3/15/2011
02:41 PM

Apple Web App Slowdown Prompts Conspiracy Theories

Some developers fear Apple is deliberately crippling Web apps, but others attribute the issue to technical and security problems.

Apple claims that its new Nitro JavaScript engine in iOS 4.3 runs JavaScript twice as fast as iOS 4.2. But Web developers have noticed that Nitro's acceleration is only available inside mobile Safari. Web applications that have been saved as a home screen object and are then run in fullscreen mode, as well as apps that access the Web through the UIWebView API in iOS, don't benefit from Nitro acceleration.

In other words, JavaScript in Web apps running in fullscreen mode executes more than two times slower than JavaScript processed by mobile Safari.

Given Apple's abandoned plan to ban a variety of third-party programming technologies last year and its Flash vendetta, some Web developers see the performance gap as a deliberate effort by Apple to undermine Web apps.

Apple did not respond to a request for comment, but most developers weighing in on the matter appear to be satisfied that the issue is either a bug or due to an unresolved security issue related to just-in-time (JIT) compilation.

The issue has reportedly been submitted to Apple, which doesn't make its bug database public, and has also been submitted to Open Radar, a public, unofficial bug database for iOS and Mac OS X.

"I don't believe this is a deliberate attempt to hinder PhoneGap, HTML5, Web apps or even pseudo-browsers (such as SkyFire)," said developer Maximiliano Firtman in an e-mail. "I don't work at Apple, so I can not be sure; but from my point of view this is just a bug, or a 'missing feature.'"

Firtman says that a source at Apple recently told him that while Safari and UIWebView, which is used in third-party development frameworks like PhoneGap, share the same WebKit engine, Safari is not using UIWebView internally. "That means that Safari and UIWebView are two different things inside the framework, so Nitro can be inside Safari and not inside UIWebView," he said.

Firtman adds that if Apple disabled Nitro for third-party apps due to security concerns, he has to wonder whether Safari is secure enough.

Given that both the desktop and mobile versions of Safari were hacked last week during the Pwn2Own contest at CanSecWest, despite a substantial patch from Apple hours before the competition, it's a fair question to ask.
