Steve Jobs’ recent comments about the refusal to use Adobe Flash on Apple mobile platforms have gotten some notoriety in the technical world. Although Adobe CEO Shantanu Narayen has provided a response, the debate has led to some QNX customers asking if there are issues that would impact their embedded system designs that use Adobe Flash or the QNX Aviage HMI Suite. There are not. This letter will address the concerns raised by Mr. Jobs about the suitability of using Adobe Flash.
- “Flash is a closed system.”
Mr. Jobs describes Adobe Flash as being “100% proprietary”, “only available from Adobe, and Adobe has sole authority as to their future enhancement, pricing, etc.”, and further comments about Adobe being closed. However, that language would also describe the situation created by Apple. Apple controls the OS, the development tools, the development machines, the app store, the application approval process, and even the language used to create applications. Objective-C is not used in any other environment besides Apple and is defined by Apple, just like ActionScript from Adobe. In themselves, these facts are not an issue, since both companies develop and promote both proprietary and open portions of their technology portfolio.
However, Mr. Jobs goes on to talk about how Adobe Flash products are “available only from Adobe.” Whereas this statement is in fact true for Apple’s development products, it is not true for Adobe. Adobe has published the definitions of the language, APIs, file formats and more. In addition to the Adobe tools, there are a number of open source tools that are created and used by Flash developers, like the Adobe Flex SDK and FlashDevelop (Flash IDEs), MTASC (Flash compiler), Ming (Flash library), Gnash (a GNU swf player) and Tamarin (a Flash VM with JIT). Unlike the Apple environment, developers are able to do Flash development using open source and community tools, which is contrary to the “closed” stance that Mr. Jobs has mistakenly communicated.
- “Symantec recently highlighted Flash for having one of the worst security records in 2009.”
Contrary to Mr. Jobs’ statement, the Symantec report he refers to does not claim that Flash has one of the worst security records. Rather, it points out that the broader the software availability, the more likely that exploits will be attempted against that software. More specifically, the report notes:
“Because [IE and PDF] technologies are widely deployed, it is likely that attackers are targeting them to compromise the largest number of computers possible. Of the Web browsers analyzed by Symantec in 2009, Mozilla® Firefox® had the most reported vulnerabilities, with 169, while Internet Explorer had just 45, yet Internet Explorer was still the most attacked browser. This shows that attacks on software are not necessarily based on the number of vulnerabilities in a piece of software, but on its market share and the availability of exploit code as well.”
Analysis of the actual report is needed to explain what is being claimed by Mr. Jobs. Symantec lists the five top web vulnerability targets as:
1) Microsoft Windows SMB Remote Code Execution
2) Adobe Reader and Flash Player Remote Code Execution
3) Microsoft IE 7 Uninitialized Memory Code Execution
4) Microsoft Windows ActiveX Remote Code Execution
Only vulnerability #2 might apply to an embedded deployment of the Adobe Flash Player, since #5 refers to PDF files using the Acrobat reader. However, the details of vulnerability #2 affect browser plug-ins only and not embedded systems, since it requires running a maliciously crafted .swf file (the compiled Flash binary) hosted on an attacker’s web site. On an embedded system the .swf file content is completely static, and .swf files are created and controlled by the developers. Even in embedded environments that use a browser, the system would be protected from potential malicious execution by virtue of QNX’s microkernel architecture. Under the QNX Neutrino RTOS, the browser process is completely isolated from every other system process, and exploits like memory overruns that can be used to gain kernel privilege in a monolithic operating system are not possible.
Most importantly, the attacks in question have been patched for some time. The number of attacks reported by Symantec in 2009 is actually not related to existing vulnerabilities, as the report further explains:
“Many of the vulnerabilities observed through Web-based attacks in 2009 have been known and patched for some time. For example, the Microsoft Internet Explorer ADODB.Stream Object File Installation Weakness was published on August 23, 2003, and fixes have been available since July 2, 2004, yet it remains the second-ranked Web-based attack. This is likely because of the use of Web attack kits like Fragus, Eleonore, and Neosploit. These kits come bundled with a variety of different exploits, including some exploits for older vulnerabilities. Because an older vulnerability is likely to be included in more kits, it will probably be seen in more attacks than many of the newer vulnerabilities.”
