Apple cracks down on iOS terminal apps because they can download code

iSH spared for now, but what will happen to a-Shell?

Two iOS terminal applications popular with developers – a-Shell and iSH – have run into problems with Apple, which has said they breach its App Store Review Guidelines, though iSH has been spared deletion after an appeal.

The iSH application is an open-source Linux shell for iOS using an x86 emulator, and at the time of writing is at number 2 in the App Store Developer Tools chart. Tutorials on the wiki include instructions for installing PHP, running an SSL server and Ruby programs, installing the R statistics project, installing a Python web server, and more. The wiki also warns that "much of the emulation is still not finished, and many programs will fail."

Another terminal application, called a-Shell and currently at number 7 in the Developer Tools chart, is a long-established utility that runs most Unix commands on iOS and also allows coding or executing Python, Lua, JavaScript, C, and C++ programs. In the case of C/C++, compilation is to WebAssembly. Python developers can use pip install to add Python packages.

These are powerful tools for developers as well as being handy for something as simple as performing a ping to check network connectivity. They are also running into problems with Apple thanks to clause 2.5.2 in its App Store Review Guidelines, which states: "Apps should be self-contained in their bundles, and may not read or write data outside the designated container area, nor may they download, install, or execute code which introduces or changes features or functionality of the app, including other apps." Apple does make an exception for "educational apps designed to teach, develop, or allow students to test executable code."

iSH developer Theodore Dubois has long been aware that his application may breach Apple's guidelines. He first submitted iSH in May this year, but it was rejected on the grounds that it "allows the user to install Linux executable code." He discussed the matter with someone at Apple during the company's WWDC developer event, and learned that removing a package manager called apk (Alpine Package Manager) might or might not get it through. Apk was removed and success! "We submitted this on October 20, it was approved the next day, and we launched on the 22nd," said Dubois.

Not so fast. A few days later, Apple called to say it had found wget in the application, which downloads files from the internet, and that this was in effect also a package manager (perhaps because users had worked out how to use wget to restore apk).

Dubois said: "The nature of iSH meant that this problem was fundamental, as users can always add back functionality that we remove." The app was set to be removed from the App Store, but some social media fuss ensued, and Apple relented. "They apologized for the experience we had, then told us they've accepted our appeal and won't be removing iSH from the store tomorrow. We'll stay in contact with them to work out details," said the iSH team.

In the meantime, the a-Shell developers popped up to say: "Apple sent a-Shell a similar notice of termination a few days ago. Our appeal is still pending. The commands we would have to remove to stay in the AppStore are curl, pip and wasm." Curl is another command that is able to download files.

When will a-Shell be removed if the appeal is unsuccessful? "Our 2 weeks delay started later, and is suspended while the app is undergoing an extensive review," said the team.

Why has Apple done this?

There are several reasons for the 2.5.2 restriction. Apple cannot review an application for security or conformance with other guidelines if it is in effect a runtime that might download and run any arbitrary code. The company is also keen to prevent alternatives to its own official App Store, and to protect its 30 per cent fee for transactions made through in-app purchases – this is the subject of a long-running dispute with Epic Games.

In practice, there seems to be some leeway. The question of what is and is not an "educational app" is somewhat subjective, and a question now is why iSH might be considered OK but a-Shell not. "Why are lli, Python, Lua and TeX good, but not wasm?" asked a Twitter commenter, the reply from a-Shell being: "I have no idea. I don't think they noticed the others."

Despite the apparent power of these shell environments, they are sandboxed just like any other iOS application. Saagar Jha from the iSH team argued that "scripting applications" should be allowed. "We can distinguish a scripting application from a normal app that is trying to update its app logic by downloading code quite easily: a scripting application keeps a clear boundary between its native runtime and the scripts that run on top of it, and it also allows users to freely edit scripts."

The key thing is not so much Apple's Review Guidelines but whether Apple chooses to allow or block a specific application. The appeal process is not transparent and Dubois complained: "I and the other iSH contributors have had an incredibly stressful fourteen days as we tried to bend over backwards to meet Apple's arbitrary scheduling while also juggling our full-time jobs."

These applications target developers and administrators, for whom they make iOS a more useful environment, so Apple will be aware not only of bad publicity from blocking highly valued utilities, but also that it risks making its iGadgets less attractive to an influential section of the market. ®

Biting the hand that feeds IT © 1998–2022