Special Report: iOS app piracy soars

Powered by SC Magazine
 

Apple fails to protect the revenues of its developer community.

The iOS application community is under siege. Every popular application on Apple's App Store has been cracked, its security mechanisms broken.

Today's special SC Magazine report reveals that within hours - at times mere minutes - of a paid app hitting Apple’s App store, it is available for free on alternative sites.

These pirated apps are collected in a lesser known but prolific underground store, AppTrackr, which brims with stolen warez.

This rampant piracy is the product of a global anonymous cracking scene that has operated publicly since at least 2008. Back then, cracking was fragmented, slower and limited to the technically savvy, who plied their trade using scripts and basic tools.

Today apps can be cracked, downloaded, shared and installed at the touch of a button using glossy applications that have opened piracy to the masses.

Of the current top 30 most popular iPhone apps in Australia last week, SC Magazine found that half were cracked and uploaded to AppTrackr the same day they were released on Apple's App Store.

Eleven of the most expensive apps ranging between US$69.99 and US$999.99 were also cracked. One specialist dentistry app with a price tag of US$499.99 was cracked on the day it was released.

[Figure: Top 30 paid apps, cracked]

[Figure: Most expensive cracked apps]

So prolific is the piracy that at least one developer has abandoned efforts to sell their app.

Czech-based MadFingerGames was left floored by what the developer said was “unbelievably high” levels of piracy of its $1.00 game Dead Trigger. The level of piracy was such that the developer has dropped the price tag altogether.

Italian developer Filippo Bigarella has similarly reported a whopping 92 percent piracy rate on his popular app Springtomize 2 for jailbroken devices. The app had some 200,000 installs.

App security vendor Arxan, which ran a study on piracy earlier this year, cited KPMG figures that put the value of the app development industry at US$139.5 billion. The security vendor said more than 92 percent of the paid iOS apps it sampled were pirated, and every one of the top paid Android apps it sampled had been ripped off.

Apple has refused to discuss app piracy with SC.

The company was asked whether its application design could be hardened against reverse engineering efforts - central to the pirating of apps. With a multi-billion dollar industry at stake, the company has refused to respond.

What is known is that Cupertino has tried, and failed, to stop the piracy onslaught. Late last year – and possibly earlier – it attempted to tackle App Trackr by issuing take down notices.

In response, the pirates introduced CAPTCHA image verification to hinder the removal of copyrighted apps from file sharing websites, and relocated their content servers.

At best, the effort increased the operating costs of the pirate machine, prompting its operators to call for donations and place advertisements within the download process.

But the pirates inevitably prevailed, and even mocked Apple’s take down efforts.

In 2009, each of the three million pirates a day who wanted to access the then infamous piracy site Appulous had to answer questions known only to cracking scene insiders. One quiz took a stab at Apple lawyer Ian Ramage, the author of several take down requests:

“I work for Apple’s law firm and have been trying to get Appulous shut down since the beginning. I wish I was better at my job :( What’s my first and last name?”

Too easy

By far the most popular method of accessing pirated Apple apps is through AppTrackr and its related iOS application, Installous.

Together, these tools allow users of jailbroken devices to download and install pirated apps.

Installous mimics the design of Apple's App Store, lacking only user reviews and app price tags. Users can browse the most popular apps in a given category and download the warez from BitTorrent or any number of file sharing websites. Those apps can then be installed.

The equally stylish Crackulous iOS app allows users to nominate legitimate apps downloaded from Apple’s App Store and in a single click, break the digital rights management and security controls protecting them. 


The apps can then be uploaded from within the app to AppTrackr or any file sharing site of the user's choosing.

Crackulous, based on the Clutch cracking utility, exploits the fact that an App Store binary must be decrypted in memory before it can run: it launches the app and dumps the decrypted code. Apple's Address Space Layout Randomisation only shifts where that code sits in memory; it does not prevent the dump.

“The method used is crude but simple,” states a Hackulous community wiki. “A debugger is attached to the executable and is used to dump the decrypted segments before the executable launches. The decrypted segments are then transposed onto the original binary, and the LC_ENCRYPTION_INFO load command's cryptid field is changed to 0.”
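The load command the wiki quote names can be inspected from the other side. The following is an added example, not code from Hackulous, Clutch or this article: it walks the load commands of a thin Mach-O executable, reports the LC_ENCRYPTION_INFO / LC_ENCRYPTION_INFO_64 fields, and tells a still FairPlay-encrypted store binary (cryptid non-zero) from one whose cryptid has been cleared. That is the check a developer or reviewer would run over an IPA's executable to spot a dumped copy. The sample binary is constructed inline from a hand-built header and two load commands; it is not a real app, and the constants come from Apple's mach-o/loader.h.

```python
import struct
import sys

# Constants from <mach-o/loader.h>
MH_MAGIC = 0xFEEDFACE          # 32-bit, little-endian
MH_MAGIC_64 = 0xFEEDFACF       # 64-bit, little-endian
LC_SEGMENT_64 = 0x19
LC_ENCRYPTION_INFO = 0x21      # cmd, cmdsize, cryptoff, cryptsize, cryptid
LC_ENCRYPTION_INFO_64 = 0x2C   # same fields plus a pad word


def load_commands(blob):
    """Yield (offset, cmd, cmdsize) for each load command of a thin little-endian Mach-O.

    Every step is bounds-checked against sizeofcmds and the blob length, so a
    truncated or hostile file raises ValueError instead of reading out of range.
    """
    if blob[:4] == b"\xca\xfe\xba\xbe":
        raise ValueError("fat/universal binary: extract one architecture slice first")
    if len(blob) < 32:
        raise ValueError("file too short to hold a Mach-O header")
    (magic,) = struct.unpack_from("<I", blob, 0)
    if magic == MH_MAGIC:
        header_size = 28
    elif magic == MH_MAGIC_64:
        header_size = 32
    else:
        raise ValueError("not a thin little-endian Mach-O")
    ncmds, sizeofcmds = struct.unpack_from("<II", blob, 16)
    off, end = header_size, header_size + sizeofcmds
    if end > len(blob):
        raise ValueError("sizeofcmds runs past end of file")
    for _ in range(ncmds):
        if off + 8 > end:
            raise ValueError("load command table exceeds sizeofcmds")
        cmd, cmdsize = struct.unpack_from("<II", blob, off)
        if cmdsize < 8 or off + cmdsize > end:
            raise ValueError("bad cmdsize at offset 0x%x" % off)
        yield off, cmd, cmdsize
        off += cmdsize


def encryption_info(blob):
    """Return the LC_ENCRYPTION_INFO(_64) fields, or None if the binary carries none."""
    for off, cmd, cmdsize in load_commands(blob):
        if cmd in (LC_ENCRYPTION_INFO, LC_ENCRYPTION_INFO_64):
            if cmdsize < 20:
                raise ValueError("LC_ENCRYPTION_INFO command too short")
            cryptoff, cryptsize, cryptid = struct.unpack_from("<III", blob, off + 8)
            return {"offset": off, "cryptoff": cryptoff,
                    "cryptsize": cryptsize, "cryptid": cryptid}
    return None


def is_fairplay_encrypted(blob):
    """True when cryptid is non-zero, i.e. the loader still has to decrypt the segment."""
    info = encryption_info(blob)
    return info is not None and info["cryptid"] != 0


def clear_cryptid(blob):
    """Return a copy with cryptid set to 0, the final edit the Hackulous wiki describes.

    Only the flag changes; the encrypted bytes are untouched, which is why the dumped
    decrypted segment has to be written over them first for the result to run.
    """
    info = encryption_info(blob)
    if info is None:
        raise ValueError("binary has no LC_ENCRYPTION_INFO to clear")
    out = bytearray(blob)
    struct.pack_into("<I", out, info["offset"] + 16, 0)  # cryptid is 16 bytes into the command
    return bytes(out)


def describe(blob):
    """One-line verdict suitable for a build or submission check."""
    info = encryption_info(blob)
    if info is None:
        return "no LC_ENCRYPTION_INFO load command (not an App Store-style executable)"
    if info["cryptid"]:
        return "FairPlay-encrypted: cryptid=%d covers 0x%x bytes from file offset 0x%x" % (
            info["cryptid"], info["cryptsize"], info["cryptoff"])
    return "cryptid=0: a developer build, or a dumped/cracked copy of a store binary"


def build_sample(cryptid):
    """Constructed test input, not a real app: an arm64 header with one __TEXT segment
    command and one LC_ENCRYPTION_INFO_64, followed by zero bytes standing in for the
    segment contents."""
    seg = struct.pack("<II16sQQQQiiII", LC_SEGMENT_64, 72, b"__TEXT",
                      0x100000000, 0x8000, 0, 0x8000, 5, 5, 0, 0)
    enc = struct.pack("<IIIIII", LC_ENCRYPTION_INFO_64, 24, 0x4000, 0x4000, cryptid, 0)
    cmds = seg + enc
    header = struct.pack("<IiiIIIII", MH_MAGIC_64, 0x0100000C, 0, 2, 2, len(cmds), 0x200085, 0)
    return header + cmds + b"\x00" * (0x8000 - len(header) - len(cmds))


if __name__ == "__main__":
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample(1)
    print(describe(blob))
```

Run it against the executable inside an IPA's Payload/*.app directory to get the verdict; with no argument it reports on the constructed sample. A cryptid of 0 on a binary that claims to come from the App Store is the cheapest tell that it has been through the process the wiki describes.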

Attempts to mitigate this process have failed, Arxan's report notes. App developers have applied traditional practices like simple code obfuscation, encryption, a Security Development Lifecycle and app vulnerability testing, but none have helped against this type of reverse engineering.

“These approaches and tools continue to be relevant and important to avoid leaving flaws and holes in the apps (like buffer overflows and SQL injection) however, these approaches do not provide real-time integrity protection and security against tampering/reverse-engineering based attacks," the report noted.

“Vulnerability-free code can still be easily reverse-engineered and tampered resulting in the hacker compromising the integrity of the app.”

The company, which sells a product to secure apps, estimated that less than five percent of apps were secured against cracking.

“App owners are clearly far behind hackers in their understanding and sophistication around how easily apps can be compromised.”


Scene

The Apple app cracking scene meanwhile continues to flourish.

Hackulous, the nerve centre of the cracking effort, has over approximately five years evolved from a private network into a slick public repository that serves many millions of visitors.


In a token anarchic chat room, users post links to cracked apps and request help to reverse engineer others, while moderating Hackulous founders sit by.

In other areas, the founders organise into committees and schedule meetings to discuss the future of Hackulous, its goals, its structure and what information should and should not be public.

These founders do not see themselves as pirates: They are frustrated consumers, not content with Apple’s business model that demands users pay for apps before testing them.

“Hackulous is a community dedicated to providing trials for iOS applications,” the site states. “We are home to all of the significant advances in the cracked apps community, including the cracking process, installation on mobile devices, patches, bluetooth/wifi app sharing, and application indexing.”

The evolution of the Hackulous flagship Installous from a crude command line tool into an interface rivalling Apple's own store, together with its immense popularity among pirates, may cause some outsiders to question whether this stance continues to hold true.

For at least one Hackulous founder the movement has gone too far. Kytek, one of the original founders of Hackulous, left the scene once the "honest hackers" were outnumbered by pirates.

Kytek operated Appulous, the biggest cracked app store of its time, some four years ago. He left a note on what remains of the site, explaining how the scene changed for the worse.

“The vision was not piracy. Not even close. People's frustration over Apple's terrible App Store was what sparked our community. We were all elated when Apple finally allowed third-party applications, but felt intensely annoyed after we bought app after app that made itself out to be incredible in its description, but was worthless after purchase.”

“…the hardcore pirates had moved in and started taking the apps for free, with no intention to purchase them if they liked them. It was inevitable and no one was so naive as to think it wouldn't happen. This alone wasn't what turned things sour for me. It was intensely frustrating to see our community overrun by people interested in piracy alone, who thought they were somehow entitled to free iPhone apps.”

Copyright © SC Magazine, Australia
