iPhone feature could enable Apple to kill apps remotely
11:10 am EDT August 8, 2008 - Another technical writer has disagreed with author Jonathan Zdziarski's and the media's initial suppositions about whether the list he discovered on his 3G iPhone truly is a blacklist-in-waiting.
John Gruber of Daring Fireball points out that it's a Core Location blacklist, and that the "clbl" in the called URL stands for exactly that. Applications that use that portion of the iPhone code must follow some very strict rules for privacy reasons.
Core Location handles the iPhone's built-in GPS functionality. Applications can use this to become location-aware, and there would be obvious reasons why Apple may object to use of the built-in GPS, especially if it is used improperly. "There may well be some sort of kill switch that Apple can deploy to remotely disable an app that's already installed. But this list is not it," Gruber wrote.
11:49 am EDT August 7, 2008 - A developer has discovered code within the iPhone 2.0.x firmware that appears to allow Apple to blacklist apps, which could result in their removal from the iPhone without user interaction.
Developer and iPhone book author Jonathan Zdziarski revealed via iPhone Atlas methods by which Apple still maintains tight control over what is on the iPhone. The code lies in the CoreLocation portion of the software, and points to a URL, https://iphone-services.apple.com/clbl/unauthorizedApps, which appears to contain a blacklist.
Going to that address triggers the loading of code that lists apps by name, the date of entry into the list, and a description. Only one entry appears there now, though it could be some type of placeholder.
"This suggests that the iPhone calls home once in a while to find out what applications it should turn off. At the moment, no apps have been blacklisted, but by all appearances, this has been added to disable applications that the user has already downloaded and paid for, if Apple so chooses to shut them down," Zdziarski said.
Assuming Zdziarski's theory is correct, just how often the iPhone calls back to Apple to check this list is unknown. However, such a feature would expand upon another iPhone capability to prevent application execution through certificate revocation.
There, Apple can revoke the certificate in order to prevent the application from executing. Other mobile operating systems include such functionality as well, including Symbian and the BlackBerry OS. "Jailbroken" iPhones bypass this requirement, enabling the execution of applications not approved through Apple's own process.
While Apple defends its right to do so for security reasons, no doubt, such a practice rubs some the wrong way.
But at least one person says that the positives outweigh the negatives. "Is this something to be outraged about? Yes, it's creepy that iPhone can phone home and deactivate your apps, but the risk-reward is clearly in Apple's favor," Larry Dignan writes for ZDNet this morning.
Dignan points out that while the deletion of apps may annoy customers, on the upside, Apple gains some credibility in the enterprise sector for its remote wiping, it has some control over security, and it also has more control over its reputation -- something the company protects vigorously.
So far, Apple has used neither the certificate revocation nor this alleged blacklist for any application. While it has removed items from the App Store's catalog, those items continue to operate on phones on which they're already installed.