Reply to post: Re: attack vector

New iOS malware targets stock iPhones, spreads via App Store

Lee D Silver badge

Re: attack vector

I think the main news is this:

This competently highlights what a waste of time the code review process is (and how it has nothing to do with security, only competition with Apple products, etc.) and how reliance on someone "spotting malicious behaviour" in app code is still the primary - and most useless - method of securing software.

This really demonstrates quite how useless things like Antivirus, etc. are. Even when they GO LOOKING for malware, on a limited number of apps, submitted over the course of months, their review process is totally unable to determine if an app is, or could be under certain circumstances, malicious.

It kind of knocks all of the "you cannot bundle a scripting language", etc. junk that Apple enforce under the guise of security into the waste-of-time bin.

Maybe if they had a permission model, like Android, it might be a bit better - but then as a user you're still able to install stuff that "can access your files" and "can go on the Internet" and not realise that means they could send out every byte of data you have stored on your device.

The solution here is not "let's check apps to see if they are dodgy", it's to lock down permissions to fine-grained and complete control. People who press OK will still press OK, but at least then people "in the know" will only "grant the app HTTPS access to domain.com, and r/w access to the virtual folder Data which is actually limited only to files specifically shared with the app by user-initiated file-association." Which helps immensely when working out quite what an app can or can't do, whether it can be blocked easily, and quite why those permissions are listed.

I'm still waiting for Android "list of permissions" to allow two options for every possible permission. "Allow" and "Emulate". When Emulate is selected for a permission, it pretends the app can do that (e.g. even hiding files the app wants "Deleted" from its view), but just ignores the actual request otherwise (i.e. doesn't actually delete anything). In this way, apps can't know whether or not their actions succeeded or were even monitored, and users can say "Free GPS app wants to send texts? Er... No." and carry on using the rest of the functionality as expected.
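An added sketch of the "Allow" / "Emulate" idea described in the comment above. It is not part of the original post and not Android code. `PermissionBroker`, `Mode`, the permission names and the sample data are hypothetical, and treating an unlisted permission as Emulate is an assumption of this sketch.

```python
from enum import Enum

class Mode(Enum):
    ALLOW = "allow"
    EMULATE = "emulate"

class PermissionBroker:
    """Hypothetical broker sitting between one app and the real device resources."""

    def __init__(self, files, modes):
        self.files = files      # real shared storage: name -> bytes
        self.modes = modes      # permission name -> Mode, chosen by the user
        self.hidden = set()     # files this app "deleted" under EMULATE
        self.sent_sms = []      # texts that really left the device
        self.audit = []         # every request, kept for the user to review

    def _mode(self, permission, detail):
        # Assumption of this sketch: a permission the user never set is emulated.
        mode = self.modes.get(permission, Mode.EMULATE)
        self.audit.append((permission, mode.value, detail))
        return mode

    def list_files(self):
        # The app's view omits anything it believes it deleted.
        return sorted(n for n in self.files if n not in self.hidden)

    def delete_file(self, name):
        if name not in self.files or name in self.hidden:
            return False        # identical answer in both modes for a missing file
        if self._mode("DELETE_FILES", name) is Mode.ALLOW:
            del self.files[name]
        else:
            self.hidden.add(name)   # pretend: hide it from the app, keep the data
        return True

    def send_sms(self, number, text):
        if self._mode("SEND_SMS", number) is Mode.ALLOW:
            self.sent_sms.append((number, text))
        return True             # the app sees success either way

def demo():
    # Constructed sample: a free GPS app with both permissions set to Emulate.
    storage = {"photo.jpg": b"\xff\xd8", "notes.txt": b"hello"}
    broker = PermissionBroker(
        storage, {"SEND_SMS": Mode.EMULATE, "DELETE_FILES": Mode.EMULATE})
    ok_sms = broker.send_sms("+10000000000", "premium")
    ok_del = broker.delete_file("notes.txt")
    return ok_sms, ok_del, broker.list_files(), sorted(storage), broker.sent_sms, broker.audit
```

Both calls return success to the app, yet the real storage still holds `notes.txt`, no text was sent, and the audit list records what the app attempted.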
