Special Report: iOS app piracy soars

Powered by SC Magazine
 
Page 1 of 2 | Single page

Apple fails to protect the revenues of its developer community.

The iOS application community is under siege. Every popular application on Apple's app store has been cracked, their security mechanisms broken.

Today's special SC Magazine report reveals that within hours - at times mere minutes - of a paid app hitting Apple’s App store, it is available for free on alternative sites.

These pirate apps are lumped into a lesser known but prolific underground store App Trackr which brims with stolen warez.

This rampant piracy is the product of a global anonymous cracking scene that has operated publicly since at least 2008. Back then, cracking was fragmented, slower and limited to the technically savvy, who plied their trade using scripts and basic tools.

Today apps can be cracked, downloaded, shared and installed at the touch of a button using glossy applications that has opened piracy to the masses.

Of the current top 30 most popular iPhone apps in Australia last week, SC Magazine found that half were cracked and uploaded to App Trackr the same day they were released on Apple’s app store.

Eleven of the most expensive apps ranging between US$69.99 and US$999.99 were also cracked. One specialist dentistry app with a price tag of US$499.99 was cracked on the day it was released.

Click to enlarge
Top 30 paid apps, cracked
Click to enlarge
Most expensive cracked apps

[Click to enlarge]

So prolific is the piracy that at least one developer has abandoned efforts to sell their app.

Czech-based MadFingerGames was left floored by what the developer said was “unbelievably high” levels of piracy of its $1.00 game Dead Trigger. The level of piracy was such that the developer has dropped the price tag altogether.

Italian developer Flippo Bigarella has similarly reported a whopping 92 percent piracy rate on his popular app Springtomize 2 for jailbroken devices. The app had some 200,000 installs.

App security vendor Axran, which ran a study on piracy earlier this year, cited KPMG figures that put the value of the app development industry at US$139.5 billion. The security vendor said more than 92 percent of paid iOS apps were pirated, and every paid Android app had been ripped off.

Apple has refused to discuss app piracy with SC.

The company was asked whether its application design could be hardened against reverse engineering efforts - central to the pirating of apps. With a multi-billion dollar industry at stake, the company has refused to respond.

What is known is that Cupertino has tried, and failed, to stop the piracy onslaught. Late last year – and possibly earlier – it attempted to tackle App Trackr by issuing take down notices.

In response, pirates introduce CAPTCHA image verification to hinder the removal of copyright apps from file sharing websites and relocated content servers.

At best, the effort increased the operating costs of the pirate machine, prompting developers to call for donations and place advertisements within the download process.

But the pirates inevitably prevailed, and even mocked Apple’s take down efforts.

In 2009, each of the three million pirates a day who wanted to access the then infamous piracy site Appulous had to answer questions known only to cracking scene insiders. One quiz took a stab at Apple lawyer Ian Ramage, the author of several take down requests:

“I work for Apple’s law firm and have been trying to get Appulous shut down since the beginning. I wish I was better at my job :( What’s my first and last name?”

Too easy

By far the most popular method of accessing pirated Apple apps is through AppTrackr, and its related iOS application Installous.

Together, these tools allow users of jailbroken devices to download and install pirated apps.

Installous mimicks the design of Apple’s App store, lacking only user reviews and app price tags. Users can browse the most popular apps in a given category and download the warez from Bit Torrent or any number of file sharing websites. Those apps can then be installed.

The equally stylish Crackulous iOS app allows users to nominate legitimate apps downloaded from Apple’s App Store and in a single click, break the digital rights management and security controls protecting them. 

Crackulous
Crackulous

The apps can then be uploaded from within the app to App Trackr or any file sharing site of a user's choosing.

Crackulous, based on the Clutch cracking utility, got around Apple’s Address Space Layout Randomisation and works by executing apps, which run decrypted, and dumping their code.

“The method used is crude but simple,” states a Hackulous community wiki. “A debugger is attached to the executable and is used to dump the decrypted segments before the executable launches. The decrypted segments are then transposed onto the original binary, and the LC_ENCRYPTION_INFO load command's cryptid field is changed to 0.”

Attempts to mitigate this process have failed, Axran's report notes. App developers have applied traditional practices like simple code obfuscation, encryption, Security Development Lifecycle and app vulnerability testing, but none have helped against this type of reverse engineering.

“These approaches and tools continue to be relevant and important to avoid leaving flaws and holes in the apps (like buffer overflows and SQL injection) however, these approaches do not provide real-time integrity protection and security against tampering/reverse-engineering based attacks," the report noted.

“Vulnerability-free code can still be easily reverse-engineered and tampered resulting in the hacker compromising the integrity of the app.”

The company, which sells a product to secure apps, estimated that less than five percent of apps were secured against cracking.

“App owners are clearly far behind hackers in their understanding and sophistication around how easily apps can be compromised.”

Read on to page two: The hacking scene continues to flourish....

Copyright © SC Magazine, Australia


Special Report: iOS app piracy soars
The installous tool.
 
 
 
Top Stories
Turnbull introduces data retention legislation
Still no definition of metadata to be stored.
 
Images: the next frontier in data analytics?
Barclay’s global data chief says we’re still at the starting line.
 
Crime Commission prepares core systems overhaul
Will replace 30 year-old national criminal database.
 
 
The installous tool.
Sign up to receive iTnews email bulletins
   FOLLOW US...
Latest articles on BIT Latest Articles from BIT
Do you direct debit customers? Read this
Oct 10, 2014
Authorities have been targeting direct debit practices with iiNet and Dodo receiving formal ...
Optus expands 4G coverage
Oct 10, 2014
If you rely on an Optus phone for work you might be interested to know that there are now 200 ...
Microsoft Office is now free for some charities
Oct 10, 2014
Microsoft has announced that eligible Australian non-profit organisations and charities can now ...
Vodafone lights up 4G in Adelaide
Oct 9, 2014
Live and work in Adelaide? Vodafone has switched on its 4G network in the city and suburbs.
Next year tradies will be able to take payments using ingogo
Oct 3, 2014
Ingogo is going to provide a card payment service for Xero users.
Latest Comments
Polls
In which area is your IT shop hiring the most staff?




   |   View results
IT security and risk
  27%
 
Sourcing and strategy
  12%
 
IT infrastructure (servers, storage, networking)
  21%
 
End user computing (desktops, mobiles, apps)
  15%
 
Software development
  25%
TOTAL VOTES: 417

Vote
Would your InfoSec team be prepared to share threat data with the Australian Government?

   |   View results
Yes
  55%
 
No
  45%
TOTAL VOTES: 196

Vote