Allow or Deny
Native iPhone apps have the ability to get a user’s location. Whenever an app tries to do this, a popup comes on screen asking whether you would like to allow or deny this application’s ability to get your location.
Similarly, Flash has the ability to use your camera. Whenever a web site tries to do this, a popup comes on screen asking whether you would like to allow or deny this website’s ability to use your camera.
Apple, thus far, has not exposed javascript APIs that allow a website to gain access to a user’s location or camera. It has been thought for a while that some things should just be off limits to a web page. Applications are installed and therefore the user has taken a distinct action to access it. This is in contrast to clicking a link and visiting a site.
But here’s the thing. Apple and Adobe (through AIR), have made it so easy to install applications that it pretty much is one click at this point. If Apple exposed a location API to web sites through javascript, you can bet that it would have the same ‘allow or deny’ popup that the native apps have. So is there really a security concern here?
The next version of Flash (version 10) will have direct access to the bytes of a file if a user chooses it in a dialog box. This is not direct access to the file system. It is popping up an ‘allow or deny’ like box that will give the user a choice. Adobe is clearly pushing in the direction of providing more access to web developers. I believe Apple will end up doing the same in the iPhone. Eventaully, web sites will have access to everything a native app does. And the security model will be ‘Allow or Deny’.
