Researcher discovers targeted iPhone app "kill switch"
A mobile development author has discovered a mechanism in Apple's iPhone software that would allow the company to blacklist and remotely deactivate installed apps that have been purchased and installed by users.
The kill switch would offer Apple a more targeted weapon to snuff out offending apps than its existing capacity to revoke a developer's signing certificate, an action that could ultimately be used to shut down every application being distributed by a developer. The more accurate aim of the new system may leave the company less hesitant to use it in rooting out apps it finds undesirable.Â*
Jonathan Zdziarksi's iPhone Open Application Development indicates that the CoreLocation framework in the iPhone 2.0 (as well as the updated iPod touch firmware) points to a secure website that appears to contain at least placeholder code for a list of "unauthorized" apps.Â*
While it's unclear as to whether or not the operating system consults this site often or at all, its existence hints to Zdziarski the possibility of a kill switch that would give Apple final say over an app's ability to run, effectively putting all of the handheld devices under watch as long as they have an Internet connection.
"This suggests that the iPhone calls home once in a while to find out what applications it should turn off," he says. "At the moment, no apps have been blacklisted, but by all appearances, this has been added to disable applications that the user has already downloaded and paid for, if Apple so chooses to shut them down."Â*
The finding expands upon Apple's previously recognized capability to revoke developer's certificates in order to prevent execution of their apps, a power also held by other platforms that have the capacity for mandatory certificate signing, including the Symbian OS 9.1 or greater in use by Nokia as well as RIM's BlackBerry OS.Â*
As part of the security architecture for its mobile WiFi platform, as outlined by Apple chief Steve Jobs in October of last year, the iPhone SDK requires that each app that is made available through the App Store be signed by a security certificate, issued by Apple and unique to the developer.Â*The iPhone refuses to run unsigned apps unless its security system has been defeated by jailbreaking.
The most obvious purpose of requiring that all iPhone apps be signed is that it allows Apple to selectively approve developers and the apps that are distributed through the Apps Store. However, as the iPhone's certificate signing authority, Apple has always had the option of retroactively revoking certificates at any stage and rendering programs unusable. In order for this to happen, the iPhone would only need to consult Apple's servers to gain an updated list of revoked certificates. Once a developer's certificate was revoked, none of their signed apps would run, just as is the case with unsigned apps.
That type of control over third party apps has stirred controversy on other platforms before, as it demands full and complete trust in the company managing the certificate authority to behave fairly and in the interests of users. Apple, RIM, and others could theoretically abuse their control to revoke rights for competitors' apps, or to punish developers for arbitrary reasons.Â*Microsoft's Palladium project, which hoped to convert the PC into a similarly secured platform, failed because the industry as a whole did not trust Microsoft to exercise the vast power it would gain over the entire PC hardware market.
Apple has described its certificate signing program as a means of securing iPhones and iPods against viruses, spyware, malware, and material determined to be indecent. However, since the Apps Store opened nearly a month ago, the company has also pulled a few apps from the store, such as Nullrivers' NetShare, either without stating any reason or because those apps were found in violation of Apple's policies. In the case of NetShare, it appears Apple removed the app from the store in order to appease AT&T, which does not support Internet sharing tethering on the iPhone data plan.
While Apple has pulled apps from the store, it has not yet revoked any known developer's certificate, a move that would kill all their apps and could potentially prevent them from running on mobile devices after their purchase and installation. Certificate revocation would likely only be used by Apple in an emergency case, where signed apps in the wild were found to be malicious after the fact.
However, Zdziarski's findings suggest that Apple could use a more targeted blacklist site as a kill switch to disable specific apps. This mechanism could similarly be used to stop malicious malware, disabling viral apps before they have an opportunity to spread out of control.Â*It could also be used by Apple to give IT managers the ability to remotely disable apps from their employees' phones. Apple has already outlined plans for delivering custom corporate app deployment through a local version of the iTunes App Store. Being able to both remotely install and remove apps from mobile devices would be a highly desirable feature for IT managers in high security environments.
Apple has so far not exercised any of its revocation powers. Despite having removed apps from sale in the store, the company has yet to disable any apps that have been installed by users. A test item on the unauthorized apps listÂ*Zdziarski discovered is described as "malicious," suggesting that the Cupertino-based company behind the list is at least currently interested more in stamping out threats to its customers than it is policing the software on users' phones.
