Pirate raid on Mac App Store raises security concerns

Less than 24 hours after Apple launched the Mac App Store, hackers have found a simple way to pirate applications from the store.

Applications from the Mac App Store that skimp on digital rights management (DRM) features can be easily validated as genuine with a few clicks when they are downloaded from third-party websites. But security firm Sophos says the exploit not only leads to piracy, but also exposes users to malware.

The exploit to validate paid Mac App Store apps downloaded free from the Web as genuine downloads from the store is relatively simple. The process requires just a few steps and has been detailed here.

However, only apps that have not been properly secured by developers are affected by this exploit. One of these apps is Angry Birds, the game made popular on iPhones and iPads.


Another group of hackers, Hackulous, announced that it has cracked the DRM in the Mac App Store with a piece of software called Kickback, which it says allows users to circumvent the DRM in all apps sold in the store. Hackulous said, however, that it would not release the tool until more apps (than the current 1,000) are available in the Mac App Store.

As with every hack, there are downsides. Chester Wisniewski of security firm Sophos warned that some applications downloaded from the Mac App Store can be modified to include malicious code: “It wouldn’t surprise me to see a surge in markets for pirated applications that might just be booby-trapped to include unexpected surprises,” he says.

“While users who are willing to pay for their Apps are likely to remain relatively safe, those who are prepared to run pirated software expose themselves to downloading fake or maliciously modified apps,” adds Sophos’ Rich Baldry in another blog post.

Virus and malware threats on the Mac are relatively low, so if you download apps only from the Mac App Store, which Apple vets, you should be safe for the time being.

However, according to a report on Apple Insider, it took a matter of hours for pirates to figure out how to install and run unauthorised versions of paid-for apps.

By exchanging the receipt and signature files for certain paid-for apps – which can be downloaded from third-party websites, according to the report – with the receipt copied from a free app, you can in some instances get the unauthorised app to run.

Apparently, this is only possible with apps that haven’t followed Apple’s official app validation advice. John Gruber of Daring Fireball said: “It appears that many apps don’t perform any validation whatsoever, or do so incorrectly. Apple should test for this in the review process, and reject paid apps that are susceptible to this simple technique.”
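As an added illustration that is not part of the original report, the check below models the validation a Mac App Store app is meant to perform on its receipt: it rejects a receipt whose bundle identifier or version belongs to another app, and one issued for another machine. The receipt layout, field names, sample identifiers and the simplified device-binding hash are assumptions made for this example, not Apple's actual receipt format.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Constructed, simplified receipt model for this example; a real App Store
# receipt is a signed PKCS#7 container with ASN.1-encoded attributes.
@dataclass(frozen=True)
class Receipt:
    bundle_id: str
    version: str
    opaque: bytes        # per-receipt random value issued by the store
    binding_hash: bytes  # ties the receipt to the machine it was issued for

def compute_binding_hash(device_guid: bytes, opaque: bytes, bundle_id: str) -> bytes:
    # Assumption: a hash over device identity, opaque value and bundle id, in
    # the spirit of Apple's guidance; the exact byte layout is not modelled.
    return hashlib.sha1(device_guid + opaque + bundle_id.encode("utf-8")).digest()

def issue_receipt(bundle_id: str, version: str, device_guid: bytes, opaque: bytes) -> Receipt:
    # Stand-in for the store issuing a receipt for this app on this machine.
    return Receipt(bundle_id, version, opaque, compute_binding_hash(device_guid, opaque, bundle_id))

def validate_receipt(receipt: Receipt, app_bundle_id: str, app_version: str, device_guid: bytes) -> bool:
    # Check 1: the receipt must belong to this app, not to a free app it was copied from.
    if receipt.bundle_id != app_bundle_id:
        return False
    # Check 2: the receipt must be for the version actually purchased.
    if receipt.version != app_version:
        return False
    # Check 3: the receipt must have been issued for this machine.
    expected = compute_binding_hash(device_guid, receipt.opaque, receipt.bundle_id)
    return hmac.compare_digest(expected, receipt.binding_hash)

# Constructed sample values, not real identifiers.
DEVICE_A = b"\x00\x11\x22\x33\x44\x55"
DEVICE_B = b"\x66\x77\x88\x99\xaa\xbb"
PAID_APP = ("com.example.paidgame", "1.0")
FREE_APP = ("com.example.freeapp", "2.3")

def demo() -> dict:
    genuine = issue_receipt(*PAID_APP, DEVICE_A, b"opaque-1")
    swapped = issue_receipt(*FREE_APP, DEVICE_A, b"opaque-2")  # copied from a free app
    foreign = issue_receipt(*PAID_APP, DEVICE_B, b"opaque-3")  # bought on another machine
    return {
        "genuine": validate_receipt(genuine, *PAID_APP, DEVICE_A),
        "swapped_from_free_app": validate_receipt(swapped, *PAID_APP, DEVICE_A),
        "copied_from_other_machine": validate_receipt(foreign, *PAID_APP, DEVICE_A),
    }

if __name__ == "__main__":
    print(demo())
```

An app that skips the first two checks, as the report says many did, accepts the swapped receipt; an app that skips the third accepts a receipt lifted from a purchase made elsewhere.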

A separate report on Gizmodo this week stated that a software package called Kickback – which won’t be released until next month – would make it possible to pirate any application in the Mac App Store.

Kickback is apparently the work of Hackulous, and more details of how it works can be found on the Gadgets DNA website. Hackulous is the group that cracked Apple’s DRM (digital rights management) system for iOS.

If the reports are correct, they add to a growing list of concerns about the Mac App Store. Developers have already expressed doubts about pricing, a lack of consumer choice and technical support “disasters”, as Macworld reported earlier this week.
