Slashdot Mirror


Apple Can Remotely Disable iPhone Apps

mikesd81 writes "Engadget reports Apple has readied a blacklisting system which allows the company to remotely disable applications on your device. It seems the new 2.x firmware contains a URL which points to a page containing a list of 'unauthorized' apps — a move which suggests that the device makes occasional contact with Apple's servers to see if anything is amiss on your phone. Jonathan Zdziarski, the man who discovered this, explains, 'This suggests that the iPhone calls home once in a while to find out what applications it should turn off. At the moment, no apps have been blacklisted, but by all appearances, this has been added to disable applications that the user has already downloaded and paid for, if Apple so chooses to shut them down. I discovered this doing a forensic examination of an iPhone 3G. It appears to be tucked away in a configuration file deep inside CoreLocation.'" Update: 08/11 13:07 GMT by T : Reader gadgetopia writes with a small story at IT Wire, citing an interview in the Wall Street Journal, in which this remote kill-switch is "confirmed by Steve Jobs himself."


  1. Security Risk? by Anonymous Coward · · Score: 5, Interesting

    Given the unpatched Kaminsky DNS stuff on desktop OS X, or even just spoofed IPs, doesn't this mean that a malicious attacker might be able to spoof the Apple "ban list" and disable core functionality? How long until this can be exploited with a list of the core OS X daemons thus "bricking" the phone until ?

  2. Re:Refunds by 91degrees · · Score: 1, Interesting

    Just what I was thinking. It seems they could actually allow people to try applications and return them for a refund without Apple having major concerns about piracy.

  3. Net Share by nmg196 · · Score: 3, Interesting

    So how long before Net Share gets disabled?

    Unfortunately I missed this app when it was on the App Store and I've been looking for a way to install it, but I suspect now that even if I succeed, it will get disabled by Apple in the coming weeks/months.

    iPhone newbie question:
    Is there a way to install apps which have been removed from the App Store by somehow getting the binary?

  4. Story is untrue by dangitman · · Score: 2, Interesting

    The blacklist in question does not blacklist applications from running on the phone. It's a registry of applications which are denied access to the "Core Location" service - i.e., when you don't want the phone to use GPS or triangulation data for privacy reasons. Seems perfectly reasonable to me. I don't want apps broadcasting my location without permission.

    --
    ... and then they built the supercollider.

  5. It *Might* be a Core Location Black List by segedunum · · Score: 2, Interesting

    The whole speculation on Core Location comes simply from the URL having clbl in it, which supposedly stands for Core Location Black List. There is no other evidence provided that this is only what it does, nor does it mean that Apple can't use it in some other form or that they're not working on a set of black listed applications they can retrospectively turn off. Apple have already shown how developer friendly they are by pulling applications from their store without warning.

    Personally, I find a black list like this an exceptionally stupid and blunt way to deal with access to Core Location.

  6. This has already been addressed by Steve Jobs! by djkitsch · · Score: 5, Interesting

    Couple of hours before this story got onto the /. front page, Engadget had this scoop:

    http://www.engadget.com/2008/08/11/jobs-60-million-iphone-apps-downloaded-confirms-kill-switch/

    Steve Jobs has confirmed the kill-switch, and defends it as a "responsible" way to make sure they can deal with it if a malicious app finds its way into the App Store.

    Get with the times, editors!

    --
    sig:- (wit >= sarcasm)

  7. but wouldn't an app ... by Anonymous Coward · · Score: 1, Interesting

    Wouldn't an app just jailbreak the phone, edit /etc/hosts to remap this to somewhere else (or see another way to disable it)? That would stop the app from being blacklisted on that phone (and all the others that would come after it).

    Sure you have to get perms but if you can get a user to install malware that can be blocked it's probably not that hard to get them to also enable it (or find an automated way around the "permission request").

    Would that not mean it's a trivial thing to make this whole concept of blacklisting moot? And if malware can disable it quickly and easily, would this not just be a wasted effort on Apple's part?

  8. Re:excuses, let it rain by Khaed · · Score: 2, Interesting

    I own nothing by Apple, but I kind of disagree with you here.

    Nobody can say they bought an iPhone, at this point, and didn't know what they were signing up for. Apple's attitude is well known, and only an idiot I wouldn't feel sorry for will have gone into an agreement with them without being aware of what kind of company Apple is. Clearly, people like Apple despite their flaws (just like people like Google despite theirs, and Linux, and Microsoft -- all are flawed but Jesus they have annoying fanboys). Apple fans just don't care about the same stuff you do.

    I use Linux almost exclusively on my home PC, but none of my friends do; they want to play games or don't want to learn to use a new OS or whatever. It's not that they've drunk the MS kool-aid. They just don't have the same outlook as I do.

    That said, I don't like the idea of a device that I've paid for talking to a third party and deciding which programs (that I've paid for) to run. So I guess I won't be getting an iPhone (not like it was ever in consideration in the first place).

  9. Re:makes sense to me.. by BasilBrush · · Score: 5, Interesting

    I trust Amazon with my credit card number and address. I wouldn't trust Scammy Viagra Co with either.

