Programming and general geekiness.

Posts tagged ‘security’

How Apple proved the importance of app permissions

There has been a lot of outrage in the past week after it was uncovered that some iOS apps have been ‘stealing’ the data in your Address Book and sending it all to private servers. The apps, such as Path, Instagram and possibly Twitter, then presumably use this data to help obtain new users or to suggest who to follow based on people who are already in your Address Book. I can’t really imagine that they would need to use the data for anything else, and it makes sense that you could use the various APIs to send lots of addresses at once so that the server could then reply with the usernames of the users in your address book. However, some of the data may be stored on the servers.

Most people’s (or Congress’) problem with this is that all of this has been happening without the direct permission of the users. Any iOS app that you install is able to access pretty much anything on the system, on the basis that Apple has already approved the app and so it should be OK. Because Apple obviously can’t check through all the code that an app uses, it is hardly a surprise that they didn’t spot that the apps were submitting this data.

In the future, apps will have to show the user a message telling them that the app would like to access Address Book data; however, it will still be technically possible to access the data anyway.

What this incident has essentially highlighted is a major flaw in the iOS security system. Android apps require specific permissions before their code can do things like write to the SD card, change the wallpaper, use the camera, use the Internet and access the Address Book. Examining the Android app for Path, we can see that it does request some of these permissions, which are granted by the user when they install the app. This means that Google have to do a lot less work reviewing apps, and it also means that Android apps are a lot more sandboxed on the device.
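The install-time permission model described above can be checked from an app's manifest. The following is an added example, not code from the original post: it reads a decoded, text-form AndroidManifest.xml and reports which of the capabilities listed above are requested. The manifest and the package name com.example.socialapp are constructed for illustration and are not Path's actual manifest.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Capabilities named in the post, mapped to the Android permission gating each.
POST_CAPABILITIES = {
    "android.permission.WRITE_EXTERNAL_STORAGE": "write to the SD card",
    "android.permission.SET_WALLPAPER": "change the wallpaper",
    "android.permission.CAMERA": "use the camera",
    "android.permission.INTERNET": "use the Internet",
    "android.permission.READ_CONTACTS": "access the Address Book",
}

# Constructed manifest for a hypothetical app (assumption, not a real app's file).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.socialapp">
    <uses-permission android:name="android.permission.INTERNET" />
    <uses-permission android:name="android.permission.READ_CONTACTS" />
    <uses-permission android:name="android.permission.CAMERA" />
    <uses-permission android:name="android.permission.VIBRATE" />
    <application android:label="SocialApp" />
</manifest>
"""

def requested_permissions(manifest_xml):
    """Return the set of permission names declared via <uses-permission>."""
    root = ET.fromstring(manifest_xml)
    names = (el.get(ANDROID_NS + "name") for el in root.iter("uses-permission"))
    return {name for name in names if name}

def audit(manifest_xml):
    """Return (post-named capabilities, contacts+network flag, other permissions)."""
    perms = requested_permissions(manifest_xml)
    named = {p: POST_CAPABILITIES[p] for p in perms if p in POST_CAPABILITIES}
    # Reading contacts plus network access is what an address-book upload needs.
    can_upload_contacts = {"android.permission.READ_CONTACTS",
                           "android.permission.INTERNET"} <= perms
    other = sorted(perms - set(POST_CAPABILITIES))
    return named, can_upload_contacts, other

if __name__ == "__main__":
    named, risky, other = audit(SAMPLE_MANIFEST)
    for perm, what in sorted(named.items()):
        print(f"{perm}: lets the app {what}")
    print("can read contacts and reach the network:", risky)
    print("other declared permissions:", other)
```

A manifest inside a packaged APK is stored in a binary XML form, so it has to be decoded to text before a parser like this can read it.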

I should imagine that this will leave Apple in a position where they need to start implementing permissions to ensure that users remain safe, because at the end of the day they can’t pick up everything by using humans to review apps.

Firefox is no longer the most secure?

This is horrible. A study has been carried out (it is worth noting that Google sponsored it, hence how Chrome obviously wins) that shows Chrome as the most secure web browser, followed by Internet Explorer and then Firefox. The main reason that Chrome wins is probably that security (and speed) was one of the key aims when Chrome was originally created, and every single tab, app and extension is sandboxed very tightly so that it can’t do anything that it shouldn’t be allowed to do. Internet Explorer has been slowly gaining this feature over the last few versions and it is still quite badly implemented.

I would say that Firefox has quite a lot of security though and it does sandbox to a certain extent, although probably not as much as the other browsers. Plugin security has been something that has been included in all three browsers for a while and theoretically Microsoft would win this if only Silverlight were judged.

I think that the main reason that Firefox has fallen behind is that security was the main reason that people downloaded it initially. Aside from being faster, Firefox 1 was what was bringing people away from IE because it wasn’t going to infect their computer and had relatively good reviews. Over time Firefox added new problems that led to security holes.

By the time that Chrome was released, Firefox was getting quite clunky and Chrome, being built from scratch, was offering both security and speed. Firefox then had to catch up with Chrome’s speed, which meant that security was ignored, and even now the new releases are advertised as being faster rather than safer. It doesn’t really surprise me that IE has improved in the last few years and the main reason is probably also Chrome; it needed to be better because it had already had such bad press.
