Slashdot Mirror


Apple Can Remotely Disable iPhone Apps

mikesd81 writes "Engadget reports Apple has readied a blacklisting system which allows the company to remotely disable applications on your device. It seems the new 2.x firmware contains a URL which points to a page containing a list of 'unauthorized' apps — a move which suggests that the device makes occasional contact with Apple's servers to see if anything is amiss on your phone. Jonathan Zdziarski, the man who discovered this, explains, 'This suggests that the iPhone calls home once in a while to find out what applications it should turn off. At the moment, no apps have been blacklisted, but by all appearances, this has been added to disable applications that the user has already downloaded and paid for, if Apple so chooses to shut them down. I discovered this doing a forensic examination of an iPhone 3G. It appears to be tucked away in a configuration file deep inside CoreLocation.'" Update: 08/11 13:07 GMT by T : Reader gadgetopia writes with a small story at IT Wire, citing an interview in the Wall Street Journal, in which this remote kill-switch is "confirmed by Steve Jobs himself."

18 of 550 comments

  1. Refunds by Anonymous Coward · · Score: 4, Informative

    I Am Rich app, anyone?

    1. Re:Refunds by BasilBrush · · Score: 4, Informative

      No. This is a Core Location Black List. It stops listed apps from retrieving your current location. But it doesn't stop that app from working otherwise.

    2. Re:Refunds by BasilBrush · · Score: 4, Informative

      No. There is a certificate system for all apps, and Apple can revoke the certificate. In tabloid terms that is a kill switch. BUT the functionality described here - the URL with the blacklist - is a Core Location Black List. The clue is in the library that that URL was found in, and in the URL itself if you read it.

    3. Re:Refunds by iElucidate · · Score: 4, Informative

      Seriously, no, it is the Core Location Blacklist. He got it from the Daring Fireball link he included in his comment. Apple does claim that there is a capability to remotely disable applications. He does not claim that the URL to the Core Location Blacklist is that capability.

    4. Re:Refunds by jcr · · Score: 4, Informative

      Steve Jobs apparently confirms that it is a malicious app kill switch.

      No. He confirmed that there is a "kill switch", he said nothing about how it's implemented.

      The Core Location black list is only about what apps get to access your phone's location data.

      -jcr

      --
      The only title of honor that a tyrant can grant is "Enemy of the State."
    5. Re:Refunds by BasilBrush · · Score: 5, Informative

      Security is layered.

      Applications have permission to run by virtue of the fact that they are signed by Apple. That certificate can be revoked. (The so called kill switch).

      This black list deals with apps that make inappropriate use of Core Location, but are otherwise OK. For example an app might constantly use explicit Core Location requests to find the current location. That would drain the battery in no time. (versus requesting to be notified when location has changed by more than a threshold). The App is non-malicious, just sloppily programmed. Apple could blacklist its core location functionality, whilst leaving the rest of the functionality working. Until such time as the developer produces a fixed version.

  2. It is a Core Location Blacklist by Anonymous Coward · · Score: 5, Informative

    http://daringfireball.net/2008/08/core_location_blacklist : "An informed source at Apple confirmed to me that the “clbl” in the URL stands for “Core Location Blacklist”, and that it does just that. It is not a blacklist for disabling apps completely, but rather specifically for preventing any listed apps from accessing Core Location — an API which, for obvious privacy reasons, is covered by very strict rules in the iPhone SDK guidelines."

    1. Re:It is a Core Location Blacklist by zonky · · Score: 4, Informative

      helpfully, the url: contains the template! https://iphone-services.apple.com/clbl/unauthorizedApps

          {
            "Date Generated" = "2008-08-11 09:19:37 Etc/GMT";
            "BlackListedApps" = {
              "com.mal.icious" = {
                "Description" = "Being really bad!";
                "App Name" = "Malicious";
                "Date Revoked" = "2004-02-01 08:00:00 Etc/GMT";
              };
            };
          }
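Added example (not part of the original comment or of Apple's code): the template quoted above uses the old-style ASCII property-list syntax, which Python's `plistlib` does not read, so this sketch parses that syntax directly and returns the listed bundle IDs, as an examiner reviewing a copy of the file might. The function names are hypothetical, the sample is the template text from the comment, and only dictionaries and strings are handled.

```python
import re

# Added example. Constructed sample: the template text quoted in the comment above.
SAMPLE = '''{ "Date Generated" = "2008-08-11 09:19:37 Etc/GMT";
  "BlackListedApps" = {
    "com.mal.icious" = {
      "Description" = "Being really bad!";
      "App Name" = "Malicious";
      "Date Revoked" = "2004-02-01 08:00:00 Etc/GMT"; }; }; }'''

# One token: a quoted string, one of { } = ; or a bare (unquoted) word.
TOKEN = re.compile(r'\s*(?:"((?:[^"\\]|\\.)*)"|([{}=;])|([^\s{}=;"]+))')

def tokenize(text):
    pos, text = 0, text.rstrip()
    while pos < len(text):
        m = TOKEN.match(text, pos)
        if not m:
            raise ValueError(f"unexpected input at offset {pos}")
        pos = m.end()
        quoted, sym, bare = m.groups()
        text_val = bare if quoted is None else re.sub(r"\\(.)", r"\1", quoted)
        yield ("sym", sym) if sym else ("str", text_val)

def parse_value(tokens):
    kind, val = next(tokens, ("eof", None))
    if kind == "str":
        return val
    if val != "{":
        raise ValueError(f"expected a string or '{{', got {val!r}")
    result = {}
    while True:
        kind, key = next(tokens, ("eof", None))
        if (kind, key) == ("sym", "}"):
            return result
        if kind != "str" or next(tokens, None) != ("sym", "="):
            raise ValueError("expected 'key = value;'")
        result[key] = parse_value(tokens)
        if next(tokens, None) != ("sym", ";"):
            raise ValueError("missing ';' after value")

def blacklisted_apps(text):
    """Return {bundle_id: entry} from the BlackListedApps dictionary."""
    tokens = tokenize(text)
    root = parse_value(tokens)
    apps = root.get("BlackListedApps", {}) if isinstance(root, dict) else None
    if not isinstance(apps, dict) or next(tokens, None) is not None:
        raise ValueError("expected one top-level dictionary with BlackListedApps")
    return apps
```

Truncated or malformed input raises `ValueError` rather than returning a partial list, so a caller has to decide explicitly what an unreadable list means.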

    2. Re:It is a Core Location Blacklist by teh+kurisu · · Score: 5, Informative

      € is your friend ;)

  3. re: CoreLocation by akarnid · · Score: 5, Informative

    Sorry guys. This is brouhaha over nothing. The blacklist in question does NOT disable apps remotely but instead disallows listed apps from accessing the CoreLocation framework. See http://daringfireball.net/2008/08/core_location_blacklist

  4. Re:Spin this! by dangitman · · Score: 5, Informative

    Except that it doesn't. The blacklist in question does not blacklist applications on the phone. It's a registry of applications which the user denies access to the "Core Location" service - i.e, when you don't want the phone to use GPS or triangulation data for privacy reasons. Seems perfectly reasonable to me. I don't want apps broadcasting my location without permission.

    --
    ... and then they built the supercollider.
  5. Re:Spin this! by lucas+teh+geek · · Score: 4, Informative

    Well if that seems perfectly reasonable to you, iPhone isn't really for you since currently no applications are blocked from using your GPS...

    is that so mr anonymous coward? that's odd, since my iPhone pops up a message ""app_name" would like to use your current location" the first time each app tries to access the GPS since the last reboot. seems to me you're talking right out your ass

    --
    TIAEAE!
  6. Re:Story is untrue by Anonymous Coward · · Score: 4, Informative

    Will you kindly shut the fuck up already? We've had about 5 posts like this so far, all of which contradict the following respective pieces of obvious logic and in-your-face authoritative evidence:

    1. Just because someone uncovered one URL which is likely to be a Core Location services blacklist, it doesn't automatically disqualify that there are [i]other[/i] blacklists which disable an app entirely.

    2. Steve Jobs announced (see recent WSJ article summarized e.g. on macrumors.com) that iPhone has remote app disabling. To announce this if it's not true would be monumentally stupid for two reasons:

    (a) He knows he'll piss off a minority contingent of privacy advocates. (shame that it's only a minority, but if there's one thing we learn from our dear country, it's that its citizens generally get exactly what they deserve)

    (b) At some point, a malicious app [i]will[/i] appear. Imagine the reaction if, everyone with eyes looking to Apple to disable it, SJ responds with "oh, my bad, actually we can't disable stuff".

    In conclusion, the iPhone has remote app disabling. Apple can remotely disable any of your apps. Your apps are remotely disable-able.

    In other news, the iPhone developer agreement apparently must include the "we can pull any of your apps from the store for an arbitrary reason aside from the ones mentioned explicitly in the agreement" clause, since removal of _I Am Rich_ was, Apple claims, a "judgment call". Meanwhile, removal of _NetShare_ was due to the ability - the developer seems to have concluded, after a period of silence - to use it to break your service agreement on some of the many global networks iPhone is available for. This is all made harder by an NDA which specifically prohibits an iPhone developer community, let alone any open source + Free software, since you're [i]not allowed to talk about your code[/i].

    At the risk of confronting the No True Scotsman fallacy, no true developer codes for the iPhone. It's a get-rich-quick gamble, where Apple may pull your foundations from under you at a whim (as they've already done three times to developers) and where you must code alone and in secret.

  7. Re:Apple can kiss my shiny metal ass by shmlco · · Score: 5, Informative

    "There's just *no way* a phone should contact another server without the user knowing it..."

    Actually, when you stop to think about it, every cell phone in existence does just that, as all of 'em continually poll local cell towers to tell the servers that they're in that particular neighborhood. You might not have known it's doing that, but it does.

    Then there's the fact that the iPhone checks iTunes servers for application updates, does push/pull on various and sundry mail servers, handles SMS messaging, will shortly begin checking for push notifications, checks who knows what stock and weather servers....

    --
    Any sect, cult, or religion will legislate its creed into law if it acquires the political power to do so.
  8. Re:Net Share by Dog-Cow · · Score: 3, Informative

    Yes, if you get the .app bundle, you can install it manually on a jailbroken iPhone/iTouch.

  9. Re:makes sense to me.. by pdbaby · · Score: 4, Informative

    This is actually a few days old; it did the rounds on the Apple rumour sites and was debunked: it's a blacklist that can prevent applications using Core Location to determine a user's position (so if an app is abusing it & logging everywhere a user goes, they can be prevented from doing that while still allowing the app to function).

    The hint was in the filename (and the library that references it): clbl - Core Location BlackList

    --
    Global symbol "$deity" requires explicit package name at line 2. - If only $scripture started "use strict;"
  10. Re:Spin this! by gaggle · · Score: 3, Informative

    Uh, yes it's justifiable. Apple wants its product to behave this way, and I purchase their devices knowing they want to control everything. Don't buy the phone if you want an open market model! Hell you shouldn't own any Apple product if that's the kind of market you prefer, it is simply not their thing.

    Besides, as other posters have pointed out, it's not phoning home to control apps, it's to prevent malicious use of CoreLocation because Apple cares about privacy.

    (okay I'm not actually arguing they care, but that's the impression they want to give. It protects their profit margin)

  11. Re:makes sense to me.. by Anonymous Coward · · Score: 5, Informative

    "Oh, but's Apple, and this is good! Want to know why the PC prospered? Apple around the time of when it could have gone its way introduced an SDK development process where every developer who wanted to deliver something had to have a developer token. Without the blessing of Apple no go on Apple hardware! It annoyed many developers and the rest is history...

    Don't believe? Do some historical checks..."

    Really, I was an Apple developer back in the day, moving from the Apple II all the way to the original Mac (the all in one) and then getting out of the business a few years later.

    I don't remember EVER contacting Apple for the SDK. I simply bought Lightspeed /Think C and Pascal and developed. Want more in-depth info? Get the Inside Macintosh books. I had like 2 dozen...each taking up a few hundred pages, and each focusing on an API and/or group of related items. Things like Audio had entire volumes written about it (this was my focus).

    In this time, I *NEVER* once asked Apple for a 'token'...it wasn't needed. The most you'd ever need would be to have an official App ID (or whatever it was called) that ensured that documents created with specific doc types would know what application would open it -- and to keep other developers from trying to usurp yours. It could easily be done on the local computer.

    Honestly, you don't know what the fuck you are talking about. This falls into the realm of not just ignorance, but making shit up.