Pirates Make Off With Mac App Store Booty
The Mac App Store's smooth operations have been marred by a gang of pirates who found a way to manipulate receipts. "The problem highlights the importance of having strong processes as apps become more granular and have the opportunity of developing a broad usage base through app stores," said Al Hilwa, a program director at IDC.
Jan 7, 2011 11:55 AM PT
Within hours of Apple's unveiling of the Mac App Store on Thursday, hackers announced they had found a way to pirate apps on the site.
The hack took advantage of the fact that some apps don't validate receipts properly.
The first app hacked was the "Angry Birds" game.
Someone later claimed in a tweet to have hacked the game "The Incident."
The problem only affects apps on the Mac App Store, Sean Christmann, who blogged about one possible solution to the problem, told MacNewsWorld.
Yo Ho Ho and a Bottle of Rum!
A hacker using that old standby nom de plume "Anonymous" posted instructions on how to hack the "Angry Birds" game Thursday afternoon -- only hours after Apple had opened the Mac App Store.
The hack basically involves copying receipts from the Applications folder in the latest version of Snow Leopard into any app downloaded from the Mac App Store. The latest version of Snow Leopard, 10.6.6, includes the Mac App Store.
This technique apparently works because "Angry Birds" doesn't validate receipts correctly, according to Daring Fireball blogger John Gruber.
While "Angry Birds" checks for a valid receipt, it doesn't check to see that the bundle ID for the receipt matches its own bundle ID, Gruber said.
"The problem highlights the importance of having strong processes as apps become more granular and have the opportunity of developing a broad usage base through app stores," Al Hilwa, a program director at IDC, told MacNewsWorld.
Apple did not respond to MacNewsWorld's requests for comment by press time.
Goodness Can Lead to Pain
The root of the problem lies in digital rights management (DRM).
First, Apple put the DRM process for Mac App Store apps in developers' hands, Christmann said. Second, Apple tried to simplify things for developers.
One reason for putting DRM in developers' hands was to enable people who offer free apps to push their products, noted Christmann.
"If someone creates a free app he may want people to distribute it freely, so he may not want DRM," he explained. "There's a lot of free apps developers who don't want any DRM at all to touch their code."
Another reason may have been, ironically, to improve security.
"If Apple implemented full end-to-end DRM itself, that would be a single point of failure for a hacker to make an automated tool that could crack security," Christmann pointed out. "But, if developers each do their own receipt validation on their own, there's no single point of failure, so hackers can't create an automated tool to attack security."
What Simon Says May not Work
Finally, Apple was trying to make it easier for developers to follow its DRM rules.
"Most developers don't know this sort of stuff, so their inclination is to do what they're told or to find code and copy it into their apps," Christmann elaborated.
Apple's documentation on DRM is "very complex," he said, so the vendor tried to simplify things by suggesting developers read identifiers for apps from their Info P list.
However, the Info P list is an XML file that can easily be read and modified with a text editor, and that's what let the pirates in, noted Christmann.
Where the Buck Stops
Developers need to learn how to implement security and DRM, Christmann suggested.
"There's nothing broken in Apple's implementation, although they could update the language in their documentation and perhaps test this attack vector when people upload their apps to the Mac App Store," he said.
"The flaw is in the developer's implementation and the fix is entirely on the developer's side," Christmann added.
"It appears that at least some of the affected developers didn't follow Apple's explicit directions, which consist of five steps, so the company could rightfully claim that it isn't entirely to blame," Charles King, principal at Pund-IT, told MacNewsWorld.
Perhaps developers should hard-code their identifiers and version numbers instead of reading them off the P list, Christmann said.
The Mac App Store's newness could be partly to blame for its vulnerability to piracy, IDC's Hilwa suggested.
"Teething pains are par for the course for a new venture like this," he pointed out. "I'm sure Apple will lick this problem in the end."
However, solving the problem may cost more than seems worthwhile, at least in the short run.
"The problem is how to combine effective validation and due diligence in a way that isn't onerous for developers and is cost-effective for Apple," said King. "That's a significant challenge when you're dealing with products that sell for a few bucks a copy."