

Mac App Store DRM broken (Here's how) - blueben
http://pastebin.com/1eWf9LCg

======
bonaldi
This is a bug in Angry Birds, not the DRM. You're supposed to check the
receipt's bundle ID actually matches that of your app, and they didn't. If you
try this with other paid-for apps it will fail.

~~~
Skroob
I'm honestly surprised that some people are so desperate to not pay $5 for
Angry Birds. I mean, I sort of understand pirating $800 apps like Adobe's
suite, but $5 for a bird slingshot game?

For full disclosure's sake, I am an iOS and Mac developer, so I have some skin
in the game.

~~~
dangrossman
Considering hundreds of thousands, if not millions of people get the same game
for free on Android phones/tablets, there's some strangeness to paying for it
on other platforms.

~~~
wccrawford
I would gladly pay to play Angry Birds ad-free on Android.

Or at least, I would have while I was still playing it.

~~~
mishmash
> Or at least, I would have while I was still playing it.

Ohhh nice burn. ;)

~~~
wccrawford
Actually, it's not a burn. The game, like most others, only has so many
levels. I've gotten past all of them, and I don't find it fun to try to get 3
stars on them all. So until it updates with more levels, I don't feel any need
to play it.

------
Skroob
Most indie Mac developers will tell you they don't really concern themselves
with app piracy. This is the same thing; someone still has to upload the dmg
to some shady website, the pirate has to find it and remove the DRM files, and
then do it all over again when there's an update and hope it keeps working.
Or, just pay $3 and never worry about it again.

~~~
derefr
> Most indie Mac developers will tell you they don't really concern themselves
> with app piracy.

As someone who makes a hobby of cracking apps (I don't release anything, it's
just for fun), I can corroborate this. I've never been able to find a trace of
DRM in any Objective-C-based app. As far as I can tell, the state of the art
for indie Mac developers is to have a method "-(bool)isAppLicenceValid" and
another "-(bool)isAppLicenceOnBlacklist". Just hardwire YES and NO to those,
and you're good.

~~~
Skroob
That's basically the extent of the copy protection we use. The idea is that
pirates probably aren't going to buy your app anyway, and any significant time
you spend trying in vain to beat them is time taken away from fixing bugs,
writing new features, sales or support of actual customers. Since most of us
are one-person shops, the tradeoff is pretty obvious.

------
seanalltogether
Just submitted the following link on how devs can protect themselves:
<http://news.ycombinator.com/item?id=2078103>

------
solipsist
John Gruber has the following to say on the topic:

    
    
      Copy the App Store receipt from any legit Mac App Store download — including from
      any free app — and paste it into a bootleg download of Angry Birds, and it’ll run.
    
      This isn’t true for all paid Mac App Store apps. For apps that follow Apple’s
      advice on validating App Store receipts, this simple technique will not work.
      But, alas, it appears that many apps don’t perform any validation whatsoever,
      or do so incorrectly, like Angry Birds. (Angry Birds checks for a valid
      receipt, but doesn’t check to see that the bundle ID for the receipt matches
      its own bundle ID.)
    
      Apple should test for this in the review process, and reject paid apps that are
      susceptible to this simple technique.

~~~
pieter

      Apple should test for this in the review process, and reject paid apps that are
      susceptible to this simple technique.
    

That part is just silly. Developers should decide themselves how much time to
spend on the validation. For example, the Twitter for Mac app doesn't have any
validation (you can run it just fine without having the app store), and it
doesn't need to as it's free anyway.

Adding proper validation takes a relatively large amount of time, and sometimes
it's just not worth it. Hackers can still dynamically link against a custom
OpenSSL, or patch your app to not exit() if the code is 173, change Apple's CA
in the Keychain or a few other tricks that would work with a large amount of
the apps in the app store. You'll probably do better using your time to make
your app better than trying to fix the DRM.

~~~
mey
Simple obvious holes in their DRM solution, even if it is an implementor's
fault, damage their branding and the perceived value of their app store to
businesses. My take on it is, even if it is the developer's fault for failing
to program their system correctly, it is in Apple's best interest to perform
some basic validation to prevent the DRM being perceived as useless (even
though that's not the case).

Lastly, if the DRM scheme is so dependent on the 3rd party app to function
correctly, it seems like a failed system design.

------
Xuzz
So they didn't bother to try here or on iOS. Honestly, not particularly
surprising: any DRM will be broken eventually (even their own heavily-
obfuscated iTunes FairPlay DRM).

(Edit: apparently this is the fault of Angry Birds. I bet it's going to be
very simple to actually crack, though, so my point still stands.)

Without record labels forcing DRM, it's just a lot of effort for something
that _will_ be cracked, and only prevents the pirates who probably wouldn't
pay anyway from using the apps.

However, with this weak DRM, and expressly disallowing additional DRM, they
have shown that the Mac App Store is not about much of the existing Mac
software. You're never going to get Microsoft, Autodesk, or Adobe in that kind
of environment, at least for their flagship products.

~~~
pornel
> You're never going to get Microsoft, Autodesk, or Adobe in that kind
> of environment, at least for their flagship products.

Indeed, although it's maddening. Haven't MS/Adobe noticed that their flagship
products are on piratebay already, so there's no point forcing DRM on legal
users _only_?

~~~
jonhendry
There's also the 30% to Apple that is going to keep them out of the App Store.

~~~
pornel
What's the cut taken by Apple Stores? (brick'n'mortar and online one, both
stocking MS/Adobe products)

~~~
jonhendry
Probably similar to the cut taken by Best Buy or Amazon.

But MS/Adobe also sell directly, and they deal directly with large
institutional clients like big corporations and universities, cutting
discounted deals, site licenses, etc.

------
danest
Wouldn't Apple be able to check this and then just ban your Apple account?

~~~
jrockway
"We see that you've pirated an application. We're now going to block you from
buying it legally."

Sounds like a plan.

------
spekode_
Surprisingly unsatisfying. Bummer. :-(

------
gaiusparx
Guess version 2 of the game will be called Very Angry Birds with pirates as
targets. Or pirates are really pigs?

