Is anyone really surprised the iPhone has a "kill switch"?

Are people really surprised that Apple has the ability to remotely kill applications?

Based on news reports about Steve Jobs' statement that Apple does have a way to remotely remove/disable software on users' iPhones, there were a good number of blog posts diving into the issue. Several posts seemed to view this as a way for Apple to remotely disable your entire phone... but let's look at what was actually said:

But the real controversy started when Jonathan Zdziarski, author of the books iPhone Open Application Development and iPhone Forensics Manual, discovered a URL buried in Apple's firmware. That URL links to a file dubbed "unauthorizedApps" where malicious or simply bad apps might go once they disappear from the App Store.

So essentially they are providing the application equivalent of a "Certificate Revocation List" (CRL) used in SSL (a point I was glad to see made by one commenter on a post). If somehow an application gets through Apple's vetting process and is found to do "bad actions", Apple has a way to tell iPhones they should disable that application.

This very much makes sense to me... Apple needs to protect the trust users have in their AppStore. If something goes wrong, they do need a way to have rogue apps get shut down. A CRL-type of mechanism makes logical sense to me. I do agree with the article, though, that it would have been nice if Apple had disclosed this capability a bit more in advance.

I do understand the concerns various bloggers raised, though, about the centralization of control / power in Apple's hands. It is, however, their platform and so if you want to deploy your application on their platform you have to go along with whatever rules they may put in place. As a security guy, I have other questions, such as:

  • How is access to that list of unauthorized applications protected?
  • Who has the power to add applications to that list?
  • Could an attacker fake the site (via DNS poisoning or something) and shut down iPhone apps within an area?
  • How often does the iPhone "phone home" to check this list? On some regular interval like daily? Or only on power-ups?

The existence of a CRL-like mechanism is a double-edged sword. The company can use it to protect the network/platform... but attackers could also use it to shut down apps. The question to me is not whether or not such a list should exist... but how well is access to that list protected. Those would be some interesting questions to have answered....
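One way a client could handle the spoofing and freshness questions above, as an added example that is not from the original post and does not describe Apple's implementation. The function names, list format and key are all hypothetical, and HMAC stands in for a public-key signature so the code runs on the standard library alone.

```python
import hashlib
import hmac
import json

# Constructed demo key. HMAC is a stand-in: a shipping client would pin a
# public key in firmware, so extracting it would not let anyone forge lists.
DEMO_KEY = b"constructed-demo-key"

def sign_list(apps, version, issued, expires, key=DEMO_KEY):
    """Publisher side: serialize the list canonically and attach a MAC."""
    body = json.dumps(
        {"apps": sorted(apps), "version": version,
         "issued": issued, "expires": expires},
        sort_keys=True, separators=(",", ":"))
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return {"body": body, "mac": tag}

def accept_list(envelope, state, now, key=DEMO_KEY):
    """Client side: return (ok, reason) and update state only on success.

    state is the last accepted list: {"version": int, "apps": set}.
    On any failure the previous list stays in force, so neither a forged
    list nor a blocked fetch changes which apps are disabled.
    """
    body = str(envelope.get("body", ""))
    expected = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    supplied = str(envelope.get("mac", ""))
    if not hmac.compare_digest(expected.encode(), supplied.encode()):
        return False, "bad signature"            # spoofed host or tampering
    doc = json.loads(body)
    if not (doc["issued"] <= now < doc["expires"]):
        return False, "outside validity window"  # stale or replayed copy
    if doc["version"] < state["version"]:
        return False, "rollback"                 # older list re-served
    state["version"] = doc["version"]
    state["apps"] = set(doc["apps"])
    return True, "accepted"
```

With this shape, redirecting the device to a fake host only matters if the attacker also holds the signing key, which moves the question back to who controls that key and how often the client refreshes.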


Apple's iPhone as a platform for Skype, Gizmo, Jajah and everyone else...

With the torrent of media hype about Apple's new iPhone, one of the things that has surprised me is the lack of discussion about one of the aspects of the device that I find truly disruptive... it will be running a full version of MacOS X.  Now, granted, with 15 million blogs and countless web sites commenting on the iPhone in the past few days, I'm sure I've missed some where people have discussed this aspect, but to me it's a key element.

Consider this... if you have the full capabilities of MacOS X (which we don't yet know for certain but all of the Apple info seems to indicate it will have full MacOS X) - and you also have WiFi support and/or Cingular EDGE support - why not simply run the Mac version of Skype or Gizmo?   Or Yahoo Messenger or AIM? Or anyone else's softphone that runs on MacOS X?

The phone then becomes an extension of your contact/buddy list and can provide that kind of connectivity wherever you can get a WiFi or EDGE connection.  That to me is one of the fascinating aspects of the whole play.  The phone as an application platform - with a "standard" commercial operating system.

I suppose I should note that first out "announcing their support" for the iPhone were the folks over at Jajah (from where I got the picture), but unless I'm missing something there's not a whole lot for them to do. You go to a web page, enter in the number you want to call and Jajah calls you! With that in mind, it could be said that any web-based "click-to-call" service will be "compatible with the iPhone". I mean... you'll be able to start using Google's click-to-call right away as well. Now, perhaps there is more to Jajah's "support" than just seizing the moment to ride the coattails of the iPhone announcement (they do, after all, have a Jajah Mobile version of some type - I'd try it, but it won't work on my Blackberry from what I can see), but in any event it's a sign of the type of services that I can see being enabled as the iPhone rolls out.

Regardless, the iPhone will definitely be interesting as it allows Mac-based VoIP to be extended out to wherever the phone can have data coverage, be it WiFi or EDGE.

P.S. I'd definitely take one to try it out... oh, wait... that's right... Cingular doesn't offer service (or at least numbers) in Vermont!  I'll just have to live vicariously through others (or suck it up and get a number elsewhere and constantly be explaining to people in VT why I have a phone with a NY area code).


Round phones and other glimpses of the ITU fair in Hong Kong from Jan in Malaysia...

If you don't follow Jan Geirnaert's weblog, which he is now branding as www.skype-gadgets.com, it's worth checking out. He's a Belgian living in Malaysia and he mixes in commentary on Skype and VoIP hardware along with interesting notes about Malaysia, Hong Kong and that whole part of the world. Living on almost the other side of the globe from him, I find many of those posts quite interesting.

And he's often finding interesting news out about Skype... and pointing us to interesting gadgets. Take today's post on the "Cat-iq" phone from the ITU fair/trade show he's attending in Hong Kong. He has this picture and another, both of which you can click to see larger views. He doesn't yet provide more details or links... but it's interesting to see a glimpse into some of what people are coming up with over there. (And I'm guessing from the fact that it says "Wahlen" that this is perhaps from a German manufacturer.)

Anyway, do check out Jan's blog as he's often got interesting information.
