
iPhone Application Key Leaked

Posted by kdawson
from the sign-early-and-often dept.
HighWizard writes with word from Engadget that the iPhone SDK Key has been leaked early. "We're not exactly sure how this all went down, but we trust Erica Sadun over at TUAW when she says that it appears that the iPhone's SDK key — which will probably be required by all 'official' third-party apps — has been leaked. Two different sites currently have the key posted, but it's all just for show until next month, when the SDK hits for real — and the code is undoubtedly changed."

  • Bummer :-( (Score:5, Insightful)

    by Whiney Mac Fanboy (963289) * <whineymacfanboy@gmail.com> on Monday January 28, 2008 @11:55PM (#22217584) Homepage Journal
    If you find something like this, you sit on it until after release. Now, Apple will probably update the release version of the SDK with a tighter authorisation system.

    Regardless, it's fruitless for Apple to try & stop free third party apps. If enough people are interested, there will always be someone able & willing to crack Apple's DRM.

    Oh, and here's a special message for any Apple Fanboi's in the house [188458a6d1...d43774.com]. (not my site)
    • by SpeedyDX (1014595) <speedyphoenix@NoSpAM.gmail.com> on Tuesday January 29, 2008 @12:01AM (#22217636)

      Regardless, it's fruitless for Apple to try & stop free third party apps.
      Yeah, the core of the problem is locking-in the SDK in the first place. They should adopt a less rotten attitude and just open it up for any developer to contribute free apps to the platform.

      OK, I'm done. Ready to take the karma beating.
    • Re:Bummer :-( (Score:4, Interesting)

      by webmaster404 (1148909) on Tuesday January 29, 2008 @12:02AM (#22217638)
      Exactly, just look at game consoles. Just a few days ago they managed to find a way to run homebrew code on the Wii without a modchip. All DRM is quickly broken if there is enough interest. I still don't get why they do it, if I get a computer, I should be able to run whatever program I want on it, change the OS, overclock it ETC.
      • Re:Bummer :-( (Score:4, Insightful)

        by Jeff DeMaagd (2015) on Tuesday January 29, 2008 @12:50AM (#22217980) Homepage Journal
        Game consoles aren't sold as general purpose computers. The hardware is purely a means to an end, what they're really trying to sell is the games. With the Wii, they're still hard enough to get in many places, I don't think they want to sell them to people that aren't going to be buying the games. With the other two consoles, they're sold at a loss with the intent that it will be made up for in licence fees, so it's not necessarily in their best interest to let you do just anything with them.
        • by dissy (172727)
          Why is that my problem?
          Sounds to me like they fucked up in pricing on the console, as well as the games.

          But who the hell are you and me to tell large companies how to do their thing?

          They wanna sell it for $400? Ok, I'll buy it for that. Now quitchurbitchin bout what I do with my own property, plzktnx.
      • Re: (Score:2, Interesting)

        by Anonymous Coward

        Just a few days ago they managed to find a way to run homebrew code on the Wii without a modchip. All DRM is quickly broken if there is enough interest.
        You must have a different definition of "quickly" than me. The Wii has been out for well over a year.
      • Re: (Score:2, Insightful)

        by enoz (1181117)

        if I get a computer, I should be able to run whatever program I want on it, change the OS, overclock it ETC.
        You mean like you can do with your cellphone, GPS, microwave, digital watch, and PlayStation 1?

        I do however agree with your sentiment in relation to general purpose personal computers, I dislike having TrustedComputing forced onto us as much as the next nerd.

      • Re: (Score:3, Insightful)

        by LKM (227954)
        This is kind of a hard problem. In principle, I agree. I bought the damn machine, now let me do whatever the hell I want with it. It's kind of insane that I have a PS3 sitting next to my sofa and pretty much all I can do with it is play games. I could install Linux, but then I'd have to cope with the hypervisor... It would be great if I could just run unlicensed third-party apps inside the normal PS3 interface. Stuff like VLC would be really useful on something like the PS3.

        On the other hand, you can't have
        • by Bert64 (520050)
          Well, piracy can also make a platform...
          The original xbox got a lot of sales from people who modded them, a console where you can throw in a large HD and copy games to it is far more useful than juggling physical media, and projects like xbmc attracted users too...
          A lot of Amiga users bought the system because it was easy to copy the games onto blank floppies..
          PC gaming owes a lot of its success to piracy too.
          • by LKM (227954)
            There are cases where piracy is good for a platform, but your examples don't show that. Piracy on the original Xbox was not widespread, so attach rate remained high, and the Xbox wasn't exactly a success, anyway. Piracy on the Amiga was really bad for the system; it's one of the reasons why a lot of games moved from the Amiga to the Genesis and SNES, which - in part - eventually killed the Amiga. The same applies to PC gaming. Piracy on the PC is bad for PC gaming, not good; see PC sale numbers of games lik
            • by Bert64 (520050)
              Piracy never killed the Amiga, that was merely an excuse...
              Commodore's incompetence killed the Amiga.
              I knew a lot of Amiga owners, of varying age ranges... Of those, typically the adults had a lot of legit games, while the kids (who couldn't afford many games anyway) had a few legit games, and tons of copies they got from school friends. The ability to trade games with people at school was quite often the deciding factor for buying an Amiga, and later became a significant factor for buying a PC.

              And as you p
      • Actually, it seems like game consoles are DRM's greatest success story. While the PC game industry founders thanks to the people who say "You can't, like, own intellectual property, man," game console makers continue to sell games and turn a profit. Why is this? Well:
        1. There are no third-party console makers, so you can only buy your console from Microsoft/Sony/Nintendo. There are no grey-market companies selling consoles minus restrictions, as there are for DVD players. The closest you can get is a modchip:
      • That's why the 360 isn't cracked wide open already. Lack of interest. And why the PS3 is even less cracked - no interest. Sure. Yea.
    • Re:Bummer :-( (Score:5, Insightful)

      by TubeSteak (669689) on Tuesday January 29, 2008 @12:02AM (#22217642) Journal

      Now, Apple will probably update the release version of the SDK with a tighter authorisation system.
      What makes you think that crackers got the key from the SDK's "authorization system" and not from an Apple insider?
    • by tgd (2822)
      And even worse for anyone who's had to go through the (very painful) process of jailbreaking 1.3, it means likely having to do it AGAIN.
    • Re:Bummer :-( (Score:5, Informative)

      by Admiral Ag (829695) on Tuesday January 29, 2008 @12:25AM (#22217816)
      Forgive me if I misunderstand you, but where does it say that Apple is not going to allow free app downloads?

      I can see why they would want an authorization system, because they have already expressed their worries about iPhone malware. Moreover, Apple was going to have to distribute the apps anyway, because most people use iTunes to manage their iPhones. The hackers among us will find a way around it, but the idea seems to be to protect ordinary users, not frustrate the uber leet among us (of which I am not one).

      I'd be surprised if there weren't free downloads anyway along with the pay stuff. It may well be in the interest of some developers to offer free apps that complement their pay offerings or web services. The kind of small widgets that people will make are free anyway (and Dashboard widgets tend to be free). Podcasts are free, so it's not like iTunes doesn't already offer free content. Hell, they offer free DRMed songs every week.

      In any case, even if the apps do start off on a pay basis, I'm guessing that pressure from developers will lead to free apps being offered.
      • Re: (Score:3, Insightful)

        Forgive me if I misunderstand you, but where does it say that Apple is not going to allow free app downloads?

        It's not that Apple is not going to allow free app downloads - the issue is how much Apple will charge to sign your app.

        If the charge is anything other than $0, it becomes impractical for third party developers to offer their apps for free.
        • by cybereal (621599)

          Forgive me if I misunderstand you, but where does it say that Apple is not going to allow free app downloads?

          It's not that Apple is not going to allow free app downloads - the issue is how much Apple will charge to sign your app.

          If the charge is anything other than $0, it becomes impractical for third party developers to offer their apps for free.

          Apple could easily take the route of S60v3, and allow the conscientious user to disable the security requirement. Furthermore, if they were to copy UIQ3.x then the signing would only matter if you wanted core device access to automated usage of trusted components.

          For example, if a malicious app writer could get you to install their app on your phone, they could use it to call 1-900 dialers or spread a virus right from your phone. They could benefit in no way and it wouldn't stop malware authors. Many w

          • Re:Bummer :-( (Score:4, Informative)

            by Mr2001 (90979) on Tuesday January 29, 2008 @04:07AM (#22218914) Homepage Journal

            Apple could easily take the route of S60v3, and allow the conscientious user to disable the security requirement.
            They could, but is there any reason to believe they will? Has Apple ever passed up an opportunity to take advantage of platform lock-in?

            And as a truly responsible geek, you really should go out and look at the pre-existing signed application schemes before you continue this nonsensical panic. Even if you only look at the ones I've referenced here today (Nokia's S60v3+ and Sony Ericsson's UIQ3.x)
            Well, let's add Qualcomm's BREW to that list as an example of why the "panic" is appropriate.

            Ask any of the tens of millions of customers affected by BREW in the US about the last time they installed a free app on their phone, and if you're lucky, they'll describe a trial version of a game that disabled itself after 15 minutes. If not, they'll just laugh at the absurd concept of putting software on their phone without paying a monthly subscription or a hefty up-front charge.
            • by LKM (227954)

              Has Apple ever passed up an opportunity to take advantage of platform lock-in?

              Yes. Although they usually do it if they think it improves usability.

        • OK. I see what you mean. But I would point out that Apple already offers links from their OS X Downloads page to thousands of apps for OS X. Presumably, they try out these apps to make sure that they aren't malicious before they link to them, because it would be a major PR bummer if they were distributing malware from their own site (insert joke about MS Office demo here). Similarly, Apple vets podcasts to make sure that "Bob's Super Live Porno with Chickens" doesn't make it into iTunes (thereby disappoint
        • by Aladrin (926209)

          If the charge is anything other than $0, it becomes impractical for third party developers to offer their apps for free.

          Does it? I'd gladly pay $1 to release -anything- I wrote for the iPhone. I'd pay $10 to release anything worthwhile. And I'd pay $25 to release anything awesome that I wrote.

          Beyond that, if it's -really- that amazing, it's not hard to stick a PayPal "Donate" button on your site and collect funds towards release. If others think your app is worthwhile as well, you could easily get up to $200 in donations towards its release, even if people only donated $1 each.

          People will really be upset at Apple for it

    • Re: (Score:2, Interesting)

      by amsr (125191)
      Who says Apple is going to prevent "free" applications? Just because they want to sign apps that go on the phone, doesn't mean you have to pay for them. They likely want to protect the network. In any case, very high quality freeware/shareware are a large part of the value of the Mac and have been since its inception. I seriously doubt they would stand in the way of this on the iPhone. Time will tell..
    • by oman_ (147713)
      It seems likely to me that the key is going to be tied to the 1.1.3 firmware and not the SDK in particular.
      If the key is NOT on the phone side it has to be on the iTunes/PC side which is easy to crack.

      If I were to design the security system to keep unauthorized applications off of the phone I'd put the final security check on the phone itself. This would prevent anyone from just making their own application for uploading software to the phone. If the key is phone side then this isn't possible.

      If the key I
  • by clambake (37702) on Tuesday January 29, 2008 @12:04AM (#22217654) Homepage
    ... when the SDK hits for real -- and the code is undoubtedly changed.
    ... and re-leaked.
    • Re: (Score:3, Interesting)

      by BitZtream (692029)
      Not likely, where I work, we use public/private key pairs to sign all code that goes out the door. Each developer has their own key pair for doing internal work on components which must be signed to work in our system, and only myself (I'm the lead developer/buildmaster) and the CEO have the password to the master certificate. One of our developers COULD leak their key. At which point I would promptly point to the part of their contract which stipulates doing so is grounds for immediate termination.

      Consid
    • by Shivetya (243324)
      all for show and a great way to keep up the interest on techie sites.

      All the little leaks do amount to keeping nerds talking about it, some slowly convincing themselves that once the SDK is out they can "now" buy one
  • by Mr. Ksoft (975875) on Tuesday January 29, 2008 @12:09AM (#22217706) Homepage
    09 f9 11 02 9d 74 e3 5b d8 41 56 c5 63 56 88 c0?
  • I like the iPhone because it's fun but why are we fighting so hard just to make it run programs that we want? Does anyone see something totally wrong with this? Sure DRM will always get broken but Apple also has a history of screwing users who do. I'm in the market for an iPhone but this constant back and forth is giving me pause. I don't want Apple to nickel and dime me for every little thing that I put on the iPhone, especially since I would be stuck for 2 years with it.


    • I like the iPhone because it's fun but why are we fighting so hard just to make it run programs that we want?

      The main reason Apple wants to control 3rd-party apps on the phone is because they've got a commitment to AT&T not to allow users to circumvent their traditional cell phone profit centers. This is: Ringtones, SMS, and cell phone minutes. If the thing were an open platform, the first thing people would install would be a VOIP client and an SMS app that uses email addresses instead of SMS phone
    • Re: (Score:3, Insightful)

      by pimpimpim (811140)
      That's why I, who never ever buys first generation hardware, bought the EEE the day it came out here in Europe. They made a few mistakes in the beginning, concerning making the source available, a "warranty void" sticker on the RAM lid, but immediately improved in this. Mine had just a neutral "eeepc sticker" on the RAM lid and the source is available on the front page of their eee service site.

      The idea is simple, buy this machine and do with it what you want. They support only their part, but the rest is

  • Meh (Score:5, Insightful)

    by MrCopilot (871878) on Tuesday January 29, 2008 @12:40AM (#22217912) Homepage Journal
    I wish I cared, I tried extra hard but still nothing.

    If I want a phone I can modify I should buy a phone that allows it.

    Is the iPhone sleek and sexy? Of course, but so are a host of supermodels that I would not want to get into a 2 hour conversation with let alone a 2 yr relationship.

    I feel the same way about the iPhone, I'd like to play with one for a little while, but that's about it.

  • by enoz (1181117) on Tuesday January 29, 2008 @01:00AM (#22218034)

    We're not exactly sure how this all went down, but we trust Erica Sadun over at TUAW when she says that it appears that the iPhone's SDK key -- which will probably be required by all 'official' third-party apps -- has been leaked.
    Next month, when the SDK comes out, apparently this key may or may not work. Fantastic!

    Here's another SDK key that was apparently discovered on a blog so is probably true:
    47 6F 47 65 74 41 46 69 72 73 74 69 4C 69 66 65

    "It's true, a blog confirms it!"
  • by Myria (562655) on Tuesday January 29, 2008 @01:49AM (#22218356)
    The purported key is only 16 bytes. There is no current public-key algorithm capable of maintaining security at a 128-bit key size. If that's a legitimate key, it's definitely a symmetric key. Symmetric cryptography has the obvious problem that the device necessarily must have the key inside of it somewhere, meaning that a reverse engineer could find it.

    If Apple used a symmetric key to protect against unauthorized software, it would imply incompetence with cryptography. I highly doubt this is true. It's more likely that it's not.
    • by dgatwood (11270)

      Good. I was afraid I was the only one who noticed that. 128-bit RSA can be cracked in minutes on a typical computer... maybe an hour.... I'm not sure what those numbers are, but there's no way they are what these people are claiming.... That's probably short by at -least- an order of magnitude.

      • by Myria (562655)
        More like less than a second on a 3 GHz P4 (although this only has minute granularity):

        (22:10) gp > p=nextprime(random(2^64))
        %1 = 6011673201679823947
        (22:11) gp > q=nextprime(random(2^64))
        %2 = 6987193563793194751
        (22:11) gp > factorint(p*q)
        %4 =
        [6011673201679823947 1]

        [6987193563793194751 1]
    • by BitZtream (692029) on Tuesday January 29, 2008 @02:42AM (#22218650)
      It's far more likely that it's simply an md5 fingerprint or something silly. One of the blogs listed in the summary is for a guy who loves stringing people along in an extremely retarded way. Definitely some attention issues. Either way, I'm not aware of any public/private key systems that would be considered very secure with a 128 bit key since you need a considerably larger key size with public/private key systems because you're limited to using prime numbers and stuff like that. While I'm not sure of the exact time involved, but since 1024bit certificates are considered 'weak' nowadays, I doubt cracking a 128 bit private key would be extremely difficult, especially with the possibility of using distributed computing over the internet. It's either a hash or a symmetrical encryption key used to obfuscate something to have the hax0rs waste some time, or a horrible implementation. You pick
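
Added example, not part of the thread: a runnable comparison of the two designs argued over in the comments above, a symmetric key stored on the device versus a verification-only public key. Lamport one-time hash signatures stand in for the public-key scheme so that only the Python standard library is needed; the function names and sample app images are constructed, and nothing here describes Apple's actual mechanism.

```python
import hashlib
import hmac
import secrets

def H(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def digest_bits(app: bytes) -> list:
    """The 256 bits of SHA-256(app), most significant bit first."""
    d = H(app)
    return [(d[i // 8] >> (7 - i % 8)) & 1 for i in range(256)]

# Scheme A: symmetric tag. The verifier (the phone) must hold the signing key.
def mac_sign(key: bytes, app: bytes) -> bytes:
    return hmac.new(key, app, hashlib.sha256).digest()

def mac_verify(key: bytes, app: bytes, tag: bytes) -> bool:
    return hmac.compare_digest(mac_sign(key, app), tag)

# Scheme B: Lamport one-time signature. The verifier holds only hashes of the
# secret values, so it can check a signature but cannot produce one.
def lamport_keygen():
    sk = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(256)]
    pk = [(H(a), H(b)) for a, b in sk]
    return sk, pk

def lamport_sign(sk, app: bytes) -> list:
    return [sk[i][bit] for i, bit in enumerate(digest_bits(app))]

def lamport_verify(pk, app: bytes, sig) -> bool:
    if len(sig) != 256:
        return False
    checks = [hmac.compare_digest(H(s), pk[i][bit])
              for i, (bit, s) in enumerate(zip(digest_bits(app), sig))]
    return all(checks)

def compare_schemes() -> dict:
    approved = b"vendor-approved app image (constructed sample)"
    unapproved = b"unapproved app image (constructed sample)"

    # A: everything stored on the device is assumed readable by its owner.
    device_key = secrets.token_bytes(16)   # 16 bytes, like the purported key
    recovered = device_key                 # the same bytes, read back out
    tag = mac_sign(recovered, unapproved)

    # B: the device stores pk only; sk never leaves the vendor.
    sk, pk = lamport_keygen()
    sig = lamport_sign(sk, approved)
    from_public = [pk[i][bit] for i, bit in enumerate(digest_bits(unapproved))]

    return {
        "symmetric_unapproved_accepted": mac_verify(device_key, unapproved, tag),
        "lamport_approved_accepted": lamport_verify(pk, approved, sig),
        "lamport_replayed_sig_accepted": lamport_verify(pk, unapproved, sig),
        "lamport_public_only_accepted": lamport_verify(pk, unapproved, from_public),
    }

if __name__ == "__main__":
    for name, accepted in compare_schemes().items():
        print(f"{name}: {accepted}")
```

With the symmetric design the device's own key validates any image, so the signing secret has to stay off the device for the check to mean anything; a Lamport key pair is good for one signature only, which is why deployed systems use reusable public-key signatures instead.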
  • by Kaenneth (82978) on Tuesday January 29, 2008 @02:30AM (#22218576) Homepage Journal

    The key I got from an Apple insider is: 01 02 03 04 05
  • Why should developers FIGHT against the hardware manufacturers? Independent developers are doing a huge favour providing interesting apps on a platform. If the manufacturers don't want that, why bother? There are tons of other open and interesting platforms out there, Android being only the latest...
  • Apple wants to sell hardware. They always have. The problem is, they can't distribute that hardware in the US and some other countries unless carriers will support it. Carriers want total control over what goes onto and comes off of your handset. They make crazy money on ringtones, mini java applications, and overcharging for text messages.
