Re: Application Security...
  • Subject: Re: Application Security...
  • From: publiclook <email@hidden>
  • Date: Tue, 18 Feb 2003 19:19:59 -0500

On Tuesday, February 18, 2003, at 06:16 PM, Salter, Adam Q wrote:

> Is Cocoa really secure?

To the extent that the underlying Unix/Darwin is secure... maybe.

> I mean I'm starting to realise that Cocoa is built as a loosely
> interconnected series of objects. It allows for fantastic modifications
> (Unsanity APE), but doesn't it also mean that no Object can be sure of the
> security of any other object?

More or less yes.

> What is to stop a malicious programmer from writing an object to masquerade
> as internal to my application and I then pass authority/information to it?

Your application normally can not pass any more authority to an object than you have as the user running the application.

> It just seems to me that no object can be sure:
> A. it is not being observed.

Any object can be observed by either tapping into the Objective-C run-time or by a dynamically loaded object... See input servers or something like that always loaded into Cocoa programs.

> B. it is really talking to another "secure" object (System internal or
> application internal)

Objects are not secure. Logins are secure. The objects in the applications you use can't do anything that you don't have authorization to do.

> And similar question:
> C. Can other applications just pick the data from inside your apps object?

More or less yes.

> Feel free to correct me here,
> Adam
> Ps I understand that object transparency is advantageous in most
> circumstances...


"Cocoa Programming" has a section on security and authorization. It basically says that Objective-C and Cocoa are not suitable for writing applications that have more authority than the user running them. These are called uid applications or something.

You can always write a small tool that actually does secure things and call the tool from a Cocoa application. I wouldn't write sendmail in Objective-C/Cocoa.
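
An added example, not part of the original message or of any Apple code: a sketch in C of the "small tool" arrangement described above, in which the helper treats the calling GUI application as untrusted. It assumes a hypothetical helper installed setuid root; the operation names and argument rules are made up for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Hypothetical operations; the helper performs nothing outside this list. */
static const char *const ALLOWED_OPS[] = { "restart-service", "rotate-log" };

/* Accept only a short name made of [a-z0-9-]: no paths, no shell metacharacters. */
int valid_target(const char *s) {
    size_t n = s ? strlen(s) : 0;
    if (n == 0 || n > 32) return 0;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)s[i];
        if (!(islower(c) || isdigit(c) || c == '-')) return 0;
    }
    return 1;
}

/* Return the allowlist index of the requested operation, or -1 to reject.
 * Everything in argv comes from the GUI process and is untrusted. */
int check_request(int argc, char *const argv[]) {
    if (argc != 3 || !argv[1] || !valid_target(argv[2])) return -1;
    for (size_t i = 0; i < sizeof ALLOWED_OPS / sizeof *ALLOWED_OPS; i++)
        if (strcmp(argv[1], ALLOWED_OPS[i]) == 0) return (int)i;
    return -1;
}

/* Permanently return to the invoking user's ids (group first, then user)
 * and confirm that root cannot be regained afterwards. */
int drop_privileges(void) {
    uid_t ruid = getuid();
    gid_t rgid = getgid();
    if (setgid(rgid) != 0 || setuid(ruid) != 0) return -1;
    if (ruid != 0 && setuid(0) == 0) return -1;
    return 0;
}

int main(int argc, char *argv[]) {
    int op = check_request(argc, argv);
    if (op < 0) { fputs("request rejected\n", stderr); return 2; }
    /* The one privileged step for ALLOWED_OPS[op] runs here; privileges
     * are dropped before any further work such as reporting back. */
    if (drop_privileges() != 0) return 3;
    printf("performed %s on %s\n", ALLOWED_OPS[op], argv[2]);
    return 0;
}
```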