A number of security loopholes in the applications listed on the Mac App Store allow users to download paid applications for free and repackage bootleg programs with malicious code.
Security oversights by Mac developers and Apple allow users to pirate or modify applications downloaded from the Mac App Store, several users reported on Jan. 6.
Less than 24 hours after Apple unveiled the Mac App Store for Mac OS X, reports emerged on various user forums, including Pastebin and Daring Fireball, that some paid apps do not properly validate App Store receipts, making it easy to obtain those programs for free. Users can copy the App Store receipt from any legitimate Mac App Store download, free or paid, and paste it into other paid applications to validate them, according to the posted instructions.
"This isn't true for all paid Mac App Store apps," wrote John Gruber of Daring Fireball, but only for those applications whose developers were lax about applying Apple's recommendations on validating store receipts. The app checks to ensure there is a valid receipt, but it doesn't check that the ID listed on the receipt belongs to the app.
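The check Gruber describes as missing, shown as an added Python example that is not code from the article or from Apple: a constructed receipt model (a JSON payload signed with an HMAC, standing in for Apple's PKCS#7-signed receipt) with a weak validator that only checks the signature beside one that also checks the bundle identifier, version and device GUID hash, the fields Apple's receipt-validation guidance tells developers to verify. All bundle identifiers, keys and the device value are constructed for the demonstration.

```python
import hashlib
import hmac
import json

# Constructed model of an App Store receipt: a JSON payload signed with an HMAC.
# Real receipts are PKCS#7-signed ASN.1 blobs; only the fields that Apple tells
# developers to check (bundle id, version, device GUID hash) are modelled here.
STORE_KEY = b"constructed-store-signing-key"  # stands in for Apple's signing chain


def issue_receipt(bundle_id: str, version: str, device_guid: bytes) -> dict:
    """Store side (simulated): sign a receipt bound to one app on one machine."""
    payload = {
        "bundle_id": bundle_id,
        "version": version,
        "guid_hash": hashlib.sha1(device_guid).hexdigest(),  # simplified GUID hash
    }
    body = json.dumps(payload, sort_keys=True).encode()
    return {"payload": payload, "sig": hmac.new(STORE_KEY, body, hashlib.sha256).hexdigest()}


def signature_ok(receipt: dict) -> bool:
    """True if the receipt was genuinely issued by the store and not altered."""
    body = json.dumps(receipt["payload"], sort_keys=True).encode()
    expected = hmac.new(STORE_KEY, body, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, receipt["sig"])


def weak_validate(receipt: dict) -> bool:
    """The flaw described in the article: any genuinely signed receipt passes,
    including one copied out of a different (possibly free) app's bundle."""
    return signature_ok(receipt)


def strict_validate(receipt: dict, my_bundle_id: str, my_version: str, device_guid: bytes) -> bool:
    """Apple's recommended checks: the signature must be valid AND the receipt's
    identity fields must belong to this app, this version and this machine."""
    if not signature_ok(receipt):
        return False
    p = receipt["payload"]
    return (p["bundle_id"] == my_bundle_id
            and p["version"] == my_version
            and hmac.compare_digest(p["guid_hash"], hashlib.sha1(device_guid).hexdigest()))


# Constructed scenario: a receipt from a free app is pasted into a paid app's bundle.
DEVICE = b"constructed-device-guid"
FREE_APP_RECEIPT = issue_receipt("com.example.freeapp", "1.0", DEVICE)
PAID_APP_RECEIPT = issue_receipt("com.example.paidgame", "1.0", DEVICE)


def demo() -> dict:
    """Outcome of both validators inside the paid app for each receipt."""
    return {
        "weak_accepts_foreign_receipt": weak_validate(FREE_APP_RECEIPT),
        "strict_rejects_foreign_receipt": not strict_validate(FREE_APP_RECEIPT, "com.example.paidgame", "1.0", DEVICE),
        "strict_accepts_own_receipt": strict_validate(PAID_APP_RECEIPT, "com.example.paidgame", "1.0", DEVICE),
    }
```

Editing the copied receipt's bundle identifier to match the paid app does not help either, because that breaks the signature check both validators share.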
Just how many developers and apps didn't implement receipt validation correctly is unclear at this time, but the popular Angry Birds game happens to be one of them.
The lack of proper receipt validation makes it easier for users to pirate Mac App Store applications, and it seems inevitable that they will become readily available. "Someone who claims to provide you with paid applications for free may not simply give you a free program, they may give you an unwanted infection," said Sophos security researcher Chester Wisniewski on the Naked Security
While this means Apple and Mac App Store developers miss out on legitimate revenue because of piracy, what's more worrying is the fact that many validations appear to have been skipped, said Wisniewski. Other than receipt checking, some developers neglected to perform other checks that open their apps to the possibility of being modified, he said.
Wisniewski found that some applications could be modified to include other executables, tricking users into running something other than what they expected. In his video example, Wisniewski showed how easily he could swap out the Angry Birds executable with the Firefox code. From the user's standpoint, it looked like Angry Birds, and the OS thought it was running Angry Birds. But when executed, it opened up Firefox.
"It wouldn't surprise me to see a surge in markets for pirated applications that might just be booby-trapped to include unexpected surprises," Wisniewski said.
Every program in the Mac App Store is reviewed by Apple and must pass a series of tests before it is accepted in the store. Gruber said it is surprising that Apple hadn't tested for something as basic as receipt validation before approving the apps.
Apple said that there were more than 1 million downloads from the Mac App Store on its first day. It was not clear what the breakdown was for paid and free apps.
If that isn't enough to give Apple a headache, Gizmodo reports that a group known as Hackulous has developed a program called Kickback, which claims to break the protection on any Mac App Store application, but that it will not release it until next month. "We're not going to release Kickback until well after the store's been established, well after developers have gotten their applications up," the group's spokesperson, "Dissident," told Gizmodo. Hackulous has previously cracked the iPhone and iPad.