The number of attacks does not correlate with actual vulnerability, as Mr. Jobs incorrectly assumes. There are no reports of Flash vulnerabilities when Flash is being deployed in an embedded system.
- “Flash is the number one reason Macs crash.”
The idea underlying this statement comes from reports about process failures that users choose to send back to Apple. It is worthwhile to note that these are not instances where the Mac OS itself is crashing, but instead are Mac programs that crash. Those user reports identify browser plug-ins as the most frequent source of process exceptions. Apple has not divulged further information detailing the specific errors received. Since Flash is the most pervasive software platform, reaching 99% of Internet-enabled desktops, and assuming that Flash is the most popular and widespread plug-in, it stands to reason that it will be responsible for a larger frequency of plug-in failure reports. If a crash occurred once out of a thousand times an application was run, but it was run one thousand times more often, it would show up with the same crash statistics as a piece of software that crashed every single time it was run. This is not an indicator of software quality, but of the depth of software deployment.
Adobe’s chief technology officer Kevin Lynch says in an interview with PC Magazine that “Regarding crashing, I can tell you that we don't ship Flash with any known crash bugs, and if there was such a widespread problem historically Flash could not have achieved its wide use today.” Flash is deployed on many embedded devices that do not experience the crash results that Mr. Jobs has claimed.
- “Flash has not performed well on mobile devices.”
This statement is not accurate, and reflects an outdated understanding of Flash. Current versions of Flash and FlashLite perform very well, and the Flash rendering engine can use hardware-accelerated graphics on many platforms. QNX has analyzed the performance of hardware-accelerated Flash, observing a substantial speedup in most cases. External assessments of Flash 10.1 and HTML5 show that Flash compares nicely:
"When it comes to efficient video playback, the ability to access hardware acceleration is the single most important factor in the overall CPU load," concludes Jan Ozer, "On Windows, where Flash can access hardware acceleration, the CPU requirements drop to negligible levels. It seems reasonable to assume that if the Flash Player could access GPU-based hardware acceleration on the Mac (or iPod/iPhone/iPad), the difference between the CPU required for HTML5 playback and Flash playback would be very much narrowed, if not eliminated."
- “Fourth, there’s battery life.”
Mr. Jobs provides little evidence that Flash’s battery consumption is poor. He instead explains the problem as fundamentally related to how people host their video content. Even this unrelated assumption is based on an incorrect understanding of Flash capabilities, namely that the Flash player does not support the H.264 video format (which has been supported in Flash since 2007).
Video playback aside, most embedded Flash execution that concerns itself with battery life will be under control of the developer. FlashLite has been used for the user interface for mobile phones from Samsung, Sony Ericsson, and LGE, shipping on over a billion phones, and is very capable of performing with optimal battery life.
- “Flash was designed for PCs using mice, not for touch screens using fingers.”
This is true, but it is also true for Apple’s technology. However, Adobe Flash, just like Apple’s development environment, was easily retrofitted to handle touch screens. QNX has demonstrated many Flash-based systems that employ a touch screen.
In summary, the claims levelled by Steve Jobs towards Flash are either not substantiated or untrue. Adobe is fundamentally a cross-platform tool, which is noted by Mr. Jobs himself several times, and as a cross-platform tool it enables leveraging development effort across multiple platforms. This means that developers using Adobe Flash would not be locked into the iPhone or iPad development target, and would be able to use their software efforts across a broad base of devices. It would appear that Mr. Jobs’ stance against Flash is for business reasons, not technical ones. Gartner research vice president Ray Valdes provides a similar assessment towards the purpose of this attack:
"This is not about technology. The criticisms from Apple about Flash can also be applied to many other systems that Apple has not directly opposed. Therefore Apple's stance appears driven by their business need to protect the iPhone platform against the threat of a cross-platform competitor."