Last night, an anonymous tipster pointed us to this Austin Heap webpage that purportedly reveals the iPhone's secret Application SDK key. Another tipster, also anonymous, then tipped me to iPhone "Elite" developer Zibri's blog, that shows the same key. So what does this mean? Since all iPhone applications must be properly signed for iTunes to process them and for the iPhone to load them, this key suggests that hackers are closer to creating compliant IPA application bundles for home-brew iTunes distribution. With the proper key, developers can create and distribute applications that load through iTunes without Apple's blessing.
Reader Comments (Page 1 of 2)
1-28-2008 @ 3:39PM
FoundInTheFlood said...
sounds Hullabaloo !!!
Reply
1-28-2008 @ 3:52PM
Hecktic said...
o my i almost dropped my iphone when i read this, but wtf?
Why are we releasing/leaking everything when the SDK is not even out yet?
i soft updated my iphone to 1.1.3, and its not all that, went back to 1.1.2, so i defintly can wait till apple makes a move with the SDK puts some apps up and then we stick it to them, can anyone keep a secret these days?
im not trying to wait till 1.1.4 because everyone couldn't keep their mouths shut ( current drama between nate/dev team )
but i guess, "a secret between two people is only good when one of them is dead"
Reply
1-28-2008 @ 4:16PM
krye said...
Why does everyone have to ruin a good thing? Why can't people just leave well enough alone?
Reply
1-28-2008 @ 4:24PM
DistortedLoop said...
Yep, Apple's sure to change the key now.
Reply
1-28-2008 @ 4:33PM
Bender Bending Rodriguez said...
What kind of dumbass releases the key before the SDK is released. I say it's bogus.
1-28-2008 @ 4:28PM
Greg said...
And this is a good thing why? That's all I need, an authentication key available to anyone who wants to write malicious code for my iPhone.
Reply
1-28-2008 @ 4:40PM
DrWho said...
Good point
1-28-2008 @ 4:48PM
calvin said...
Wouldn't that require you installing an application from an untrusted source?
1-29-2008 @ 8:58AM
Jasarien said...
If you read the article, it says that the key would allow the app to be distributed through iTunes. Isn't iTunes considered a 'trusted' source?
1-28-2008 @ 4:39PM
stainboy said...
as a potential customer for third-party apps, i'd actually prefer purchasing and installing software through iTunes. i would presume there would be some sort of quality control involved before the software would be allowed in the store. sorry, but i have enough trouble getting a good AT&T signal, let alone deal with some malware or buggy application knocking my phone out of commission.
Reply
1-28-2008 @ 4:43PM
Zeke said...
This is not a good thing, unless you are OK opening up your iPhone to malware.
Obviously we want free application development on iPhone, but unless you want to compromise on security, the ball is in Apple's court to allow such a thing. Let's hope they do the right thing and make third party development both open and secure.
Leaked keys and the like might allow third party apps, but that's just the clean face of the technical reality - proof-of-concept code is already out there showing that malware can infect an iPhone, and continued hacked development that relies on leaked keys or security explots will leave this possible.
Reply
1-28-2008 @ 4:51PM
punkassjim said...
Are you not jailbroken? Because every single jailbroken phone is susceptible to malware. Blows my mind that, even given that fact, malware isn't a problem on jailbroken phones yet. I fully agree with you in this regard, but I also would like to be able to programs I'VE written onto my phone for free. Make sense?
I don't know if this is a real report, but I just don't understand blabbing it about. Makes no sense.
1-28-2008 @ 7:11PM
Zeke said...
punkassjim, I was jailbroken, but I decided to upgrade to 1.1.3 anyways and "virginize" it. I, too, want to put *my* programs on the phone, without any artificial restrictions. However, the jailbreaking method currently in place cannot protect your phone (more than patching an exploit). There may not be malware out there yet, but when there is, you will not have a way to protect yourself from it. For each one of "your" programs, you open up your iPhone to potential others.
Apple needs to be responsible and create an environment that is both open AND secure. I doubt it will happen, but I am unwilling to keep my iPhone vulnerable to exploits just so I can run third-party software.
1-28-2008 @ 5:03PM
James said...
Signing isn't a bad idea when you have a staff that can control and manage the signed binaries. I think most consumers don't have a staff period, so it just doesn't belong on a consumer device.
The worst case is, without signing the security of the iPhone is the same as the security of any computer running a general purpose OS. Considering the iPhone doesn't run Windows, we should have some hope that it's not about to be assaulted by an army of viruses.
Reply
1-28-2008 @ 5:12PM
Fritz Laurel said...
I'll wait for the SDK, but I'll keep this knowledge in case the SDK offering is less than stellar.
Reply
1-28-2008 @ 5:13PM
frogbat said...
mmm interesting. I hope to see lots of third party development especially for the touch (cos that's what i have :D) i'd love a voip client for the iphone would be great for work as we use an asterisk based pbs...
am i the only one that thinks apple underestimated both the power of their touch platforms and the demand for these devices to run more software?
Reply
1-28-2008 @ 5:18PM
The Brad said...
This is not good folks. Apple has slowly but surely listened to consumers almost every step of the way since the iPhone was launched: 3rd party apps? check. Compensation for early adopters after price drop? check. Multi SMS? check. GPS? kinda sorta check. Why antagonize them now?
Reply
1-28-2008 @ 6:26PM
TAK said...
I'm quite sorry, but one major problem people are having right now is the fact that Apple is simply NOT listening to their customer base. The limitations of the iPhone is an obvious example, the current version of Java in Tiger/Leopard is another.
They are only changing because their customer base is extremely frustrated and taking things into their own hands. They have no choice but to continue playing catchup (except the only difference is that they have all the proper tools to implement everything as it should have been in the first place)
1-28-2008 @ 5:32PM
SimpleSurvival said...
Don't worry too much about the fact that the key was leaked before the SDK. Apple prolly will change the key, but thats no big deal... They'd prolly change the key even after the SDK comes out once it got leaked...
If this key is legit, then its a proof of concept. Someone was able to get the key... When apple changes the key, they'll do it again, and every single other time until Apple comes up with a "more secure" way to keep you from running apps on your phone.
Reply
1-28-2008 @ 5:44PM
jnichols959 said...
i assumed the key was for the individual app developer, allowing apple to have individual accountability for things like, um, leaked keys? in theory it could also allow them to revoke the ability to publish through iTunes apps signed by a known bad key - like this one.
maybe it did come from apple and maybe they're watching it spread through whatever means knowing where it came from :) then again this was all an ass-umption on my part. having one global key like you all are implying certainly sounds ridiculous.
Reply