loading...

Spectre & Meltdown: How does this affect mobile apps?

nektro profile image Meghan Denny ・1 min read

I'll be honest, I live in a bit of a Web bubble. While I dabble in other languages, JavaScript is by far what I spend the majority of my time researching. And through that I've read how because of Spectre and Meltdown certain features in web browsers (Chrome, Firefox, Edge, and Safari) are all disabling SharedArrayBuffers (while allow for sharing memory between threads in a web page) as well as making the readings from performance metrics temporarily less specific.

On top of that, Windows, Linux, and macOS have all worked on OS level patches in the mean time.

So I thought I'd ask about Android or iOS since I've seen ARM is affected too.

Discussion

markdown guide
 

There are two variants of the Spectre bug that impact ARM cores. Variant #1 can potentially allow JavaScript to break out of its sandbox and read other memory from the process of the browser. Variant #2 is a lot more difficult to setup but could potentially allow one app to read the data of another. This is theoretical, is very difficult to do in practice and hasn't been shown on an ARM device as far as a I know but there is certainly a risk. See my summary of the bugs at dev.to/__richardt/you-just-need-to... and I also plan to write about the impact to mobile apps in particular.

 

Apple's recommendation is to avoid installing apps from untrusted sources. I guess due to their review process they believe that the apps in the App Store have no exploits. So the only exploitable thing is JavaScript.

Regarding Android, I guess you need to check with the particular vendor because there are many.

P.S. as far as I understood it, Spectre can only access the data of the current process (therefore, it's dangerous for browsers). I may be wrong about it and I have not found the exact answer yet.

P.P.S. Apple has already released mitigations in iOS 11.2, macOS 10.13.2, and tvOS 11.2 to help defend against Meltdown My message is about Spectre.

 

Thanks!

So that's where the slowdowns in iOS came from! hahaha