E-Mail
50%
50%

Apple Web App Slowdown Prompts Conspiracy Theories

Some developers fear Apple is deliberately crippling Web apps, but others attribute the issue to technical and security problems.

Apple claims that its new Nitro JavaScript engine in iOS 4.3 runs JavaScript twice as fast as iOS 4.2. But Web developers have noticed that Nitro's acceleration is only available inside mobile Safari. Web applications that have been saved as a home screen object and are then run in fullscreen mode and apps that access the Web through the UIWebView API in iOS don't benefit from Nitro acceleration.

In other words, JavaScript in Web apps running in fullscreen mode executes more than two times slower than JavaScript processed by mobile Safari.

Given Apple's abandoned plan to ban a variety of third-party programming technologies last year and its Flash vendetta, some Web developers see the performance gap as a deliberate effort by Apple to undermine Web apps.

Apple did not respond to a request for comment, but most developers weighing in on the matter appear to be satisfied that the issue is either a bug or due to an unresolved security issue related to just-in-time (JIT) compilation.

The issue has reportedly been submitted to Apple, which doesn't make its bug database public, and has also been submitted to Open Radar, a public, unofficial bug database for iOS and Mac OS X.

"I don't believe this is a deliberate attempt to hinder PhoneGap, HTML5, Web apps or even pseudo-browsers (such as SkyFire)," said developer Maximiliano Firtman in an e-mail. "I don't work at Apple, so I can not be sure; but from my point of view this is just a bug, or a 'missing feature.'"

Firtman says that a source at Apple recently told him that while Safari and UIWebView, which is used in third-party development frameworks like PhoneGap, share the same WebKit engine, Safari is not using UIWebView internally. "That means that Safari and UIWebView are two different things inside the framework, so Nitro can be inside Safari and not inside UIWebView," he said.

Firtman adds that if Apple disabled Nitro for third-party apps due to security concerns, he has to wonder whether Safari is secure enough.

Given that both the desktop and mobile versions of Safari were hacked last week during the Pwn2Own contest at CanSecWest, despite a substantial patch from Apple hours before the competition, it's a fair question to ask.

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Flash Poll
Current Issue
Cartoon
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-0103
Published: 2014-07-29
WebAccess in Zarafa before 7.1.10 and WebApp before 1.6 stores credentials in cleartext, which allows local Apache users to obtain sensitive information by reading the PHP session files.

CVE-2014-0475
Published: 2014-07-29
Multiple directory traversal vulnerabilities in GNU C Library (aka glibc or libc6) before 2.20 allow context-dependent attackers to bypass ForceCommand restrictions and possibly have other unspecified impact via a .. (dot dot) in a (1) LC_*, (2) LANG, or other locale environment variable.

CVE-2014-2226
Published: 2014-07-29
Ubiquiti UniFi Controller before 3.2.1 logs the administrative password hash in syslog messages, which allows man-in-the-middle attackers to obtains sensitive information via unspecified vectors.

CVE-2014-3541
Published: 2014-07-29
The Repositories component in Moodle through 2.3.11, 2.4.x before 2.4.11, 2.5.x before 2.5.7, 2.6.x before 2.6.4, and 2.7.x before 2.7.1 allows remote attackers to conduct PHP object injection attacks and execute arbitrary code via serialized data associated with an add-on.

CVE-2014-3542
Published: 2014-07-29
mod/lti/service.php in Moodle through 2.3.11, 2.4.x before 2.4.11, 2.5.x before 2.5.7, 2.6.x before 2.6.4, and 2.7.x before 2.7.1 allows remote attackers to read arbitrary files via an XML external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) is...

Best of the Web
Dark Reading Radio