    Of course it's within the realms of possibility that Amazon may misuse it, but the benefit I get in a wide access to cheap books outweighs my risk.

    On the other hand I'd expect Scammy Viagra Co to misuse it.

    It's perfectly reasonable to accord different companies with different levels of trust. And giving out your credit card number is a far more significant trust level than allowing a company to prevent selected apps from accessing your current location.

    I do trust Apple to use it responsibly. I wouldn't trust Microsoft to. And there's absolutely nothing wrong with that. All companies are not the same. Microsoft's evil misdeeds negatively affect their trustworthiness, but they don't affect all other companies too.

  10. Antivirus definitions by fabs64 · · Score: 2, Interesting

    How is this practically any different?

  11. Re:Once Again by Piranhaa · · Score: 4, Interesting

    You know it's really sad when a poster doesn't even RTFA or read the RTFT (thread). Engadget, and now Slashdot.. Are people on the internet really that illiterate now and just follow the leader? After MANY posts (many by me and many by others) on Engadget, people STILL insist "APPLE IS GETTING SUED!" or "Ha! What are you fanboys going to say to this?" and the best one "Haha Same as the Microsoft WGA". Anyways I've already made too many posts and feel redundant, but rumors and speculation to get THIS far is simply sickening.

  12. Re:Refunds by HungryHobo · · Score: 4, Interesting

    "ethical standpoint"?
    How is there anything wrong with offering a useless piece of overpriced tat?
    You don't have to be amoral to do this.
    Hell I wish I'd come up with something this easy and effective.
    It wasn't misrepresented, it wasn't claimed to do anything it didn't.
    Where is the problem?

  13. Re:excuses, let it rain by TheRaven64 · · Score: 2, Interesting

    Yeah, Apple products are more closed and restrictive, but they work for me. And until I get burnt by them bad enough to consider switching, I have no problem with them

    Has it occurred to you that the people spouting 'philosophical issues' are the ones who have already been burnt by locked-down products? Great for you if you haven't - come back when you have and we'll talk about those philosophical issues.

    --
    I am TheRaven on Soylent News

  14. Re:Refunds by MightyYar · · Score: 2, Interesting

    you are taking advantage of others' stupidity

    Is Prada taking advantage of others' stupidity? Some people just have a lot of money and want to flash it. If anything, you are taking advantage of others' vanity - not stupidity.

    --
    W..w..W - Willy Waterloo washes Warren Wiggins who is washing Waldo Woo.

  15. Re:makes sense to me.. by Daimanta · · Score: 2, Interesting

    So you either have to blindly trust companies or live like a hermit?

    Speaking about false dichotomies (and nuts too).

    --
    Knowledge is power. Knowledge shared is power lost.

  16. Re:Refunds by Machine9 · · Score: 3, Interesting

    The diamond business is somewhat more odd though, the rocks do indeed not "do" anything but are presumed to be "rare" and thus "valuable".

    However, the fact remains that diamonds are in fact not very rare at all, barring the very largest specimens, they are intentionally stockpiled and kept rare by controlling the rate at which they enter the market.

    You want rare? Get a proper red ruby!

    Why is this relevant? Because Apple prices its product like a luxury company prices its jewelry (which, for the record, can be upwards of a 500% profit margin from my experience in working in the high-end jewelry business). The price is based on:

    - brand name prestige
    - design

    The brand name prestige equates in the consumer's eye to "rarity" but a device like the iPhone is of course not rare at all, Apple can produce a near infinite amount of them quite readily.

    I don't really have a point I guess... other than "people are very silly" =/

  17. Re: CoreLocation by Alsee · · Score: 2, Interesting

    if you want news, please go to CNN.com. Ah, damned, they don't want their stories being diluted by facts either...

    You're absolutely right. People should go to Fox News instead.

    -

    --
    - - You can't take something off the Internet! That's like trying to take pee out of a swimming pool.

  18. Re:Refunds by Moryath · · Score: 3, Interesting

    Working in I.T. as long as I have, I, too, like to feel "in control" of the devices I use.

    I work in the same field.

    But the problem comes in because none of us have time (or even the ability) to audit the source code for each program we install. We have to go on faith that apps do what they say, most of the time.

    Mostly correct. Which is why I am highly careful on what I do install, and even LESS likely to let someone else have the decision on removing something.

    All fine and good, but I'd counter-argue that if YOU can't comprehend why it's potentially very BENEFICIAL for a carrier to be able to globally "kill off" some new app that turns out to be a trojan horse, leaking out your private information everywhere ... then I don't know what to tell you, really?

    And if I could trust that that is the ONLY way that Apple would ever use this... then I *might* consider it a feature.

    But come on, seriously. You know precisely what comes up with this. Any freeware program that competes with something Apple might want to make pay software for, will instantly be on the blacklist. This isn't a tool for "protecting people from malicious software". If it was, it would be 100% optional anyways. No, this particular setup is a compulsory setup designed for Apple to be able to kill off the competition.