back to article Apple App Store apps are often old, vulnerable versions

Apple is publishing outdated software packages, subject to critical security vulnerabilities in some cases, through its App Store. The problem was discovered by security researcher Joshua Long, who discovered that users who download a copy of Opera via the App Store get a copy of the software released in March. Opera fixed a …

COMMENTS

This topic is closed for new posts.
  1. Anonymous Coward
    Anonymous Coward

    non-story?

    Your single example other than Opera is the Kindle app.

    Firstly, Apple's own page (http://itunes.apple.com/us/app/kindle/id302584613?mt=8) lists the last update as Apr 21, 2011

    Secondly, is there any issue with this app at the moment - I'm not sure why there would be with a reader app (it's rather different to a web browser as the content is 'known' - it doesn't sync pdfs in the way the physical Kindle does)? Frequent updates are fairly irritating once you have a lot of apps on an iOS device. If there's no security risk is there any reason why the gap between updates shouldn't be 6 months, a year, or more?

    1. DanJB
      Stop

      Not the iOS store!

      I believe the author was talking about the Mac App Store, where users can download programs for their Mac OSX devices. Mainly because the only version of opera on iOS is Opera Mini. Here is the link to the current version of opera discussed in the article, http://itunes.apple.com/us/app/opera/id404764921?mt=12 and for comparison here is the Kindle page, http://itunes.apple.com/us/app/kindle/id405399194?mt=12, which lists the date of release as the 7th of Jan.

  2. DZ-Jay

    Wrong

    >> "However, it does introduce a delay that means Apple is falling short of its promise to "keep track of your apps and tell you when an update is available"."

    It is not falling short on that promise; the apps nor not available yet in the App Store. Are you suggesting that Apple notify its users every time a developer submits an update for review?

    I personally think that the fact that developers can't rely on patching constantly will entice them to test more thoroughly before deploying. Furthermore, I don't think that bug fixes and other patches should have any special privileges that shortcut the approval process. What if said bug fix or patch was implemented in reactionary haste an introduces more issues, or affect customers in any other way?

    -dZ.

    1. Andrew Moore

      I see your point...

      but I don't think that Apple have introduced such a long delay between submitting an App and it appearing on the App store simply to concentrate the minds of the developers- I do think it's because they are overwhelmed. Though there does seem to be some evidence that paid-for Apps do get priority over free Apps.

      But to look at your point from the otherside. What about a scenario where a developer releases an App only to discover that there is a critical vulnerability in it and can not get a patched version out in a timely manner, leaving all his App clients compromised until Apple pull their finger out.

      1. DZ-Jay

        Re: I see your point...

        I was not suggesting that Apple was artificially introducing a delay in the approval process. I meant that the delay is germane to the process itself. If they are overwhelmed, this is a legitimate concern, and it will be sorted out eventually. Keep in mind that this is a different and fairly novel model, and it has only been running for about three years and is growing exponentially, which may make it harder to scale.

        The scenario you mentioned is very valid, and I would imagine in such situations that Apple would be receptive to the developer and perhaps expedite the process.

        However, in any case, I'm sure they will assess the risk themselves and make the determination on their own terms. It serves nobody to automatically and blindly react to the developers claims. After all, I am sure that every developer thinks *their* patch is more critical the others'.

        -dZ.

  3. Anonymous Coward
    Jobs Halo

    Sigh.

    >> "However, it does introduce a delay that means Apple is falling short of its promise to "keep track of your apps and tell you when an update is available"."

    Far be it for me to be an Apple apologist, but fair is fair:

    The delay introduced by Apples' vetting of app store submissions is about two weeks, slightly longer at times (like when a major iOS version is released and a bunch of apps need new versions to be compatible) and is often shorter. So if a version in the app store is an "old, vulnerable version", it is because the app developer either hasn't submitted it, or Apple has found problems with the app that need to be fixed before they will publish it in the store.

    Also, as pointed out previously, since the app isn't yet available, Apple isn't fallng short of their promise. As soon as the app passes their tests and is available, the users are notified as a part of the normal app update process.

    Angelic Steve because... yeah, I know, it was hard but it really isn't his fault this time

    1. Sean O'Connor 1
      Thumb Up

      Title

      I've always found it takes about 7 days to approve an app (or an update) so I agree, if the app is way out of date it's the developer's fault and not Apple's. Would be nice if Apple had a mechanism for an emergency update though.

      1. Anonymous Coward
        Happy

        Re: emergency update

        Actually, they do - you can ask for an expedited review, and we have received a "one-time exception" and had the app reviewed and approved within 24 hours. I've heard of others getting a "one time exception" more than once, so I don't know how they decide to give an expedited review but if you need it, it can't hurt to ask...

  4. Anonymous Coward
    FAIL

    The Mac App Store isn't a closed garden,,,

    This article is fundamentally flawed. Its not a closed garden because you can get both apps directly from the supplier, and you can install apps that aren't in the store. Thus we - and Apple - might expect the developers ensure critical apps phone home for updates. Under these circumstances, keeping versions up-to-date is not as critical as it is in a =real= walled garden such as the iPhone, where Apple is entirely responsible for the apps installed.

    What it does say is that Apple are at present a little tardy at reviewing new versions of some apps. Well, surprise surprise - new app store for established platform is a little behind in its homework.

    It also might have been more honest if the qualification about it being the MAC store was a little less buried in the prose... given the entirely different operating models of the iOS app store and the Mac app store.

    Instead of this guff, what we REALLY want to know is Apple's response to critical vulnerabilities for iPhone and iPad apps.

