Mac app store hacked, how developers can better protect themselves

Crude instructions have started showing up online with ways to circumvent Apples Mac App store receipt validation. By simply copying receipt and info.plist data from a free app and pasting it into a paid app, you can run apps copied from friends computers or bittorrent. I myself have a copy of a paid app (not angry birds, but one with stronger protection) running on my system that was purchased by a friend. This is a massive failure in the implementation of Apples receipt system.

So why are all of the app store developers in this position? Apples current documentation on how to validate receipts is fairly complex, but the sample code and Apple own instructions ask developers to validate against data that is entirely external to the binary itself. Worse yet, it instructs developers to validate against plain text data easily editable with any text editor.

If you are an app store developer and you are using apples default security logic, you need to review these validation steps in your code

Verify that the receipt bundle identifier matches the value for CFBundleIdentifier in the Info.plist file. If they do not match, verification fails.
Verify that the version identifier string in the receipt matches the value for CFBundleShortVersionString in the Info.plist file. If they do not match, verification fails.

And change them to be more in line with this

Verify that the receipt bundle identifier matches the value for CFBundleIdentifier that you hard code into your application.
Verify that the version identifier string in the receipt matches the value for CFBundleShortVersionString hard coded into your application. If they do not match, verification fails.

At the end of the day, if your app is popular enough it’s going to end up on a pirated site, but for the time being, by following the instructions above, you can avoid having your app easily cracked with TextEdit. For those interested, Angry Birds only implemented 2 of Apples suggested validation steps, so the pastebin instructions will only work for Angry Birds, you need to do a little bit more for apps that handle all 5 validation steps.

Update, if you are using roddi’s receipt checking code from github, here are the offending lines you need to change.

BOOL validateReceiptAtPath(NSString * path)
{
	...
	bundleVersion = [[NSBundle mainBundle] objectForInfoDictionaryKey:@"CFBundleShortVersionString"];
	bundleIdentifer = [[NSBundle mainBundle] bundleIdentifier];
	...
}

22 thoughts on “Mac app store hacked, how developers can better protect themselves”

Jonathan says:

January 6, 2011 at 10:11 pm

What if they didn’t change those value in the Info.plist file? It would make those checks useless.
Jon H says:

January 6, 2011 at 10:32 pm

Wouldn’t be better to use the hash of the CFBundleIdentifier? Or maybe store the hash of the concatenated CFBundleShortVersionString and CFBundleIdentifier.

Hash the values in the receipt, and check if the hash is the same.
Colin Barrett says:

January 6, 2011 at 10:57 pm

@Jon H: Won’t the code signing fail anyway if they modify the actual binary? Should be safe to leave them as strings then.
richtaur says:

January 7, 2011 at 2:51 am

Eep, we’re getting ready to submit our game, so this is very timely! Thanks for the info.
Roddi says:

January 7, 2011 at 12:20 pm

Hi Sean, hi everyone!

thanks for bringing this to my attention! I fixed it this minute! Developers please update your code.

Roddi
Sean Christmann says:

January 7, 2011 at 1:39 pm

Thanks for your work roddi, I suspect a lot of developers are using your code, so it’s good to have everyone responding so quickly to this. I myself have to implement your code this weekend.
Joe says:

January 7, 2011 at 4:23 pm

Thanks for posting this info, this is worth paying attention to.
Keep up the good work!
Joe