Slashdot Mirror


Users Report Foul Play In App Store Rankings, Purchases

An anonymous reader writes "Two iPhone App developers have spotted what appears to be a hacking of the App store rankings by a rogue developer. The rankings in the books category of the US iTunes store features 40 out of 50 apps by the same app developer, Thuat Nguyen. What's more concerning is that it seems individuals' iTunes accounts have been hacked to make mass purchases of that one developer's apps." Among the comments attached to the linked story is one which suggests the security problem may lie elsewhere.
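The pattern the submission describes (one developer holding 40 of a category's top 50 slots, and many accounts buying that developer's apps inside a short window) is the kind of thing a store operator can check for mechanically. What follows is an added example written for this page, not code from Apple, the developers quoted, or the Slashdot story; the thresholds, field names and the sample chart and purchase log are constructed assumptions.

```python
"""Added example for this page (not code from the story, the developers quoted
or Apple). Two store-side checks for the pattern described above: one developer
crowding a category chart, and a burst of purchases of that developer's apps
from many accounts inside a short window. Field names, thresholds and all
sample data are constructed assumptions."""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed top-50 chart for one category: (rank, app_id, developer).
# 40 of the 50 slots belong to one developer, mirroring the ratio in the story.
CHART = [
    (rank, f"app{rank}", "developer_X" if rank % 5 else f"developer_{rank}")
    for rank in range(1, 51)
]

# Constructed purchase log: (timestamp, account, app_id, developer).
BASE = datetime(2010, 7, 4, 0, 0)
PURCHASES = []
for a in range(12):  # a dozen hijacked accounts, each buying five apps in 40 minutes
    for k in range(5):
        PURCHASES.append(
            (BASE + timedelta(minutes=10 * k), f"hijacked{a}", f"app{k + 1}", "developer_X"))
for a in range(30):  # ordinary buyers, one app each, spread over the day
    PURCHASES.append((BASE + timedelta(hours=a), f"normal{a}", "app1", "developer_X"))
for d in range(3):   # one fan buying three apps over five days: not a burst
    PURCHASES.append(
        (BASE + timedelta(days=2 * d), "slow_buyer", f"app{d + 1}", "developer_X"))


def developer_concentration(chart, top_n=50):
    """Return (developer, share) for the developer holding the most top_n slots."""
    counts = Counter(dev for rank, _app, dev in chart if rank <= top_n)
    dev, n = counts.most_common(1)[0]
    return dev, n / top_n


def chart_is_suspicious(chart, top_n=50, max_share=0.25):
    """True if any single developer holds more than max_share of the top_n."""
    _dev, share = developer_concentration(chart, top_n)
    return share > max_share


def mass_purchase_accounts(purchases, developer, window=timedelta(hours=24), min_apps=3):
    """Accounts that bought at least min_apps of `developer`'s apps within any `window`.

    Sliding window per account over its sorted purchase times, so a buyer whose
    three purchases are days apart is not flagged.
    """
    times_by_account = defaultdict(list)
    for ts, account, _app, dev in purchases:
        if dev == developer:
            times_by_account[account].append(ts)
    flagged = set()
    for account, times in times_by_account.items():
        times.sort()
        lo = 0
        for hi in range(len(times)):
            while times[hi] - times[lo] > window:
                lo += 1
            if hi - lo + 1 >= min_apps:
                flagged.add(account)
                break
    return flagged


def review(chart, purchases, min_accounts=10):
    """Combine both signals: a crowded chart whose top developer is being bought
    in bursts by many distinct accounts is worth pulling from the chart and
    freezing the affected accounts pending verification."""
    dev, share = developer_concentration(chart)
    burst = mass_purchase_accounts(purchases, dev)
    return {
        "developer": dev,
        "chart_share": share,
        "burst_accounts": len(burst),
        "escalate": chart_is_suspicious(chart) and len(burst) >= min_accounts,
    }


if __name__ == "__main__":
    print(review(CHART, PURCHASES))
```

The burst check keys on distinct accounts each buying several of one developer's apps inside a day: one enthusiast buying three apps is normal, a dozen accounts doing it in the same hour is not. A real deployment would tune `min_apps`, the window and the chart share against each category's baseline rather than use the fixed numbers assumed here.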

144 comments

  1. Hrm by therealobsideus · · Score: 4, