zlacker

[parent] [thread] 6 comments
1. pilif+(OP)[view] [source] 2022-06-22 13:09:48
I don't think an audit will be able to even coming close to validate the security of a piece of software with the complexity of a browser.

As it stands now, WebKit and the processes hosting it (Safari, WKWebView) are probably the most complex piece of software running on our iOS devices and as we can see, they are full of security flaws.

But so are the engines of all other browser makers.

Audits is not what uncovers security flaws. Detailed research, fuzzing and effectively unlimited time to do both on the side of white-hat hackers and unlimited budget and criminal energy on the side of black-hats is what does.

Same is true for other engines of course.

But being restricted to a single engine shipped and updated as part of the OS with tailor-made support by the OS for sandboxing and JIT restrictions for this one engine does help to reduce attack surface.

Also, my initial concern isn't as much about third parties shipping their browsers (though, consider how many third party browsers exist and how many are well-maintained), but much more about apps embedding a vulnerable version of an engine and never updating it ("it works fine for us - no need to change a running system")

replies(2): >>pmoria+H >>spanka+I7
2. pmoria+H[view] [source] 2022-06-22 13:14:41
>>pilif+(OP)
"Audits is not what uncovers security flaws. Detailed research, fuzzing and effectively unlimited time to do both on the side of white-hat hackers and unlimited budget and criminal energy on the side of black-hats is what does."

Audits aren't supposed to be an ultimate guarantee of security, but provide a minimum, independently judged hurdle that has to be passed to get on the platform.

If there's a better, independent way to judge what browsers are "secure enough" to be on the platform (ie. not just "Apple says no"), I'd love to hear about it.

replies(2): >>pilif+91 >>spanka+08
◧◩
3. pilif+91[view] [source] [discussion] 2022-06-22 13:17:21
>>pmoria+H
Apple thinks (and I'm inclined to agree) that no browser engine is safe enough to be on the platform but as there has to be at least one by necessity, they might as well reduce the attack surface by restricting it to a single one that's tightly integrated with the OS security measures and which is updated together with other OS updates.
replies(1): >>pmoria+j3
◧◩◪
4. pmoria+j3[view] [source] [discussion] 2022-06-22 13:32:03
>>pilif+91
Following that reasoning there should only be one app of each kind on the platform: an Apple app.

Minimize attack surface, minimize choice.

replies(1): >>pilif+ln
5. spanka+I7[view] [source] 2022-06-22 13:58:22
>>pilif+(OP)
Having an engine monoculture doesn't actually reduce attack surface. People don't visit each web page with every browser they have installed on their device.

What it does is hold part of the system constant, so that attackers know ahead of time that iOS users will be running WebKit. Reducing variability makes attacks easier and increases the value of WebKit vulnerabilities.

◧◩
6. spanka+08[view] [source] [discussion] 2022-06-22 13:59:54
>>pmoria+H
What do you think an audit is, and why do you think you can even approach a useful one on a codebase the size of WebKit? It's not realistic.
◧◩◪◨
7. pilif+ln[view] [source] [discussion] 2022-06-22 15:09:03
>>pmoria+j3
A calendar app provides a much smaller attack surface than a browser. It can also perform good enough without the need for JIT compilation.

As I said in my comment: I believe Safari and the underlying WebKit to be the most complex and most insecure part of iOS by multiple orders of magnitude.

Not adding more of equally complex and demanding pieces does provide a significant reduction of attack surface

[go to top]