Mac Apps already cracked and pirated, malware likely to follow

It seems that it only took hackers a few hours to figure out how to circumvent the protection mechanisms used by Apple to protect applications from piracy. It seems that the Mac App Store could be very transformation, just not in the way Apple had expected.
Written by Adrian Kingsley-Hughes, Senior Contributing Editor

It seems that it only took hackers a few hours to figure out how to circumvent the protection mechanisms used by Apple to protect applications from piracy. It seems that the Mac App Store could be very transformation, just not in the way Apple had expected.

How easy is it to pirate apps? This easy:

So what does it take in order to pirate an app from the Mac App Store? All you have to do is find the .dmg file hosted online somewhere. Sure, you can’t readily download premium apps without paying for them, from the App Store, but that’s never stopped files from ending up on pirate websites before. Once you’ve found the app, all you have to do is install it as you would any other application and then copy over 3 files (and/or folders) from any legitimate download that you’ve made in the App Store — even if it’s a free download (Twitter, for instance).

This method bypasses the app protection mechanism called "Receipt Checking" which is supposed to link Apps purchased to a specific Apple ID. 

It's not clear whether this vulnerability affects all Mac App Store apps, or only some. I have confirmation that it works for Angry Birds and plenty of reports to back up the suggestion that other apps are vulnerable to this technique.

Sean Christmann of Craftymind blames Apple for the mess:

So why are all of the app store developers in this position? Apples current documentation on how to validate receipts is fairly complex, but the sample code and Apple own instructions ask developers to validate against data that is entirely external to the binary itself. Worse yet, it instructs developers to validate against plain text data easily editable with any text editor.

He goes on to offer a partial solution to Mac App Developers:

  • Verify that the receipt bundle identifier matches the value for CFBundleIdentifier that you hard code into your application.
  • Verify that the version identifier string in the receipt matches the value for CFBundleShortVersionString hard coded into your application. If they do not match, verification fails.

But he also injects some realism into the debate:

At the end of the day, if your app is popular enough it’s going to end up on a pirated site, but for the time being, by following the instructions above, you can avoid having your app easily cracked with TextEdit.

Security experts worry that this mechanism could be exploited by hackers to spread malware to Mac systems. Here's what Chester Wisniewski of Sophos has to say:

Will the App Store lead to the same problem? No doubt some Mac users, also too cheap thrifty to pay, will succumb to the temptation of Googling to acquire these cool apps/games/utilities at no cost.

Unfortunately, as I demonstrate below, some applications downloaded from the App Store can easily be modified to include any sort of executable code you wish. It wouldn't surprise me to see a surge in markets for pirated applications that might just be booby-trapped to include unexpected surprises.

So a double-whammy security black eye for Apple on the first day of throwing open the doors to the Mac App Store.

Bad news for Mac App developers, potentially bad news for Mac users ... overall not a good start for Apple.

Editorial standards