Mac app store hacked, how developers can better protect themselves

By Sean Christmann | Posted January 6th, 2011 | Cocoa

Crude instructions have started showing up online with ways to circumvent Apple's Mac App Store receipt validation. By simply copying receipt and Info.plist data from a free app and pasting it into a paid app, you can run apps copied from friends' computers or BitTorrent. I myself have a copy of a paid app (not Angry Birds, but one with stronger protection) running on my system that was purchased by a friend. This is a massive failure in the implementation of Apple's receipt system.

So why are all of the App Store developers in this position? Apple's current documentation on how to validate receipts is fairly complex, but the sample code and Apple's own instructions ask developers to validate against data that is entirely external to the binary itself. Worse yet, they instruct developers to validate against plain text data easily editable with any text editor.

If you are an App Store developer and you are using Apple's default security logic, you need to review these validation steps in your code:

  • Verify that the receipt bundle identifier matches the value for CFBundleIdentifier in the Info.plist file. If they do not match, verification fails.
  • Verify that the version identifier string in the receipt matches the value for CFBundleShortVersionString in the Info.plist file. If they do not match, verification fails.

And change them to be more in line with this:

  • Verify that the receipt bundle identifier matches the value for CFBundleIdentifier that you hard code into your application.
  • Verify that the version identifier string in the receipt matches the value for CFBundleShortVersionString hard coded into your application. If they do not match, verification fails.

At the end of the day, if your app is popular enough it’s going to end up on a pirated site, but for the time being, by following the instructions above, you can avoid having your app easily cracked with TextEdit. For those interested, Angry Birds only implemented 2 of Apple's suggested validation steps, so the pastebin instructions will only work for Angry Birds; you need to do a little bit more for apps that handle all 5 validation steps.

Update: if you are using roddi’s receipt checking code from GitHub, here are the offending lines you need to change.

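BOOL validateReceiptAtPath(NSString * path)
{
	...
	// Both expected values are read from Info.plist at run time, so editing
	// that file changes what the receipt is compared against.
	bundleVersion = [[NSBundle mainBundle] objectForInfoDictionaryKey:@"CFBundleShortVersionString"];
	bundleIdentifer = [[NSBundle mainBundle] bundleIdentifier];
	...
}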
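
The difference between the two sets of checks above, as an added example (not roddi's code and not Apple's sample code). It assumes the receipt has already been parsed and its signature verified; the dictionary keys, the `com.example.*` identifiers and the version strings are hypothetical placeholders.

```objective-c
#import <Foundation/Foundation.h>

// Assumed values: substitute your app's real identifier and version at build time.
static NSString * const kExpectedBundleIdentifier = @"com.example.paidapp";
static NSString * const kExpectedBundleVersion = @"1.0";

// Hypothetical keys for a receipt that has already been parsed and signature-checked.
static NSString * const kReceiptBundleIdentifier = @"BundleIdentifier";
static NSString * const kReceiptVersion = @"Version";

// Original approach: both sides of the comparison come from files on disk.
static BOOL receiptMatchesInfoPlist(NSDictionary *receipt, NSDictionary *infoPlist)
{
    return [receipt[kReceiptBundleIdentifier] isEqual:infoPlist[@"CFBundleIdentifier"]]
        && [receipt[kReceiptVersion] isEqual:infoPlist[@"CFBundleShortVersionString"]];
}

// Hardened approach: the expected side is compiled into the binary.
static BOOL receiptMatchesHardCodedValues(NSDictionary *receipt)
{
    id identifier = receipt[kReceiptBundleIdentifier];
    id version = receipt[kReceiptVersion];
    if (![identifier isKindOfClass:[NSString class]] ||
        ![version isKindOfClass:[NSString class]]) {
        return NO; // missing or malformed attribute: fail closed
    }
    return [identifier isEqualToString:kExpectedBundleIdentifier]
        && [version isEqualToString:kExpectedBundleVersion];
}

int main(void)
{
    @autoreleasepool {
        // Constructed sample data: a receipt issued for a different app, and an
        // Info.plist whose two fields were edited to agree with that receipt.
        NSDictionary *foreignReceipt = @{ kReceiptBundleIdentifier: @"com.example.freeapp",
                                          kReceiptVersion: @"2.3" };
        NSDictionary *editedPlist = @{ @"CFBundleIdentifier": @"com.example.freeapp",
                                       @"CFBundleShortVersionString": @"2.3" };
        NSDictionary *ownReceipt = @{ kReceiptBundleIdentifier: kExpectedBundleIdentifier,
                                      kReceiptVersion: kExpectedBundleVersion };

        NSLog(@"plist check, foreign receipt: %d", receiptMatchesInfoPlist(foreignReceipt, editedPlist));
        NSLog(@"hard-coded check, foreign receipt: %d", receiptMatchesHardCodedValues(foreignReceipt));
        NSLog(@"hard-coded check, own receipt: %d", receiptMatchesHardCodedValues(ownReceipt));
    }
    return 0;
}
```

Build it as a Foundation command-line tool, for example with `clang -fobjc-arc -framework Foundation`.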

Reader Comments (22)

  1. Jonathan | January 6, 2011 at 10:11 pm | permalink

    What if they didn’t change those values in the Info.plist file? It would make those checks useless.

  2. Jon H | January 6, 2011 at 10:32 pm | permalink

    Wouldn’t it be better to use the hash of the CFBundleIdentifier? Or maybe store the hash of the concatenated CFBundleShortVersionString and CFBundleIdentifier.

    Hash the values in the receipt, and check if the hash is the same.

  3. Colin Barrett | January 6, 2011 at 10:57 pm | permalink

    @Jon H: Won’t the code signing fail anyway if they modify the actual binary? Should be safe to leave them as strings then.

  4. [...] if you are a developer, you may have to look at the security logic of your paid app. CraftyMind has some instructions on how you can do it. It basically involves hardcoding the identifiers into [...]

  5. richtaur | January 7, 2011 at 2:51 am | permalink

    Eep, we’re getting ready to submit our game, so this is very timely! Thanks for the info.

  6. [...] Sean Christmann of Craftymind blames Apple for the mess: So why are all of the app store developers in this position? Apple's current documentation on how to validate receipts is fairly complex, but the sample code and Apple's own instructions ask developers to validate against data that is entirely external to the binary itself. Worse yet, it instructs developers to validate against plain text data easily editable with any text editor. [...]

  7. [...] But another observer, Sean Christmann, also laid some blame on Apple. Although Angry Birds developers followed only two of the five steps Apple recommends for verifying the software is authorized to run, Apple’s instructions are flawed, Christmann said in a blog post. [...]

  8. Roddi | January 7, 2011 at 12:20 pm | permalink

    Hi Sean, hi everyone!

    Thanks for bringing this to my attention! I fixed it this minute! Developers please update your code.

    Roddi

  9. Sean Christmann | January 7, 2011 at 1:39 pm | permalink

    Thanks for your work roddi, I suspect a lot of developers are using your code, so it’s good to have everyone responding so quickly to this. I myself have to implement your code this weekend.

  10. Joe | January 7, 2011 at 4:23 pm | permalink

    Thanks for posting this info, this is worth paying attention to.
    Keep up the good work!
    Joe

  11. [...] Christmann points out that the guidelines call for apps to validate receipts against plaintext data external to the binary itself, located in the Info.plist file. A much better approach, Christmann suggests, would be to validate [...]

  15. [...] Windows file sharing (SMB), and improved graphics drivers. No word on if v10.6.7 patches the Mac App Store vulnerability that allows anyone to download and play games on their computer. The simple exploit became [...]

  16. [...] App stores move to the desktop with Apple's Mac App Store but not without teething problems. [...]

  17. Mac App Store already hacked | Hot Cocoa | January 29, 2011 at 8:02 am | permalink

    [...] where the programs can be downloaded. Sean Christmann has written an article that is worth reading for developers who would like to protect their programs better. Read also: Now open for Mac App [...]

  18. [...] that do not follow the security recommendations of Jobs's company. Developers can easily fix the situation, however it will be necessary to restart the entire approval process [...]
