Flash and Java on the iPhone: Video Dream vs. Security Nightmare Redux

iPhone SDK: Smashing Flash Rumors

Last week the UK ruled that Apple was misrepresenting the iPhone's provisioning of "just the internet" due to the lack of support for two ubiquitously popular 3rd party plugins: Flash and Java. We've previously covered the will they/won't they drama surrounding development and deployment of Flash and Java pretty much ad nauseam infinitum, as well as some seldom discussed yet surprisingly frightening concerns about Flash and its downright sneaky use of 3rd party advertising cookies.

More recently, however, another issue has come to light. Primarily concerned with Windows Vista security and how it can be circumvented, this issue throws a renewed focus on the danger of 3rd party plugins like Flash and Java, on how they interpret and run code on our machines, and how they provide an increasingly popular attack vector for bad guys (hackers, malware authors, identity thieves, etc.).

How does this all relate to the iPhone, and what about ZOMG! Can has my Flash vidz? Read on to find out!

Before we begin, I'll just mention again that I'm a long time (10+ years) web developer who works quite a bit with Flash. I'll also add that some coverage of the issues I'm about to get into has tended towards the sensationalistic. The sky is not falling. We're not doomed. Or, at least, not because of anything to do with Flash, Java, or the iPhone.

Caveat'd enough? Good.

Back in early August at the Black Hat conference, Alexander Sotirov and Mark Dowd presented a paper amusingly titled How to Impress Girls with Browser Memory Protection Bypasses. While Vista security proper is beyond the scope of this blog, as Operating Systems like OS X on the iPhone become increasingly hardened against security exploits, the web browser becomes the path of least resistance for hackers to get at us and our stuff.

The iPhone's browser, MobileSafari, is currently the closest thing to a desktop-class rendering engine that can be found on a handset. It's based on the same WebKit core as Safari for Mac and Windows, and so it's not unreasonable to imagine it shares the same advantages (real HTML, CSS, and AJAX) and risks (can be exploited). This could potentially include buffer overruns, cross-site scripting, and -- yes -- plugin vulnerabilities.

On a recent episode of the TWiT network's popular Security Now! podcast, Steve Gibson summed up the problems with Flash and Java:

Their technologies, especially in the case of Java, Java has, deliberately has readable, writable, and executable memory because of the way it operates. So it's a big target. And so many of these third-party things, which you could pretty much depend upon, you know, Flash player is installed in the high 90 percentile of Windows machines so you can count on it being there.

And what if we could likewise count on their being on the iPhone? What potential problem could that expose?

Certainly after this paper has come out where these guys demonstrate clearly the exploitability of Flash, which is not [Data Execution Prevention] compatible, it's like, okay, Adobe, if you want your code in my machine, you make it safe. Because we've seen a bunch of Flash exploits here in the last few months. And, you know, this wouldn't be possible if Adobe would do the work. I don't care how hard it is, it's certainly possible to code around this [...] Basically this is laziness. In this day and age, for Flash still not to be marked as DEP friendly when it is in a highly vulnerable environment, it's not like it's something down on your tray, it's in your browser. And we know what a target browsers are just by their very nature. I mean, in fact, the whole focus of this paper was specifically browser vulnerability. [...] It is very common applications like Silverlight, like Flash, commonly used components, or even Media Player, that are invokable by the browser and still not yet safe, that is really now the main target of exploitation.

We've already seen MobileSafari exploits in the wild (indeed, a TIFF-based vulnerability was one of the first ways people found to jailbreak the iPhone 1.1.1 -- just by entering a URL in the browser!)

Again, this is not breakworld stuff. No need to panic and lock your handset in a lead box. Future versions of Flash and Java (and similar plugins) will likely address these issues.

Just remember, for now, that the iPhone is tremendously popular, and thus will be a tremendously popular target for hackers. Apple already has to worry about securing the HTML, CSS, AJAX (JavaScript), and QuickTime (which they own and can therefore rapidly address) components of Mobile Safari. Add to that the complications of 3rd party code interpreters with a very real history of not only exploits, but (in the case of Flash) of being bloated and buggy on the Mac (another thing Adobe has chosen not yet to prioritize fixing), and it begins to make more sense why we haven't seen Flash or Java on the iPhone, a device that knows who we are (all our data) and where we are (3G aGPS).

But wait, other smartphones run versions of Flash and Java, though, don't they? Sure, but I'd argue that the iPhone isn't really a smartphone, it's a mobile computer. Full Darwin kernel, BSD networking -- pretty much a UNIX box in your pocket. To me, that's a far bigger target than Palm OS, the Java Micro Edition inside a BlackBerry, and even Windows Mobile (which, despite the name, is a very different animal under the covers than Microsoft's desktop OS).

And isn't there a battle going on for the Rich Internet Application (RIA, aka WebApp) space? You betcha. Google didn't just drop Chrome for no reason. SproutCore, Flash/Air, Silverlight/.Net, Prism, Safari, Java, etc. all want to own what's likely the next major computing platform (the web "cloud").

Bottom-line: Both for Apple and for consumers, the advantages for Flash and Java currently do not outweigh the drawbacks, especially as standard web technologies continue to decrease the gap between proprietary plugin capabilities and the open internet (HTML, CSS, AJAX).

