
Apple Can Remotely Disable iPhone Apps

Posted by Soulskill
from the they're-making-a-list dept.
mikesd81 writes "Engadget reports Apple has readied a blacklisting system which allows the company to remotely disable applications on your device. It seems the new 2.x firmware contains a URL which points to a page containing a list of 'unauthorized' apps — a move which suggests that the device makes occasional contact with Apple's servers to see if anything is amiss on your phone. Jonathan Zdziarski, the man who discovered this, explains, 'This suggests that the iPhone calls home once in a while to find out what applications it should turn off. At the moment, no apps have been blacklisted, but by all appearances, this has been added to disable applications that the user has already downloaded and paid for, if Apple so chooses to shut them down. I discovered this doing a forensic examination of an iPhone 3G. It appears to be tucked away in a configuration file deep inside CoreLocation.'" Update: 08/11 13:07 GMT by T : Reader gadgetopia writes with a small story at IT Wire, citing an interview in the Wall Street Journal, in which this remote kill-switch is "confirmed by Steve Jobs himself."
This discussion has been archived. No new comments can be posted.

  • Refunds (Score:4, Informative)

    by Anonymous Coward on Monday August 11, 2008 @05:05AM (#24553123)

    I Am Rich app, anyone?

    • Re:Refunds (Score:5, Insightful)

      by HungryHobo (1314109) on Monday August 11, 2008 @05:29AM (#24553263)

      I still don't get why it was pulled.
      Let rich idiots throw their money away on tat.

    • Re:Refunds (Score:5, Insightful)

      by CountBrass (590228) on Monday August 11, 2008 @06:37AM (#24553601)

      I Am Rich app, anyone?

      I always enjoy old adages being proved right. In this case "A fool and his money are soon parted."

      I just wish I'd been the one to think of marketing an app to the terminally stupid.

  • by Tarraq (183622) on Monday August 11, 2008 @05:09AM (#24553155) Homepage

    It's better than having a lot of malicious programs out there, using data or sending personal information, with no way of recalling them.
    Shouldn't be used unless it's deemed "dangerous".
    "I am rich" for instance is a legitimate app, although without much purpose. But let's be honest, a lot of apps in the app store have little or no purpose. A 12$ flash light, anyone?

    • by iminplaya (723125) <iminplaya.gmail@com> on Monday August 11, 2008 @05:19AM (#24553213) Journal

      A 12$ flash light, anyone?

      Don't you mean a 512 dollar flash light?

    • Re: (Score:3, Insightful)

      Especially when you consider that it's possible to write a program that tells someone exactly where you are.

    • by muffen (321442) on Monday August 11, 2008 @06:18AM (#24553503)

      Shouldn't be used unless it's deemed "dangerous".

      Who decides what's dangerous? Are pirated apps going to be deemed dangerous? If you bypass certain security measures, is that dangerous? I don't like control being taken away from me (where "me" in this case is any end-user).

      Even if the intent is to only blacklist malware, does Apple have a research lab to determine what's malicious and what isn't? Will they tell us how they decide on malware? What if you release an app that is infected with malware, the app is still legit whereas the malware part of the code is not. What happens if that app gets blacklisted, can it be revoked? If the iPhone contacts a webpage every now and then, will Apple pay the bill for the connection?

      I don't like this, at the moment I don't like it because they did it without saying they are doing it. Going forward, they should say what they intend to block and give the end-user an option of either using the "service" or not... especially since the end-user is the one paying the bill for the data transfer, the amount of money is imho completely irrelevant.

      • by rsmith-mac (639075) on Monday August 11, 2008 @07:05AM (#24553753)

        Based on what Apple has told developers since the start of the program, revocation appears to be certificate based; Apple is revoking the developer's certificate for that program, which breaks the authentication chain and prevents the application from running. As for what they can block, it does not look like this would be effective against a jailbroken kernel, since much of the authentication chain is patched out anyhow; in other words they wouldn't be able to revoke: the jailbreak, applications for it, and perhaps even regular applications once the jailbroken kernel is installed.

        As for what they'll revoke, that's the bigger question. Apple has not shown to be particularly hostile towards the jailbreak community in the past; even if they could revoke it, I don't believe they will. The real test on this policy would be the NetShare application, it's an application Apple has ceased to allow post-release and if the revocation system were to be abused it would be the prime target. So far Apple has not revoked it, even though they've had ample time to do so.

        That leaves us with malware. I don't find this to be something hard to define, but perhaps other Slashdot readers do. If the application is legit but has a problem (backdoor for exploiting the Mobile account, for example) I'd assume Apple will revoke the certificate for the bad application and let the author issue an updated version as long as they didn't intentionally create a problem (which is grounds for being expelled from the AppStore program). If it's outright malware that somehow passed Apple's QC, then they'll still revoke it, will not issue further certificates to the guilty party, and since they had to sign up for the program, track the guilty party down and sue them for computer crimes in some form.

        I'm not too worried about this (I consider blocking malware from running a good thing) but I can see why other people here would be worried. In either case it's a well thought-out system that seems to cover every contingency, so there shouldn't be any "friendly fire" of applications being unintentionally revoked.

    • by Trogre (513942) on Monday August 11, 2008 @06:47AM (#24553645) Homepage

      Wow. Just... wow

      Let's change the players a bit:
      "Engadget reports Microsoft has readied a blacklisting system which allows the company to remotely disable applications on your Vista PC."

      Do we still feel warm and protected?

      • by eclectro (227083) on Monday August 11, 2008 @07:26AM (#24553857)

        which allows the company to remotely disable applications

        You mean like what complete strangers currently do now on a windows pc?

      • by BasilBrush (643681) on Monday August 11, 2008 @07:39AM (#24553929)

        I trust Amazon with my credit card number and address. I wouldn't trust Scammy Viagra Co with either.

        Of course it's within the realms of possibility that Amazon may misuse it, but the benefit I get in a wide access to cheap books outweighs my risk.

        On the other hand I'd expect Scammy Viagra Co to misuse it.

        It's perfectly reasonable to accord different companies with different levels of trust. And giving out your credit card number is a far more significant trust level than allowing a company to prevent selected apps from accessing your current location.

        I do trust Apple to use it responsibly. I wouldn't trust Microsoft to. And there's absolutely nothing wrong with that. All companies are not the same. Microsoft's evil misdeeds negatively affect their trustworthiness, but they don't affect all other companies too.

        • Re: (Score:3, Insightful)

          by SerpentMage (13390)

          >I do trust Apple to use it responsibly. I wouldn't trust Microsoft to. And there's absolutely nothing wrong with that. All companies are not the same. Microsoft's evil misdeeds negatively affect their trustworthiness, but they don't affect all other companies too.

          Well you are a fool... Both are corporations and both have profit motives. I trust neither!

      • by pdbaby (609052) on Monday August 11, 2008 @07:40AM (#24553933)

        This is actually a few days old; it did the rounds on the Apple rumour sites and was debunked: it's a blacklist that can prevent applications using Core Location to determine a user's position (so if an app is abusing it & logging everywhere a user goes, they can be prevented from doing that while still allowing the app to function).

        The hint was in the filename (and the library that references it): clbl - Core Location BlackList

  • Security Risk? (Score:5, Interesting)

    by Anonymous Coward on Monday August 11, 2008 @05:10AM (#24553161)

    Given the unpatched Kaminsky DNS stuff on desktop OS X, or even just spoofed IPs, doesn't this mean that a malicious attacker might be able to spoof the Apple "ban list" and disable core functionality? How long until this can be exploited with a list of the core OS X daemons thus "bricking" the phone until ?

    • Re: (Score:3, Insightful)

      by rsmith-mac (639075)

      In theory? Sure, why not. In practice, it would be one of the greatest screwups in all history if this could be done. Presumably Apple is signing the list (via private/public keypairs) just like they do iPhone firmware updates; you sign this kind of stuff exactly so that hackers can't do stuff like this.

      In other words no, I doubt this list can be exploited in that manner.
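The check that reply presumes, as an added example (not part of the thread and not Apple's code): a client applies a downloaded blocklist only if its detached Ed25519 signature verifies against a pinned public key, so a list served through spoofed DNS is ignored. The list format, the `com.example.*` identifiers and all function names are assumptions constructed for the illustration.

```go
package main

import (
	"crypto/ed25519"
	"encoding/json"
	"errors"
	"fmt"
)

// Blocklist is a constructed format for this example, not Apple's.
type Blocklist struct {
	Version int      `json:"version"`
	Blocked []string `json:"blocked"`
}

// Client holds the pinned publisher key and the last list it accepted.
type Client struct {
	Pinned  ed25519.PublicKey
	Current Blocklist
}

// Apply accepts raw only if sig verifies against the pinned key and the
// version moves forward; on any failure the current list is kept unchanged.
func (c *Client) Apply(raw, sig []byte) error {
	if !ed25519.Verify(c.Pinned, raw, sig) {
		return errors.New("signature check failed")
	}
	var next Blocklist
	if err := json.Unmarshal(raw, &next); err != nil {
		return fmt.Errorf("malformed list: %w", err)
	}
	if next.Version <= c.Current.Version {
		return errors.New("stale list version") // replay of an older signed list
	}
	c.Current = next
	return nil
}

// Demo feeds the client a genuine list, a list signed with an unpinned key,
// and a replay of the genuine one, returning each result and the final state.
func Demo() (genuine, spoofed, replayed error, final Blocklist) {
	pub, priv, _ := ed25519.GenerateKey(nil)   // publisher key pair
	_, attacker, _ := ed25519.GenerateKey(nil) // key the client never pinned
	c := &Client{Pinned: pub}
	v1 := []byte(`{"version":1,"blocked":["com.example.tracker"]}`)
	evil := []byte(`{"version":2,"blocked":["com.example.phone","com.example.mail"]}`)
	genuine = c.Apply(v1, ed25519.Sign(priv, v1))
	spoofed = c.Apply(evil, ed25519.Sign(attacker, evil))
	replayed = c.Apply(v1, ed25519.Sign(priv, v1))
	return genuine, spoofed, replayed, c.Current
}

func main() { fmt.Println(Demo()) }
```

The version check matters as much as the signature: without it, an old but validly signed list could be replayed to undo a later one.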

  • by timmarhy (659436) on Monday August 11, 2008 @05:12AM (#24553173)
    OK, can we please just get all the Apple fans to make their excuses early on. The iPhone is a fiasco but nothing will take their blinkers off, so let's just let them get it off their chest early.
    • by SoupIsGoodFood_42 (521389) on Monday August 11, 2008 @05:40AM (#24553309)

      How about we stop pretending that philosophical issues are the most important things when someone buys a product? Yeah, Apple products are more closed and restrictive, but they work for me. And until I get burnt by them bad enough to consider switching, I have no problem with them. I mean, they do behave pretty well for a Corporation. No need to spread FUD at the first sight of something that may not be ideal.

      • Re: (Score:3, Informative)

        by thermian (1267986)

        Ooh! How dare you take the reasoned intelligent approach! Don't you know where you are?

        Also, I agree. My friends bitch about my buying iPod, because it's 'eeeevil Apple'. But they work well, I like the build quality, and I have never seen any compelling reason to buy any competing products.

      • Re: (Score:3, Interesting)

        by TheRaven64 (641858)

        Yeah, Apple products are more closed and restrictive, but they work for me. And until I get burnt by them bad enough to consider switching, I have no problem with them

        Has it occurred to you that the people spouting 'philosophical issues' are the ones who have already been burnt by locked-down products? Great for you if you haven't - come back when you have and we'll talk about those philosophical issues.

    • by Bender Unit 22 (216955) on Monday August 11, 2008 @06:09AM (#24553457) Journal

      I'll bet you think Linux is a good desktop solution for the average user.

    • Re: (Score:3, Insightful)

      by whisper_jeff (680366)
      the iphone is a fiasco...

      I think you're using that word without knowing what it means. I suspect most companies would like to have a "fiasco" like the iPhone in their product catalogue.
  • by Anonymous Coward on Monday August 11, 2008 @05:15AM (#24553195)
    http://daringfireball.net/2008/08/core_location_blacklist [daringfireball.net] : "An informed source at Apple confirmed to me that the “clbl” in the URL stands for “Core Location Blacklist”, and that it does just that. It is not a blacklist for disabling apps completely, but rather specifically for preventing any listed apps from accessing Core Location — an API which, for obvious privacy reasons, is covered by very strict rules in the iPhone SDK guidelines."
  • re: CoreLocation (Score:5, Informative)

    by akarnid (591191) on Monday August 11, 2008 @05:21AM (#24553229)
    Sorry guys. This is brouhaha over nothing. The blacklist in question does NOT disable apps remotely but instead disallows listed apps from accessing the CoreLocation framework. See http://daringfireball.net/2008/08/core_location_blacklist [daringfireball.net]
    • by bursch-X (458146) on Monday August 11, 2008 @05:31AM (#24553275)

      Oh, come on don't you spoil our neat little flamefest based on mere guesswork and Anti-Apple bias with your boring and irrelevant facts, please.

      I mean this is Slashdot, if you want news, please go to CNN.com. Ah, damned, they don't want their stories being diluted by facts either...

      • Oh, come on don't you spoil our neat little flamefest based on mere guesswork and Anti-Apple bias with your boring and irrelevant facts, please.

        I mean this is Slashdot, if you want news, please go to CNN.com. Ah, damned, they don't want their stories being diluted by facts either...

        Yeah! And another thing, I'm getting a kick out of negative Apple posts getting +5 and positive ones getting -1 !

        I'm going to church today because I'd never thought I'd see this on Slashdot! There's all these wars and oil and food prices are through the roof. I think I saw this in a movie about the World coming to an end with that 'Growing Pains' kid all grown up. And my cat, it slept with a dog last night.

        The end is nigh!

      • Re: (Score:3, Interesting)

        by Alsee (515537)

        if you want news, please go to CNN.com. Ah, damned, they don't want their stories being diluted by facts either...

        You're absolutely right. People should go to Fox News [google.com] instead.

        -

    • The whole speculation on Core Location comes simply from the URL having clbl in it, which supposedly stands for Core Location Black List. There is no other evidence provided that this is only what it does, nor does it mean that Apple can't use it in some other form or that they're not working on a set of black listed applications they can retrospectively turn off. Apple have already shown how developer friendly they are by pulling applications from their store without warning.

      Personally, I find a black l
  • Net Share (Score:4, Interesting)

    by nmg196 (184961) * on Monday August 11, 2008 @05:29AM (#24553265)

    So how long before Net Share gets disabled?

    Unfortunately I missed this app when it was on the App Store and I've been looking for a way to install it, but I suspect now that even if I succeed, that it will get disabled by Apple in the coming weeks/months.

    iPhone newbie question:
    Is there a way to install apps which have been removed from the App Store by somehow getting the binary?

  • by dpbsmith (263124) on Monday August 11, 2008 @05:44AM (#24553319) Homepage

    This sort of problem is now years past the place where it can be solved by "voting with your dollars," or hoping that exposing the problem will create bad PR and shame the company into correcting it.

    I don't know what parts of our constitution are still operative today, but if we can't get the public interested in privacy rights, get Congress interested in passing appropriate legislation, making "phoning home" against the law--and getting those laws enforced--then Apple and Microsoft and Sony and everyone else will continue to do whatever is technologically feasible, convenient, and supportive of their corporate goals.

    It's naive to think that there are Good Companies and Evil Companies and that the answer is to put your faith in the Good Companies.

    Of course, I do hope that exposing the problem creates bad PR and shames Apple into fixing it.

  • by djkitsch (576853) on Monday August 11, 2008 @05:56AM (#24553395)
    Couple of hours before this story got onto the /. front page, Engadget had this scoop:

    http://www.engadget.com/2008/08/11/jobs-60-million-iphone-apps-downloaded-confirms-kill-switch/ [engadget.com]

    Steve Jobs has confirmed the kill-switch, and defends it as a "responsible" way to make sure they can deal with it if a malicious app finds its way into the App Store.

    Get with the times, editors!
    • Re: (Score:3, Insightful)

      by El_Muerte_TDS (592157)

      But the URL being talked about in this /. post is not a kill switch as reported in earlier replies.

      So, this means that there is still a hidden kill switch in the iPhone.

  • by Nycran (1282174) on Monday August 11, 2008 @06:09AM (#24553455)
    More and more it feels like every iPhone belongs to Steve - people are just leasing it from him. There's just *no way* a phone should contact another server without the user knowing it or expressly permitting it, and there's absolutely no way in hell it should disable an application which the user deliberately installed, period. The end.
    • by shmlco (594907) on Monday August 11, 2008 @06:51AM (#24553667) Homepage

      "There's just *no way* a phone should contact another server without the user knowing it..."

      Actually, when you stop to think about it, every cell phone in existence does just that, as all of 'em continually poll local cell towers to tell the servers that they're in that particular neighborhood. You might not have known it's doing that, but it does.

      Then there's the fact that the iPhone checks iTunes servers for application updates, does push/pull on various and sundry mail servers, handles SMS messaging, will shortly begin checking for push notifications, checks who knows what stock and weather servers....

  • by spottedkangaroo (451692) * on Monday August 11, 2008 @06:11AM (#24553461) Homepage

    Where can I sign up for the really expensive phone with no buttons, locked into a single provider, that I can't modify or enjoy in any way (except the approved ways I suppose).

    I'd really like one of those.

  • by fabs64 (657132) <beaufabry+slashdot,org&gmail,com> on Monday August 11, 2008 @08:11AM (#24554093)
    How is this practically any different?
