Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
×
Desktops (Apple) Security Apple

Mac App Store Apps Already Hacked 148

Stoobalou writes "The Mac App Store has only been open for 24 hours but methods for circumventing Apple's DRM are already hitting the Web."
This discussion has been archived. No new comments can be posted.

Mac App Store Apps Already Hacked

Comments Filter:
  • Sweet (Score:1, Funny)

    by KiwiCanuck ( 1075767 )
    it's about time hackers switched to apple. Leave use PC guys alone.
    • Re:Sweet (Score:5, Insightful)

      by Anonymous Coward on Friday January 07, 2011 @10:00AM (#34790800)

      Not PC guys, windows users. Linux and BSD users are quite happy with their PCs.

      • BSD? PC? (Score:3, Informative)

        by mschaffer ( 97223 )

        Well, The Mac is just an expensive PCs and OS X is based on BSD. So, what's your point?

        • How is this flamebait? How are current Intel Macs any different from other PCs? And OS X is based on BSD.

          • How are they different?

            On a hardware level: the Embedded Controller chip which stores the OSX encryption keys.

            On a software level: the pretty GUI, covered in chrome :)

            But seriously, I borrowed one (via VNC) the other day, and I'm starting to want a Mac.. and I'm a dyed-in-the-wool PC user (Linux, thankfully).

            • On a hardware level: the Embedded Controller chip which stores the OSX encryption keys.

              So it's a laptop with a TPM chip? That's not really Mac specific, is it?

              On a software level: the pretty GUI, covered in chrome :)

              That doesn't change that fact that it's a PC, that happens to come with a specific OS. Technically, you could install it on any other PC.

          • How are current Intel Macs any different from other PCs?

            Traditionally, "PC" is short for IBM PC compatible, meaning not just x86, but also BIOS.

            Granted nowadays PC is used as a colloquialism for "Windows computer", so maybe as EFI becomes more popular the original definition will cease to be true.

          • How are current Intel Macs any different from other PCs?

            Reality Distortion Field. Duh.

      • we dont have "linux PCs", you insentive clod. we have a linux BOXES.

        • AHEM.

          We call them Linux boxen because that's what it's akin to hurding!

          • Re: (Score:2, Funny)

            by Anonymous Coward

            I thought we called them boxen to prevent the spread of virii

        • Think about giving credit for the quote you use in your sig to the ever-famous Alfred E. Neuman [wikipedia.org] of MAD Magazine fame. MAD had been my go-to source for commentary re politics and culture (go figure) for quite a while.

          He's also been known to be a write-in candidate for various political offices.
    • ...because Apple doesn't make personal computers? Or did you mean, "us Windows users?"
      • Re: (Score:2, Funny)

        by Anonymous Coward

        Exactly, Apple does not make 'personal' computers. The machines are actually owned by Steve Jobs for all eternity, along with your soul if you ever decide to buy one. :P

      • ...because Apple doesn't make personal computers?

        Blame Apple marketing... "I'm a PC"

      • Pfft, you use Personal Computers?

        I prefer impersonal computers. My computer won't allow me to even use my name as a logon. I have to use user names like "Guy" or "Bloke", and themes are disabled.

    • Re:Sweet (Score:5, Informative)

      by beelsebob ( 529313 ) on Friday January 07, 2011 @10:34AM (#34791310)

      Don't worry, the article just has an inflamatory headline. It's not not apple's security that's been broken, it's the security of apps that haven't followed apple's documented method of verifying that they're installed in a valid way.

      • by Dexy ( 1751176 )

        Inflammatory headlines? In my /. ?

        It's more likely than you think.

      • So it's like early third-party Steam apps that didn't integrate with the Steam DRM so you could copy the game folder right out of the SteamApps\common dir and it would still work.
  • by Anonymous Coward on Friday January 07, 2011 @09:58AM (#34790778)

    Hate to link to the reg but their article is actually a bit more detailed:
    http://www.theregister.co.uk/2011/01/07/app_store_receipt_fail/ [theregister.co.uk]
    Note that this only works if developers ignored Apple's recommendations on validating receipts.

    • Exactly. Partly, I'm sure, that's because Apple's recommendations involve writing decidely non-Cocoa-ish code that's a little hard to understand if you've never done any crypto before, and they don't (for obvious reasons of security) provide sample "here it's all done for you, just copy and paste" code but describe the process and tell you to do it yourself in your own unique way. My guess, having looked at the quality of some of the apps on there, that a bunch of these apps were either a) written in a hu

      • Partly, I'm sure, that's because Apple's recommendations involve writing decidely non-Cocoa-ish code that's a little hard to understand if you've never done any crypto before, and they don't (for obvious reasons of security) provide sample "here it's all done for you, just copy and paste" code

        You mean, the obvious reason that they believe that obscurity adds significantly to security in spite of the massive evidence to the contrary?

