Mac Apps already cracked and pirated, malware likely to follow

Mac Apps already cracked and pirated, malware likely to follow

Summary: It seems that it only took hackers a few hours to figure out how to circumvent the protection mechanisms used by Apple to protect applications from piracy. It seems that the Mac App Store could be very transformation, just not in the way Apple had expected.

SHARE:
TOPICS: Apple, Apps, Hardware, Malware
110

It seems that it only took hackers a few hours to figure out how to circumvent the protection mechanisms used by Apple to protect applications from piracy. It seems that the Mac App Store could be very transformation, just not in the way Apple had expected.

How easy is it to pirate apps? This easy:

So what does it take in order to pirate an app from the Mac App Store? All you have to do is find the .dmg file hosted online somewhere. Sure, you can’t readily download premium apps without paying for them, from the App Store, but that’s never stopped files from ending up on pirate websites before. Once you’ve found the app, all you have to do is install it as you would any other application and then copy over 3 files (and/or folders) from any legitimate download that you’ve made in the App Store — even if it’s a free download (Twitter, for instance).

This method bypasses the app protection mechanism called "Receipt Checking" which is supposed to link Apps purchased to a specific Apple ID. 

It's not clear whether this vulnerability affects all Mac App Store apps, or only some. I have confirmation that it works for Angry Birds and plenty of reports to back up the suggestion that other apps are vulnerable to this technique.

Sean Christmann of Craftymind blames Apple for the mess:

So why are all of the app store developers in this position? Apples current documentation on how to validate receipts is fairly complex, but the sample code and Apple own instructions ask developers to validate against data that is entirely external to the binary itself. Worse yet, it instructs developers to validate against plain text data easily editable with any text editor.

He goes on to offer a partial solution to Mac App Developers:

  • Verify that the receipt bundle identifier matches the value for CFBundleIdentifier that you hard code into your application.
  • Verify that the version identifier string in the receipt matches the value for CFBundleShortVersionString hard coded into your application. If they do not match, verification fails.

But he also injects some realism into the debate:

At the end of the day, if your app is popular enough it’s going to end up on a pirated site, but for the time being, by following the instructions above, you can avoid having your app easily cracked with TextEdit.

Security experts worry that this mechanism could be exploited by hackers to spread malware to Mac systems. Here's what Chester Wisniewski of Sophos has to say:

Will the App Store lead to the same problem? No doubt some Mac users, also too cheap thrifty to pay, will succumb to the temptation of Googling to acquire these cool apps/games/utilities at no cost.

Unfortunately, as I demonstrate below, some applications downloaded from the App Store can easily be modified to include any sort of executable code you wish. It wouldn't surprise me to see a surge in markets for pirated applications that might just be booby-trapped to include unexpected surprises.

So a double-whammy security black eye for Apple on the first day of throwing open the doors to the Mac App Store.

Bad news for Mac App developers, potentially bad news for Mac users ... overall not a good start for Apple.

Topics: Apple, Apps, Hardware, Malware

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Talkback

110 comments
Log in or register to join the discussion
  • Ok

    Software is piratable. Pirate software can contain malware.

    Got it. Is this restricted to Apples App Store?
    Richard Flude
    • Just for clarification ...

      Are lazy programmers restricted to Apple's App Store, too? You know, the ones who do things like not verifying the app's identifier strings during the app identifier string verification?
      RationalGuy
      • RE: Mac Apps already cracked and pirated, malware likely to follow

        @RationalGuy... Well, they <i>are</i> "verifying" the app's identifier string. The problem is that Angry Birds developers only used 2 of the 5 steps to properly validate their application. They only went as far as validating the CFBundleIdentifier and CFBundleShortVersionString stored in the applications Info.plist against the receipt's Info.plist. The problem with this is that in both instances, you can simply right-click and select "Show Package Contents" (on the application or receipt) and change them. In this instance, you'd change the CFBundleIdentifier and CFBundleShortVersionString in the application's Info.plist to point to and match a free App Store application's receipt like Twitter. Then your paid-for-app validates against Twitter instead of properly validating against its own receipt, and tells the App store, "Yup, I'm valid. Yessir. All valid here, and anybody can use me."<br><br>But you might run into problems using both Twitter and your paid-for-app at the same time, as both applications would be competing for and writing over each other's preference file.<br><br>[edit]<br><br>But, as the one commentor suggested, if you hardcode it in your application rather than relying on the Info.plist, you can help mitigate this problem.
        WarhavenSC
      • RE: Mac Apps already cracked and pirated, malware likely to follow

        @RationalGuy
        I like to do some system testing of your software some time. :)

        Unless you're a project manager because they always assume programs should be bug free from the get go and everything is easy to do.
        rengek
      • If you only follow 2 of the required 5 steps to do a thing ...

        @WarhavenSC

        ... then you are not doing that thing. Thanks for describing exactly how lazy these programmers were.
        RationalGuy
      • Are you trying to justify the lazy programming?

        @rengek

        I'm not sure what you're getting at with your post. When I write code, I test it myself and don't give it to anyone until I know it works. No code bugs are acceptable, but the only ones that should make it into a release should be ones that fall into unusual use cases, or unforeseeable circumstances.

        In this case, a programmer considered comparing two external unencrypted text files as being a reasonable application verification mechanism. Clearly, this person is either lazy or incredibly stupid. I chose to assume the best.
        RationalGuy
    • A higher standard was expected

      @Richard Flude
      Apple is shooting their own profits in the foot, not just those of developers.

