
New services bypass Apple DRM to allow pirated installs without jailbreaking - kmfrk
http://thenextweb.com/apple/2013/01/01/low-down-dirty-iphone-app-pirates/?fromcat=all
======
saurik
I think it should be made very clear, in the context of Hacker News, that one
of the primary reasons that these sites have been operating as long as they
have is because of support from Stripe, who handled their payment processing.

The developer of this program keeps opening PayPal accounts, and PayPal keeps
shutting them down. In just December, this developer got two PayPal accounts
shut down; the latest one was only used for four days before it was whacked.

Dec 24: "PayPal is back online for <http://zeusmos.com> and
<http://uhelios.com> – Happy Holidays everybody!" --
<https://twitter.com/uhelios/status/283260362919395328>

Dec 28: "I'm absolutely done with PayPal. This is ridiculous." --
<https://twitter.com/uhelios/status/284654128339243009>

However, despite careful and detailed explanations to Stripe--and despite them
saying they would look into the matter--this website has been operating and
taking payments using their payment processing system for months.

Also, while the developer of Zeusmos claims in the "update" to the article
that his application was never supposed to encourage piracy, it came by
default with its search results coming from a website called AppTrackr, a
large repository of cracked applications.

In the last few months, the developer decided he wanted to "stray away from
AppTrackr", but the result was not to move further from piracy: it was to
become less reliant on that one piracy site and instead use another one called
AppCake.

Meanwhile, the developer has often compared his service to Installous, saying
on his Twitter account that "its somewhat like Installous, but better"[1] and
that it "has many features that Installous does not excel at very well"[2].

[1]: <https://twitter.com/uhelios/status/274859392812318720>

[2]: <https://twitter.com/uhelios/status/239863143793324032>

~~~
nathanhammond
With your rather unique experience of running the Cydia Store on jailbroken
iOS devices can you provide more information on the process loopholes these
approaches (Zeusmos and Kuaiyong) are exploiting?

~~~
saurik
In order to deploy code (without jailbreaking), you need to have it signed by
a certificate that is valid for the device you are using. With a normal
developer account, you can provision certificates for up to 100 devices.
Signing an application is fairly simple (I implement most of the intricate
pieces in an open-source program called ldid, but do not do the official
signature parts).

Putting this together: you simply get paid developer accounts from Apple (you
will need to keep getting more of these, as you will run up against the 100
device limit), ignore the part of the contract you sign that states that you
are not allowed to redistribute the certificates they give you, and instead
automate a process to log in to Apple's portal, add a UDID to your account,
and download an updated provisioning certificate.

Connect this up with a payment processor that is willing to look the other way
and an app that is capable of doing the signature process for apps locally for
the user, and you are done. The device is already capable of installing
certificates and applications that are signed by them from websites (see
TestFlight for a commonly-used legitimate example), so the final steps are easy.

(With an Enterprise account, you don't have to worry about the number of
devices; however, the contract terms are much stricter, the system has more
mechanisms for Apple to turn you off, and Apple will probably care more if you
attempt to abuse it. In essence, an app signed by an Enterprise certificate
can be installed on any device, anywhere, at any time until the certificate's
three-year expiration date hits.)
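
The distinction drawn in the comment above (per-device developer provisioning versus an Enterprise certificate valid on any device) is visible in the provisioning profile shipped inside a signed app, which is a signed envelope around a property list. The following is an added example for auditing such a profile, not part of the original comment; the team ID, the `trusted_teams` parameter and both sample profiles are constructed, and the code reads the payload without verifying the envelope's signature.

```python
import plistlib
from datetime import datetime

def extract_profile_plist(blob: bytes) -> dict:
    """Pull the XML plist payload out of a .mobileprovision blob (signature NOT verified)."""
    start = blob.find(b"<?xml")
    end = blob.find(b"</plist>", start) if start >= 0 else -1
    if start < 0 or end < 0:
        raise ValueError("no embedded plist found")
    return plistlib.loads(blob[start:end + len(b"</plist>")])

def classify_profile(profile: dict, now: datetime, trusted_teams=frozenset()) -> dict:
    """Classify a profile by how widely it lets the signed app be installed."""
    devices = profile.get("ProvisionedDevices")          # explicit UDID list, if any
    debuggable = profile.get("Entitlements", {}).get("get-task-allow", False)
    if profile.get("ProvisionsAllDevices"):              # Enterprise: any device
        kind = "enterprise"
    elif devices is not None:                            # tied to listed UDIDs
        kind = "development" if debuggable else "ad-hoc"
    else:
        kind = "app-store"
    team = (profile.get("TeamIdentifier") or ["?"])[0]
    return {
        "kind": kind,
        "team": team,
        "device_count": None if devices is None else len(devices),
        "expired": profile["ExpirationDate"] <= now,     # plistlib yields naive UTC
        # Anything sideloaded by a team the organisation does not know gets a look.
        "review": kind != "app-store" and team not in trusted_teams,
    }

def _constructed_blob(**keys) -> bytes:
    """Constructed sample: placeholder envelope bytes around a real plist payload."""
    base = {"TeamIdentifier": ["EXAMPLETEAM"], "ExpirationDate": datetime(2014, 1, 1)}
    return b"\x30\x82 constructed-envelope " + plistlib.dumps({**base, **keys}) + b" sig"

DEV_PROFILE = _constructed_blob(ProvisionedDevices=["0" * 40, "1" * 40],
                                Entitlements={"get-task-allow": True})
ENT_PROFILE = _constructed_blob(ProvisionsAllDevices=True)

if __name__ == "__main__":
    now = datetime(2013, 1, 2)
    for blob in (DEV_PROFILE, ENT_PROFILE):
        print(classify_profile(extract_profile_plist(blob), now))
```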

~~~
gizmo686
Given that developer accounts cost money, and paying requires giving
personally identifiable information, what keeps Apple from seeing that you are
buying multiple accounts?

~~~
saurik
So, first off: I really do not believe that this service (Zeusmos) was _that_
popular; I mean, when you hear about the number of people who were using
Installous (omg too many ;P), the number of people using Zeusmos would be this
tiny _tiny_ speck in comparison.

Once you are only talking about hundreds or even in the low thousands of
devices (as opposed to tens of millions), you can satisfy the demand by
getting a bunch of friends from your high-school class (the developer of
Zeusmos was 15) to register for individual developer accounts and then
contribute their Apple ID and passwords to a pool.

Based on what it says in the article (_edit_: which a friend of mine is
telling me might be wrong, so maybe these people are doing something more
complex), the other product (Kuaiyong) was using a single Apple Enterprise
certificate: you only need one of these to satisfy an infinite number of
devices, and they probably were signing the stuff on their server rather than
on the client (so not redistributing the certificate).

That said, the rules on how you can use an enterprise distribution certificate
are quite strict: you can sign applications used only by 1) employees of your
company; 2) customers of your company who are physically present at your
company's place of business; or 3) customers of your company who are being
physically supervised by an employee of your company while at another
location.

------
mikeash
It makes me sad that these get used for piracy. They could be extremely useful
by allowing widespread installation of apps that Apple won't accept in their
store, but instead we get another lame piracy service that people will point
to as evidence that Apple's walled garden approach is a good thing.

~~~
duairc
But piracy is a _feature_. It's a good thing. Paying for stuff sucks. From a
user's point of view, if Apple's walled garden approach prevents piracy, then
that's just another reason their walled garden approach is bad.

Edit: I'm not even playing devil's advocate here, this is just honestly what I
think, and I think what most people honestly think. Stuff is better when you
don't have to pay for it.

~~~
pkulak
Stuff sucks when you don't have to pay for it. That's why Android apps have
never really held a candle to their iOS counterparts; piracy has been easier
on Android. As an Android user, I'm just hoping this causes developers to not
automatically develop for iOS first and then Android as an afterthought, if at
all.

~~~
Karunamon
> That's why Android apps have never really held a candle to their iOS
> counterparts; piracy has been easier on Android.

Bullshit. Both on Android apps "not holding a candle to iOS counterparts" and
your assertion that this has anything to do with piracy.

~~~
pkulak
Even if piracy isn't easier, there is the perception that it is, and that's
all you need to keep people off the platform.

------
chubs
Sounds like they haven't really broken Apple's DRM - Zeusmos relies on getting
a developer profile for your phone's UDID and re-signing the apps under that
dev profile, which means the apps will expire in a year or so. And Kuaiyong
relies on an enterprise profile by the looks of it, and I believe Apple can
remotely nuke enterprise profiles.

~~~
pudquick
> Sounds like they haven't really broken Apple's DRM

Yes and no.

No, in the sense that they are abusing the pay-for Apple developer services in
order to get the software pushed to non-jailbroken devices. As such, they are
still playing within the DRM system.

But in the case of Zeusmos, yes, Apple's DRM (FairPlay) is broken in that
"re-signing" involves signing a copy of the (App Store published) commercial
app that had its original DRM removed.

See here: <https://github.com/stefanesser/dumpdecrypted>

These techniques were how tools like Crackulous worked, which allowed for the
stealing of iOS App Store apps in the first place.

------
contingencies
Background:

1. Loads of people have iDevices in China.
2. It's hard to get a credit card in China.

~~~
cynix
> It's hard to get a credit card in China.

Are you sure? A lot of "credit cards" in China are actually debit cards, where
you must deposit money in your account up-front before you can spend. I don't
see any reason why banks would make it hard for people to get these, since
there's virtually no risk of bad debt.

~~~
contingencies
It's probably largely just historical inertia.

However, there are also potentially strong reasons to avoid it.

1. China dissuades capital exodus. (They actually have a whole government
bureau for this, the Foreign Exchange Management Bureau or 'waihuiguanliju')
2. My recent travels about Southeast Asia suggest that the government-run
centralized interbank settlement network 'China Union Pay', is being supported
by the government as a regional alternative to the de-facto global defaults
Cirrus/Maestro (Mastercard) and Visa (Bank of America).

Anyway, the why doesn't matter. It's really the situation.

------
kgarten
Sorry, but am I the only one who dislikes the picture they used for the post?
The flag of the pirate party has nothing to do with iPhone software piracy
websites ...

~~~
Semaphor
Random stock image for an article that calls piracy stealing. They do know how
to lower the expectations for their article.

------
beedogs
DRM is such an utter and absolute waste of effort and money. Think of the
millions of man-hours that have so far been misallocated on trying to "secure"
digital content. It's just sad.

~~~
ig1
It's pretty hard to argue that DRM doesn't reduce piracy. The overwhelming
evidence from the last several decades (everything from the piracy rate on
Commodore Amigas vs DRM'd consoles to modern ebook DRM) is that DRM has a
significant impact on reducing the amount of piracy that occurs.

Most of the arguments against DRM aren't about its ineffectiveness in
reducing piracy, but rather its implication for privacy and ownership rights.

~~~
mikeash
The trouble is that piracy reduction is the wrong end of the stick. What
content creators benefit from is _increased purchases_, which does not
necessarily follow from reduced piracy. I would agree that it's fairly clear
that DRM reduces piracy, but it's not at all clear that this then results in
increased sales.

------
Benferhat
As predicted, the Hackulo.us shutdown simply spurred the adoption of more
effective software piracy tools. Between Aptoide on Android, which somehow is
available via the official app store and also doesn't require
rooting/jailbreaking [1], and these new iPhone piracy services, I wonder if
we'll start to see changes in the way we approach software monetization.
Requiring in-app purchases, for example, is quite effective.

[1]: <https://play.google.com/store/apps/details?id=com.bazaar.installer>

~~~
ihuman
Zeusmos has been around before the shutdown, but articles like this are just
giving them publicity and pushing them into the light. Zeusmos runs on the
apptrackr API, which has also been shut down, so the shutdown also hurts them.

~~~
Benferhat
Thanks for the clarity, I'll update my post.

------
robryan
For the most part, it seems to be people going to a lot of trouble to save a
dollar or 2 on app purchases, the type of people that were unlikely to buy
anyway.

People still aren't able to make arbitrary in-app purchases for free? If that
is the case piracy might end up making the developer more in the long run.

~~~
ben1040
>the type of people that were unlikely to buy anyway.

As someone whose Android app has wound up on some pirate sites, it's not so
much the lost revenue I'm worried about. It's the possibility that the version
of my app on some Chinese pirate site has been repacked with malware.

~~~
geofft
Is it time to go back to the early-'90s-shareware model of annoy screens?
Release two versions of your app to the app store, one free with a ten second
long "you're a bad person" loading screen, and one that costs a bit.

~~~
Dove
As a consumer, I prefer this style of monetization to in-app purchasing. At
least I know what I'm getting and what the reviews mean. Oddly, though, the
market doesn't seem to agree with me. Demo/shareware apps just don't seem to
do well.

Obviously the average consumer and I just don't see eye to eye about
something. I have no idea what, though.

------
seanalltogether
Maybe it's time Apple and Google start providing receipts that devs can
validate themselves. Apple already provides this on OSX and it makes it hard
to mass pirate all apps.

------
fabm
The Zeusmos site is "currently undergoing some maintenance".

Looks like someone is getting shut down.

------
Permit
Wow, it's certainly interesting to see how the consensus on Piracy changes on
HackerNews when it's iOS apps and not music/media that's being downloaded. The
article even goes so far as to call it stealing and not one person has piped
up to point out that they're merely copying bytes, not removing utility from
anyone else.

The PirateBay receives a lot of support when it's mentioned here. I imagine if
I opened a "PirateBayForApps" on which I carried both legitimately free apps
and pirated apps, I might not receive the same support.

------
chj
On one hand this could be a great alternative distribution channel, on the
other hand developers get nothing and another risk is Apple can shut their
accounts down at any time.

