
> please lock down my machine

The restriction is against programs that can download and execute code from random places on the internet, and you only need to look at a family of Android malware that Google has been unable to keep out of the Play Store to see why.

> Known as Joker, this family of malicious apps has been attacking Android users since late 2016 and more recently has become one of the most common Android threats.

One of the keys to Joker’s success is its roundabout way of attack. The apps are knockoffs of legitimate apps and, when downloaded from Play or a different market, contain no malicious code other than a “dropper.” After a delay of hours or even days, the dropper, which is heavily obfuscated and contains just a few lines of code, downloads a malicious component and drops it into the app.

https://arstechnica.com/information-technology/2020/09/joker...

Apple requires all executable code to go through the App Store's vetting process. Apps that download code to be executed have never been allowed, which is why you have the WebKit restriction.

WebKit can download and execute code. Your app cannot.

The article's conclusion that users need to be wary of apps downloaded from inside Google's walled garden should be all the warning you need about the danger of allowing random apps to download and execute code.

> With malicious apps infiltrating Play on a regular, often weekly, basis, there’s currently little indication the malicious Android app scourge will be abated. That means it’s up to individual end users to steer clear of apps like Joker. The best advice is to be extremely conservative in the apps that get installed in the first place. A good guiding principle is to choose apps that serve a true purpose and, when possible, choose developers who are known entities. Installed apps that haven’t been used in the past month should be removed unless there’s a good reason to keep them around.




Nothing stops you executing arbitrary code on iOS, you just have to use an interpreter to do so, and Joker is in fact running interpreted code (a dex file).

Bear in mind one reason you may hear less about malware on iOS is simply that security researchers aren't allowed to sell products for it and they are blocked by the infrastructure from examining apps like anyone else is anyway, so they have no incentive or ability to figure out what apps are actually doing. On Android you can get APKs from the Play Store more easily, and APKs from third-party stores very easily, and you're allowed to sell security apps into that market, so they have both means and an incentive to go find malware for it. Apple just point blank refuses to allow their commercial existence unless it's by selling vulns to Apple itself.


> Nothing stops you executing arbitrary code on iOS

Nothing except the App Store review process?

We already have tech sites warning Android users to beware of apps inside the Play Store, because Google has been unable to block Android apps from downloading malicious code and executing it on a regular basis.

If you're happy with that state of affairs, by all means, buy an Android device.


The point being made by the cited article is that a tiny interpreter that activates days or weeks after an app goes live can't be detected by any app store review process. You have no idea how many such droppers are active in the iOS App Store because only Apple can look for them, and nobody knows if they do or to what extent they do.

That's why both platforms also use a sandbox. The dropper still needs to work within whatever permissions the app has been granted. App Review doesn't involve a full-blown security audit of your app's source code and then a deterministic build process on top.


> The point being made by the cited article is that a tiny interpreter that activates days or weeks after an app goes live can't be detected by any app store review process. You have no idea how many such droppers are active in the iOS App Store because only Apple can look for them, and nobody knows if they do or to what extent they do.

The point being that Apple doesn't allow information downloaded from random places to be executed as code in third-party apps at all. This is literally the reason for the WebKit-only policy.

Google does allow it, and they (very predictably) have no way to know if that code will be malicious or not.

Which is why Ars had to warn Android users that they had to be wary of apps downloaded from the Play Store.


I think we're talking at cross-purposes here. The issue is not what Apple allows, it's what they can detect and block. They can't detect arbitrary interpreters and therefore you have no idea if this is happening on the app store. You just have to take Apple's word for it that it's not. We're talking about malware, by definition it doesn't care what the rules are. Android is more open and so third parties can go investigate and find malware that uses interpreters to execute remote code, but Apple simply doesn't allow such explorations so we don't know what's out there.



