Software piracy may not be quite as disruptive as the high seas kind, but it’s certainly more widespread. With this week’s launch of the Mac App Store, it was only a matter of time before the something-for-nothing crowd figured out a way to bypass Apple’s restrictions. But is the so-called hack currently making the rounds really a flaw in the system, or just human error?
Sign your receipt
Apple provides a system for developers to prevent piracy of their applications: When an app is launched, it checks to see that it’s authorized do so on the computer—if not, the user will then be prompted to enter the Apple ID and password that were used to buy the app. This process is called ‘receipt validation’ and it works much as security does in a brick-and-mortar retail store, by checking to make sure you have a receipt before you walk out the door with merchandise.
The problem is, while Apple has created this system, it’s incumbent upon the developers to remember to implement it in their own application. Some developers don’t, and that’s where the risk of piracy comes in.
According to the supposed hack, you can get applications purchased by other users to run on your Mac by deleting certain files inside the application’s package and replacing them with files from an app that you’ve legitimately downloaded—it doesn’t even have to be a paid app. The example that’s making the rounds uses the files from Twitter, a free download, and inserts them into the application package for the popular game Angry Birds, a $5 purchase.
According to Daring Fireball’s John Gruber, Angry Birds checks for a valid receipt—but doesn’t check to make sure that receipt matches Angry Birds itself. Think of it as the equivalent of hopping theaters at the local multiplex: you may have a genuine ticket, but it may not be for the movie you’re about to see—it just depends on how closely the usher looks at it.
Is there a concern, then? Not unless app developers don’t take the time to make sure that they’re properly validating those receipts.
I gave the hack a try myself. Upon launching my colleague Roman Loyola’s copy of Angry Birds, I was prompted for the password for Roman’s Apple ID (logging in with my own ID gets me nowhere, of course). Following the instructions for the hack, I replaced the specified files and sure enough: Angry Birds launched and I was able to play. (Note that while this worked on Angry Birds 1.0; the 1.0.1 version released on Friday seems to have fixed this flaw.)
However, Angry Birds isn’t alone in failing to properly implementing receipt validation—or even implementing it at all. A free app I copied from a colleague also fell prey to the hack above. And another paid application I copied didn’t even require me to replace the files: I double-clicked it and it ran, without ever asking for an Apple ID.
Other apps I tested seemed to have used the validation system correctly, and wouldn’t run on my Mac despite attempts at swapping out some files and altering others.
While Apple has placed the burden of validation on the developer, it would probably be to the advantage of both Apple and developers if the company tested apps’ implementation of the process during the approval process.
Kick back, but don’t relax
As it is, this purported hack seems to rely more on the oversight of developers than on any nefarious schemes. But it’s not the only threat to Mac apps. A hacking group named Hackulous announced earlier this week that they’ve devised a scheme that will allow pirates to unlock any app from the Mac App Store. They also took the rather bizarre stance of saying that they won’t release the hack until the Mac App Store had become more established.
That such an exploit would exist isn’t exactly surprising—despite Apple’s attempts to lock down its iOS devices, pirated copies of popular iOS apps are available to those who know where to look. But it seems that plenty of customers are still willing to legitimately pay for applications on their iOS devices, too; there’s no reason to think that the same won’t be true on the Mac.
Piracy is never going to go away—there’s no such thing as uncrackable security system and, as my cardinal rule of technology says, never bet against the hackers. There will always be those users who want to get something for free. But as Apple demonstrated with the iTunes Store, the majority of people will tend to fork over money if the process is easy and painless. As for those on the fence, the inclusion of a reasonable anti-piracy system will likely provide the necessary deterrent, and that’s what Apple has provided. Now it’s up to developers to make sure that they’re using those tools correctly.