Tuesday, January 14, 2020

The Security of Safari Extensions

Jeff Johnson:

Every Safari extension that runs JavaScript — in other words, almost every Safari extension — will have these same warnings, so what are users supposed to do with the warnings? Avoid Safari extensions entirely? Then why does Apple provide a developer API for Safari extensions, if they aren’t meant to be used? Why are Safari extensions available in the Mac App Store? Why does Apple advertise that they’re available in the Mac App Store? You get the feeling that different teams within Apple are not on the same page here, and they’re giving unhelpful mixed messages to users.

[…]

In general, my view is that you shouldn’t install software on your Mac unless you trust the developer. You can’t rely on the system to protect you from malicious software, because there are always vulnerabilities and ways to get around the system.

It’s a recurring theme. Without the scary warning, Apple gets blamed for any problems. With the warning, developers blame Apple for scaring customers away from their products, and if anything bad happens everyone blames the customer for ignoring the warning that they had no way to evaluate.

Previously:

8 Comments RSS · Twitter

Kevin Schumacher

I realize this is not the focus of the article here, but did he need to spend half a paragraph first claiming his restricted license Safari extension is "open source"* but since it's copyrighted** it would be "very illegal" to distribute it and he will "prosecute violations with extreme prejudice"***?

There's so much wrong with just that paragraph that it makes me question why anybody's bothering to listen to anything else he has to say. (Yeah, he's not wrong about the rest of it, but it's still curious.)

* It's not, it's visible source due to the nature of JavaScript and app bundles.
** Nearly all software is, including most open source; the license dictates what rights you have, and you don't have any rights for his software aside from running it yourself.
*** Extremely unlikely unless he makes a lot more from it than he lets on, given the cost of a copyright lawsuit, even from the plaintiff's side.

Kevin, it shouldn't be surprising that I'm worried about people appropriating my source code after I told everyone exactly where to find it. Your comment is bad, and you should feel bad.

Kevin should not feel bad, Jeff. I appreciate that you are protective of your source code, but that paragraph in your essay reads as oddly aggressive and needlessly distracts from the point you're making, and wouldn't be necessary in the first place if you didn't initially claim that your code was open source, which, as Kevin points out, it is only if one uses a definition of "open source" that is very different from most people's.

Saying that "JavaScript that gets loaded into web pages is open source" just isn't true. Also, saying something along the lines of "my code is copyrighted, so distributing it without permission is illegal" is also an odd thing to say, since all code, including open-sourced code, is copyrighted (with some small exceptions in some specific countries). Open-source licenses depend on copyright laws; they would not be enforcable if the code they cover wasn't copyrighted.

And finally, code theft isn't an actual problem to begin with, since a product's existing, written code represents only a tiny portion of that product's value. It just doesn't make sense to steal other people's code, apart from very specific situations (typically, when code theft occurs, the intention is not to sell it, but to do something like analyze it to find security issues).

To be clear, you should *also* not feel bad. Your article makes an important point, and I appreciate that you wrote it.

Lukas, it's ok if you found the paragraph a little distracting — I did intend it to be somewhat aggressive — and I appreciate that you said "Your article makes an important point", but keep in mind that Kevin said "it makes me question why anybody's bothering to listen to anything else he has to say", which is a ridiculously exaggerated criticism. I literally said "open source, in a sense". In other words, to be interpreted very broadly. I find it overly pedantic to argue whether I should have said "open source" or "visible source".

I disagree strongly that code theft isn't an actual problem. Over my career I've seen many instances of it, including in the App Store. Some violations have been reported to Apple, but Apple doesn't care about anyone's intellectual property but their own. Even when there's an open source projects with a quite permissive license, requiring only attribution, developers *still* violate those licenses.

Sure, open source licenses are violated all the time, but that's almost always a result of ignorance, not malice. People use open-source code in their apps under the assumption that they are using the code as intended by the developer or license holder. That's quite different from stealing somebody's commercially licensed code.

I'm sure there are examples of people actually stealing somebody else's commercial code and selling an application based on that code as their own, but it's rare enough that I can't think of a single instance. Maybe Silicon Knights? But even that is kind of a grey area. Code per se generally has very little value. The value is in the ability to maintain the code, and to legally own and sell products based on it.

Kevin Schumacher

I realize this is like three weeks later. I honestly forgot I made my earlier comment. Lukas, thanks for jumping in and reinforcing my point.

> I find it overly pedantic to argue whether I should have said "open source" or "visible source".

Jeff, words have meaning. Pedantry would be if you said visible source and I took issue with that because you technically can't see the source until you right-click on the bundle, choose View Contents, etc. etc. Misusing a term of art, even with the "in a sense" modifier, is a problem when you are making an argument that flies in the face of it. (By this I mean, many open source licenses allow a licensee to make derivative products, sell the derivative products or even the original product, and so forth, so long as the original source code is provided. By using the term open source and threatening lawsuits for people who "take your code," -- by which I assume you mean try to resell or make derivative products from it -- in the same breath, you're creating cognitive dissonance.)

As far as people stealing your code, I'm not suggesting you should have zero concern about it. I'm suggesting that taking a narrative left turn to not only mention it, but then get oddly aggressive about it while using a term in a very different way than the vast majority of people understand that term (again, even with the modifier), in the middle of what is basically an unrelated article strongly detracts from whatever value the rest of your article should be giving and detracts from the opinion of you being formed by someone whose first interaction with you is that article.

Hey Jeff, I appreciate your ariticle about the security. As of right now, besides scrambling through the source code or the injections, is there any other way of determining malignant js codes that come with extensions?

"As of right now, besides scrambling through the source code or the injections, is there any other way of determining malignant js codes that come with extensions?"

Not really. In my opinion, the best way to find trustworthy software is and has always been through recommendations from knowledgeable people you know, either personally or in the tech media.

Leave a Comment