Just a day after Apple introduced its Mac App Store, some users already have found a way around the DRM system designed to ensure that they have paid for the apps that they’re using. The technique seems to work only on apps that don’t correctly implement the method for checking the App Store receipts.

A number of sites are reporting that users can bypass the technology that Apple advised developers to use to protect their apps by simply copying and pasting the receipt from a legitimately downloaded app–even a free one–into the package for a premium app that’s been pirated. The “Receipt Checking” mechanism in the Mac App Store is meant to ensure that the premium app that a user has installed is connected to a legitimate Apple ID.

However, some developers either have implemented the mechanism incorrectly or they’ve failed to do so at all. That’s opened the door for unscrupulous users to bypass the system altogether and run pirated premium apps for free. Several reports have cited the game Angry Birds as the most prominent example of an app that can be pirated with this method.

Apple has told developers how to use the receipt-checking technology in their apps, but some developers either have ignored the advice or followed it incorrectly. Graham Lee, a Mac developer and security specialist in the U.K., posted some advice on how to remedy the situation for developers:

  • Check whether you have a receipt
  • Check whether Apple signed the receipt you have
  • Check whether the receipt is valid for your product
  • Check whether the receipt is valid for this version of your product
  • Check whether the receipt is valid for this computer
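
The five checks above, run in order, as an added Python example that is not code from the article, Graham Lee or Apple. It assumes a simplified receipt model: an HMAC with a constructed key stands in for verifying Apple's signature, the machine binding is modeled as a SHA-1 hash, and the bundle IDs, version and machine identifiers are hypothetical.

```python
import hashlib
import hmac

# Constructed stand-in for Apple's signing key. A real receipt is a signed
# container verified against Apple's certificate chain, not an HMAC.
DEMO_SIGNING_KEY = b"constructed-demo-key"

# Expected identity is compiled into the app rather than read from files in
# the bundle, which a user can edit. Both values are hypothetical.
EXPECTED_BUNDLE_ID = "com.example.premiumgame"
EXPECTED_VERSION = "1.0"


def payload_bytes(r):
    """Serialize the signed fields of the (simplified) receipt."""
    return b"|".join([r["bundle_id"].encode(), r["version"].encode(),
                      r["opaque"], r["guid_hash"]])


def machine_hash(guid, opaque, bundle_id):
    """Assumed machine binding: hash of machine id, opaque value, bundle id."""
    return hashlib.sha1(guid + opaque + bundle_id.encode()).digest()


def issue_receipt(bundle_id, version, guid, opaque=b"\x01\x02\x03\x04"):
    """Build a signed sample receipt (constructed fixture for the demo)."""
    r = {"bundle_id": bundle_id, "version": version, "opaque": opaque,
         "guid_hash": machine_hash(guid, opaque, bundle_id)}
    r["signature"] = hmac.new(DEMO_SIGNING_KEY, payload_bytes(r),
                              hashlib.sha256).digest()
    return r


def validate_receipt(receipt, local_guid):
    """Run the five checks in order; return 'ok' or the first failure."""
    if receipt is None:                                    # 1. receipt present
        return "no receipt"
    sig = hmac.new(DEMO_SIGNING_KEY, payload_bytes(receipt),
                   hashlib.sha256).digest()
    if not hmac.compare_digest(sig, receipt["signature"]):  # 2. signed
        return "bad signature"
    if receipt["bundle_id"] != EXPECTED_BUNDLE_ID:         # 3. this product
        return "wrong product"
    if receipt["version"] != EXPECTED_VERSION:             # 4. this version
        return "wrong version"
    bound = machine_hash(local_guid, receipt["opaque"], receipt["bundle_id"])
    if not hmac.compare_digest(bound, receipt["guid_hash"]):  # 5. this computer
        return "wrong computer"
    return "ok"
```

A correctly signed receipt issued for a different app passes the first two checks and is rejected at the third, which is the check the affected apps skipped.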

The Mac App Store debuted Thursday with the release of Mac OS X 10.6.6, and it is Apple’s attempt to bring the iTunes App Store buying experience to the Mac platform. The move has been anticipated widely in the Mac user community, but the quick circumvention of a portion of the security safeguards that Apple put in place raises some worries.
