Vulnerabilities / Threats
02:41 PM
Connect Directly

Apple Web App Slowdown Prompts Conspiracy Theories

Some developers fear Apple is deliberately crippling Web apps, but others attribute the issue to technical and security problems.

Apple claims that its new Nitro JavaScript engine in iOS 4.3 runs JavaScript twice as fast as iOS 4.2. But Web developers have noticed that Nitro's acceleration is only available inside mobile Safari. Web applications that have been saved as a home screen object and are then run in fullscreen mode and apps that access the Web through the UIWebView API in iOS don't benefit from Nitro acceleration.

In other words, JavaScript in Web apps running in fullscreen mode executes more than two times slower than JavaScript processed by mobile Safari.

Given Apple's abandoned plan to ban a variety of third-party programming technologies last year and its Flash vendetta, some Web developers see the performance gap as a deliberate effort by Apple to undermine Web apps.

Apple did not respond to a request for comment, but most developers weighing in on the matter appear to be satisfied that the issue is either a bug or due to an unresolved security issue related to just-in-time (JIT) compilation.

The issue has reportedly been submitted to Apple, which doesn't make its bug database public, and has also been submitted to Open Radar, a public, unofficial bug database for iOS and Mac OS X.

"I don't believe this is a deliberate attempt to hinder PhoneGap, HTML5, Web apps or even pseudo-browsers (such as SkyFire)," said developer Maximiliano Firtman in an e-mail. "I don't work at Apple, so I can not be sure; but from my point of view this is just a bug, or a 'missing feature.'"

Firtman says that a source at Apple recently told him that while Safari and UIWebView, which is used in third-party development frameworks like PhoneGap, share the same WebKit engine, Safari is not using UIWebView internally. "That means that Safari and UIWebView are two different things inside the framework, so Nitro can be inside Safari and not inside UIWebView," he said.

Firtman adds that if Apple disabled Nitro for third-party apps due to security concerns, he has to wonder whether Safari is secure enough.

Given that both the desktop and mobile versions of Safari were hacked last week during the Pwn2Own contest at CanSecWest, despite a substantial patch from Apple hours before the competition, it's a fair question to ask.

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Current Issue
E-Commerce Security: What Every Enterprise Needs to Know
The mainstream use of EMV smartcards in the US has experts predicting an increase in online fraud. Organizations will need to look at new tools and processes for building better breach detection and response capabilities.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
Published: 2015-10-15
The Direct Rendering Manager (DRM) subsystem in the Linux kernel through 4.x mishandles requests for Graphics Execution Manager (GEM) objects, which allows context-dependent attackers to cause a denial of service (memory consumption) via an application that processes graphics data, as demonstrated b...

Published: 2015-10-15
netstat in IBM AIX 5.3, 6.1, and 7.1 and VIOS 2.2.x, when a fibre channel adapter is used, allows local users to gain privileges via unspecified vectors.

Published: 2015-10-15
Cross-site request forgery (CSRF) vulnerability in eXtplorer before 2.1.8 allows remote attackers to hijack the authentication of arbitrary users for requests that execute PHP code.

Published: 2015-10-15
Directory traversal vulnerability in QNAP QTS before 4.1.4 build 0910 and 4.2.x before 4.2.0 RC2 build 0910, when AFP is enabled, allows remote attackers to read or write to arbitrary files by leveraging access to an OS X (1) user or (2) guest account.

Published: 2015-10-15
Cisco Application Policy Infrastructure Controller (APIC) 1.1j allows local users to gain privileges via vectors involving addition of an SSH key, aka Bug ID CSCuw46076.

Dark Reading Radio