Humans reading source is not a strategy to defeat viruses

Apple’s official reason for reviewing all apps (there are probably other reasons too) is to make sure apps don’t contain viruses and the like.

However, here we clearly see that having humans look over the source code of every app does not catch all policy violations (violations include writing viruses, but also other things, as in this case):
http://www.mobilecrunch.com/2010/08/12/apple-pulls-camera-from-the-app-store-after-its-developers-reveal-a-contraband-feature/

If they can’t catch this policy violation, they won’t be able to catch all viruses either. (And they would need to catch all viruses for looking for viruses to be worth anything at all; catching all but one virus is not sufficient. A single virus can do a lot of damage and infect widely.)

Apple not allowing one to simply write and distribute code on their iPhone platform is an outrageous limitation of freedom. Presumably they have their reasons for doing so (e.g. so that they make money on every commercial purchase of an application), but at least the reason they claim for doing it (protecting the public) is demonstrably not true.

(P.S. I’m not proposing a strategy which will defeat viruses; I’m just saying that Apple’s app store policy is not one.)

(P.P.S. Game console manufacturers have always had similar restrictions; those limitations of freedom are just as outrageous.)

4 Responses to “Humans reading source is not a strategy to defeat viruses”

  1. ch Says:

    Apple never gets to see the Application source.

  2. adrian Says:

    OK, I have looked on the web and I have found no evidence that they do or don’t look at the source code. (But I welcome input if you know better, e.g. if you have done it.)

    I assumed they looked at the source because a) how else could they find viruses, and b) why else would one have to write in Objective-C? I mean, if they just got a binary, how could they even tell if one wrote it in, e.g., Pascal? (Assuming suitable tools existed, but they could in theory.)

  3. ch Says:

    Yeah, I’ve done some iPhone App programming. For one, they look at the binary, possibly using some static analyzers, and make sure you don’t call private API. Then they do manual testing of the app in action, and (here comes speculation) check out all the features (and what they do to/with the rest of the phone). If they find you hiding features from the review process, they’ll pull the app…

  4. ch Says:

    BTW, there’s also the disputed “YOU MUST USE XCODE” clause in the developer agreement. I suspect that this clause also helps them (to some extent) with their binary inspection – if you can only use their compiler binaries, static analysis probably gets a lot easier to do.
