

Mac app store hacked, how developers can better protect themselves - seanalltogether
http://www.craftymind.com/2011/01/06/mac-app-store-hacked-how-developers-can-better-protect-themselves/

======
jonhendry
Headline is a bit misleading. The Mac App Store wasn't hacked; that implies
some tampering with the servers.

What's happened is that some developers haven't fully implemented scrupulous
receipt checks, which weakens the DRM considerably.

------
TheCoreh
Hardcoding this stuff into your app doesn't make you invulnerable to the
attack. One could simply change it using a hex editor.

~~~
seanalltogether
Absolutely, but hunting and pecking for strings in hexedit is a bit different
than opening the info.plist in a text editor.

~~~
jonhendry
Especially if the hardcoded value isn't the strings themselves but a hash
derived from them.

~~~
bad_user
That would still be security by obscurity.

~~~
pmjordan
The only way to protect code running or content playing on an open system _is_
security by obscurity. As a developer, choose your trade-off on the scale
between inconvenient-but-quite-secure and simple-but-easy-to-copy and go with
it. Any protection will be broken in time. Adjust based on customer feedback
and the amount of cracking going on, but that's pretty much all you can do
from a technical perspective.

NB: at a low enough level, _all_ systems _in the hands of the attacker_ are
open. Hardware DRM is vulnerable to attack by equipment for scraping layers of
atoms from the silicon and inspecting it with an electron microscope.

~~~
bad_user
Not all systems, not if you're doing server authentication (iTunes account?) /
code download every time the app starts (e.g. webapps).

That's why DRM is broken by design.

All it takes is one skilled individual to develop an easy-to-use method for
cracking the thing, start a torrent and that's it, millions of people have
access to it instantly.

~~~
pmjordan
Surely, if the system is server side, then it's not in the hands of the
attacker? For webapps, etc. it's not the client side code that's protected,
but the server code and data.

------
swivelmaster
I would argue that the target audience of the app store isn't tech-savvy
enough to do this anyway. Sure, it's easy for HN readers, but to the general
public it probably "sounds too hard."

~~~
w1ntermute
> I would argue that the target audience of the app store isn't tech-savvy
> enough to do this anyway.

That's what people said about piracy on the iPhone, but I know plenty of
non-tech-savvy people who use Cydia or whatever to get free apps.

~~~
lukeschlather
The clunkiness of the iOS store has to play at least a part. Compared to using
a music player on your computer, Cydia is a pretty user-friendly and elegant
way to install applications.

~~~
meat-eater
I'm not sure if I misunderstood your comment. But as far as I know most iOS
users install apps using the app store built into the device. It's really not
much different, if not more polished than the Cydia store.

I think the real reason for the popularity of Cydia is that 1) it has a
user-friendly UI, 2) you can get apps on it that will not make it to the app
store, and 3) some people are just too cheap to pay for some apps and use it to
pirate them.

------
dholowiski
Wow, that's... trivial. Does that really work? It's almost like Apple wanted
to have this happen.

~~~
ptomato
It works on apps that haven't implemented the DRM correctly, yes. Not on most.

