Mobile LC Apps Downloading Stacks After installation

[Mark Waddingham]

On 2017-08-11 12:20, Jonathan Lynch via use-livecode wrote:
> I know the reviewers at app stores are not always careful, but
> something like an LC player would surely get their notice.

Review, from my understanding, is heavily automated (it has to be - if 
you think of the scale of the App Stores these days). However, there is 
always a means to get in contact with a human about specific issues 
(which can take a while to get escalated with someone who can actually 
do something - but at least it is possible).

> They do allow us to import JS, but JS is way more sandboxed than LC.

Yes - this is true - however, as I noticed this morning Apple no longer 
have their advisory about allowing arbitrary JS to be downloaded and run 
within a WebView. This is simply because you can could build a host app 
which gives access to every single OS
API on iOS and make all of them callable from JS (even if the JS bundled 
with the app does not use any of it).

So, the point is the language is not the point - what the code running 
in the language does is important.

Like Google, Apple are wanting to know precisely what OS APIs your app 
is calling at the point of review - so they have some idea of the 
surface area of attack for any malicious intent. How much analysis they 
currently do, no-one really knows - however the guidelines means that 
(in principal) they have reasons to pull any apps very quickly if they 
find that they are doing something which is 'not allowed'.

Warmest Regards,

Mark.

-- 
Mark Waddingham ~ mark at livecode.com ~ http://www.livecode.com/
LiveCode: Everyone can create apps