Apple Can Remotely Disable iPhone Apps
mikesd81 writes "Engadget reports Apple has readied a blacklisting system which allows the company to remotely disable applications on your device. It seems the new 2.x firmware contains a URL which points to a page containing a list of 'unauthorized' apps — a move which suggests that the device makes occasional contact with Apple's servers to see if anything is amiss on your phone. Jonathan Zdziarski, the man who discovered this, explains, 'This suggests that the iPhone calls home once in a while to find out what applications it should turn off. At the moment, no apps have been blacklisted, but by all appearances, this has been added to disable applications that the user has already downloaded and paid for, if Apple so chooses to shut them down. I discovered this doing a forensic examination of an iPhone 3G. It appears to be tucked away in a configuration file deep inside CoreLocation.'" Update: 08/11 13:07 GMT by T : Reader gadgetopia writes with a small story at IT Wire, citing an interview in the Wall Street Journal, in which this remote kill-switch is "confirmed by Steve Jobs himself."
http://daringfireball.net/2008/08/core_location_blacklist : "An informed source at Apple confirmed to me that the “clbl” in the URL stands for “Core Location Blacklist”, and that it does just that. It is not a blacklist for disabling apps completely, but rather specifically for preventing any listed apps from accessing Core Location — an API which, for obvious privacy reasons, is covered by very strict rules in the iPhone SDK guidelines."
Sorry guys. This is brouhaha over nothing. The blacklist in question does NOT disable apps remotely but instead disallows listed apps from accessing the CoreLocation framework. See http://daringfireball.net/2008/08/core_location_blacklist
Except that it doesn't. The blacklist in question does not blacklist applications on the phone. It's a registry of applications which the user denies access to the "Core Location" service - i.e., when you don't want the phone to use GPS or triangulation data for privacy reasons. Seems perfectly reasonable to me. I don't want apps broadcasting my location without permission.
... and then they built the supercollider.
"There's just *no way* a phone should contact another server without the user knowing it..."
Actually, when you stop to think about it, every cell phone in existence does just that, as all of 'em continually poll local cell towers to tell the servers that they're in that particular neighborhood. You might not have known it's doing that, but it does.
Then there's the fact that the iPhone checks iTunes servers for application updates, does push/pull on various and sundry mail servers, handles SMS messaging, will shortly begin checking for push notifications, checks who knows what stock and weather servers....
Any sect, cult, or religion will legislate its creed into law if it acquires the political power to do so.
Security is layered.
Applications have permission to run by virtue of the fact that they are signed by Apple. That certificate can be revoked. (The so-called kill switch.)
This blacklist deals with apps that make inappropriate use of Core Location, but are otherwise OK. For example, an app might constantly use explicit Core Location requests to find the current location. That would drain the battery in no time (versus requesting to be notified when location has changed by more than a threshold). The app is non-malicious, just sloppily programmed. Apple could blacklist its Core Location functionality, whilst leaving the rest of the functionality working. Until such time as the developer produces a fixed version.
"Oh, but it's Apple, and this is good! Want to know why the PC prospered? Apple around the time of when it could have gone its way introduced an SDK development process where every developer who wanted to deliver something had to have a developer token. Without the blessing of Apple no go on Apple hardware! It annoyed many developers and the rest is history...
Don't believe? Do some historical checks..."
Really, I was an Apple developer back in the day, moving from the Apple II all the way to the original Mac (the all in one) and then getting out of the business a few years later.
I don't remember EVER contacting Apple for the SDK. I simply bought Lightspeed/Think C and Pascal and developed. Want more in-depth info? Get the Inside Macintosh books. I had like 2 dozen... each taking up a few hundred pages, and each focusing on an API and/or group of related items. Things like Audio had entire volumes written about it (this was my focus).
In this time, I *NEVER* once asked Apple for a 'token'...it wasn't needed. The most you'd ever need would be to have an official App ID (or whatever it was called) that ensured that documents created with specific doc types would know what application would open it -- and to keep other developers from trying to usurp yours. It could easily be done on the local computer.
Honestly, you don't know what the fuck you are talking about. This falls into the realm of not just ignorance, but making shit up.