Hacker News
Pirated Apps in the App Store (lipsky.me)
134 points by jonlipsky 1627 days ago | 44 comments

Serve DMCA infringement notices on Apple for the offending apps. The apps will certainly be removed. You shouldn't expect their legal department to respond to non-legal correspondence.

edit: not to downplay the egregiousness here. just my advice if you want this "fixed"

Per this comment: "I've been dealing unsuccessfully to try to get those removed; however as of today it's been taken up another level..."

Jon, I know you're reading, read this: http://www.apple.com/legal/contact/includes/copyright-agent.... which will get the offending apps taken down (or you can hire a lawyer to sue Apple, which should be easy because lawyers love to sue companies with billions of dollars in the bank)

Since these folks are often "related" in that the developers that use these sorts of tactics to make a quick buck are related, if you are persistent they will get the message that your apps are a pain to copy and generally will stop, although you may find it useful to retain a law firm to go after them on your behalf.

Thanks for sharing that link. Apple has another link to submit copyright issues, but I hadn't found that one yet!

I have actually sent a DMCA notice to Apple.

While I would also suggest the DMCA route, I can tell you that you will experience the exact same effect (no obvious response) observed by the OP.

Shouldn't this actually be the better case (Apple not replying to a DMCA notification)? IANAL, but it seems the safe harbor policy of the DMCA doesn't apply if the service provider just ignores a DMCA notification. Which means you don't need to go after the person who actually put a copy of your software into the app store, but you can directly go after Apple. The facts in that case seem to be relatively clear, so the risk of losing in court against Apple should be low.

The only problem is that Apple could retaliate and block the developer from using the app store in the future. In the end, Apple's store is Apple's, and they decide when a developer is more a nuisance than a boon for Apple's businesses.

This really bothers me. I've been fine with Apple's "Walled Garden" App Store approach, because I do believe it offers consumers an amount of safety when buying apps.

Anecdotally, I tell friends and family who are new to their iPhone (or Mac, iPad), that they don't need anti-virus, certainly not on their iPhone. They don't need to worry about downloading bad apps from the App Store, Apple doesn't let anything bad in (Android has a history of malware in its app store). It's what they expect from owning an Apple device.

I really don't want to have to start telling them, "Careful, you could be downloading a fake app" anytime soon. I believe Apple should work harder to stop apps like these from getting into the store - it's much better for developers and consumers.

According to 148apps.biz[1] Apple gets just under 1000 apps submitted per day.

At that scale they cannot "guarantee" safety. The same goes for any other application store that works at that scale.

Some of the checking the submitter did could easily be automated and flag a user if there is a possibility.

But they "must" be using some tech like that, I hope?

[1]: http://148apps.biz/app-store-metrics/?mpage=submission

With the magnitude of profits Apple makes from the App Store, they can't hire 100 smart people to intelligently and thoughtfully screen 10 submissions per day? Also, it sounds like their automated tests don't (for instance) check the submitted binary against hashes of all the other binaries that have ever been submitted, which I think would be a good step toward mitigating this particular plagiarism issue.

This happened to me recently, and it seems to be a very large scale problem on the app store. In my case there were three different copies of my app (UX Write) on the app store, under the names "Document Master", "Word Touch", and "Word to Go".

The only reason I found out about them was that in all three cases, there had been some extra resource files included for some unknown reason (likely from another app), which for a very obscure reason were causing the app to crash. I was receiving hundreds of emails containing crash logs and noticed that the process name was different, which is what tipped me off. The fact that all three had the same set of extra files (and all said "Document master" in the modified documentation file) suggested it was either three developers working together, or one developer with three separate accounts.

I found it extremely difficult to get this problem addressed. I contacted Apple and was asked to fill out a form on their website about the apps, and then their legal team just sent an email to the other "developers" asking if they owned copyright. None of the developers responded, and the legal team did nothing. Several more phone calls to the developer relations team left the problem unresolved.

I only managed to get the copies taken down eventually when I was at WWDC and took the opportunity to meet in person with two representatives from the app store team and show them the original & copies. They immediately recognised it was a clear-cut case, and removed the infringing apps within a couple of days.

I think there are some very straightforward technical solutions to this - the submission process could take hashes of all files in a new upload and check them for matches in a database of hashes of all files from all apps, with any matching apps flagged for further inspection. It amazes me this isn't done, especially given the reputation the app store has for being strict about political/sexual content etc. I've seen a ton of copied apps on the store; it's just ridiculous.
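Added example, not part of the original thread or any commenter's code: a minimal sketch of the per-file hash check suggested above. Bundles are modelled as constructed name-to-bytes dicts, and the app ids, file names and 0.5 threshold are assumptions; because a re-signed executable and an edited Info.plist no longer hash the same, the score is the fraction of a known app's files that reappear in the submission.

```python
import hashlib
from collections import Counter, defaultdict


class HashIndex:
    """Inverted index: SHA-256 of file content -> known apps shipping that file."""

    def __init__(self):
        self.by_hash = defaultdict(set)
        self.file_count = {}

    @staticmethod
    def digests(bundle):
        # Hash content only, so renaming a file does not hide a match.
        return {hashlib.sha256(data).hexdigest() for data in bundle.values()}

    def add(self, app_id, bundle):
        hashes = self.digests(bundle)
        self.file_count[app_id] = len(hashes)
        for h in hashes:
            self.by_hash[h].add(app_id)

    def flag(self, bundle, threshold=0.5):
        """Return {app_id: share of that app's files present in `bundle`}."""
        hits = Counter()
        for h in self.digests(bundle):
            hits.update(self.by_hash.get(h, ()))
        scores = {app: n / self.file_count[app] for app, n in hits.items()}
        return {app: s for app, s in scores.items() if s >= threshold}


# Constructed sample bundles (file name -> bytes); all names are hypothetical.
RES = {f"res/{n}": f"resource {n}".encode()
       for n in ("help.html", "template.docx", "fonts.dat", "styles.css", "strings.txt")}
ORIGINAL = {"App": b"code v1 + signature A", "Info.plist": b"id=com.example.original",
            "icon.png": b"icon A", **RES}
# Clone: re-signed executable, edited plist, new icon, one stray file, same resources.
CLONE = {"App": b"code v1 + signature B", "Info.plist": b"id=com.example.clone",
         "icon.png": b"icon B", "stray.dat": b"leftover", **RES}
# Unrelated app that happens to ship one identical common file.
UNRELATED = {"App": b"other code", "Info.plist": b"id=com.example.other",
             "fonts.dat": RES["res/fonts.dat"]}

if __name__ == "__main__":
    index = HashIndex()
    index.add("com.example.original", ORIGINAL)
    print(index.flag(CLONE))      # clone shares 5 of the original's 8 files
    print(index.flag(UNRELATED))  # one shared file stays below the threshold
```

A flagged submission is a candidate for human inspection rather than proof of copying, since unrelated apps can legitimately ship identical third-party files.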

If it was such a clear-cut case, then why did you need to meet them in person to show them?

I think it was a matter of them not having actually checked the apps themselves, and that their process was just to shovel everything off to the legal dept.

Someone else made a comment here about Apple not wanting to get in the middle of copyright disputes (particularly for cases that aren't so obvious). So that's probably why they don't have a process in place to have someone actually look at the apps. Developers have to chase it up themselves, which is annoying.

I did some contracting at a place last year; while I was there, the competition released a complete clone (as in identical) of the company's app. While we were having a laugh at how similar it was, we expanded the app store description and it was copied verbatim from the place I was at, which comically included links through to the support area, contact information via telephone, brand names etc...

I'm not sure what the follow-up was as I was only there a few weeks, but it's shocking how lazy people can be when cloning something.

Hm, if I were to pirate your software, I'd much rather direct any support requests to you than deal with them myself. As long as I get the app store revenue, that's all that matters. Don't you think that's all they care about?

The app was free, so the motivation was literally an arms race I'd guess.

Exactly the same disgusting thing happens to my app. I filed a complaint with Apple weeks ago and have yet to receive any response.

I thought a walled garden was supposed to fix these sorts of problems, isn't that what Apple fans say about Android?

I'm curious how one would reverse engineer and acquire the source code? Not looking to do anything illegal, just wondering what goes into making such duplicate apps.

They use a jailbroken device to obtain a decrypted copy of the application binary, then re-sign it with their own developer certificate, and submit. There's no recompilation needed.

You don't need the code. You just change some strings in the binary/bundle (if you're fancy), sign it with your certificate and upload to the app store.

Apple apps are basically just a special folder that contain a combination of compiled files and uncompiled "resources" which can include images and even some of the config files.

You can easily browse any native app on a Mac by just ctrl+clicking it and selecting "show package contents"

These cloners are just replacing image files and changing some text in config files which requires almost zero programming or reverse engineering skill.

I'm quite sure that they are merely replacing some of the application's image resources and re-signing it... But I could be wrong.

Correct, they are simply updating the image resources and re-signing the app. The code hasn't been touched (though the code is from a two year old version of the app).

I think we could add some detection in the code so that if the bundle id doesn't match, then the app should display a warning.

Correct me if I'm wrong but doesn't the .ipa include the bundle ID as well as the App ID inside the binary? I didn't think it was possible to edit that and still get it codesigned for approval.

Unfortunately, the bundle id is just stored in a plist file, and it's actually quite easy to re-sign an app bundle with a different profile after modifying it.

Would checking the value of [[NSBundle mainBundle] bundleIdentifier] with a hardcoded value help?

It would be a bit more code, but just a few lines of verification code when the application launches and the app can refuse to start up if the value doesn't match.

Someone dedicated would still be able to crack it, but it would at least require some effort on the part of the fraudster.

As of this morning, the first app mentioned in my blog post is no longer available for purchase, and the second application is now only for sale in Egypt.

For you Android devs out there, is this something you've also had to deal with? I'm wondering how prevalent this is on the Android app store?

This is possibly the worst nightmare for app developers. This problem applies to both Android and iOS.

It also applies to desktop software. This problem has been known since the good old shareware days.

Sending a DMCA complaint to Apple/Google has at least the potential to be successful. Trying to take down a web site in Russia or China that is selling your software is another story.

Nope, the worst nightmare is being kicked off the store, so you can no longer make any money. It has happened to me before, for submitting too many apps.

This is a problem that isn't unique to a few outlier developers. This happens frequently. A word processor that I love to death, Bean, has several identical ripoff apps based on its code on the Mac App Store by a "developer" by the name of Weiwei Zhang.

The "developer" also has the audacity to charge nineteen dollars for that particular application. Disgusting.

Sometimes I wonder why people dread Apple's approval process so much... I never got rejected.

Also, besides that, people also clone stuff NOT in iTunes, and I mean clone by literally getting someone's app for another platform, reverse engineering it, compiling it again for iOS and launching it as if it were their own (even if the controls end up being shit).

Some people work on apps where Apple's policies are unclear or inconsistent.

You'd think the review process would catch this. But then I guess I should remember who Apple does the reviews for. Not for customers, not for developers, but for Apple.

I think Apple tries to avoid being involved too much in policing other people's IP. It can be a very messy situation with licensing and such. They tend to approve it then take it down if they get complaints.

> I think Apple tries to avoid being involved too much in policing other people's IP.

Given that they provide the sole means of performing this infringement (given that there are no other means to make money off iOS applications), this argument is a bit too generous towards what is basically Apple not giving a shit about developers' rights.

They do not "avoid being involved too much in policing other people's IP"; they are providing the only infrastructure and act as payment processor (even taking their share!) of the infringements taking place. This is morally significantly worse than Pirate Bay and the like (who provide a service to the public), but unfortunately[1], there's no RIAA/MPAA equivalent for software developers.

[1] It's debatable whether this is actually unfortunate for the general public

To clarify, I mean that Apple does not consider it their job to require proof that a given developer owns the IP during the initial review process. They don't want to be policing contracts and stuff that they aren't a party to.

I've had an in-app purchase (newsstand magazine issue) rejected because the supplied screenshot didn't match. At times they can be a tad overzealous and the opposite is also true. End of the day, the App review team is made up of humans.

Not catching that the screenshots do not represent the actual app seems like a pretty big goof.

It's in Apple's best interest to project a quality image in the AppStore. Quality over quantity.

Apple used to allow screenshots to be changed after the app was approved, so it wasn't necessarily a goof.

They still allow the description and "What's New" text to be changed even after review.

Apple changed their policy on screenshot updating back in January, so I'm pretty sure they approved the app and the screenshots together.
