iOS 5 to Allow Nitro JavaScript in Home Screen Web Apps

Apple introduced the Nitro JavaScript engine in iOS 4.3 to give Mobile Safari a massive boost in speed, however, full-screen webapps on the home screen are unable to take advantage of this extra performance increase in 4.3. According the Charlie Miller (of Pwn2Own fame), the issue is with security and permissions within the OS.

The way code signing works on the iPhone is that only pages [in memory] that come from signed applications can be executable. If an app tries to make a writeable page executable, it cannot. However, for JIT, this is exactly what you’d like to do.

iOS 5 gives home screen webapps the same executable permissions as Mobile Safari, fixing this issue. Sadly, 3rd party app which use the UIWebView are  still unable to use Nitro for the same security concerns. For example, a browser within an app, like some RSS readers or Twitter clients. Graham Lee explains: “…code injection in third-party apps doesn’t just allow Nitro to work, it allows any code injection mechanism to work…“. Of course, such security holes would be wonderful for the Dev-Team, but not-so-good for Apple’s PR department. If Apple does eventually find a middle ground between speed and security, we may see a fancy iOS 5 delta update that allows Nitro in 3rd party apps.

[Ars Technica]

Post a response / What do you think?