That's even more interesting. How do you check the signature on execution? Have the page non-executable up to and including the point of transferring control to it, and do the signature check from the page fault handler?
It's essentially MPROTECT combined with checking the signature of pages faulted in via memory mappings.
Permitting only code loaded from the verified images would be stricter, but they need to permit user-installed apps. They require that Apple has signed all the code pages.
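The scheme the two replies above describe (pages stay non-executable until a fault on them triggers verification), as an added user-space model that is not code from the thread or from iOS. It maps a page holding a tiny "return 42" stub, leaves it PROT_NONE, and lets a SIGSEGV handler hash the page on the first instruction fetch: a matching digest earns PROT_EXEC and the faulting fetch is retried, a mismatch leaves the page unexecutable and unwinds to the caller. The digest is FNV-1a, a stand-in for the signed per-page hash a real implementation would compare against; the stub bytes, the tamper step and the `execute_after_verification` name are this example's own. It assumes Linux on x86-64 or aarch64 and that anonymous mappings may be made executable.

```c
/* Added example: fault-driven code-page verification. FNV-1a stands in for a
 * signed digest; the real check compares the page hash against a signed manifest. */
#define _GNU_SOURCE
#include <setjmp.h>
#include <signal.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

#ifndef MAP_ANONYMOUS
#define MAP_ANONYMOUS MAP_ANON
#endif

/* Machine code for "return 42", so the page has something real to execute. */
#if defined(__x86_64__)
static const uint8_t k_ret42[] = { 0xF3,0x0F,0x1E,0xFA,      /* endbr64 (no-op without CET) */
                                   0xB8,0x2A,0x00,0x00,0x00,  /* mov eax, 42 */
                                   0xC3 };                    /* ret */
#elif defined(__aarch64__)
static const uint8_t k_ret42[] = { 0x40,0x05,0x80,0x52,       /* mov w0, #42 */
                                   0xC0,0x03,0x5F,0xD6 };     /* ret */
#else
#error "example provides stubs for x86-64 and aarch64 only"
#endif

static uint8_t *g_page;       /* the single code page we police */
static size_t g_pagesz;
static uint64_t g_expected;   /* digest recorded when the page was "signed" */
static sigjmp_buf g_bail;     /* escape route when verification fails */

static uint64_t fnv1a64(const uint8_t *p, size_t n) {
    uint64_t h = 0xcbf29ce484222325ULL;
    for (size_t i = 0; i < n; i++) { h ^= p[i]; h *= 0x100000001b3ULL; }
    return h;
}

/* SIGSEGV handler: the first instruction fetch from the PROT_NONE page lands
 * here. Verify the page, then either grant PROT_EXEC and retry, or refuse. */
static void on_fault(int sig, siginfo_t *si, void *ctx) {
    (void)sig; (void)ctx;
    uintptr_t a = (uintptr_t)si->si_addr;
    if (a < (uintptr_t)g_page || a >= (uintptr_t)g_page + g_pagesz) {
        signal(SIGSEGV, SIG_DFL);   /* unrelated crash: let it proceed normally */
        return;
    }
    /* Readable so we can hash it, still not executable. */
    if (mprotect(g_page, g_pagesz, PROT_READ) == 0 &&
        fnv1a64(g_page, g_pagesz) == g_expected &&
        mprotect(g_page, g_pagesz, PROT_READ | PROT_EXEC) == 0)
        return;                     /* the faulting fetch is retried, now allowed */
    mprotect(g_page, g_pagesz, PROT_NONE);
    siglongjmp(g_bail, 1);          /* refuse: unwind to the caller */
}

/* Returns what the page computes (42) when it verifies, -1 when refused. */
int execute_after_verification(int tamper) {
    g_pagesz = (size_t)sysconf(_SC_PAGESIZE);
    g_page = mmap(NULL, g_pagesz, PROT_READ | PROT_WRITE,
                  MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (g_page == MAP_FAILED) return -1;
    memset(g_page, 0, g_pagesz);
    memcpy(g_page, k_ret42, sizeof k_ret42);
    g_expected = fnv1a64(g_page, g_pagesz);          /* "sign" the pristine page */
    if (tamper) g_page[sizeof k_ret42 - 1] ^= 0xFF;  /* model a post-signing modification */
    if (mprotect(g_page, g_pagesz, PROT_NONE) != 0) return -1;

    struct sigaction sa, old;
    memset(&sa, 0, sizeof sa);
    sa.sa_sigaction = on_fault;
    sa.sa_flags = SA_SIGINFO;
    sigemptyset(&sa.sa_mask);
    sigaction(SIGSEGV, &sa, &old);

    int result;
    if (sigsetjmp(g_bail, 1) == 0) {
        int (*fn)(void) = (int (*)(void))(uintptr_t)g_page;
        result = fn();              /* faults, gets verified, then runs */
    } else {
        result = -1;                /* handler refused the page */
    }
    sigaction(SIGSEGV, &old, NULL);
    munmap(g_page, g_pagesz);
    return result;
}

int main(void) {
    printf("pristine page: %d\n", execute_after_verification(0));
    printf("tampered page: %d\n", execute_after_verification(1));
    return 0;
}
```

The tampered page is refused before a single byte of it runs, which is the property the kernel version gives you: the check is not "was this binary signed at load time" but "is every page that is about to execute still the page that was signed". A kernel does this in its fault path rather than via SIGSEGV, and on a system that forbids RW-to-RX transitions for anonymous memory (hardened Linux policies, Apple Silicon without MAP_JIT) the PROT_EXEC mprotect in the handler will fail and the call returns -1.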
This is part of what people mean when they talk about code signing on iOS. Safari has a special exception allowing it to bypass this for the JavaScript JIT compiler and Safari is the only permitted browser engine. Apps are allowed to ship powerful interpreters and blur the lines.
How does Firefox on iOS work? Is it just a fake Firefox that's reskinned Safari widget with some Firefox features on top, or do they just use interp-only? (The latter would be *extremely* preferable no matter how slow it is.)
Chrome and Firefox on Android are skins over top of a Safari widget. Apple's policies forbid shipping any alternative web engine implementation. An interpreter-only approach would work at a technical level but isn't permitted by their App Store policies. This is common for them.
I guess you mean on iOS; it's definitely real on Android. Why isn't an interpreter permitted by policies if the interpreter does not expose any access to system facilities?
Like, as a really stupid exercise, you could compile Firefox (or at least a non-bloated browser) to wasm and run the whole thing inside a tab in their Safari junk to get a real browser on iOS... So why can't you just do that with an app?
Nothing at a technical level stops you from shipping Firefox or Chromium with a pure interpreter approach. Safari is a loophole in their policy. It's the only permitted web rendering engine, and you're allowed to use it to download and execute dynamic web content.
Their policies permit you to download and execute arbitrary content in the Safari WebView.
If you ship a Python interpreter and then you download Python code from your servers to run, that's a violation of the rules. If you run only Python included in the app, that's fine.
The Play Store has a directly comparable rule. The reason for the rules is that they want to be able to review all of the code. If they allow you to dynamically download and execute code, they can't review all of it, so they will ban apps caught doing that. Safari is a loophole.
There are many apps essentially using it as a loophole by shipping an app that's heavily driven by content running in a WebView. Apps can heavily use reflection to dynamically expose native APIs to the WebView and bend the rules to ship out-of-band updates bypassing review.
Play Store has the same rules but they're far more lax with enforcing them. Technically, apps like Termux violate the Play Store rules but Google doesn't usually enforce anything unless they spot something malicious happening. It does mean they let apps bypass review in practice.
Apple is pretty lax with enforcing these rules against major apps. A lot of widely used apps are pretty much breaking the rules with sketchy loopholes and they're able to ship major app updates out-of-band through reflection, interpreters, etc. Can find a lot of blogs about it.