interesting-people message



Subject: [IP] Re: iPhone can phone home and kill apps? - says yes


________________________________________
From: Jon Adams [n7uv.jon@gmail.com]
Sent: Thursday, August 07, 2008 10:09 PM
To: David Farber
Cc: ip
Subject: Re: [IP] Re: iPhone can phone home and kill apps? - says yes

There is a cellular-operator-led group called OMTP (Open Mobile
Terminal Platform) Alliance (www.omtp.org). This group has a strong
interest to establish an environment in the handset that is conducive
to being "open" to run new, standardized applications, not installed
at buildtime, that are "compatible" with the operator's network,
marketing needs and customer base, yet to be able to quickly
sequester applications when they are found to be incompatible
according to the operator's interpretation.

From my point of view as a cellular platform security architect, this
is an important tool to prevent the handset from becoming the next
playground for malware/phishware/pharmware. It's been demonstrated in
the past that aggregations of cellphones that are not playing nice
with the network have a strong potential to take down the network and
that there's real potential for that cellphone to become an e-wallet
and carry vital financial information. Cellular networks in general
are sparse, sometimes operating close to failure under peak
conditions. Minor hacks to that network delivered via a few cellphones
can do some impressive inconvenience.

This tool allows the operator (or potentially manufacturer) to
remotely enable and disable functionality, potentially get an idea of
exactly what software apps are on the phone, and to be able to execute
as necessary a blacklisting of applications deemed to be incompatible.
This decision is not one where you as a consumer will likely have much
of a say except to walk away from that carrier. But from the carrier's
PoV, it's a necessary tool to protect network resources and to ensure
that other customers are impacted as little as possible. However,
like all things, it may be used in ways according to other
motivations.

Cheers - Jon


On Thu, Aug 7, 2008 at 9:45 AM, David Farber <dave@farber.net> wrote:
> Nor to the best of my knowledge in S60
> ________________________________________
> From: Lauren Weinstein [lauren@vortex.com]
> Sent: Thursday, August 07, 2008 11:34 AM
> To: David Farber
> Cc: lauren@vortex.com
> Subject: Re: [IP] Re: iPhone can phone home and kill apps? - says yes
>
>> > https://iphone-services.apple.com/clbl/unauthorizedApps
>
> And that's with the assumption that this URL (seems bizarre to make
> it so easily identifiable) is what it appears to be.  If so, it
> should be possible to block in various ways (but are there hidden
> alternative paths?), though if the phone can't reach that URL for too
> long an interval maybe it "bricks" itself eventually.
>
> And what happens to an "unauthorized app"?  Does this vary based on
> severity as determined by the phone's remote regal masters at
> Apple?  Put up a warning message?  Block program execution?  Delete
> the program?  Melt the phone?  Or maybe just a voice announcement
> ("You have attempted to execute a program not authorized by Apple,
> Inc.  Please stay where you are until authorities arrive at your GPS
> determined location.")
>
> As far as I know anyway, nothing like this has ever appeared in the
> Microsoft mobile platforms (e.g. WM5 at least).
>
> --Lauren--
> Lauren Weinstein
> lauren@vortex.com or lauren@pfir.org
> Tel: +1 (818) 225-2800
> http://www.pfir.org/lauren
> Co-Founder, PFIR
>   - People For Internet Responsibility - http://www.pfir.org
> Co-Founder, NNSquad
>   - Network Neutrality Squad - http://www.nnsquad.org
> Founder, PRIVACY Forum - http://www.vortex.com
> Member, ACM Committee on Computers and Public Policy
> Lauren's Blog: http://lauren.vortex.com
>
>  - - -
>
>> It is interesting -- when Microsoft was suspected of being able to do the same type of thing, that is disable apps that it considered improper or damaging,
>> there was a yell that was heard around the world. Apple, with its shiny armor, gets mild noise. Hmm. djf
>> ________________________________________
>> From: ed.well.com@googlemail.com [ed.well.com@googlemail.com] On Behalf Of Edward S. Rustin [ed@well.com]
>> Sent: Thursday, August 07, 2008 2:43 AM
>> To: David Farber
>> Subject: Re: [IP] iPhone can phone home and kill apps? - says yes
>>
>> To take the other side of the argument - just because Apple =can=
>> blacklist applications doesn't mean it =will= blacklist applications.
>>
>> Surely it should not be a surprise that it's possible for applications
>> to be blacklisted, but I would be very surprised if the mechanism
>> exists (and that's assuming that it really does exist, rather than
>> this just being an unused setting tucked away in the code - has
>> anybody actually seen an iPhone/iPod Touch access this URL?) for any
>> purpose other than to kill a malicious application which somehow made
>> it through the Apple review process.
>>
>> We've already seen that applications can be pulled from the App Store
>> without affecting any of the existing installations - NetShare and
>> Aurora Feint for example, so it doesn't look like Apple is interested
>> in blacklisting an application just because it retroactively failed
>> their review process.
>>
>> Now take the example of an iPhone worm, or an application which had a
>> flaw that caused it to interfere with cell phone traffic, or a Trojan
>> Horse, say a game which also just happened to send your personal data
>> back to a server somewhere. In those cases would you not expect Apple
>> to be able to remotely kill the Application, or should they just leave
>> it be and hope that every iPhone user can just be persuaded to
>> uninstall it?
>>
>> On Thu, Aug 7, 2008 at 1:24 AM, David Farber <dave@farber.net> wrote:
>> >
>> > http://www.iphoneatlas.com/
>> >
>> > iPhone can phone home and kill apps?
>> >
>> > Posted 6 August 2008 @ 11am in News
>> >
>> > Apple has apparently included a blacklisting mechanism in iPhone OS 2.x via
>> > which the device can phone home, check for unauthorized applications, and
>> > disable them. The OS includes a URL that points to a page containing a list
>> > of unauthorized applications, specifically:
>> >
>> > https://iphone-services.apple.com/clbl/unauthorizedApps
>> >
>> > Per Jonathan Zdziarski, author of the book iPhone Open Application
>> > Development and an iPhone Forensics manual:
>> >
>> > "This suggests that the iPhone calls home once in a while to find out what
>> > applications it should turn off. At the moment, no apps have been
>> > blacklisted, but by all appearances, this has been added to disable
>> > applications that the user has already downloaded and paid for, if Apple so
>> > chooses to shut them down.
>> >
>> > "I discovered this doing a forensic examination of an iPhone 3G. It appears
>> > to be tucked away in a configuration file deep inside CoreLocation."
>> >