That's my opinion, at least. What's yours?

Rene Ritchie

EiC of iMore, EP of Mobile Nations, Apple analyst, co-host of Debug, Iterate, Vector, Review, and MacBreak Weekly podcasts. Cook, grappler, photon wrangler. Follow him on Twitter and Google+.

Reader comments

The "advantage" to blocking these technologies is NOT to the consumers Rene but Apple's and supports their increasingly Micro$oft way of attempting to control all they survey under the "360 spherical" moniker. And don't think for a minute standard HTML, CSS, AJAX are going to catch up to Flash and Java's capabilities anytime soon (think years if ever) and so it's simply untrue that this is a good thing.
If Flash and Java had no value - no one would use them. That they are in fact heavily used by millions indicates their value - and thus they must be considered part and parcel of the "full" internet.
Just like we didn't want MS forcing what solutions and technologies we use in years past - likewise we don't want Apple doing the same now - on any platform. Every technology (including iPhone OS) has security holes that get filled. This is not an excuse to not use different technologies just as undermining our rights to privacy or reasonable search and seizure is not a solution for better "homeland" security.
jeeze...fanboi much?

If iPhone incorporates Flash it's going to set a precedent for other plugins, and eventually the Mobile Safari will be as bloated as the desktop-based web browser can potentially become. More generally, is Flash even necessary? Everything that is currently done with Flash can be done better with HTML, CSS, and Ajax anyway - which by the way is far more conducive to a touch screen based browser than Flash ever could be. The only way I want Flash on the iPhone is if Adobe and Apple develop some sort of working relationship, where bugs and security fixes are addressed in a timely fashion.

Arguably, Mac OSX is a more solid mobile foundation than, say, Windows CE, but Apple's actions render that advantage nearly irrelevant. A 'UNIX box in your pocket' does not throw the most useful features of UNIX, and no, I am not talking about a terminal shell, though I would not mind one. (A real computer might have a visible file system, for example.) As for your specific examples, what good is 'BSD networking' if developers are prohibited from managing sockets and keeping them alive? What good is a 'full Darwin kernel' if the device is restricted essentially to a single-process machine? Apple relies on these abilities itself, even if they prohibit 3rd parties from doing so in the name of 'battery life.' Remember, we have the advantage of the 'full Darwin kernel,' which has one of the best task schedulers around, yet Apple cannot seem to tweak that scheduler to manage resources effectively in a mobile environment, so they give up, eliminating an entire class of useful applications unless they happen to make it themselves. The BSD kernel itself shows the value of a larger pool of developers than just those in-house.
With that track record, it is hard to take claims of security seriously, especially if nebulous security concerns are touted as the drawback for these plugins. If security is a problem, force plugins to run as a different user with lower privileges -- that is yet another advantage of a 'full Darwin kernel,' right? A cracker would have not only to find an exploit in Flash, but also in Apple's userlevel management, to do any real damage. Apple would have the final word on security, just as they do now. If they are running Safari as root, then they already are open to the same security issues that Mac users mock in Windows. If they cannot create such process jails, then it is hard to argue they have created a full 'UNIX box in your pocket;' either technically or with product restrictions, they have negated what could have been a great advantage.
Don't get me wrong -- I am enjoying my iPhone 3G, and have not even jailbroken it (yet). However, it pains me to see Apple making the same mistakes with the iPhone in 2008 they made with the Mac in 1988. In the 80s, Apple feasted on its tech lead and high margins, until somebody came out with something more open to developers and cheaper. It did not matter if Windows only did 80% of the things, and only did those 80% as well. It stepped in and squashed the Mac, sending it into a two decade long tailspin from which it may now be recovering.
The iPhone is in that same mid-80s honeymoon period as the Mac, where it enjoys some clear advantages. However, as long as Apple keeps holding on to these artificial restrictions, they leave the door open for another phone (WinCE? Android? Symbian?) to swoop in and take over. Hopefully, they have learned from their mistakes.

Totally agree with /disagree, couldn't be better explained, the only thing he may have missed is the business&marketing perspective with its time constraints that could be the reason for all the "lacking".
Apple might be enjoying a sweet time but if they don't deliver in the future (near one) they could lose their momentum as there will be plenty of superior devices, with better screens (I was expecting a higher resolution screen), camera, GPS... Every tech-spec of the iPhone is bettered by another device on the market, except for the multi touch screen, and the App store platform. As disagree said, it would only take another vendor to combine the best of every current device, and create a more open development&distribution platform to end Apple's sweet moment, and everything is at hand for, say, SE or HTC, Google or even MS, to do it, proven whoever tries to get the momentum back doesn't fall for the same mistakes.

There is no need for Flash. It has a static size that would make it hard for iPhone users. Even on a desktop, not everyone has Flash installed. Web designers must remember this! Flash and keyboard input would be awkward. My main bug with Flash/Java is the lack of a standard GUI for controls. Just make a web app, or use JavaScript. Is it really that difficult? I have an NES for games... And a great native platform on the iPhone! Another reason why it is not needed.