The kill switch would offer Apple a more targeted weapon to snuff out offending apps than its existing capacity to revoke a developer's signing certificate, an action that could ultimately be used to shut down every application being distributed by a developer. The more accurate aim of the new system may leave the company less hesitant to use it in rooting out apps it finds undesirable.Â*
Jonathan Zdziarksi's iPhone Open Application Development indicates that the CoreLocation framework in the iPhone 2.0 (as well as the updated iPod touch firmware) points to a secure website that appears to contain at least placeholder code for a list of "unauthorized" apps.Â*
While it's unclear as to whether or not the operating system consults this site often or at all, its existence hints to Zdziarski the possibility of a kill switch that would give Apple final say over an app's ability to run, effectively putting all of the handheld devices under watch as long as they have an Internet connection.
"This suggests that the iPhone calls home once in a while to find out what applications it should turn off," he says. "At the moment, no apps have been blacklisted, but by all appearances, this has been added to disable applications that the user has already downloaded and paid for, if Apple so chooses to shut them down."Â*
The finding expands upon Apple's previously recognized capability to revoke developer's certificates in order to prevent execution of their apps, a power also held by other platforms that have the capacity for mandatory certificate signing, including the Symbian OS 9.1 or greater in use by Nokia as well as RIM's BlackBerry OS.Â*
As part of the security architecture for its mobile WiFi platform, as outlined by Apple chief Steve Jobs in October of last year, the iPhone SDK requires that each app that is made available through the App Store be signed by a security certificate, issued by Apple and unique to the developer.Â*The iPhone refuses to run unsigned apps unless its security system has been defeated by jailbreaking.
The most obvious purpose of requiring that all iPhone apps be signed is that it allows Apple to selectively approve developers and the apps that are distributed through the Apps Store. However, as the iPhone's certificate signing authority, Apple has always had the option of retroactively revoking certificates at any stage and rendering programs unusable. In order for this to happen, the iPhone would only need to consult Apple's servers to gain an updated list of revoked certificates. Once a developer's certificate was revoked, none of their signed apps would run, just as is the case with unsigned apps.
That type of control over third party apps has stirred controversy on other platforms before, as it demands full and complete trust in the company managing the certificate authority to behave fairly and in the interests of users. Apple, RIM, and others could theoretically abuse their control to revoke rights for competitors' apps, or to punish developers for arbitrary reasons.Â*Microsoft's Palladium project, which hoped to convert the PC into a similarly secured platform, failed because the industry as a whole did not trust Microsoft to exercise the vast power it would gain over the entire PC hardware market.
Apple has described its certificate signing program as a means of securing iPhones and iPods against viruses, spyware, malware, and material determined to be indecent. However, since the Apps Store opened nearly a month ago, the company has also pulled a few apps from the store, such as Nullrivers' NetShare, either without stating any reason or because those apps were found in violation of Apple's policies. In the case of NetShare, it appears Apple removed the app from the store in order to appease AT&T, which does not support Internet sharing tethering on the iPhone data plan.
While Apple has pulled apps from the store, it has not yet revoked any known developer's certificate, a move that would kill all their apps and could potentially prevent them from running on mobile devices after their purchase and installation. Certificate revocation would likely only be used by Apple in an emergency case, where signed apps in the wild were found to be malicious after the fact.
However, Zdziarski's findings suggest that Apple could use a more targeted blacklist site as a kill switch to disable specific apps. This mechanism could similarly be used to stop malicious malware, disabling viral apps before they have an opportunity to spread out of control.Â*It could also be used by Apple to give IT managers the ability to remotely disable apps from their employees' phones. Apple has already outlined plans for delivering custom corporate app deployment through a local version of the iTunes App Store. Being able to both remotely install and remove apps from mobile devices would be a highly desirable feature for IT managers in high security environments.
Apple has so far not exercised any of its revocation powers. Despite having removed apps from sale in the store, the company has yet to disable any apps that have been installed by users. A test item on the unauthorized apps listÂ*Zdziarski discovered is described as "malicious," suggesting that the Cupertino-based company behind the list is at least currently interested more in stamping out threats to its customers than it is policing the software on users' phones.
Comments
The application I Am Rich was pulled today also.
... thank God.
Trash like that was just going to drag the App Store down to an all-time low.
And this news isn't anything to worry about, as best I can imagine. Apple hasn't abused it, if this is indeed what it does (we don't know), and if it is what it does, it would be nice to know they have the ability to immediately solve a serious problem caused by an app from the App Store, rather than having to wait to address it with an update.
---
The finding ultimately confirms the existence of the complete app signing system promised by Apple chief Steve Jobs in October of last year and implemented with early versions of the iPhone SDK for outside developers.
I don't really see any indication this has anything to do with code signing? There's no signatures on that web page. I'm not sure why this is considered to confirm "the existence" of the app signing system - we've seen it in the iPhone SDK since the beginning...
It looks like they're using standard hierarchical naming pattern (i.e. com.mal.icious) which I'd guess is unique to each app.
