Mac app store hacked, how developers can better protect themselves

Crude instructions have started showing up online with ways to circumvent Apple’s Mac App Store receipt validation. By simply copying receipt and Info.plist data from a free app and pasting it into a paid app, you can run apps copied from friends’ computers or BitTorrent. I myself have a copy of a paid app (not Angry Birds, but one with stronger protection) running on my system that was purchased by a friend. This is a massive failure in the implementation of Apple’s receipt system.

So why are all of the App Store developers in this position? Apple’s current documentation on how to validate receipts is fairly complex, but the sample code and Apple’s own instructions ask developers to validate against data that is entirely external to the binary itself. Worse yet, they instruct developers to validate against plain-text data easily editable with any text editor.

If you are an App Store developer and you are using Apple’s default security logic, you need to review these validation steps in your code:

  • Verify that the receipt bundle identifier matches the value for CFBundleIdentifier in the Info.plist file. If they do not match, verification fails.
  • Verify that the version identifier string in the receipt matches the value for CFBundleShortVersionString in the Info.plist file. If they do not match, verification fails.

And change them to be more in line with this:

  • Verify that the receipt bundle identifier matches the value for CFBundleIdentifier that you hard code into your application.
  • Verify that the version identifier string in the receipt matches the value for CFBundleShortVersionString hard coded into your application. If they do not match, verification fails.

At the end of the day, if your app is popular enough it’s going to end up on a pirated site, but for the time being, by following the instructions above, you can avoid having your app easily cracked with TextEdit. For those interested, Angry Birds only implemented 2 of Apple’s suggested validation steps, so the pastebin instructions will only work for Angry Birds; you need to do a little bit more for apps that handle all 5 validation steps.

Update: if you are using roddi’s receipt checking code from GitHub, here are the offending lines you need to change.

BOOL validateReceiptAtPath(NSString * path)
{
	...
	// Both reference values below are read from the bundle's Info.plist, an editable file on disk.
	bundleVersion = [[NSBundle mainBundle] objectForInfoDictionaryKey:@"CFBundleShortVersionString"];
	bundleIdentifer = [[NSBundle mainBundle] bundleIdentifier];
	...
}
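
The difference between the two sets of checks listed above, as an added example in plain C (not Apple's sample code and not roddi's code). The `app_identity` struct, the function names and all identifier values are assumptions constructed for illustration; receipt parsing is assumed to have happened already.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample values; a real app compiles in its own identifiers. */
#define EXPECTED_BUNDLE_ID "com.example.paidapp"
#define EXPECTED_VERSION   "1.2"

/* Hypothetical holder for the two fields, already decoded from a receipt
   or read from Info.plist (parsing is out of scope here). */
struct app_identity {
    const char *bundle_id;
    const char *version;
};

static bool same(const char *a, const char *b) {
    return a != NULL && b != NULL && strcmp(a, b) == 0;
}

/* Weak form: the reference values come from Info.plist, which ships as an
   editable file next to the receipt. */
bool check_against_plist(const struct app_identity *receipt,
                         const struct app_identity *info_plist) {
    return same(receipt->bundle_id, info_plist->bundle_id) &&
           same(receipt->version, info_plist->version);
}

/* Hardened form: the reference values are constants inside the binary. */
bool check_against_constants(const struct app_identity *receipt) {
    return same(receipt->bundle_id, EXPECTED_BUNDLE_ID) &&
           same(receipt->version, EXPECTED_VERSION);
}

/* Constructed scenario: a receipt issued for a different app, with the
   Info.plist edited to agree with it, and the genuine receipt for comparison. */
static const struct app_identity foreign_receipt = {"com.example.freeapp", "3.0"};
static const struct app_identity edited_plist    = {"com.example.freeapp", "3.0"};
static const struct app_identity genuine_receipt = {"com.example.paidapp", "1.2"};

int main(void) {
    printf("plist check, foreign receipt:    %d\n",
           check_against_plist(&foreign_receipt, &edited_plist));
    printf("constant check, foreign receipt: %d\n",
           check_against_constants(&foreign_receipt));
    printf("constant check, genuine receipt: %d\n",
           check_against_constants(&genuine_receipt));
    return 0;
}
```

This covers only the two identifier comparisons discussed above; the remaining receipt validation steps still have to be performed.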

22 thoughts on “Mac app store hacked, how developers can better protect themselves”

  1. What if they didn’t change those values in the Info.plist file? It would make those checks useless.

  2. Wouldn’t it be better to use the hash of the CFBundleIdentifier? Or maybe store the hash of the concatenated CFBundleShortVersionString and CFBundleIdentifier.

    Hash the values in the receipt, and check if the hash is the same.

  3. Hi Sean, hi everyone!

    Thanks for bringing this to my attention! I fixed it this minute! Developers, please update your code.

    Roddi

  4. Thanks for your work roddi, I suspect a lot of developers are using your code, so it’s good to have everyone responding so quickly to this. I myself have to implement your code this weekend.
