
More Trouble In Apple's App Store

Posted by kdawson
from the phish-travel-in-squools dept.
quickOnTheUptake writes in to update the story of foul play in Apple's App Store, which we talked over on Sunday. The Next Web, which broke the story, now provides evidence of rampant App Farms used for theft in the store. Here is a summary of the problems TNW has seen, which includes large-scale break-ins of the App Store accounts of users worldwide. Apple has responded to the initial reports, has disabled the account of the initially fingered rogue developer, and has called on those whose accounts were misused to change their password and credit card. Both TNW and Engadget, at least, believe the problems go far deeper than Apple is admitting.
This discussion has been archived. No new comments can be posted.

  • by bradgoodman (964302) on Tuesday July 06, 2010 @03:47PM (#32816040) Homepage
    ...oh, like the antenna issue?!
  • by Kohenkatz (1166461) on Tuesday July 06, 2010 @03:48PM (#32816072) Homepage Journal
    Wait, wasn't this the whole reason Apple wanted to approve apps - so they could keep the garbage out?!
    • by emag (4640) <slashdot@@@gurski...org> on Tuesday July 06, 2010 @03:59PM (#32816302) Homepage

      No, the apps that compete with theirs. Otherwise, there'd never be all the fart apps and such...

    • Re: (Score:2, Informative)

      I'd say over 75% of the apps on the app store are either cookie cutter, functionally useless, don't work as advertised or completely ignore Apple's HIG. Apple doesn't mind this, however, because they enjoy putting out press releases touting they now have however many hundreds of thousands of apps in the App Store.
  • by WankersRevenge (452399) on Tuesday July 06, 2010 @03:51PM (#32816128)
    Problems or not, these apple stories are starting to feel like the slashdot version of Orwell's two minutes of hate [wikipedia.org].
    • by Anonymous Coward on Tuesday July 06, 2010 @04:03PM (#32816378)

      Apple gets tons of coverage when they do something good, so they will likewise get tons of coverage when they do something bad.

      You can't have your cake (pervasive marketing and mindshare) and eat it too (bad stories swept under the rug).

    • Re: (Score:3, Insightful)

      by h4rr4r (612664)

      So slashdot should stop reporting on them?

      I think slashdot has done a good job avoiding that on the main page, or else they would have more stories about the antenna issues and supposed fix.

      • by WankersRevenge (452399) on Tuesday July 06, 2010 @04:26PM (#32816766)

        I'm not complaining about slashdot reporting stories ... I'm saying that any Apple story - whether it be positive or negative - turns into people screaming their hatred for the company like it were a picture of Emmanuel Goldstein. In the ten years I've been visiting the site, I've seen this only happen to two companies: Microsoft and SCO.

        My point: Fuck apple ... I don't care about their rep ... it's this blind parroting that makes for a shitty discussion. If I wanted that ... I'd head over to Digg.

        • I'm not complaining about slashdot reporting stories ... I'm saying that any Apple story - whether it be positive or negative - turns into people screaming their hatred for the company like it were a picture of Emmanuel Goldstein. In the ten years I've been visiting the site, I've seen this only happen to two companies: Microsoft and SCO.

          When you get your moment of fame, be prepared for a pie in the face - these things always go hand in hand.

          Similarly, I think that the sheer scale of those attacks is good news for Apple in a sense that it is a great testament to their success in the market. This kind of fraud primarily targets platforms with large overall user count, most of whom don't have a clue as to how the tech actually works - like, you know, Windows. Looks like iOS has joined that club.

        • by Elbereth (58257) on Tuesday July 06, 2010 @05:23PM (#32817692) Journal

          I think you're actually on to something here, and you've hit the nail on the head as to why I can't stand reading slashdot for an extended period of time.

          If I ever needed to raise up an army of brainwashed minions who think they're impervious to brainwashing, I'd use slashdot.

          • by steelfood (895457)

            Let's play spot the troll!

            *points*

            Look ma, I found one!

            Actually, reality probably lies somewhere in between.

            Slashdot is an interesting place. It's a gathering of some of the most brilliant and free-thinking minds in the world and all of their groupies. What's more interesting is that both characterizations apply equally to each person here. We're geeks (or geeks-to-be). Our knowledge is specialized, focused, and usually at our level, obscure. Collectively, we know everything about everything, but no individ

        • by mean pun (717227)

          I'm not complaining about slashdot reporting stories ... I'm saying that any Apple story - whether it be positive or negative - turns into people screaming their hatred for the company like it were a picture of Emmanuel Goldstein. In the ten years I've been visiting the site, I've seen this only happen to two companies: Microsoft and SCO.

          And that's not even the worst:

          The painful torture of logic reasoning: Apple are evil because they are arrogant because they don't admit there is a serious problem which is serious because at least ten bloggers have said there is a problem. Curating is evil because it takes away our freedom to download shoddy and dangerous apps but they should have blocked all those fart applications. Oh, and curating doesn't work because it doesn't block each and every app that Joe Blogger thinks shouldn't be in the stor

          • by copponex (13876) on Tuesday July 06, 2010 @06:15PM (#32818344) Homepage

            Listen, when your marketing literally states that you are "changing the world" with your phone, and apparently you didn't properly engineer the antenna, your customers are going to complain bitterly. And then everyone who realizes that Apple is just Microsoft with better industrial designers and better marketing are going to laugh at the brand loyalists who got bitten again because Apple favors form over function.

            It's really not more complicated than that.

            • by mean pun (717227)
              This is exactly the kind of content-free critique I was trying to satirize, but it seems you're much better at it. In particular the 'Apple favors form over function' is classical, classical.
          • Because at least ten bloggers have said there is a problem.

            Actually, there's a class action lawsuit about the antenna problem. That suggests it's more than ten bloggers, but hey, don't let facts get in the way of your "satire."

            Curating is evil because it takes away our freedom to download shoddy and dangerous apps but they should have blocked all those fart applications.

            Actually, the argument, as I understand it, goes that if Apple were doing a good job curating, why are there so many useless apps? It seems

        • by LodCrappo (705968)

          For the most part I agree it's pointless, but the troll/haters do give you some measure on the "word on the street". A couple years ago, the tone was fairly pro Apple here and on some other sites I frequent. The Apple haters were the oddballs. Now, it seems the oddballs are the folks defending Apple, and the haters have become a majority. It's a trend that seems to be growing over the past year and seems to be ever increasing.

          So.. I do see some value in all this as a metric on Apple's place in the heart

        • by wall0159 (881759)

          While I agree there are plenty of examples of herd-thinking on /. I also think there are some legitimate criticisms of Apple being made (albeit repeatedly). I think criticism of the "walled-garden" is legitimate, for example. You will also find many people talking about MacOS as the best/most-secure OS out there too -- as another poster said, it cuts both ways.

    • by something_wicked_thi (918168) on Tuesday July 06, 2010 @04:26PM (#32816770)

      Yep, Apple is a regular Jesus Christ, martyred all over Slashdot's front page.

      Let's count the ways that Apple is just like Emmanuel Goldstein.

      Emmanuel Goldstein was a fictional creation of the oligarchy to direct the hatred of the masses away from them.

      Actually, hmm, that doesn't sound the slightest bit like Apple. Let's try again.

      Goldstein was the purported author of a book that explains the way the oligarchy controlled the masses. Hmm, that could be analogous to DRM and closed platforms, but I'm still not really seeing it, since that makes Apple Big Brother and not Goldstein, although admittedly in the book, Goldstein is a fabrication of Big Brother, so maybe in a twisted way it works.

      Finally, Goldstein supposedly had a network of people undermining the ruling party. The party spread this information to create fear in the populace. I haven't seen Apple saying Microsoft or Google is infiltrating their customers and undermining them from within.

      Nope. All I can figure is that Apple is doing a bad job with the app store and you suck at analogies. But better luck next time.

    • Re: (Score:2, Insightful)

      by yuriyg (926419)
      More like O'Brien [wikipedia.org]. At first glance, he's an anti-establishment agent, determined to break down the oppressive system. But once he lures you in, you'll experience psychological pressure like never before and you will be assimilated!
    • The Two Minute Hate was mandated by The Party. Something tells me that Apple isn't the one organising bad publicity, other than by being completely inept.
  • by Mark19960 (539856) <Mark@[ ]equest.net ['fre' in gap]> on Tuesday July 06, 2010 @03:51PM (#32816134) Homepage Journal

    What happened there?
    They won't allow flash or 'widgety' apps yet allow apps that do nothing but get the developer points.
    A developer with almost 5,000 apps?
    So much for that 200,000 apps in the apple store.... perhaps half are fake?

    • by Dishevel (1105119)
      I would like Apple to tell us how many developers have over 500 apps.
  • Quick anecdote (Score:5, Interesting)

    by Anonymous Coward on Tuesday July 06, 2010 @03:53PM (#32816176)

    I know someone who works in the fraud prevention business and they allege that iTunes purchases and credit card fraud are strongly correlated. Their story goes like this: an iTunes purchase is made for an unknown app, and within minutes a very high value (basically max-out) charge is placed on the same card. The catch is that the max-out charge is placed with an *actual* card (presumably a cloned card) and since it is incredibly unlikely that every case is fraud abuse (a made up 'theft' story by the cardholder) there is something that iTunes is either doing directly or indirectly that is enabling this activity.

    Now the question for the armchair detectives is: is the iTunes purchase the moment of the leak of the card info (through some sort of hacked app), or is the iTunes purchase a test mechanism for the already stolen card info? Not being a big Apple person I haven't spent much time buying from the App store; is it possible to buy an app for someone else's device, or for a device that doesn't exist yet?

    • Re:Quick anecdote (Score:5, Informative)

      by mlts (1038732) * on Tuesday July 06, 2010 @04:10PM (#32816508)

      This is probably another quick and anonymous method of checking the validity of a stolen card. Before, credit card thieves would run cards through gas station card readers. This worked until the readers started prompting for the ZIP code of the cardholder.

      My solution? Consider either using iTunes gift cards, or if that isn't an option, put the CC info in, make purchases, then remove the information.

      • Re: (Score:3, Interesting)

        by Kitkoan (1719118)

        Consider either using iTunes gift cards.

        Gift cards like those worry me and I refuse to buy them for ANY company. I've seen too many people buy gift cards (that just use a number string) try to get the credit from the card after buying them to only be told that the number has already been used by someone else (they use them by using a Random Key Generator). And since it's just about impossible to prove that you were the first and only owner of it, you're typically SOL.

        • by Phroggy (441)

          I could be mistaken, but I believe iTunes gift cards are activated at time of purchase, which should prevent that from happening. Also, unlike other gift cards which are often used for multiple purchases, iTunes gift cards are used to apply a one-time credit to your existing iTunes account, so if it works the first time, you know nobody can steal it because the card is already worthless. Finally, I would expect that Apple should have the ability to track the activation and use of a given iTunes gift card

      • Re:Quick anecdote (Score:4, Interesting)

        by pseudorand (603231) on Tuesday July 06, 2010 @05:08PM (#32817448)

        > My solution? Consider either using iTunes gift cards, or if that isn't an option, put the CC info in, make purchases, then remove the information.

        TFA agrees with you ("Remove your iTunes card details and consider using gift cards where possible."), but using a gift card is a really bad idea. The article also says to "try prevent any iTunes purchases from clearing." These suggestions show a misunderstanding of the legal protections afforded consumers when we use credit cards.

        Under the law, you have 60 days to dispute credit card transactions. You can do this if the transaction has cleared (which is typically less than 24 hours). You can do this even if you've already paid your credit card bill. Your credit card company is required to refund the amount to your account until the dispute is resolved and help you in the dispute resolution process. The law has some antiquated restrictions about transactions occurring more than 50 miles from your home and technically gives you a liability of $50, and doesn't cover debit cards. However, both Visa and Mastercard have policies of zero liability that cover both credit and non-PIN-based debit transactions independent of how far from your home they occur. I've disputed numerous charges for various reasons, including having someone make a copy of my card in Mexico (I still had the card but the bank said it was a card-present transaction). Disputes have always been resolved quickly and in my favor. In short, using a credit card is the safest way to buy stuff. Always use a credit card for any purchase.

        Think if you'd used a gift card. Gift cards are like cash. If the purchase was fraudulent, you only lose the value of the gift card, but you have no way to get it back. I guess the safest way would be to reload your gift card each and every time you make a purchase for the exact purchase amount. I think that would be a bit annoying.

        • I use a very low limit card for on-line purchases, and for travel.
          Active limit is < $800, nominal limit is $10,000 if I go on-line to my bank's website and increase it.
          I've had to re-issue that card number only twice, once for a lost wallet, once for on-line fraud.
          -nB

          • by DJRumpy (1345787)

            It's far easier to just use a PayPal account which can be limited to exactly the amount needed for a purchase.

            If you don't want to go that far, just remove your card info altogether and put it in as needed for purchases.

        • Losing 20$ cash value is more palatable to me than dealing with the aftermath of fraud on my credit card, protections or no.
      • Some banks / credit cards allow you to generate temporary credit card numbers with a limit that you specify. The ones I've seen in use also tie themselves to the first vendor they are used with. So if first used on iTunes by you then cloned cards will not work elsewhere.
      • by Trillan (597339)

        Wait, what? How would me using an iTunes gift card prevent someone from buying stuff using my credit card number, if they have it? If the iTunes purchase is a test of a credit card number, it's clear that they're not getting in through the iTunes store. iTunes store doesn't show the numbers of credit cards registered with it. It's not like you can do a test purchase of a song and then buy jewelry!

    • by swb (14022)

      Any small purchase can be used to "test" to make sure the card info is correct. For physical cards it's often a gas station, but that doesn't work when the fraud is 100% electronic (ie, no fake plastic) so any system where you can make small, but, verifiable purchases before maxing the card out on a larger purchase is desirable.

      iTunes is great for that, but I've gotten calls about other small charges from my credit card company when they've flagged a questionable transaction.

    • Re:Quick anecdote (Score:5, Informative)

      by tlhIngan (30335) <slashdot AT worf DOT net> on Tuesday July 06, 2010 @05:05PM (#32817414)

      I know someone who works in the fraud prevention business and they allege that iTunes purchases and credit card fraud are strongly correlated. Their story goes like this: an iTunes purchase is made for an unknown app, and within minutes a very high value (basically max-out) charge is placed on the same card. The catch is that the max-out charge is placed with an *actual* card (presumably a cloned card) and since it is incredibly unlikely that every case is fraud abuse (a made up 'theft' story by the cardholder) there is something that iTunes is either doing directly or indirectly that is enabling this activity.

      Now the question for the armchair detectives is: is the iTunes purchase the moment of the leak of the card info (through some sort of hacked app), or is the iTunes purchase a test mechanism for the already stolen card info? Not being a big Apple person I haven't spent much time buying from the App store; is it possible to buy an app for someone else's device, or for a device that doesn't exist yet?

      The iTunes thing is a credit card test.

      If you think about it, if you steal a bunch of credit cards (e.g., hack a payment processor), the easiest way to test them is to run up a charge against something that has most people thinking is a normal charge.

      E.g., a lot of people have iTunes accounts, so get iTunes to run a charge and see if it goes through - you'll see this as a $0.99 billing mostly. The goal is to hide that 99 cent charge amongst hopefully other iTunes charges.

      Earlier this year, a payment processor was hacked (one used by one of my favorite stores) - it's unusual because the store itself doesn't store credit card data (they can't), but a bunch of people who used that store noticed the iTunes charges, while others noticed and saw the strange charges as well (too late).

      I don't think there's any credit card information being stolen from Apple (no app can get at it unless it key logs - at worst they'll get your iTunes account information as your credit card isn't transmitted to Apple at all - Apple looks up your stored credit card info).

      As for enabling the activity, I think it's because iTunes is quite popular - a good chunk of those doing online shopping have probably bought something from iTunes, thus the chance of burying a charge is greater, and there's probably some API that was hacked in order to rapidly test credit cards. Also, Apple delays charging for a week or so (to avoid multiple 99 cent charges, they'd rather do a batch charge) but iTunes does do a reservation for each charge to ensure credit is available.
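
The pattern described in this comment and earlier in the thread (a small card-not-present charge, then within minutes a near-limit charge on the same card) can be checked for on the issuer side. This is an added example, not part of the Slashdot thread or any commenter's code; the thresholds, field names, card tokens and sample transactions are all assumptions constructed for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumed thresholds; a real issuer would tune these per portfolio.
PROBE_MAX = 2.00                  # a $0.99-style "does this card work" charge
WINDOW = timedelta(minutes=30)    # "within minutes" in the thread
CASHOUT_FRACTION = 0.5            # share of the credit limit treated as a max-out attempt


@dataclass(frozen=True)
class Txn:
    card: str           # tokenised card reference, never the card number itself
    ts: datetime
    amount: float
    merchant: str
    card_present: bool  # True for a swipe of physical (possibly cloned) plastic


@dataclass(frozen=True)
class Alert:
    card: str
    probe: Txn
    cashout: Txn

    @property
    def severity(self):
        # An online probe followed by a physical swipe means the card data is
        # in use in two forms at once, as in the cloned-card reports above.
        return "high" if self.cashout.card_present else "medium"


def find_test_then_cashout(txns, credit_limit):
    """Return an Alert for each small online charge that is followed, within
    WINDOW, by a charge of at least CASHOUT_FRACTION of the card's limit."""
    by_card = defaultdict(list)
    for t in txns:
        by_card[t.card].append(t)

    alerts = []
    for card, items in by_card.items():
        limit = credit_limit.get(card)
        if limit is None:
            continue  # no limit on file: cannot judge what "max-out" means
        items.sort(key=lambda t: t.ts)  # transaction feeds often arrive out of order
        probe = None
        for t in items:
            if not t.card_present and t.amount <= PROBE_MAX:
                probe = t  # remember only the most recent probe
            elif (probe is not None
                  and t.ts - probe.ts <= WINDOW
                  and t.amount >= CASHOUT_FRACTION * limit):
                alerts.append(Alert(card, probe, t))
                probe = None  # one alert per probe
    return alerts


def _t(card, hh, mm, amount, merchant, present):
    return Txn(card, datetime(2010, 7, 6, hh, mm), amount, merchant, present)


# Constructed sample data (not real transactions).
LIMITS = {"tok_A": 5000, "tok_B": 3000, "tok_C": 3000, "tok_D": 2000, "tok_E": 2000}
SAMPLE = [
    _t("tok_A", 10, 7, 4800.00, "ELECTRONICS STORE", True),   # listed before its probe
    _t("tok_A", 10, 0, 0.99, "ONLINE MEDIA STORE", False),
    _t("tok_B", 9, 0, 0.99, "ONLINE MEDIA STORE", False),     # ordinary customer
    _t("tok_B", 9, 10, 35.20, "GROCERY", True),
    _t("tok_C", 8, 0, 0.99, "ONLINE MEDIA STORE", False),     # large charge hours later
    _t("tok_C", 12, 0, 2900.00, "TRAVEL SITE", False),
    _t("tok_D", 11, 0, 1500.00, "FURNITURE", False),          # large charge comes first
    _t("tok_D", 11, 5, 0.99, "ONLINE MEDIA STORE", False),
    _t("tok_E", 13, 0, 0.99, "ONLINE MEDIA STORE", False),    # fully electronic cash-out
    _t("tok_E", 13, 4, 1800.00, "ONLINE JEWELLER", False),
]

if __name__ == "__main__":
    for a in find_test_then_cashout(SAMPLE, LIMITS):
        gap = int((a.cashout.ts - a.probe.ts).total_seconds() // 60)
        print(f"{a.severity:6} {a.card}: {a.probe.amount:.2f} then "
              f"{a.cashout.amount:.2f} after {gap} min at {a.cashout.merchant}")
```

A small charge on its own is never flagged, since, as the comment notes, it is meant to blend in with the cardholder's ordinary purchases; only the pairing with a near-limit charge inside the window raises an alert.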

    • by DdJ (10790)

      Not being a big Apple person I haven't spent much time buying from the App store; is it possible to buy an app for someone else's device, or for a device that doesn't exist yet?

      Yes. The purchases are just like iTunes music purchases. They require an iTunes account. They're not bound to specific devices at all, they're bound to iTunes accounts. Even if you don't have an iOS device, nothing would stop you from going out and buying an app right now. If you ever did sync an iOS device to your iTunes library, the app would then install on that device (if you haven't deleted it from your library in the intervening time). Even if it's a hardware model and OS version that didn't exi

    • by cusco (717999)
      I personally think it's an Apple insider, actually. A couple of years ago anyone who had access to the store's database management tools had essentially free access to everything. People could literally dump a backup of the db to a USB hard drive and walk out the door with it. I'm sure they've tightened it up since then (well, moderately sure), so it would be interesting to see if the accounts getting attacked include new accounts or only accounts that have been around for a while.

      A laid-off developer
  • by shidarin'ou (762483) on Tuesday July 06, 2010 @03:54PM (#32816212) Homepage

    The hackers attempted to order a macbook pro. I called Apple support- who kept asking what product I was having a problem with. One insisted that I was viewing the Apple website through a Mac, so therefore the problem was actually with the Mac.

    Apparently they have no technical support/hacking section for their website- account issues don't exist according to them. I was finally able to reach level 2 tech support after faking a problem with my Macbook; where the account was flagged and order canceled.

  • by DevConcepts (1194347) on Tuesday July 06, 2010 @03:57PM (#32816268)

    Apple Farming?

  • New Credit Cards? (Score:5, Interesting)

    by fluch (126140) on Tuesday July 06, 2010 @04:14PM (#32816592)

    Wait, so they suggest customers to get new credit cards? Well, one thing I do not understand is this: the credit card information is with Apple, but I thought only Apple has access to this stored information. There should be no way for the bad guys to obtain my credit card information from there. If they have the credentials to my apple account they can make Apple charge my credit card without my authorisation. But in this case Apple would have to give me back this money as I did not authorise it etc. And as soon as I have changed my password ... the problem should stop (as long as they don't get my new password somehow)...

    Or what am I missing here?

    • Re: (Score:3, Interesting)

      by cusco (717999)
      Or what am I missing here?

      Stolen database backup? It's incredibly easy, and extremely embarrassing. Most companies don't want to admit, "Well, the intern that we foisted the backup jobs on gave the tapes to some guy in an Iron Mountain shirt and now we don't know where your data is." I know it's happened locally at least twice, and neither company fessed up to its customers.
    • There's no clear information on what is happening in the article, only speculation. Lots of charges were passed through Apple. There are a number of possibilities:

      1. Apple iTunes was hacked and account information was accessed.
      2. User's account information was phished/obtained/guessed and Apple iTunes is being used to ring up lots of charges.

      If it was #1, Apple is not being very forthcoming. If it was #2, then the user has to get new passwords.

  • Approved apps? (Score:5, Interesting)

    by fluch (126140) on Tuesday July 06, 2010 @04:21PM (#32816694)

    Just wondering: So if harm is done with apps approved by Apple ... isn't Apple then also liable for the fraud done by them?

    • Re:Approved apps? (Score:5, Insightful)

      by billy8988 (1049032) on Tuesday July 06, 2010 @04:34PM (#32816918)

      Nah...that's MS yardstick. If a rogue developer hijacks IE then it's a MS problem. If a rogue developer does something to Appstore then it is that damn rogue developer.

    • by socz (1057222)
      What do their ToS for buying, downloading, and installing apps on THEIR devices say?
    • Re: (Score:2, Insightful)

      You can bet a dollar to a doughnut that they have some clever verbiage buried deep down in the EULA that removes their responsibility in some meaningful way.

      BTW, who the hell is still visiting the crApp Store anyway? I froze my iTouch at 2.2.1 because I refuse to pay another $10 for the elusive Copy/Paste bug they failed to ship, or fix, in my rev. I downloaded all the free games, fart apps, tip computers, and two useful apps back in 2008 and never went back. Not all that impressed with the garden. In f

      • You can bet a dollar to a doughnut that they have some clever verbiage buried deep down in the EULA that removes their responsibility in some meaningful way.

        What company with an app store wouldn't?

    • Re: (Score:2, Funny)

      by agent_vee (1801664)
      Can't wait to see Steve Jobs e-mail reply to a user asking what Apple is going to do about this problem. "Just don't purchase those apps. -Steve"
    • by Trillan (597339)

      The apps themselves are harmless shit. There's no reason they shouldn't've been approved, unless Apple is going to reject apps for simply being lame.

      The problem is that someone (presumably the developer) has iTunes account names and passwords, and used them to buy the apps. There's conspiracy theories as to how, but the most likely possibility is shared or weak passwords. When you're talking less than 500 compromised accounts over 150,000,000 accounts, it seems possible these could just be the "password" ac

  • by ShopMgr (1639595) on Tuesday July 06, 2010 @04:32PM (#32816884)
    Yeah, there is an app for that...
  • From the article:

    One example is Brighthouse Labs with 4568 Apps, all virtually worthless.

    How does Apple approve of 4578 apps from one developer? I thought each app was audited? Or is some of the auditing done through heavy automation? Such that if you got Pacman approved whereby each dot you ate gave you one point, then you could make another pacman that each dot gave you 2 points, and the second version was automatically approved.

    • Re:4568 apps? (Score:5, Informative)

      by Bing Tsher E (943915) on Tuesday July 06, 2010 @05:08PM (#32817454) Journal

      The apps from that 'developer' are things like 'xxx Quotes' where there are quotes collections for many many different people. And slider puzzles where there are many different pictures. And recipe books.

      Basically the kind of 'stuff' where the actual codebase is a small container re-released over and over and over with different content.

      That's part of the problem in general with the 'little Apps' model Apple has developed. There are separate 'Web Radio Players' for each radio station, leading to thousands of different radio 'apps.'

  • How can a compromised developer account contain iTunes login information?

    Are the people who got hacked also developers on the App Store?

    How many accounts are known (publicly) to be hacked?

    Without more information, it's hard to take any of this as a serious breach... all of these actions could easily have been had by PC malware or Jailbroken phone malware, via the information black market.

  • I have to agree Apple is getting a ton of slashdot attention. Knowing Apple's reputation they probably plan and want the publicity. But lately they've been getting a lot of negative attention which is not a good thing.
    • by Aphoxema (1088507)

      I have to agree Apple is getting a ton of slashdot attention. Knowing Apple's reputation they probably plan and want the publicity. But lately they've been getting a lot of negative attention which is not a good thing.

      News for Apples, Stuff that Apples.

  • Is not requiring stupidly complex passwords to prevent brute force attacks on accounts. Even then however, if you give them out to a 3rd party, IT'S YOUR OWN DAMNED FAULT!!

  • Does this say anything about Apple security?

  • by gig (78408) on Wednesday July 07, 2010 @12:56AM (#32821868)

    The servers weren't even hacked. 400 accounts with guessable passwords were accessed. That is why the users were asked to change their passwords, and everybody got their money back.

    How much hysteria does there have to be around Apple before it's enough?

  • by sjonke (457707) on Wednesday July 07, 2010 @09:18AM (#32825032) Journal
    This is yet another ludicrous attack on Apple. The problem here is not that "rogue apps" have stolen your itunes account and credit card number, it is that these rogue developers have stolen itunes accounts/credit cards or purchased same from some other source and are using these to purchase their apps and make money, both from the purchases and the rising up in the charts. So, please, please just stop with this. Why do you idiots want to kill Apple? If it's because they don't make a phone that you like, well, that is really f-ing pathetic.
