Apple's highly restricted app store is a blade that cuts two ways. Fans of the high-tech gear buy into a secure "walled garden," where they have the perception that malware will never infest their iPhones, unlike those "riskier" Android devices. Friday's news of an App Store tethering app hidden inside a random number generator app proved for the umpteenth time it is possible to sneak one past Apple. Other apps with trojans, I mean, hidden features have made it past Apple in the past. (But, what is "trojan" other than "hidden?") How long will it be until the hidden feature really is malicious? Is Apple's vaunted walled garden nothing more than an illusion?
Security is never an "on/off" concept. We all know that it's about due diligence, and that there are tradeoffs between convenience and security. In Apple's case, we must surmise that if the App Store really did significant code review prior to posting, it might introduce unacceptable delay to App Store postings. Fair enough, and Apple does deserve a tip of the hat when it comes to its track record of iOS malware versus its biggest competitor, the Google Android platform. But, with Google introducing its new "Bouncer" service, which automates the search for suspicious behavior in apps, I think that Apple's central premise, that is, that Apple requires massive control over what features are in apps, will come under fire.
If app developers can sneak one past Apple, it would appear that one of Apple's central arguments--that their Draconian app practices are required to provide security--is flawed. Sure, Apple has now taken down the iRandomizer app (following the publicity), but the fact that the app made it in there shows that the walled garden has lots of holes in it.
By the way, we contacted the iRandomizer app's creator and asked whether Apple took action other than pulling the app. "No comment on that," wrote Nick Kramer in an email. "I designed the feature for family and friends, I should have pulled the app when it was discovered. Apple did what they had to do. Hopefully, in the near future Apple will begin allowing tethering apps into the U.S. App Store. If they did, the number of developers putting hidden features into their apps and users who jailbreak their iPhones would drop tremendously," said Kramer.
I will admit, I've never been a huge fan of Apple's walled garden. I love the fact that Apple, not the carriers, is the provider of the apps on the phone. This reduces "app crap". But the walled garden itself? Apple's strong arm on virtual machines, which rule out Flash and emulators? Totally unnecessary.
Fans of the Apple platform, including myself, have said that, in the field, iOS-based mobile devices tend to have fewer support calls associated with them than the equivalent Android platforms. But I'm not so sure that the walled garden can take credit for this. I think it's more of the classic Apple control-over-the-hardware and control-over-the-OS that can take credit for that. Safer? Mostly, but not "totally safe."
And, in terms of functionality, a jailbroken phone can be MORE functional than a non-jailbroken phone. Case in point: As an iPhone user, I'd love to save off some of my voicemails as files. If I had a jailbroken phone, I could save HOURS of voicemails off in about 30 seconds. Because I have not jailbroken my phone, I would need to hook an audio plug up to my phone, then manually record those voicemails. If I wanted to permanently capture all of the meaningful messages that I've received over the years, it would be a significant expenditure of time.
Innovation sometimes requires going outside the vision of what the platform designer intended. Witness the Air Force supercomputer built out of PS3 game consoles, a vision far beyond that which Sony had in mind.
So, while I think that CIOs have a stake in the game when it comes to security, I am not at all sure that the massive one-sided restrictions on platform use that come along with the walled garden are a plus for enterprise IT. And again, it is becoming clear that the walled garden doesn't necessarily offer apps that are completely vetted, so that so-called value proposition flies out the window.
But the question of whether the walled garden is a good thing may be out of the hands of CIOs soon; the question is now, should our system of government support mandatory walled gardens by making it illegal to jailbreak from that walled garden? Because of the Digital Millennium Copyright Act, it didn't use to be legal to jailbreak an iPhone. Then, copyright officials made an exemption to the DMCA to allow jailbreaking of phones. This exemption comes up for renewal soon, and the comment period expires next week.
Bunnie Huang, a jailbreaking champion and Xbox hacker, says, in a letter to the Feds, "users of these products benefit from the flexibility to choose their own operating systems and run independently developed software. We need the law to catch up with how people are using technology. Jailbreaking is helping to make technology better, more secure, and more flexible." Most jailbreakers and jailbreaking researchers like the Dev-Team act responsibly. In fact, they take pains to let users know how to patch existing vulnerabilities in iOS that Apple may not have patched yet.
I am well aware of the risks that come along with jailbreaking. I don't have a jailbroken iPhone. But, as a matter of pragmatics, I have seen many IT problems over the years solved via custom code and/or the use of a device in a way that the original manufacturer did not intend. I am also significantly concerned about HOW the walled garden is being used. Specifically, it appears that the walled garden is going to be used for planned obsolescence. That translates into cost for my organization. The walled garden means single supplier, which means monopoly. Legal jailbreaking means the breaking of the monopoly. It means an opening for third party suppliers.
Third party suppliers are healthy for competition. If, for example, Rimini Street (a third party support provider for ERP) was breaking the law by maintaining ERP systems, you can bet your bottom dollar that ERP maintenance would go up, up, up.
So, on this one, I'm actually with the jailbreakers. Apple had its chance to show us that they could have a 100% capture rate on undesirable or forbidden apps. Apple failed. And, to be fair, anybody would fail, because it's just not possible to have 100% security. But this also means that it's just unacceptable to trade flexibility and/or to sustain a monopoly to continue the illusion of 100% security--in that innovation-free box canyon that they call a walled garden.