        • by am 2k ( 217885 )

          You mean, the obvious reason that they believe that obscurity adds significantly to security in spite of the massive evidence to the contrary?

          Since it's a form of DRM, doing it "right" doesn't work, since there is no right way.

          btw, I'm someone who actually has implemented the recommended way of verifying those receipts. It took only four days and probably chopped off a few years until my first heart attack, so I can't really blame the devs who chose to skip the work.

  • by pyite ( 140350 ) on Friday January 07, 2011 @10:03AM (#34790852)

    The Mac App Store wasn't hacked. Developers aren't properly checking licenses when the app is run, so of course using any arbitrary license file will work. Complete FUD.

    • by Stoobalou ( 1774024 ) on Friday January 07, 2011 @10:05AM (#34790890)
      It doesn't say 'Mac App Store Hacked'... it says 'Mac App Store *APPS* Hacked', which is quite clear in my book.
      • by getNewNickName ( 980625 ) on Friday January 07, 2011 @10:33AM (#34791304)
        But it implies that all apps can be hacked, which is clearly misleading. Saying "Some Mac App Store Apps Already Hacked" would be more accurate, but much less sensational.
        • by jwietelmann ( 1220240 ) on Friday January 07, 2011 @10:44AM (#34791504)
          This headline is stellar by Slashdot standards. Count your blessings.
          • I come to Slashdot to debunk sensational headlines. I value any comments that bring clarity to the issue, not those that just parrot the sensationalism.
        • To be fair .... the headline isn't "All Mac App Store Apps Already Hacked"

          You were the one who assumed a totality. Which rarely exists [ notice I didn't say never ;-) ]

        • But it implies that all apps can be hacked, which is clearly misleading. Saying "Some Mac App Store Apps Already Hacked" would be more accurate, but much less sensational.

          The way you are reading it, it should say "All Mac App Store Apps Already Hacked" but they never said all. The way it is written only implies that Mac apps in the store have been hacked, which is correct.

      • by pyite ( 140350 )

        It doesn't say 'Mac App Store Hacked'... it says 'Mac App Store *APPS* Hacked', which is quite clear in my book.

        They're not even hacked! Since when does not implementing something count as being hacked?

        • by Tarlus ( 1000874 )

          The terms "hacking" and "hacker" have been carelessly misused for a very long time. When something as blatantly simple as manipulating a file in a package is considered to be an act of hacking, it makes me twitch, too. Kind of like the way that all the script kiddies in the world are referred to and feared as "hackers."

          • This reminds of a few days ago I saw on Sourceforge that stupid DDOS script kiddy program made for and by channers and half the comments were about 0wnz1ng people and the other half were people saying "it has a virus!" because mommys computer's Norton install started to freak out when it checked the signature of a known hacker utility

      • by stewbacca ( 1033764 ) on Friday January 07, 2011 @11:21AM (#34791998)

        But the summary says Apple's DRM has been circumvented.

        DRM isn't mentioned in the article, and it is clear from reading TFA that this has nothing to do with Apple's DRM scheme (that is not mentioned in the article), but a way to trick the Rovio app.

        Complete waste-of-time non-issue FUD.

    • They must have forgotten that a real Mac is a general purpose computer and not a walled garden like the iThings are.

      • Not for long. The iOS app store is a runaway success and has now been adapted for the desktop.

        It would surprise me Apple staff were not beavering away to retrofit most of the OS X APIs to their iOS counterparts, supplementing the new platform where necessary. Any obscure 'legacy' NeXTSTEP/OSX API will become deprecated. One API, one platform for iPod, iPhone, iPad, iMac.

        Want to run apps outside the walled garden? Install iOS Professional through their developer program or volume license iOS Enterprise.

  • by seanalltogether ( 1071602 ) on Friday January 07, 2011 @10:04AM (#34790872)
    Developers need to change their validation routine to better check that the receipt really belongs to them. http://www.craftymind.com/2011/01/06/mac-app-store-hacked-how-developers-can-better-protect-themselves/ [craftymind.com]
    • by hsmith ( 818216 )
      No it isn't. 90% of /. thinks all software should be free and piracy is awesome - but they themselves get paid outstanding salaries.
      • by bazmail ( 764941 )
        90%? Outstanding salaries? All slashdotters are hypocritical developers? Where did you get this information?
        • For the record, as a long-term Slashdot reader, my income for the last 3 years has been $0.00. And I'm not even dodging tax: I have to earn something to do that. I'm living off debt.
  • horrible title (Score:4, Informative)

    by I8TheWorm ( 645702 ) * on Friday January 07, 2011 @10:14AM (#34790998) Journal

    Did the poster read the article? Angry Birds can be copied freely by switching out a file used for Twitter because Angry Birds didn't use Apple's recommended security.

