Sidebar Sidebar
Become a MacRumors Supporter for $50/year with no ads, ability to filter front page stories, and private forums.

I've Inadvertantly Created Malware for the iPhone!

bdj21ya

bdj21ya

macrumors 6502a
Original poster
Sep 13, 2006
559
0
So while working on my first web app for the iPhone (should be released here in a couple days) I found a rather annoying security bug in the way the iPhone handles javascript prompts. If you set an infinite loop to call the prompt function, the iPhone continuously pops up prompts, which blocks your ability to navigate to another web page in any way, because Apple has made no other controls available while the prompt is showing.

The only way out? Restart the iPhone.
 
couldn't you hit the home button to go back to the home screen? and i believe there's a force quit option for the apps that are running.

and this isn't iPhone specific, if you put a javascript:alert() inside an infinite loop in any browser you can't close the browser without doing a force quit.

...and how exactly is that malware? it doesn't do anything destructive.
 
It's considered malware because it creates a situation which the user cannot stop... however this is pretty much like the endless popup ads on windows :apple:
 
When you hit the home button it goes to home, but then when I went back into Safari, it was still on the same page, and none of the buttons (back, bookmarks, tabs) would respond, so yeah, it is an annoying vulnerability.
 
it's not a vulnerability, it's bad coding. it happens in every single web browser on every platform that has javascript enabled. if you run this on any browser, you can't do anything in the browser until you force quit (or kill, or end process, or whatever your OS calls it):
Code: 
<body onload="killerloop();">

</body>
<script language="javascript">
function killerloop()
{
     alert("isn't this annoying");
     setTimeout("killerloop()", 100);
}
</script>
 
With a regular browser you can force quit the browser session. Here that does not seem to be possible. I think that is what bdj21ya is getting at. If you visit a page with such code, you will have to reboot your iPhone...I think that is the implication which is bad.
 
Or possibly find a link in say, an Email, that opens a new browser "window," and then close out the other one? Haven't tested.
 
dangleheart said:
With a regular browser you can force quit the browser session. Here that does not seem to be possible. I think that is what bdj21ya is getting at. If you visit a page with such code, you will have to reboot your iPhone...I think that is the implication which is bad.
Click to expand...

Thank you, that is exactly what I mean. It is frustrating that you cannot shut down the program, but rather have to restart the whole device. They ought to make some way around this.
 
switchy said:
Or possibly find a link in say, an Email, that opens a new browser "window," and then close out the other one? Haven't tested.
Click to expand...

I haven't tried either, but you might have something there, since it would open up to another page first. I'd still guess no though, anyone try this out?
 
yes, the instructions for force-quitting an app are in the iPhone User Guide, p. 110:

If iPhone won’t turn on, or if the display freezes or doesn’t respond:
Press and hold the Home button below the screen for at least six seconds, until the application you were using quits.


edit: OP - you do realize you've shot yourself in the foot as far any anyone reading this thread even trying your new app?
 
from my experience if you select home and then safari again, safari will reload the page, that should make it possible for you to close the window/enter in a new URL before the script gets loaded.
 
gr8tfly said:
yes, the instructions for force-quitting an app are in the iPhone User Guide, p. 110:

If iPhone won’t turn on, or if the display freezes or doesn’t respond:
Press and hold the Home button below the screen for at least six seconds, until the application you were using quits.


edit: OP - you do realize you've shot yourself in the foot as far any anyone reading this thread even trying your new app?
Click to expand...

I'm not too worried about that. In it's final form, the App will be beautiful and perform a very useful function for me. (If you're wondering, it will be an app that splits a restaurant bill by item for you or allows you to share an item, set the tip rate and tax rate). When I go out to eat, I like to pay for what I ate and make sure things are fair. I'm sure it will be useful for others too.

Besides, apparently I just needed to read the user manual, AND you can trust there will be no infinite loops in the release app.
 
synth3tik said:
from my experience if you select home and then safari again, safari will reload the page, that should make it possible for you to close the window/enter in a new URL before the script gets loaded.
Click to expand...

Yeah, in this case it wouldn't do that, not that I'm really interested in trying it. One great thing we've learned from me sharing this info is how to force quit apps. Anyone try this yet?
 
bdj21ya said:
I'm not too worried about that. In it's final form, the App will be beautiful and perform a very useful function for me. (If you're wondering, it will be an app that splits a restaurant bill by item for you or allows you to share an item, set the tip rate and tax rate). When I go out to eat, I like to pay for what I ate and make sure things are fair. I'm sure it will be useful for others too.

Besides, apparently I just needed to read the user manual, AND you can trust there will be no infinite loops in the release app.
Click to expand...

I'm pretty sure it won't, but I just meant if your current user name is tied to it some readers might have lost trust. I'm personally pretty convinced you were just doing an experiment.
 
gr8tfly said:
I'm pretty sure it won't, but I just meant if your current user name is tied to it some readers might have lost trust. I'm personally pretty convinced you were just doing an experiment.
Click to expand...

Actually, I was just working on error checking for the input. I was looping so it would keep prompting you if you entered invalid input. However, my while loop condition had been written incorrectly, so it was an infinite loop.

I've now tested the method of holding the home button to end an app. It works great! Thanks for the tip on force quitting apps!
 
You must log in or register to reply here.
Register on MacRumors! This sidebar will go away, and you'll see fewer ads.
Top Bottom
Back