As foo_bar said, what you're saying makes no sense and is plain incorrect! This has nothing at all to do with code signing.
Now, say Apple kills a paid for app, will they also refund the purchase price to the consumer? I would think it would be unfair for Apple to let apps slip through their security system, yet still keep people's money, should a problem arise.
On the subject of Netshare -- yeah, I'd rather it be on the App Store, but really, what did we expect -- we all know how carriers have behaved in the past. Hopefully the app shows up through Installer.app or something at some point. I do feel for the developer and the loss of potential revenue though.
The application I Am Rich was pulled today also.
I hadn't heard of it, Gizmodo does have a story on it. That's just a twisted stupid program.
I don't know if anyone has mentioned the 22 tip calculators in the app store. I most of them are a waste of an icon, though there is one that's a basically mini-reference that covers international tipping customs, not that I expect to need that any time soon.
My first thought is is it legal? Do they have the right to tell me I can't have an app on my phone? If I legally bought it and installed it on my phone, what right do they have? I am not leasing the phone from them.
Did you check the terms of service that you previously agreed to? Did you perhaps agree that Apple can change the terms of service without notice?
Did you check the terms of service that you previously agreed to? Did you perhaps agree that Apple can change the terms of service without notice?
Why would anyone read the terms of service when it's just so much better to bitch about rights and Apple's abuse of such than to acknowledge what you already agreed to.
Why would anyone read the terms of service when it's just so much better to bitch about rights and Apple's abuse of such than to acknowledge what you already agreed to.
I think what everyone is seeing is Apple showing it's true colors here.
It's obviously not about putting out a superior product anymore.
2.0 - Buggy and unstable as is 2.01
Mobile Me - Advertised as True Push and can't deliver
20x More countries this month - Cha Ching for Steve
3g Coverage in the USA - AT&T poor coverage, they went to Verizon first & they cover most of the USA.
App Store - Give me a break, if an app like "I am Rich" can make the list for $999.99 and is 1 screen. Hello... Wake up Apple, you look Stupid for even allowing this to pass your rigourous QC check to make the store with the other 237 tip calculators.
GPS - Why put it on the phone if you are going to make someone pay for Turn by Turn directions.
Voice Dialing - On the cheapest phones and a safety hazard without it.
I could go on but I'm upset I paid for a plastic piece of crap that is going to crack with lousy coverage and voice quality.
I'm amazed this phone is even considered in the category of "Smart Phones". Because out of the Box it's really DUMB!
One last note. Give us fricking Video and not QuickTime and YouTube. Flash, Windows Media, Real Networks.
It's a joke I have a full browser and can't view 50% of the web pages because they aren't built like Apple wants.
Get rid of the Square and give the phone some video viewing capability and I'm not talking Video Conferencing, I'm talking viewing web pages. I'm tired of looking at that dumb square that says "I can't play your video becuase I'm not smart enough".
If you bought and paid for malware that Apple didn't realize was Malware until later, would you still want it or would you want this kill switch?
That's an either-or fallacy. The phone could just as easily inform you that Apple thinks one of your apps is malware or compromised, suspend the app, but allow you to remove the suspension yourself. That's what they would do if their primary concern was the customer's wellbeing.
==========
We are all together on ONE network when we use a mobile phone. No longer can we just disconnect from the internet at home or at work to isolate our computer or, in this case, our mobile phone.
Should we trust Apple to do the right thing or should we trust EVERY user, worldwide, on the mobile network?
How do we prevent all the potential terrorists, pranksters, and unknowing, unskilled users from screwing things up?
Obviously, we can focus on Apple, and, since Apple is working for itself and the greater good, I would prefer Apple to have this control.
we should get rid of elections and congress and get us a dictator he will work in the best interest of the common good.
That was just a really poor argument, and a dangerous one...
we can't trust everyone so take freedoms away from everyone so I can feel a little more secure(weather or not you actually are more secure is debatable)
- We have nasty nit-pickers posting under assumed names about writing mistakes and then posting three more times about how their posts have been removed (hint, this is almost entirely irrelevant to the thrust of the article.)
- We have the usual collection of selfish fools, whose first thoughts concern whether Apple is going to pay them for this (perceived) slight. (again, extreme irrelevance)
- We have paranoid conspiracy nuts who believe that evidence of a list of possible bad apps on a managed portable device is so "unusual" that it must be evidence of a giant conspiracy. (this kind of thinking denies the facts completely and isn't worth considering in terms of relevance)
In short, a complete mis-representation of what's actually going on (and not much is actually going on here at all), and uniformly negative, with the exception of those willing to just trust Apple because they are "good."
Or something.
.