DEV Community

Meghan (she/her)

Spectre & Meltdown: How does this affect mobile apps?

I'll be honest, I live in a bit of a Web bubble. While I dabble in other languages, JavaScript is by far what I spend the majority of my time researching. And through that I've read how, because of Spectre and Meltdown, certain features in web browsers (Chrome, Firefox, Edge, and Safari) are all disabling SharedArrayBuffers (which allow for sharing memory between threads in a web page) as well as making the readings from performance metrics temporarily less specific.

On top of that, Windows, Linux, and macOS have all worked on OS-level patches in the meantime.

So I thought I'd ask about Android or iOS since I've seen ARM is affected too.
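The two browser mitigations mentioned in the post (SharedArrayBuffer being disabled and `performance.now()` readings being made less specific) can be checked from a page or from Node with a short script. This is an added example, not part of the original post; `smallestTick`, `mitigationReport` and `quantizedClock` are illustrative names, and the quantized clock is a constructed stand-in for a coarsened timer.

```javascript
// Added example: names below are illustrative, not a browser API.

// Smallest non-zero step seen between consecutive readings of `clock`.
// A coarsened timer reports a larger step than a fine-grained one.
function smallestTick(clock, changes = 50, maxReads = 1e7) {
  let min = Infinity;
  let prev = clock();
  let seen = 0;
  for (let reads = 0; reads < maxReads && seen < changes; reads++) {
    const now = clock();
    if (now !== prev) {
      const step = Math.abs(now - prev);
      if (step < min) min = step;
      prev = now;
      seen++;
    }
  }
  return seen === 0 ? null : min; // null: the clock never advanced
}

// Summarise what the current environment exposes to scripts.
function mitigationReport(env = globalThis) {
  const perf = env.performance;
  const hasNow = Boolean(perf) && typeof perf.now === "function";
  return {
    // false when the browser has removed the shared-memory primitive
    sharedArrayBuffer: typeof env.SharedArrayBuffer === "function",
    // observed timer step in milliseconds, or null if no usable clock
    timerStepMs: hasNow ? smallestTick(() => perf.now()) : null,
  };
}

// Constructed clock: real time advances 0.25 ms per read, but readings
// are rounded down to a multiple of `stepMs`, as a coarsened timer would be.
function quantizedClock(stepMs) {
  let t = 0;
  return () => {
    t += 0.25;
    return Math.floor(t / stepMs) * stepMs;
  };
}

console.log("this environment:", mitigationReport());
console.log("constructed 2 ms clock:", smallestTick(quantizedClock(2)));
```
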

Top comments (3)

Alex Rudenko • Edited

Apple's recommendation is to avoid installing apps from untrusted sources. I guess due to their review process they believe that the apps in the App Store have no exploits. So the only exploitable thing is JavaScript.

Regarding Android, I guess you need to check with the particular vendor because there are many.

P.S. as far as I understood it, Spectre can only access the data of the current process (therefore, it's dangerous for browsers). I may be wrong about it and I have not found the exact answer yet.

P.P.S. Apple has already released mitigations in iOS 11.2, macOS 10.13.2, and tvOS 11.2 to help defend against Meltdown. My message is about Spectre.

Meghan (she/her)

Thanks!

So that's where the slowdowns in iOS came from! hahaha

Richard Taylor

There are two variants of the Spectre bug that impact ARM cores. Variant #1 can potentially allow JavaScript to break out of its sandbox and read other memory from the process of the browser. Variant #2 is a lot more difficult to set up but could potentially allow one app to read the data of another. This is theoretical, is very difficult to do in practice, and hasn't been shown on an ARM device as far as I know, but there is certainly a risk. See my summary of the bugs at dev.to/__richardt/you-just-need-to... and I also plan to write about the impact to mobile apps in particular.