Homebrew malware for everyone with Xcode 7?

It looks like Apple, with Xcode 7, has made it possible for everyone to develop and test apps. If you don’t need your app to be in the App Store, you no longer need an Apple Developer Program membership to deploy your own apps to your own iOS devices from Xcode.

I don’t believe this will lead to app “piracy”, as some other blogs have suggested. To deploy apps to your own devices, you’ll need the source code first of all. (Although I could imagine some sort of .ipa loader app becoming popular, but that’s another story.)

However, what I think is going to happen is this: On Android, besides the malware that’s in the Play Store due to less strict guidelines and reviews, it’s possible to install any kind of app, possibly with malicious contents, if “allow applications from unknown sources” is enabled.

This feature didn’t exist on iOS yet, and it didn’t exist for a reason.

There is, however, demand for apps that get rejected by Apple for one reason or another — GameBoy emulators, file browsers, you name it.

The possibility to deploy apps to your iPhone is going to be the “allow applications from unknown sources” for iOS. Although the majority of users won’t use Xcode to make their own iPhone apps, they’ll use it as a way to install apps. App developers can offer their apps’ Xcode projects for download from a website, with a simple AppleScript that handles all the deploying for you. Once Xcode is installed and set up to work with an iPhone, all the user will have to do is download something and double-click it.

Technically, the same thing would’ve been possible before Apple made private testing free. However, this new rule opens that opportunity for millions of users who aren’t part of the Apple Developer Program.

Or, to put it in different words:

There would be 99% less malware on Android if it cost $99 per year to “allow applications from trusted sources”.

The non-developer iPhone user who wants to install a GameBoy emulator will simply go to a website, download a bundle that contains the source files of the software and a script that will deploy it to the iPhone (it could even be an app bundle). This causes the problem that the software might contain malware.

Developers, of course, usually know what they’re doing. But when non-techies just want to run an application, they are not going to look at what they’re actually compiling.
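
One way to look at a downloaded bundle before building it, as an added example that is not from the original post: a Python script that lists the parts that execute on the Mac or cannot be read as source, including "Run Script" build phases stored in `project.pbxproj`. The extension lists and the sample bundle (`Emulator.xcodeproj`, `install.applescript`, `libcore.a`) are assumptions constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

# Assumed extension lists; extend them for your environment.
SCRIPT_EXT = {".sh", ".command", ".scpt", ".applescript", ".py", ".rb"}
BINARY_EXT = {".a", ".dylib", ".framework", ".ipa", ".app"}
# A "Run Script" build phase in project.pbxproj is executed on the Mac by Xcode
# during the build, before anything reaches the phone.
PHASE_RE = re.compile(
    r'isa = PBXShellScriptBuildPhase;.*?shellScript = "((?:[^"\\]|\\.)*)";', re.S)

def audit_bundle(root):
    """Return (kind, relative path, detail) tuples worth reading before building."""
    root, findings = Path(root), []
    for p in sorted(root.rglob("*")):
        rel, ext = p.relative_to(root).as_posix(), p.suffix.lower()
        if ext in BINARY_EXT:
            findings.append(("prebuilt-binary", rel, "ships without reviewable source"))
        elif p.is_file() and ext in SCRIPT_EXT:
            findings.append(("script", rel, "runs on the Mac when launched"))
        elif p.is_file() and p.name == "project.pbxproj":
            for m in PHASE_RE.finditer(p.read_text(errors="replace")):
                # Simplified unescape of the two escapes most common in pbxproj strings.
                body = m.group(1).replace("\\n", "\n").replace('\\"', '"')
                findings.append(("build-phase-script", rel, body))
    return findings

def make_sample(root):
    """Write a constructed download bundle (all names invented) under root."""
    root = Path(root)
    proj = root / "Emulator.xcodeproj"
    proj.mkdir(parents=True)
    (proj / "project.pbxproj").write_text(
        "A1 /* Run Script */ = {\n\tisa = PBXShellScriptBuildPhase;\n"
        "\tshellPath = /bin/sh;\n"
        '\tshellScript = "echo \\"constructed step\\"\\nexit 0";\n};\n')
    (root / "install.applescript").write_text('display dialog "constructed"\n')
    (root / "libcore.a").write_bytes(b"!<arch>\n")
    (root / "main.m").write_text("int main(void) { return 0; }\n")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        make_sample(tmp)
        for kind, path, detail in audit_bundle(tmp):
            print(f"{kind:20} {path}\n    {detail!r}")
```

An empty result only means nothing matched these patterns; the source files themselves still need reading.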

Although it may sound absurd, I’d like Apple to make that process a bit more complex and/or expensive. Having to sign up for a developer program is going to repel kids who would otherwise load their iPhones with malware and then complain that iOS is insecure.

Unfortunately, in a couple of months, the mainstream news will be full of stories about iOS being insecure.

And just like mainstream users not bothering to look at the source code of what they’re compiling, they won’t bother to look at why their iOS devices became insecure in the first place.