      Given that Apple wholly owns, operates and developed the Mac App store, and takes a 30% cut of your sales, you'd expect security to be a little better documented, and that security measures beyond simple string matches to external sources would be a requirement for submission.
      Unless something changes, Apple has basically guaranteed that the Mac App store will not be as profitable as it should be, a serious mis-step from a company prized for its focus on quality control; simply put, they're getting sloppy, and it shows.
      dzdrazil
      • RE: Mac Apps already cracked and pirated, malware likely to follow

        @dzdrazil
        Apple dosen't take a single cent of your sales. You as a developer set the price you want for your product, add 30% mark up for Apple to do all your selling, distribution, cash flow, credit control and hosting. You just sit back and watch the money roll in. Its so easy.

        Get a Mac, get a hefty bank balance.
        Martin Kelly
      • Haha, only in Apple RDF land!

        @dzdrazil
        [i]Get a Mac, get a hefty bank balance.[/i]

        The average iOS app earns the developer approximately $1 a day. Apple likes to tout the couple exceptions as "proof" that their application storefront earns developers a lot of money but the truth is that you are better off playing the lottery.
        NonZealot
      • RE: Mac Apps already cracked and pirated, malware likely to follow

        @Zealot... Because at your fictional $1 a day, companies can apparently afford to pay their iOS developers the very real $86,000/year in Portland, OR, or $83,000/year in Cleveland, OH, based on average earning reports to simplyhired.com.

        [edit]

        Oh, and apparently the lottery also pays out more than $1 a day. F*ck me. Why haven't I been supplementing my income with a a ton of lottery tickets. According to Zealot, playing the lottery is practically a license to print money.
        WarhavenSC
      • @War: LOL! You really didn't think this one through

        [i]Because at your fictional $1 a day, companies can apparently afford to pay their iOS developers the very real $86,000/year in Portland, OR, or $83,000/year in Cleveland, OH, based on average earning reports to simplyhired.com.[/i]

        And unless that average company has some other revenue generating business, they will soon go bankrupt. But you knew that.
        communities-dominate.blogs.com/brands/2010/06/full-analysis-of-iphone-economics-its-bad-news-and-then-it-gets-worse.html

        There are a few massive success stories that Apple like to hype but the rest will [b]lose[/b] a [b]ton[/b] of money.

        [i]Oh, and apparently the lottery also pays out more than $1 a day.[/i]

        Yes, playing the lottery will absolutely give you revenue. The question is: how much does it cost you to earn that revenue? In the case of both the lottery and Apple's application storefront, a tiny minority will make a profit. The vast majority, however, will end up paying [b]far[/b] more than they will receive.
        NonZealot
      • Does nonzealot works for government

        Doesn't surprise. But those of us in the very competitive real world accept the challenges this represents. There's no guarantee a product will sell. <br><br>Apple has eliminated many barriers of entry into the software business. Many of us congratulate them for it and the diversity this produces. The government employee looks to controlled markets. <br><br>In a competitive market not everyone wins. Apple has given the greatest opportunity to anyone to at least participate. The quality of their offering and it's reception in the market determining the outcome. <br><br>Foreign concepts to the public servant, a lifestyle funded from the stealing from others.
        Richard Flude
      • That's not what Martin Kelly said.

        @Richard Flude: [i]Doesn't surprise. But those of us in the very competitive real world accept the challenges this represents. There's no guarantee a product will sell.[/i]

        Martin Kelly said:

        [i]Get a Mac, get a hefty bank balance.[/i]

        That was the point NonZealot was addressing.
        ye
      • Martin Kelly, that doesn't make any sense

        If someone marks up their software 30% to cover Apple's costs, a few things come to mind:

        1) will people buy a 299.99 dollar software package now that it costs 389.99 because you raised the price 30%?
        2) If they're willing to do so, why not sell it for 389.99 and keep all the money?
        AllKnowingAllSeeing
      • So no one was participating before?

        @Richard Flude
        It really does sound like you're telling us that nobody's ever competed before?

        Pretty massive software ecosystem out there right now, not counting "app stores".

        How was that possible?
        AllKnowingAllSeeing
      • Anyone that has sold software will recognize the advantage

        For the small developer in the App Store model and the opportunities it represents.

        It wasnt impossible before, just significantly harder.

        The ecosystem has become massive with the move.
        Richard Flude
  • AKH you should tell the whole truth not just part of it

    About a minute into the video, Chester says "Unfortunately Rovio did not use the best practices Apple setup for Mac apps".
    He then goes on to show how he could replace the Angry Birds executable for a Firefox webpage.
    Not exactly the way you tell.
    MG537-23482538203179240121698430309828
    • RE: Mac Apps already cracked and pirated, malware likely to follow

      @MG537
      Rovio not following best practices and being arrogant? They are by far the worst set of developers.
      Loverock Davidson
      • RE: Mac Apps already cracked and pirated, malware likely to follow

        @Loverock Davidson
        Arrogant is your middle name.
        choyongpil
  • malware

    downloading mac apps from pirate sites is dangerous. they can contain trojans. that has been the case since the dawn of times. nothing new here. just another phony click baiting hit piece with the word "apple" in the headline.
    banned from zdnet