https://iphone-services.apple.com/clbl/unauthorizedApps
Jonathan Zdziarski, an iPhone hacker, says nothing has been blacklisted as of yet. However, the mechanism is there, and the iPhone could call in on occasion to see what has been blacklisted. Zdziarski says that Apple could have the ability to shut down applications you've purchased from the App Store.
While this may sound like a privacy violation, our sources tell us that Apple has put this tool into place as a security measure to shut down rogue apps if needed, and it could simply be a proof of concept that hasn't yet been implemented for actual takedowns. We're not convinced that this is new, considering that the only entry in the unauthorizedApps list is dated "2004" and is clearly a test entry.
[via Engadget & Macrumors]













Reader Comments (Page 1 of 2)
8-07-2008 @ 11:36AM
Unregistered said...
mmm, mal.licio.us sounds like a great URL!
8-07-2008 @ 1:32PM
Jason Hung said...
Haha, indeed it does.
Anyway, I think a simple workaround is if you've jailbroken your phone and you want to use an illegal app, you'd just edit /etc/hosts and for iphone-services.apple.com route to 127.0.0.1 until a patch is worked around.
8-07-2008 @ 3:24PM
punkassjim said...
Kudos to Jason for the suggested workaround, but here are my thoughts:
iPhone Atlas isn't linking directly to Zdziarski's original comments, but I'm seeing all over Google that he found this URL string deep within the CoreLocation framework.
Um...isn't anyone even entertaining the notion that this "blacklist" is set up specifically to disallow rogue applications from using CoreLocation? Kinda stands to reason, eh? The truth of the matter is, there's a LOT of potential for location-aware applications to do Bad Things without much—if any—indication to the end-user (meaning, Apple could inadvertently allow malware into AppStore). I see no evidence at all that this is linked to "remotely deleting your applications."
I just think people are jumping to some really quick conclusions, and there's enough shadow of doubt that I'm not inclined to point the "insidious" finger yet.
8-07-2008 @ 11:43AM
Eckofish said...
Do you think developers should get together and sign a M.A.D. petition to neuter Apple's power?
Just a silly thought :)
8-07-2008 @ 11:49AM
Chris said...
"Description" = "Being really bad!"; "App Name" = "Malicious"
Lol
8-07-2008 @ 11:50AM
Ryan said...
Holy crap, could you imagine if MS did this for the same reasons and still had it as a proof of concept as you believe. The backlash would be huge.
These past few months I have been liking Apple a little less every day :-|
8-07-2008 @ 3:42PM
icehawk said...
They do. Their CRL is at http://crl.microsoft.com/pki/crl/products/CodeSignPCA2.crl
Windows grabs it on startup.
8-07-2008 @ 4:10PM
Ryan said...
What are you talking about? Do you even know what a CRL is? It has nothing to do with what we are talking about, Microsoft is only going to sign MS applications - not some random 3rd party. On top of that you can disable the CRL checking if you don't care.
Look, I don't use MS products so I'm not shilling for them and Apple puts the dinner on my plate so I certainly am a fan, but if I bought a piece of hardware, I don't want anyone else's hands messing around inside of it. It's mine, stay the F**k out.
8-07-2008 @ 11:53AM
Richie said...
I really can't say I care, I don't think cydia or installer will magically disappear as long as they don't support pirated iPhone apps. Blacklist any dev from the repository allowance that throws up pirated apps, they are going to ruin it for everyone. :(
8-07-2008 @ 11:56AM
Hawkman said...
Of course, the real question here is how Malicious got through their rigorous initial vetting, if it's "really bad"? :)
8-07-2008 @ 11:58AM
Rich said...
You obviously haven't seen some of the available apps...
8-07-2008 @ 12:03PM
mrt2 said...
To the commenter in post #4, MS does this... it's called Genuine Advantage
8-07-2008 @ 12:13PM
Ryan said...
No, WGA does not disable third party applications. Having the ability to kill your own pirated software is one thing (of which we are not arguing here), killing third-party apps is another.
8-07-2008 @ 12:04PM
mrt2 said...
At #4, MS already does this... it's called Genuine Advantage
8-07-2008 @ 12:05PM
Roger Mudd said...
"... a security measure to shut down rogue apps if needed."
Why would this be needed? Surely Apple scrutinizes all the applications that it distributes via the locked-down App Store. Rogue apps shouldn't even make it to the marketplace under the current model.
8-07-2008 @ 12:37PM
ars_workerbee said...
There's no possible way the cows can escape the pasture. We don't need any plans to get them back if they do.
Oh hey, a tornado took out the fence. Guess we're screwed.
Same flawed logic. Look at the privacy issues we've already run into, with Aurora Feint, and the SMS spam from Loopt. Apple doesn't get the source to submitted apps, they get compiled binaries. If someone wanted to be truly malicious, they could cleverly hide something and set it off later.
8-07-2008 @ 12:15PM
Max said...
As long as it's not abused (eg, used to kill apps like NetShare), this is definitely a good thing.
8-07-2008 @ 12:34PM
massimo.berta said...
I can't see where privacy is involved here, Apple just knows which apps you've downloaded, plus, the iPhone just searches for a match on your apps list and blacklist... now if this is privacy don't tell anyone your name!
8-07-2008 @ 12:42PM
Anon said...
I of course expect Apple to be a company of honour and offer refunds to any user who has an application bought legitimately through the App Store removed remotely.
8-07-2008 @ 12:46PM
Josh Freeman said...
This was pretty clearly stated in the Apple keynote, where they talked about enterprises having the ability to disable apps and wipe info to protect confidentiality. Couldn't sell the iPhone to large corporations or the military without that capability.