    I love to take jabs at Apple and the Cult of Steve, but this is a completely inappropriately titled article.

    • by nomadic ( 141991 )
      "Did the poster read the article? Angry Birds can be copied freely by switching out a file used for Twitter because Angry Birds didn't use Apple's recommended security." Angry Birds is an app. It was hacked. What's inappropriate about the title?
      • Re:horrible title (Score:5, Insightful)

        by jo_ham ( 604554 ) <joham999@gmail.cTIGERom minus cat> on Friday January 07, 2011 @10:21AM (#34791128)

        If that is what's passing for hacking these days, oh how far we have fallen.

        More accurate, but less sensational, would be "developers ignore security suggestion from Apple and are bitten by weak receipt checking". It's less catchy too, as a title.

        • by jedidiah ( 1196 )

          It's entirely possible that the revelant developers simply don't care that much.

          DRM is an end user annoyance that ultimately doesn't stop piracy. Perhaps someone decided it would be good to be less annoying.

          Or perhaps they just aren't that fixated.

          • The Mac App Store provides recipts/DRM, but there is no automatic checking. The developer needs to add a couple lines of code to check that 1. the receipt exists and 2. it's my receipt. Both steps are optional (yes, you can distribute DRM-free apps) so if they didn't care, they wouldn't do either. They did step 1 which looks a lot more like a bug or misreading of the DRM validation guidelines.
          • by jo_ham ( 604554 )

            Quite possibly - Rovio are already probably annoyed from all the paper cuts on their tongues from using forks made of money, so losing a little revenue to people copying the desktop version of Angry Birds is unlikely to worry them unduly. They're probably more focused with fixing the crash bug. The app is crashing on launch for a non-trivial number of users, resulting in a flurry of 1 star posts in their review section. Their priority will be to fix that.

            In general serial numbers and licences on the Mac pla

          • DRM is an end user annoyance that ultimately doesn't stop piracy. Perhaps someone decided it would be good to be less annoying.

            Here's what Apple does: If you download app X onto Macintosh Y then it comes with an unforgeable receipt that says "app X is allowed to run on Macintosh Y". Free apps do nothing if they don't care about being copied. If you care, you check: 1. Is there a receipt. 2. Is it a valid receipt. 3. Is it a valid receipt for this Macintosh. 4. Is it a valid receipt for this application. If one of these four steps fails then the app should exit.

            If an app ignores step 3. then obviously the app with the receipt can

        • Since when was taking advantage of gaping exploits in software not hacking, regardless of how sloppy the programmers were? Now if it had suggested the App Store was hacked I'd be with you, but saying that merely the app was hacked is entirely accurate, and if people jump from one conclusion to the other that's their misreading of the situation.
          • Read the title again...

            "Mac App Store Apps Already Hacked"

            So far, only one has. But the title suggests many, and as if it were a Mac App Store problem.

          • by jo_ham ( 604554 )

            I think it's a trivially accessed exploit rather than actual hacking. I'm not trying to downplay the error, just accurately categorise it.

            I'm sure it's the first thing that the actual hacker tried - what happens when you drop a certificate from a free app into a paid one and try to hit the server for a licence key.

            Everyone else doing it is hardly hacking though.

            It would be hacking if they reverse engineered the certificate algorithm and made a certificate generator, but that's not what they did - they just

          • Since when was taking advantage of gaping exploits in software not hacking...

            Since when is not implementing strict DRM an exploit? Quick OS X has a huge exploit and doesn't check for a valid serial number! Quick OpenOffice has a huge exploit, you can copy it without paying anyone!

            The level of DRM a developer wants to implement is up to them. If they decide not to check or to check only for any valid account, that's up to them. They might make such a decision because they want to get to market faster and don't want to code and test it or because they actually don't mind people copyi

  • Apps cracked and yet there is still no way to remove the DRM from iTunes Movies....

  • Who is surprised? (Score:5, Interesting)

    by mitchell_pgh ( 536538 ) on Friday January 07, 2011 @10:22AM (#34791148)

    I don't think the goal of the App Store was to provide an impervious DRM store solution. We have known for years (and many vendors will tell you) that is an unrealistic expectation. Apple simply wants a revenue stream where people can easily purchase and install licensed versions of software. As a store, they should try to disrupt all illegal sharing to the best of their ability. Don't be surprised if the 1.1 version of all the software requires a license check. I'm of the opinion that they are going to use the same "we'll annoy them to death" method they have used for the iTunes store which has proven to be a good business model. Sure, you can usually find cracked free stuff, but you must be willing to hack your system or jump through hoops to make it work normally... but it's always one update away from not working.

