Sophos: Mac App Store applications can be pirated

Applications within Apple's Mac App Store can be pirated if developers do not code specific receipt validation systems into their products, researchers have found.

Applications within the Mac App Store can be pirated, a security firm has reported.

Developers who do not incorporate receipt validation into their applications risk having those applications pirated, Sophos said on Friday.

"Unfortunately, many of the applications in the App Store can be pirated without payment," Sophos senior security advisor Chester Wisniewski wrote in a blog post. "Developers of applications like Angry Birds appear to have ignored Apple's advice on validating App Store receipts before launching."

Applications within the Mac App Store can be pirated, security firm Sophos has reported. Screenshot: Charles McLellan

If developers have not included a receipt validation mechanism, then it is possible to reconfigure a paid-for application to run on other people's Apple IDs, without them needing to purchase the application, Wisniewski wrote.

On Thursday, alongside the launch of the Mac App Store, Apple issued a note to developers advising them to make sure their apps included receipt validation code "to prevent unauthorised copies of your application from running".

"Receipt validation requires an understanding of cryptography and a variety of secure coding techniques," Apple wrote.

The Mac App Store opened to consumers on Wednesday, but developers have been able to submit apps into the store since 5 November.

Security risks
The same technique used to spoof the Apple ID system could be used to embed "any sort of executable code" into pirated Mac App Store applications, Wisniewski wrote.

He believes there could be "a surge in markets for pirated applications that might just be booby-trapped to include unexpected surprises".

To protect their operating system, Mac OS X users should be cautious about downloading programs from sources they are unfamiliar with, Wisniewski said. "You should always be cautious of getting something for nothing," he added.
