More Trouble In Apple's App Store

quickOnTheUptake writes in to update the story of foul play in Apple's App Store, which we talked over on Sunday. The Next Web, which broke the story, now provides evidence of rampant App Farms used for theft in the store. Here is a summary of the problems TNW has seen, which includes large-scale break-ins of the App Store accounts of users worldwide. Apple has responded to the initial reports, has disabled the account of the initially fingered rogue developer, and has called on those whose accounts were misused to change their password and credit card. Both TNW and Engadget, at least, believe the problems go far deeper than Apple is admitting.

Re:So much for app review

[Mark19960]

I have seen 'fake' apps in the Android store so this is not isolated to just Apple.
If you see an app in the market with virtually no rating then you know to pass it by.
The one thing that the Android market lacks is filters.

Re:Quick anecdote

[mlts]

This is probably another quick and anonymous method of checking the validity of a stolen card. Before, credit card thieves would run cards through gas station card readers. This worked until the readers started prompting for the ZIP code of the cardholder.

My solution? Consider either using iTunes gift cards, or if that isn't an option, put the CC info in, make purchases, then remove the information.

Re:But they were approved!

[Missing.Matter]

I'd say over 75% of the apps on the app store are either cookie cutter, functionally useless, don't work as advertised or completely ignore Apples HIG. Apple doesn't mind this, however, because they enjoy putting out press releases touting they now however many hundreds of thousands of apps in the App Store.

Re:But they were approved!

[ergo98]

The important point is not that a rogue developer was able to get it, but that Apple was able to catch him, stop him, and let their users know about it quickly.

Apple didn't catch him. The "apps" in question were absolute trash (along with the 300+ iFart apps), making a mockery of any illusions that it's a curated garden.

However just to be clear, we already know that the Android market can do precisely the same thing, forcefully reaching out and removing rogue content. Instead of any ridiculous notions of curation, however, Android relies upon a permissions system that makes a user aware of the potential reach of any given application. It is far from perfect, yet despite some ignorant criticism directed at it recently it beats the hell out of anything on the iPhone.

Not really sure why we're talking about the phones though. The exploit in this case didn't necessarily have much to do with the actual handsets themselves.

Re:Quick anecdote

[tlhIngan]

I know someone who works in the fraud prevention business and they allege that iTunes purchases and credit card fraud are strongly correlated. Their story goes like this: an iTunes purchase is made for an unknown app, and within minutes a very high value (basically max-out) charge is placed on the same card. The catch is that the max-out charge is placed with an *actual* card (presumably a cloned card) and since it is incredibly unlikely that every case is fraud abuse (a made up 'theft' story by the cardholder) there is something that iTunes is either doing directly or indirectly that is enabling this activity.

Now the question for the armchair detectives is: is the iTunes purchase the moment of the leak of the card info (through some sort of hacked app), or is the iTunes purchase a test mechanism for the already stolen card info? Not being a big Apple person I haven't spent much time buying from the App store; is it possible to buy an app for someone elses' device, or for a device that doesn't exist yet?

The iTunes thing is a credit card test.

If you think about it, if you steal a bunch of credit cards (e.g., hack a payment processor), the easiest way to test them is to run up a charage against something that has most people thinking is a normal charge.

E.g., a lot of people have iTunes accounts, so get iTunes to do run a charge and see if it goes through - you'll see this as a $0.99 billing mostly. The goal is to hide that 99 cent charge amongst hopefully other iTunes charges.

Earlier this year, a payment processor was hacked (one used by one of my favorite stores) - it's unusual because the store itself doesn't store credit card data (they can't), but a bunch of people who used that store noticed the iTunes charges, while others noticed and saw the strange charges as well (too late).

I don't think there's any credit card information being stolen from Apple (no app can get at it unless it key logs - at worst they'll get your iTunes account information as your credit card isn't transmitted to Apple at all - Apple looks up your stored credit card info).

As for enabling the activity, I think it's because iTunes is quite popular - a good chunk of those doing online shopping have probably bought something from iTunes, thus the change of burying a charge is greater, and there's probably some API that was hacked in order to rapidly test credit cards. Also, Apple delays charging for a week or so (to avoid multiple 99 cent charges, they'd rather do a batch charge) but iTunes does do a reservation for each charge to ensure credit is available.

Re:4568 apps?

[Bing Tsher E]

The apps from that 'developer' are things like 'xxx Quotes' where there are quotes collections for many many different people. And slider puzzles where there are many different pictures. And recipie books.

Basically the kind of 'stuff' where the actual codebase is a small container re-released over and over and over with different content.

That's part of the problem in general with the 'little Apps' model Apple has developed. There are separate 'Web Radio Players' for each radio station, leading to thousands of different radio 'apps.'

Re:But they were approved!

[tibit]

Methinks that stupid/useless apps are not an issue. There's a lot of crappy books in every bookstore, and I have no problem with that. But the issue is that people's iTunes credentials got stolen, and I don't think it was Apple's fault unless the exploits were running on OS X...

Apple isn't arrogant?

[copponex]

Listen, when your marketing literally states that you are "changing the world" with your phone, and apparently you didn't properly engineer the antenna, your customers are going to complain bitterly. And then everyone who realizes that Apple is just Microsoft with better industrial designers and better marketing are going to laugh at the brand loyalists who got bitten again because Apple favors form over function.

It's really not more complicated than that.

Re:But they were approved!

[Stupendoussteve]

I haven't seen anything saying a program itself did anything without a password. Most likely scenario is developer got password through some other means, put up all these random apps, and began purchasing them.

Re:But they were approved!

[ergo98]

User privacy is why they curate their market?

Yeah, guy, Steve Jobs said it at D8. Feel free to do a search.

I believe the privacy angle you're referring is in

NO IT ISN'T.

Listen, I realize you might have a problem with threaded conversation, and you seem to be trying to mesh every comment with the submission, but that just isn't how it works. See, I was replying to someone who made a command, and this thread carried on from there.

Judging from your statements, it appears you didn't read the article

Are you new to Slashdot? You understand the conversational nature? You might want to get acquainted with theads and conversations.

The article is about hacked iTunes accounts with a stored credit card and the fact that hackers used them to purchase apps.

Fascinating. So you have inside knowledge on what happens? No, I don't think you do.