

Pirated Apps in the App Store - jonlipsky
http://lipsky.me/blog/2013/7/2/pirated-apps-in-the-app-store

======
peterkelly
This happened to me recently, and it seems to be a very large scale problem on
the app store. In my case there were three different copies of my app (UX
Write) on the app store, under the names "Document Master", "Word Touch", and
"Word to Go".

The only reason I found out about them was that in all three cases, there had
been some extra resource files included for some unknown reason (likely from
another app), which for a very obscure reason were causing the app to crash. I
was receiving hundreds of emails containing crash logs and noticed that the
process name was different, which is what tipped me off. The fact that all
three had the same set of extra files (and all said "Document master" in the
modified documentation file) suggested it was either three developers working
together, or one developer with three separate accounts.

I found it _extremely_ difficult to get this problem addressed. I contacted
Apple and was asked to fill out a form on their website about the apps, and
then their legal team just sent an email to the other "developers" asking if
they owned copyright. None of the developers responded, and the legal team did
nothing. Several more phone calls to the developer relations team left the
problem unresolved.

I only managed to get the copies taken down eventually when I was at WWDC and
took the opportunity to meet in person with two representatives from the app
store team and show them the original & copies. They immediately recognised it
was a clear-cut case, and removed the infringing apps within a couple of days.

I think there are some very straightforward technical solutions to this - the
submission process could take hashes of all files in a new upload and check
them for matches in a database of hashes of all files from all apps, with any
matching apps flagged for further inspection. It amazes me this isn't done,
especially given the reputation the app store has for being strict about
political/sexual content etc. I've seen a ton of copied apps on the store;
it's just ridiculous.

~~~
dalore
If it was such a clear-cut case then why did you need to meet them in person to
show them?

~~~
peterkelly
I think it was a matter of them not having actually checked the apps
themselves, and that their process was just to shovel everything off to the
legal dept.

Someone else made a comment here about Apple not wanting to get in the middle
of copyright disputes (particularly for cases that _aren't_ so obvious). So
that's probably why they don't have a process in place to have someone
actually look at the apps. Developers have to chase it up themselves, which is
annoying.

------
mh-
Serve DMCA infringement notices on Apple for the offending apps. The apps will
certainly be removed. You shouldn't expect their legal department to respond
to non-legal correspondence.

edit: not to downplay the egregiousness here. just my advice if you want this
"fixed"

~~~
drewcrawford
I have _actually_ sent a DMCA notice to Apple.

While I would also suggest the DMCA route, I can tell you that you will
experience the exact same effect (no obvious response) observed by the OP.

~~~
gst
Shouldn't this be actually the better case (Apple not replying to a DMCA
notification?). IANAL, but it seems the safe harbor policy of the DMCA doesn't
apply if the service provider just ignores a DMCA notification. Which means you
don't need to go after the person who actually put a copy of your software
into the app store, but you can directly go after Apple. The facts in that
case seem to be relatively clear, so the risk of losing in court against Apple
should be low.

------
Ethan_Mick
This really bothers me. I've been fine with Apple's "Walled Garden" App Store
approach, because I do believe it offers consumers an amount of safety when
buying apps.

Anecdotally, I tell friends and family who are new to their iPhone (or Mac,
iPad), that they don't need anti-virus, certainly not on their iPhone. They
don't need to worry about downloading bad apps from the App Store, Apple
doesn't let anything bad in (Android has a history of malware in its app
store). It's what they _expect_ from owning an Apple device.

I really don't want to have to start telling them, "Careful, you could be
downloading a fake app" anytime soon. I believe Apple should work harder to
stop apps like these from getting into the store - it's much better for
developers and consumers.

~~~
oneweekwonder
According to 148apps.biz[1] Apple gets just under 1000 apps submitted per day.

At that scale they cannot "guarantee" safety. The same goes for any other
application store that works at that scale.

Some of the checking the submitter did could easily be automated and flag a
user if there is a possibility.

But they "must" be using some tech like that, I hope?

[1]: http://148apps.biz/app-store-metrics/?mpage=submission

~~~
BHSPitMonkey
With the magnitude of profits Apple makes from the App Store, they can't hire
100 smart people to intelligently and thoughtfully screen 10 submissions per
day? Also, it sounds like their automated tests don't (for instance) check the
submitted binary against hashes of all the other binaries that have ever been
submitted, which I think would be a good step toward mitigating this
particular plagiarism issue.
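The per-file hash check proposed in peterkelly's comment at the top of the thread and in the comment above, sketched as an added example (not part of the thread, and not a description of Apple's actual process). The class name, the ignored-path list, the 0.5 threshold and the sample bundles are assumptions; the copy's executable is given different bytes to model re-signing, which is why files are hashed individually rather than the bundle as a whole.

```python
import hashlib
import plistlib
from collections import defaultdict

# Paths rewritten by any re-sign, so they carry no signal (assumed list).
IGNORED = ("_CodeSignature/", "embedded.mobileprovision", "Info.plist")

def fingerprint(files):
    """files: {relative path: bytes}. Returns (bundle id, set of SHA-256 digests)."""
    bundle_id = plistlib.loads(files["Info.plist"])["CFBundleIdentifier"]
    hashes = {hashlib.sha256(data).hexdigest()
              for path, data in files.items() if not path.startswith(IGNORED)}
    return bundle_id, hashes

class SubmissionIndex:
    def __init__(self, threshold=0.5):
        self.threshold = threshold
        self.owners = defaultdict(set)  # file hash -> bundle ids that ship it
        self.sizes = {}                 # bundle id -> count of hashed files

    def add(self, files):
        bundle_id, hashes = fingerprint(files)
        for h in hashes:
            self.owners[h].add(bundle_id)
        self.sizes[bundle_id] = len(hashes)

    def check(self, files):
        """List (existing bundle id, fraction of its files present in the upload)."""
        bundle_id, hashes = fingerprint(files)
        shared = defaultdict(int)
        for h in hashes:
            for owner in self.owners.get(h, ()):
                if owner != bundle_id:  # same bundle id is treated as an update
                    shared[owner] += 1
        flags = [(o, n / self.sizes[o]) for o, n in shared.items()]
        return sorted((f for f in flags if f[1] >= self.threshold),
                      key=lambda f: -f[1])

def plist(bundle_id):
    return plistlib.dumps({"CFBundleIdentifier": bundle_id})

# Constructed sample bundles: the copy swaps the icon, is re-signed under a
# new bundle id, and carries one stray extra file.
ORIGINAL = {"Info.plist": plist("com.example.original"), "App": b"code v1 sig A",
            "icon.png": b"icon A", "Help.html": b"<h1>Help</h1>",
            "editor.js": b"function edit(){}", "strings.txt": b"Open\nSave"}
COPY = {**ORIGINAL, "Info.plist": plist("com.example.copy"),
        "App": b"code v1 sig B", "icon.png": b"icon B", "extra.dat": b"stray"}
UNRELATED = {"Info.plist": plist("com.example.game"), "App": b"game",
             "strings.txt": b"Open\nSave"}
```

A flag only queues the upload for the manual inspection the comments ask for. Files that many apps legitimately share, such as third-party libraries, raise the ratio for unrelated apps, so the threshold needs tuning against real submissions.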

------
rjd
I did some contracting at a place last year; while there, the competition
released a complete clone (as in identical) of the company's app. While we
were having a laugh at how similar it was, we expanded the app store
description and noticed it was copied verbatim from the place I was at, which
comically included links through to the support area, contact information via
telephone, brand names etc...

I'm not sure what the follow-up was as I was only there a few weeks, but it's
shocking how lazy people can be when cloning something.

~~~
nisse72
Hm, if I were to pirate your software, I'd much rather direct any support
requests to you than deal with them myself. As long as I get the app store
revenue, that's all that matters. Don't you think that's all they care about?

~~~
rjd
The app was free, so the motivation was literally an arms race I'd guess.

------
chj
The exact same disgusting thing happens to my app. I filed a complaint with
Apple weeks ago and have yet to receive any response.

------
thejosh
I thought a walled garden was supposed to fix these sorts of problems, isn't
that what Apple fans say about Android?

------
waps
You'd think the review process would catch this. But then I guess I should
remember who Apple does the reviews for. Not for customers, not for
developers, but for Apple.

~~~
smackfu
I think Apple tries to avoid being involved too much in policing other
people's IP. It can be a very messy situation with licensing and such. They
tend to approve it then take it down if they get complaints.

~~~
_pmf_
> I think Apple tries to avoid being involved too much in policing other
> people's IP.

Given that they provide the sole means of performing this infringement (given
that there are no other means to make money off iOS applications), this
argument is a bit too generous towards what is basically Apple not giving a
shit about developers' rights.

They do not "avoid being involved too much in policing other people's IP";
they are providing the only infrastructure and act as payment processor (even
taking their share!) of the infringements taking place. This is morally
significantly worse than Pirate Bay and the like (who provide a service to the
public), but unfortunately[1], there's no RIAA/MPAA equivalent for software
developers.

[1] It's debatable whether this is actually unfortunate for the general public

~~~
smackfu
To clarify, I mean that Apple does not consider it their job to require proof
that a given developer owns the IP during the initial review process. They
don't want to be policing contracts and stuff that they aren't a party to.

------
navs
I'm curious how one would reverse engineer and acquire the source code? Not
looking to do anything illegal, just wondering what goes into making such
duplicate apps.

~~~
ipodize
I'm quite sure that they are merely replacing some of the application's image
resources and re-signing it... But I could be wrong.

~~~
jonlipsky
Correct, they are simply updating the image resources and re-signing the app.
The code hasn't been touched (though the code is from a two year old version
of the app).

~~~
chj
I think we could add some detection in the code: if the bundle id
doesn't match, then the app should display a warning.

~~~
navs
Correct me if I'm wrong but doesn't the .ipa include the bundle ID as well as
the App ID inside the binary? I didn't think it was possible to edit that and
still get it codesigned for approval.

~~~
jonlipsky
Unfortunately, the bundle id is just stored in a plist file, and it's actually
quite easy to re-sign an app bundle with a different profile after modifying
it.

~~~
aqrashik
Would checking the value of [[NSBundle mainBundle] bundleIdentifier] with a
hardcoded value help?

It would be a bit more code, but just a few lines of verification code when
the application launches and the app can refuse to start up if the value
doesn't match.

Someone dedicated would still be able to crack it, but it would at least
require some effort on the part of the fraudster.

------
jonlipsky
As of this morning, the first app mentioned in my blog post is no longer
available for purchase, and the second application is now only for sale in
Egypt.

------
navs
For you Android devs out there, is this something you've also had to deal
with? I'm wondering how prevalent this is on the Android app store?

------
philthesong
This is possibly the worst nightmare for app developers. This problem applies
to both Android and iOS.

~~~
kybernetyk
It also applies to desktop software. This problem has been known since the
good old shareware days.

Sending a DMCA complaint to Apple/Google has at least the potential to be
successful. Trying to take down a web site in Russia or China that is selling
your software is another story.

------
kunai
This is a problem that isn't unique to a few outlier developers. This happens
frequently. A word processor that I love to death, Bean, has several
_identical_ ripoff apps based on its code on the Mac App Store by a
"developer" by the name of Weiwei Zhang.

The "developer" also has the audacity to charge _nineteen_ dollars for that
particular application. Disgusting.

------
speeder
Sometimes I wonder why people dread Apple's approval process so much... I never
got rejected.

Also, besides that, people also clone stuff NOT in iTunes, and I mean clone
by literally getting someone's app for another platform, reverse engineering it,
compiling it again for iOS and launching it as if it were their own (even if the
controls end up being shit).

~~~
wahnfrieden
Some people work on apps where Apple's policies are unclear or inconsistent.

