Lack of receipt checking could enable Mac App Store piracy

Not long after the Mac App Store opened, several warnings via Twitter began to surface. "You did implement receipt checking so that people can't pirate your app. Yes?" developer Nik Fletcher (also one of our former writers here at TUAW) asked his followers. Ged Maheux at the Iconfactory also pointed out that he was able to run a for-pay app purchased by another person, and run it on 10.5 and 10.6.5 Macs as well -- none of which should be happening, it would seem.
Receipt checking is the process that lets developers verify that the app is installed as a valid purchase by checking the embedded purchase receipt, which is included (in encrypted form) by Apple and contains the UUID of the Mac authorized to run the app. Apple did not force developers to implement a particular way of handling these receipts, and as a result, some paid apps are not properly protected against piracy.
While the number of affected apps is not known -- and probably very small -- it's not clear there's anything Apple could have done to protect developers from themselves in this situation. According to veteran Mac developer Daniel Jalkut of Red Sweater Software, the burden of preventing the app from running in an unlicensed setup is on the app itself, not Apple's receipts.
"If developers think anything doesn't check out, at any time, they are obliged to exit the app," says Jalkut. "So nothing Apple does, short of breaking the exit system call itself, would cause an app to run when the developer's code discovers something is not right." Jalkut suspects that the apps in question may not have implemented a receipt check, or that the check they are using has flaws in its implementation. He also points out that Apple's testing process only looks for "false positives," meaning that if a valid license/receipt is present and the app fails to launch, that's grounds for rejection; if one is absent and the app launches anyway, that's not, since receipt checking is optional. [Developer Alex Curylo points to his open-sourced routines for validating store receipts, in case Mac app developers need some help.]
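As an added illustration (not code from the article, from Apple, or from any developer quoted here), the sketch below shows the machine-binding part of a receipt check failing closed, the behaviour Jalkut describes. It assumes the receipt's signature has already been verified and its fields decoded, and it follows Apple's documented scheme of a SHA-1 hash over the Mac's GUID, an opaque value and the bundle identifier; the dictionary keys, bundle identifier and GUIDs are constructed for the example.

```python
import hashlib
import hmac

EXIT_OK = 0
EXIT_RECEIPT_INVALID = 173  # exit status Apple documents for a failed receipt check
EXPECTED_BUNDLE_ID = b"com.example.paidapp"  # constructed; hard-coded, not read from Info.plist


def binding_hash(guid: bytes, opaque: bytes, bundle_id: bytes) -> bytes:
    """SHA-1 over machine GUID || opaque value || bundle identifier."""
    return hashlib.sha1(guid + opaque + bundle_id).digest()


def check_receipt(receipt, local_guid: bytes) -> int:
    """Return the exit status the app should act on; any doubt fails closed."""
    if not isinstance(receipt, dict):            # receipt absent or unreadable
        return EXIT_RECEIPT_INVALID
    try:
        bundle_id = receipt["bundle_id"]         # hypothetical key names
        opaque = receipt["opaque_value"]
        stored = receipt["sha1_hash"]
    except KeyError:                             # truncated or tampered payload
        return EXIT_RECEIPT_INVALID
    if bundle_id != EXPECTED_BUNDLE_ID:          # receipt lifted from another app
        return EXIT_RECEIPT_INVALID
    expected = binding_hash(local_guid, opaque, bundle_id)
    if not hmac.compare_digest(expected, stored):  # receipt issued for another Mac
        return EXIT_RECEIPT_INVALID
    return EXIT_OK


def sample_receipt(guid: bytes) -> dict:
    """Constructed stand-in for a decoded receipt issued to the Mac with this GUID."""
    opaque = bytes(range(16))
    return {
        "bundle_id": EXPECTED_BUNDLE_ID,
        "opaque_value": opaque,
        "sha1_hash": binding_hash(guid, opaque, EXPECTED_BUNDLE_ID),
    }


if __name__ == "__main__":
    buyer_mac = bytes.fromhex("001122334455")    # constructed GUIDs
    other_mac = bytes.fromhex("66778899aabb")
    receipt = sample_receipt(buyer_mac)
    print("buyer's Mac:", check_receipt(receipt, buyer_mac))
    print("copied app :", check_receipt(receipt, other_mac))
    print("no receipt :", check_receipt(None, other_mac))
```

An app that skips this check, or treats a missing receipt as acceptable, behaves like the copied app in the test described below.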
Fellow TUAW writer TJ Luoma was kind enough to share an app with me to test this. He archived an app purchased through the Mac App Store, dropped the app in Dropbox and sent me the link. I installed it, then restarted the Mac App Store. The store showed the app as being installed, and I was able to use the app as if I had bought it myself. However, it did not show up in my purchased apps list. When I removed the app from the machine, the Mac App Store gave me the option of paying for a legal license instead of saying it had been purchased or previously installed in any manner.
To be clear: TUAW does not endorse app piracy, and I immediately uninstalled the app we tested. However, it's in developers' interest to double-check and make sure they have receipt support enabled for their products in the Mac App Store.
[And no, if you were wondering, Angry Birds is not the application we tested.]
Comments
A lot of applications for Mac are honor based anyway.
Even Apple themselves. Mac OS X doesn't ask for a serial number. So as iWork now (it used to ask for one)
Even Microsoft Office removed their network serial number check.
It can be run on another Mac simply by copy and pasting the folder in /Applications.
So what's the fuss now?
Mac App store apps are already cracked. The method is ridiculously easy: http://www.macuser.gr/mac-app-store-cracked-apps-3027
January 06 2011 at 7:14 PM
Method tested with Angry Birds and worked!
Of course I uninstalled the game after 5 minutes and bought it from the Mac App store cause Rovio ROCKS!
The question is why is there no DRM in the 1st place?
Does this kind of checking mean there are going to be problems when I upgrade my mac, or want to run the software on two computers of which I am the sole user?
January 06 2011 at 2:56 PM
Not if you use your AppleID on that new (or 2nd) computer.
January 06 2011 at 6:29 PM
Raj - My Apple ID, or the ID I use to buy still on iTunes. :-)
Yot - Why should there be DRM? After all the talk of why DRM on music and such is bad, we now start advocating it for applications?
I am a developer and I chose to implement receipt checking only on 10.6.6 and later. Sooner or later everyone will upgrade anyway, but this way people can use my software on their other Macs where they have no App Store installed. Pirates will get their cracked versions anyway, but they should not get a "better" (i.e. runs everywhere) version than someone who legally bought the product.
January 06 2011 at 2:37 PM
A different approach to a very debated topic! It's actually a pretty damn good one too. Want the good stuff, pay up like you're supposed to, else use yesterday's version.
January 06 2011 at 2:44 PM
I believe that any software I buy should be allowed to be put on all my Macs. I have several.
If I were to purchase a separate license for each of them, or when I upgrade to a new system, it would be cost prohibitive to me.
Many of the apps I run on my Mac are from Developers/Publishers who explicitly permit me to install a copy on my home desktop machine, my office desktop machine and my laptop. If I need a fourth authorization or I need to delete one due to retiring a machine, these are easily accommodated. If Apple were to take on this chore as they well may in future, it will start out as a one-size-fits-all nightmare and evolve glacially from there.
So, this is not just a piracy issue. There's much more to consider.
"Perhaps the only real problem here is whether the developer can actually implement the necessary checks..."
It's mildly tricky, but there's open source available to make it straightforward enough to be a couple hours work at most. If you're really interested follow the links in my post here:
http://www.alexcurylo.com/blog/2010/11/27/validatestorereceipt/
I didn't put it in my app because I only read about it a few days ago, not a biggy for me and not unlike the situation prior to today.
January 06 2011 at 1:03 PM
I've seen you say something about your app in two different articles, what exactly is the app? Or if you're afraid of pirates, what does it do? Just curious. :)
January 06 2011 at 2:41 PM
You have to be a real jerk to pirate 3rd party applications like this, and hopefully it won't be a big problem.
There are some big name, big price programs that I may have pirated in the past but I never used them seriously and it was more of a curiosity thing. Any program I use seriously I always pay for, it's only right. 3rd party Mac applications are what distinguishes the platform from Windows because Windows 7 is pretty good now. Without supporting those developers you will not get the badass stuff we're used to.
Or perhaps some developers purposefully chose not to implement any kind of particular DRM.
January 06 2011 at 12:44 PM
Exactly, I think it's nice for it to be an optional part of the application, as long as it does exist, and developers are made aware of how it works (and it sounds like both of those requirements are being met).
Also, hi Brian, didn't realize you were a TUAW reader. Small world.