Saturday, 08 January 2011 04:11

Mac App Store Hacked; How Can Developers Protect Themselves?


Apple opened its Mac App Store only recently, offering Mac users an easy way to buy and install software on up to five machines, but within hours hackers were already claiming to have defeated the store's copy protection. The crack, called Kickback, is not due to be released until February 2011; according to Hackulo.us member Dissident, it will let software downloaded from the store be installed on Macs beyond the five the license allows.

“We don’t want to release Kickback as soon as the [Mac App] Store gets released. I have a few reasons for that.

Most of the applications that go on the Mac App Store [in the first instance] will be decent, they’ll be pretty good. Apple isn’t going to put crap on the App Store as soon as it gets released. It’ll probably take months for the App Store to actually have a bunch of crappy applications and when we feel that it has a lot of crap in it, we’ll probably release Kickback.

So we’re not going to release Kickback until well after the store’s been established, well after developers have gotten their applications up. We don’t want to devalue applications and frustrate developers.”

Instructions have already started appearing online for bypassing Mac App Store receipt validation. By copying the receipt and the Info.plist data from a free app and pasting them into a paid app, you can run apps copied from friends' computers or downloaded from torrents. Many people have confirmed that this works, and it amounts to a serious failure in how Apple's receipt system has been implemented.

App developers are partly entangled in the problem as well. Apple's current documentation on validating receipts is fairly complex, but both the sample code and Apple's own instructions tell developers to validate the receipt against data that lives entirely outside the binary. Worse, that data is plain text (the bundle's Info.plist), which anyone can edit with a text editor. If you are an App Store developer using Apple's default validation logic, review these steps in your code:

  • Verify that the receipt bundle identifier matches the value for CFBundleIdentifier in the Info.plist file. If they do not match, verification fails.
  • Verify that the version identifier string in the receipt matches the value for CFBundleShortVersionString in the Info.plist file. If they do not match, verification fails.

and change them to something along these lines:

  • Verify that the receipt bundle identifier matches a CFBundleIdentifier value hard-coded into your application. If they do not match, verification fails.
  • Verify that the version identifier string in the receipt matches a CFBundleShortVersionString value hard-coded into your application. If they do not match, verification fails.

Ultimately, if your app is popular enough it will end up on a pirate site sooner or later, but for the time being, following the steps above keeps your app from being cracked with nothing more than TextEdit. For those who are interested: Angry Birds implemented only two of Apple's five suggested validation steps, so the pastebin instructions work as written only against Angry Birds; apps that perform all five steps would take somewhat more work to crack. A quick tip: if you are using roddi's receipt-checking code from GitHub, these are the lines you need to change:

BOOL validateReceiptAtPath(NSString * path)
{
	...
	// These two lookups read Info.plist from the bundle at run time, so the
	// receipt ends up compared against a plain-text file the attacker can edit.
	// Replace them with string literals compiled into your binary.
	bundleVersion = [[NSBundle mainBundle] objectForInfoDictionaryKey:@"CFBundleShortVersionString"];
	bundleIdentifier = [[NSBundle mainBundle] bundleIdentifier];
	...
}
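To make the difference between the two checks concrete, here is an added example (not code from the article, from roddi's project or from Apple's sample) that models the check in Python. The receipt is represented by its already-decoded fields, the Info.plist is a constructed file built with plistlib, and the bundle identifiers, versions and app names are hypothetical. It replays the published bypass, copying a free app's receipt and Info.plist into a paid app, against both the naive check and the hardened one:

```python
"""Model of the Mac App Store receipt check discussed above (added example)."""
import plistlib
from dataclasses import dataclass

# Values the paid app bakes into its binary as string literals. In the
# Objective-C code these replace the two [NSBundle mainBundle] lookups.
# Hypothetical identifiers, not a real app.
PAID_BUNDLE_ID = "com.example.PaidApp"
PAID_VERSION = "1.2"


@dataclass(frozen=True)
class Receipt:
    """The two receipt attributes this check cares about, as they would be
    after the real receipt (a PKCS#7-signed ASN.1 blob) has been decoded.
    Decoding and signature verification are outside the scope of this model."""
    bundle_id: str
    version: str


def make_info_plist(bundle_id: str, version: str) -> bytes:
    """Build a minimal Info.plist (constructed sample, not a real app's file)."""
    return plistlib.dumps({
        "CFBundleIdentifier": bundle_id,
        "CFBundleShortVersionString": version,
    })


# Constructed samples: the paid app's genuine receipt and Info.plist, and the
# receipt/Info.plist pair lifted from a free app by the published bypass.
PAID_RECEIPT = Receipt(PAID_BUNDLE_ID, PAID_VERSION)
PAID_INFO_PLIST = make_info_plist(PAID_BUNDLE_ID, PAID_VERSION)
FREE_RECEIPT = Receipt("com.example.FreeApp", "3.0")
FREE_INFO_PLIST = make_info_plist("com.example.FreeApp", "3.0")


def validate_naive(receipt: Receipt, info_plist: bytes) -> bool:
    """Apple's documented check as the sample code does it: compare the receipt
    against CFBundleIdentifier / CFBundleShortVersionString read from the
    bundle's Info.plist at run time. Both sides are under the attacker's control."""
    info = plistlib.loads(info_plist)
    return (receipt.bundle_id == info["CFBundleIdentifier"]
            and receipt.version == info["CFBundleShortVersionString"])


def validate_hardened(receipt: Receipt) -> bool:
    """The fix recommended above: compare the receipt against constants
    compiled into the binary, so a swapped Info.plist changes nothing."""
    return receipt.bundle_id == PAID_BUNDLE_ID and receipt.version == PAID_VERSION


def swap_attack_results() -> dict:
    """Replay the bypass: PaidApp.app ships with FreeApp's receipt and
    Info.plist dropped in. Returns what each validator decides."""
    return {
        "naive_genuine": validate_naive(PAID_RECEIPT, PAID_INFO_PLIST),
        # Passes: receipt and Info.plist were both copied from the free app.
        "naive_swapped": validate_naive(FREE_RECEIPT, FREE_INFO_PLIST),
        "hardened_genuine": validate_hardened(PAID_RECEIPT),
        # Fails: the copied receipt names the wrong app and version.
        "hardened_swapped": validate_hardened(FREE_RECEIPT),
    }


if __name__ == "__main__":
    for name, accepted in swap_attack_results().items():
        print(f"{name:18} -> {'accepted' if accepted else 'rejected'}")
```

Two practical notes. The naive check does reject a receipt swapped on its own (FreeApp's receipt against PaidApp's Info.plist fails), which is exactly why the published bypass copies the Info.plist as well. And the hardened constants still live inside the binary, so they can be patched by someone with a disassembler; the change raises the bar from a text editor to binary patching, which is all the article claims for it. Remember to bump the hard-coded version string with every release, or a legitimate update will fail its own check.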

We will all have to wait and see how the situation plays out. We expect Apple and its developers to be very unhappy that their already liberal approach to install rights (each app may be installed on up to five Macs) is being circumvented so soon.

Stay tuned for more news and info on the topic by following us on Twitter and/or subscribing to our RSS feed.

Authors: _GadgetNews

