Hacker News new | past | comments | ask | show | jobs | submit login

One of the reasons for why Apple disallowed third-party browser engines is because Mobile Safari alone is allowed to use a JavaScript JIT, ostensibly for security reasons. This is why Firefox on Safari uses WebKit, and why Chrome must rely on iOS's stock webviews rather than Blink's own JIT. Mobile Safari has this via the dynamic-codesigning entitlement.

Further reading:

https://saagarjha.com/blog/2020/02/23/jailed-just-in-time-co...

Discussion: https://news.ycombinator.com/item?id=22401146




The actual reason is rule 2.5.6 from the App Store review guidelines:

> 2.5.6 Apps that browse the web must use the appropriate WebKit framework and WebKit Javascript.

Sure, if Apple does the predictable thing and allows JIT compilation only for WebKit-based browsers, questions will be asked. But so far it has been impossible for anyone to just accept that tradeoff and publish a browser with their own engine anyway.


This is really the big reason. IOS blocks applications from running dynamic code. The kernel is immutable and replaced on every update, and safeguarding the JS engine is a huge benefit of controlling the OS. Antivirus's really struggle with this on PC because of all the dynamic code being ran that they can't really enforce things like code signing, requiring executable code to be mapped to the disk, etc.

This is going to make everyones phone ALOT less secure. There's a reason android malware and hacks are a big issue and there's almost none on IOS, as the footprint is so low due to things like this.


> There's a reason android malware and hacks are a big issue and there's almost none on IOS, as the footprint is so low due to things like this.

Actually, iOS exploits are cheaper than Android exploits because iOS exploits are so plentiful in comparison[1][2].

[1] https://www.theregister.com/2020/05/14/zerodium_ios_flaws/

[2] http://zerodium.com/program.html


Are they still? The first article is about iOS 13.


Apple is by far the most secure, which is why you rarely see kernel exploits and the market for IOS security researchers are in high demand. While the market for android researchers are hot, it's luke warm in comparison. Even in IOS 13, meaningful iphone exploits are hard to come by, while android it's like candy.

Key point, it's going to be difficult to find a way to unlock the bootloader on an Iphone, or a root on modern versions of IOS. Meanwhile you can buy a android phone day 1 and load your own bootloader and get code running in the kernel. This is exactly what a malicious application does. The security boundaries of apps are pretty strong on both OS's, but Apple makes sure apps can't violate that.


Regardless of the validity of restricting JIT I'm sure many people would be happy having slower JS if they could use different browser engines.


It's possible that faster browser engines could be created, if potentially less secure. It would at least introduce more competitiveness into this space on iOS.


“normal” people would pick a slower browser? Why would they do that, for any normal person reason?


It's not a "slower" browser if it's the only browser that works on sites not supported by safari.


I don't see the word "normal" in my comment but judging by their behavior with Windows and Chrome: yes, they will pick whatever works.




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: