
Handy Light: Tethering App Camouflaged as Flashlight - ajg1977
http://appshopper.com/blog/2010/07/20/handy-light-tethering-app-camouflaged-as-flashlight/
======
jrockway
I wonder how many other apps on Apple's "guaranteed-safe" App Store have
hidden behavior like this? Since I can't actually audit the app code that runs
on my device (like by compiling it myself), nor can I audit the OS, I guess I
now have to _assume_ that any application on my iPhone is compromised. (+)

Apple should include a warning on the box to that effect.

(+) I don't actually own an iPhone.

~~~
wallflower
Apps are sandboxed. They can send and receive data over http/https at will.
Location sharing is much more audited in iOS 4. Your calendar data and some
address book data is not well protected. Your pictures are only accessible
through the camera roll UI; apps can't slurp them.

~~~
ajg1977
Contacts (and in iOS 4, calendar data) are completely unprotected. Just create
an instance of an AddressBook and go to town. Your pictures are only
accessible through the camera roll UI... IF the developer is only using public
APIs.

Since we can assume that there are no public APIs that support tethering
setup, we can also assume that it's still possible for them to be used in
rogue apps and for developers to have access to private data.

~~~
bombs
It's possible to create a tethering app using public APIs. The APIs for
HTTP/HTTPS connectivity and WiFi connectivity are public.

Apple rejects apps that use private APIs.

~~~
tomjen3
How does Apple actually scan for private APIs?

Couldn't you write the instructions necessary to make the private API call on
the stack at runtime and then simply execute an assembly jump instruction?

------
wallflower
I wonder why this guy thought sacrificing his iPhone developer status was a
good idea. If it gets 'remote killed', it was all for naught. Maybe he's going
Droid.

EDIT: He's just a kid

> Hi, I'm Nick Lee, an aspiring 15-year-old web designer and programmer. I
> consider ...

~~~
alextgordon
His app just hit the front pages of multiple high-traffic websites. It could
well have been an excellent idea.

~~~
glhaynes
Why? Does he have something else to sell? Assuming he doesn't, he's just put
his effort into learning what could be a valuable skill, but now can't work on
the platform (ever again?).

~~~
lsc
> Does he have something else to sell?

himself.

If he wants to get a regular job later /or/ if he wants to launch a product
later, having his name in the headlines helps quite a lot.

I don't want to say "there is no such thing as bad publicity" because there
is, but in this case, enough people, I think, will feel that a tethering
application is 'not evil' and that this was overall a good thing to make it a
net win for the programmer.

Even if Apple blocks him forever (I don't know their history... would they
really say "no, f-ck you" five years from now?) and even if the Apple platform
remains dominant (I will be very surprised if Apple continues its dominance
after Jobs runs out of spare parts.) there are plenty of companies that make
iPhone apps that I'm sure would be happy to hire the kid.

And there are plenty of other platforms out there to work on, too.

~~~
waterlesscloud
Just ask RTM.

~~~
lsc
Who or what is RTM? Remember The Milk?

~~~
thaumaturgy
<http://news.ycombinator.com/user?id=rtm>

aka Robert Tappan Morris. That's a name you should recognize. :-)

~~~
jpcx01
Nope. Give us the gist of it

~~~
davidw
<http://en.wikipedia.org/wiki/Robert_Tappan_Morris,_Jr>.

------
DenisM
I wish he'd release the source, then those of us with dev accounts would be
able to use it.

~~~
gmurphy
Here's the source to one that doesn't require flashlight shenanigans:
<http://wiki.github.com/tcurdt/iProxy/>

~~~
gojomo
Indeed -- any iOS developer ($100/year) can install this on their own phone,
_and_ give it to friends (by using one of the limited number of test-device
registrations), without jailbreaking.

~~~
pmjordan
It's rather annoying to give to your friends though, as you have to re-sign
the code once a month and dish out binaries to everyone again. Plus, you'll
run out of device codes quickly if you use your dev account to build apps for
clients (whose devices you need to register too).

~~~
ROFISH
You just need to give a new mobileprovision file every three months, no need
to update the app unless necessary.

I've always found it to be quite weird that the App Store is so closed, but a
person with a developer certificate and MobileProvision can install whatever
he wants and can do whatever he wants so long as the apps are codesigned.
$99/yr is less than a couple coffees a month (or a good sushi plate) and way
less than your phone bill, and is quite worth it for the bored hacker who
wants to keep the warranty.

------
markbao
God damn, it's been removed. Serious bummer to wait until iPhone 4 jailbreak
to get tethering.

------
geuis
I just attempted to buy this app. It's already been removed from the app store.
Bummer.

~~~
jonah
wow! :(

I attempted to buy it but it requires iOS 4. (I have a 2G...)

~~~
BRadmin
Tethering on Edge probably wouldn't be the best experience anyways. =)

------
evandavid
iPhone tethering is allowed on my carrier, but I got the app anyway because
setting up an ad-hoc WiFi network will allow me to tether my iPhone to my
iPad, as well as the fact that bluetooth tethering between Mac <--> iPhone is
flaky as hell. Will be interesting to see if Apple kills it, and if they go as
far as to kill it outside of the US where tethering is allowed anyway.

------
Legion
SOCKS proxy isn't really "tethering".

~~~
brainsik
True, but if you are on OS X, most of the apps will use the System Preferences
proxy settings, so most of your apps will Just Work.

Of course, you'll have to get tricky to use SSH via the SOCKS proxy, but it
can be done.

~~~
wallflower
SSH through a SOCKS 4/5 proxy:

1. Download and compile connect.c
(<http://www.taiyo.co.jp/~gotoh/ssh/connect.c> or
<http://www.meadowy.org/~gotoh/ssh/connect.c>).

    gcc connect.c -o connect -lresolv

2. sudo cp connect /usr/local/bin/connect-proxy

3. cd ~/.ssh
Add new config file as shown below (if existing, then be careful -
backup/modify)

File: ~/.ssh/config

    Host *
    ProxyCommand connect-proxy -R both -4 -S proxy:<proxy-port> %h %p

4. Test ssh to one of your hosts

Note: If you're not using the proxy, you need to disable the global config
with a script or something to nuke it on demand.
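
One way to avoid removing the global config by hand, as an added example that is not part of the original comment: OpenSSH's `Match ... exec` can apply the ProxyCommand only to chosen hosts and only while the proxy port is reachable. The host pattern `*.example.com` and the proxy address `192.0.2.10:1080` are constructed placeholders; the `connect-proxy` flags are copied from the comment above.

```sshconfig
# ~/.ssh/config  (added example; host pattern and proxy address are constructed)
#
# As posted: every SSH connection is forced through the proxy, so ssh fails
# whenever the proxy is not running.
#
#   Host *
#   ProxyCommand connect-proxy -R both -4 -S proxy:<proxy-port> %h %p

# Scoped: only hosts under example.com are proxied, and only when the SOCKS
# port answers within one second. ssh runs the "exec" command when it
# evaluates this Match line; exit status 0 makes the block apply.
Match host *.example.com exec "nc -z -w 1 192.0.2.10 1080"
    ProxyCommand connect-proxy -R both -4 -S 192.0.2.10:1080 %h %p

# All other hosts, and example.com hosts while the proxy is down, get no
# ProxyCommand here, so ssh opens the TCP connection itself.
```

ssh uses the first value it finds for each option, so this block has to appear before any broader `Host *` stanza that also sets ProxyCommand.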

------
fraXis
I was able to get this app before it was removed. I followed the directions
and it works perfectly on my Macbook Pro.

However, it only works with Safari. It does not work with Chrome, Firefox, or
any mail protocols (POP / IMAP / SMTP).

~~~
X-Istence
That is because Chrome and Firefox don't follow the system PROXY settings; you
will have to change those individually.

Mail.app works over the global system's SOCKS proxy; as such, it works without
any issues whatsoever.

------
donohoe
If true, I guarantee that Apple will use their “kill switch” to remove this
app from any iPhones that have it installed.

~~~
jmatt
I bought NetShare when it was briefly on the app store and it still works. Or
at least it did last time I was at my cabin a few months ago with my 3G.

If they were going to kill an app, I'd assume they would have killed that. And
they didn't. Or if they claimed to have killed it then they failed.

I bought this app. I'm more than willing to support the Rebellion. I
haven't actually verified that this app works as demonstrated but for a dollar
it's worth the risk. I have no intentions of paying another $20 a month to
AT&T.

~~~
DLWormwood
> I bought this app. I'm more than willing to support the Rebellion. I
> haven't actually verified that this app works as demonstrated but for a
> dollar it's worth the risk. I have no intentions of paying another $20 a
> month to AT&T.

As a current iOS developer, I’ve always wondered what the financial
repercussions of getting pulled from the App Store would be. I wouldn’t be
surprised if Apple refused to pay the kid his post-commission cut from what he
was able to sell due to this kind of hidden behavior.

~~~
bombs
The kid's under 18. You need to be 18 or over to sell apps in the App Store,
as per the agreement. They could choose to pull his apps, remove his account
and not pay him for that reason alone.

~~~
DLWormwood
That depends if the parent was involved in approving the agreement. When I
skimmed it last year when I first signed up, I remembered there being some
kind of “if the developer is under 18, have a representative of age read and
agree instead” clause, but it’s been a while.