  5. Anonymous Coward
    Happy

    Yeah but , no but!

    Might be a few dodgy apps in the Apple app store, but at least there's no gaping great hole letting your details out to all and sundry, so much so it ended up splashed across the front of the UK media today!

    ( After blue touch-paper is lit, do not return to forum comment as flames may have already started! )

    1. Steve Evans

      Re: Yeah but , no but!

      I assume you are referring to the Android log in token... The problem which was already fixed in the latest OS versions (unfortunately delayed by manufacturers and carriers), and then fixed for all on the servers by google?

      http://www.theregister.co.uk/2011/05/18/google_android_security_fix/

      Seems like a perfect example of why having software updates delayed by a middle man is a bad idea.

  6. Anonymous Coward
    Anonymous Coward

    Android

    Given that today someone has been told to disconnect their Android phone from our work WIFI as it was harvesting Windows logins and trying to log in to servers (causing people's accounts to lock out) I think that iPhones are the least of someone's worries.

    Checks take time but it's better than having vast amounts of malware in the app store.

    1. Anonymous Coward
      Anonymous Coward

      Re: Android

      How on earth would it be doing that?

      You can't harvest unless you can see the traffic going past, and unless there is something very wrong with your network routing, the only packets being sent across the wifi to the phone will be ones marked specifically for its IP. Not ones from a desktop PC destined for the domain server.

      Plus harvesting would not lock out an account, harvesting is listening only. Brute force attempts (and fat fingers) cause the auto lockout.

      If you work for a large UK gov body (*cough* like TFL *cough*) it's probably just the conficker worm having another go because you still haven't put the several years old patch onto your windows machines yet.

      Actually, that might be unfair, they may have patched it by now, but I seem to remember them still having problems 12 months after the patch was released.

      1. skwdenyer
        Thumb Down

        Re: Re: Android

        Sorry, are you suggesting that there cannot be a malware app on an Android device which could attempt to bruteforce windows logins?

        If the Wi-Fi access point is serving multiple laptops (or even desktops) then is it impossible for an Android device's wifi interface to be put into promiscuous mode?

        It is all very well to cry that something is impossible, but proving that contention is a bit more tricky, I'd have thought!

        1. Anonymous Coward
          Anonymous Coward

          Re: re: re: Android

          You would need a rooted device to be able to go into promiscuous mode.

          Of course there could be a brute force app on the device, but it seems unlikely it would be an accidental virus, I'm sure we would have heard about something like that by now, so either the sys admin is an arse (wouldn't be the first time I've seen one like that) or the device owner is "having a go".

  7. Anonymous Coward
    Anonymous Coward

    Agree with the other commenters

    The author of the article went out of his way to mislead potential readers with the title which doesn't clearly state this is the much less popular Mac App Store and then seriously mislead by claiming it's a walled garden in the subtitle.

    Sure there could be a way for developers to submit urgent patches, but this would have to be well planned so as not to mean less review that would open to potentially much greater abuse.

    All it would take would be for a rogue dev to release an OK application and then submit a malware version via the urgent submission process. I can see how the media would be up in arms criticising Apple already.

    Guess Apple could charge some fee to pay extra staff handling urgent submissions, but again this model wouldn't work for free apps.

    1. chr0m4t1c

      Now you're in trouble

      I presume you've been down-voted by the "Apple==Evil" crowd for appearing to defend them.

      I would say that this article does appear to be intentionally misleading, though.

      There's nothing stopping any application downloaded from the Mac App store from side-loading a patch for itself and I'm quite surprised that Opera doesn't do this, although someone might be along in a minute to tell me that it does.

      If an application patches itself when run, then it doesn't really matter if a slightly older version is being delivered by the app store any more than it does if you bought it in a bricks-and-mortar store or got it from cnet (for example).

      All the app store brings to the party is the ability for apps to be updated even if you don't run them regularly, as if they were part of the OS.

      I'm struggling to see what the actual issue is, if you bought a physical copy of Win7 from PC World, would you be surprised that it didn't have all the latest patches already installed?

      1. Anonymous Coward
        Thumb Down

        App store apps can't patch themsleves

        Mac app store apps are not permitted to download and install patches. They are basically subject to the same rules as iOS, except for where that wouldn't make sense on the Mac (i.e, they can run daemon processes in the background and access a shared documents folder).

        The reason for this is so that users downloading apps from the Mac app store can have the same confidence that said app has been vetted to not contain anything nasty as the do on iOS. The difference of course is that if said user wishes to go to a random website and install themelves a copy of MacDefender, they still can.

  8. Justin Clements

    Oh do fuck off

    >>Security savvy Mac users would be better to get updated software from a vendor's own website.

    No, Mac App Store is perfectly capable and a brilliant device for updating installed applications. Yesterday it updated 6 apps that I had downloaded because I hadn't run it for a couple of weeks.

    So in 3 clicks, I had installed 6 updates, as apposed to visiting 6 different sites, navigating through various download menus, downloading all sorts of crap onto my machine from straight applications, to dmgs, and the whole 9 yards. 20 minutes vs 3 clicks ffs.

    No, instead 3 clicks (including clicking on Mac App Store app) and it's all done for me.

    1. Anonymous Coward
      Anonymous Coward

      Not the problem here

      The issue is that the versions being pushed by the automatic updating process are themselves, out of date. Yes, it's only 3 clicks to get the newest version of Opera from the store, but if the latest version is in itself out of date, how does that help anyone?

      Unless you're trying to simultaneously imply that you're both security savvy and too lazy to manually update apps that need updating, which is a little...contradictory.

This topic is closed for new posts.

Other stories you might like