    The older I get, the less I like to jump.

    • by jo_ham ( 604554 )

      They already do - and the developers who have been burned by this simply didn't follow Apple's recommendation to have more rigorous checking in place.

    • The older I get, the less I like to jump.

      Sadly, I've found this true IRL as well.

    • Apple simply wants a revenue stream where people can easily purchase and install licensed versions of software.

      Like iTunes and the iPhone App Store, I suspect this is about selling hardware. Taking a 30% cut of app sales while providing the hosting and the credit card processing and while taking on the burden of hosting the lion's share of all the freeware in existence is unlikely to be a significant money maker. It certainly has not been on the IPhone. Rather, this is a way to make more people think Macs are easy to use by making getting apps easier, reducing crashes, and slightly mitigating security risks. The sto

  • Maybe this was intentional: first loads of people who don't normally buy games, will jump on this opportunity to get a free game. Then there will be a software update and when they unwittingly click "OK", the game will update and not work anymore. "But I love playing that game, and now it does not work anymore! Where's my credit card?"
    • Or the fact that they're working on Angry Birds 2 (someone behind the game was on the radio talking about it recently), the world and his dog who were interested in Angry Birds 1 already bought it, and as you say this is a great way to get the game out to people who wouldn't have bought it and to get everyone talking about Angry Birds just at the time the studio wants them talking about it. Of course, they could have given it away for free but that might eat some of their potential Birds 2 customers - as yo
  • DRM isn't mentioned in the article, nor is it even inferred.

    But hey, what better way to get a bunch of hyper-sensitive DRM haters to click a link!?

    • DRM isn't mentioned in the article, nor is it even inferred.

      But hey, what better way to get a bunch of hyper-sensitive DRM haters to click a link!?

      Line one of the article, in case you missed it (easy to do, it's in 15px and bold):

      The Mac App Store has only been open for 24 hours but methods for circumventing Apple's DRM are already hitting the Web.

      I agree this actually has nothing to do with DRM amd DRM is not mentioned in the original tutorial, but it's definitely mentioned in the article linked from the summary.

      • Oh yes, indeed, there it is. Proof that, in making everything BOLD, nothing stands out (page layout 101).

        Then it's not a bad slashdot summary, it's a bad article summary.

    • by dzfoo ( 772245 )

      To click on a link? No, not in Slashdot.

            -dZ.

  • Apple's recommended piracy checks consist of calling certain system routines to check the validity of the receipt. How hard do you think it's going to be to intercept those calls? I can see an automated cracking application appearing in three... two... one...
    That's why I personally did not even bother trying for my own brick game Colibricks. I just hope enough honest people are going to download it. If they can dig into an application bundle to replace a file, they will certainly be able to download the l
    • Yep, as someone just pointed out, Gizmodo has a story about "Kickback", an application that allows you to pirate any app in the app store, with or without protective system calls. It hasn't been released yet, for some reason they're waiting until February 20. I'm sure someone else will come along and release something similar well before then. (Three... two... one...)
  • Is this really any different from any other way of obtaining pirate commercial software? Sure there are extra steps app store developers could take to make it more difficult but there's plenty of commercial software that installs quite happily with just a serial number, and at any rate you can use all the DRM and copy protection in the world but all it takes is one hacker to post a cracked version on bittorrent and anyone can get hold of it just as easily.

  • Seriously, the whole story is that some apps aren't checking to see if the Mac in question has a receipt for that app. Most apps on OS X don't bother checking registration now. Heck, OS X doesn't even check to see if the user has a valid key. First, how is this news? Second, why the hell is apps not using DRM being spun on Slashdot as a BAD thing? Seriously, when did Slashdot become pro-DRM? Oh no apps are freely copyable and users can share them without DRM getting in the way, if the app developer made th

  • There is no DRM per se on programs sold on the Mac App Store. But Apple does advise developers to authenticate the receipts with the bundle IDs. Many programmers, like Rovio, apparently, either didn't bother or did it wrong. You can put in phony receipts, with the wrong numbers, and it works. Undoubtedly, there is a way to fake even real receipts, and that will be discovered in the future. Piracy is rather trivial on the Mac, in fact. A simple serial and a copy of Little Snitch will get you just about anyt

"Hello again, Peabody here..." -- Mister Peabody

Working...