Pirated Mac App Store apps pose major risk

Angry Birds logoAs my colleague Rich Baldry pointed out earlier, Apple officially launched the Mac App Store today with their release of OS X 10.6.6. The App Store provides undeniable benefits to users who wish to easily find new programs and reduce the number of companies they share their credit card details with.

Unfortunately, many of the applications in the App Store can be pirated without payment. Developers of applications like Angry Birds appear to have ignored Apple’s advice on validating App Store receipts before launching.

What does this mean? It allows people to reconfigure a paid application to run on other people’s Apple IDs without requiring them to purchase the app.

Assume that I have purchased Angry Birds for $5 and choose to share it with a fellow OS X user. The way this should work is that the game would prompt my friend to authenticate as me when they try to run it. Because they do not have my password, this should not work. But what some researchers have discovered is that I can copy my identity into the program and it will happily run despite not having been legally purchased.

Apple program authentication

While this clearly should be a concern for Mac App Store developers who don’t want their software stolen, and of course Apple, who does not want to lose out on App Store revenue, it also raises some security concerns around how applications are validated as coming from the App Store.

In the past, we saw that the primary reason many people chose to jailbreak their iPhones was to acquire pirated applications that they would otherwise have purchased from the App Store. With no validation mechanism in place, this left their iPhones vulnerable to malware and trojanized versions of these “off-market” downloads.

Will the App Store lead to the same problem? No doubt some Mac users, also too cheap thrifty to pay, will succumb to the temptation of Googling to acquire these cool apps/games/utilities at no cost.

Unfortunately, as I demonstrate below, some applications downloaded from the App Store can easily be modified to include any sort of executable code you wish. It wouldn’t surprise me to see a surge in markets for pirated applications that might just be booby-trapped to include unexpected surprises.

Mac OS X users should be as cautious as ever about programs they download from the internet. The Mac App Store may introduce you to interesting new programs you would like to run on OS X without paying, but you should always be cautious of getting something for nothing. Someone who claims to provide you with paid applications for free may not simply give you a free program, they may give you an unwanted infection.

Mac users who want the best protection available for their computer can download Sophos Anti-Virus for free! Go to http://www.sophos.com/freemacav.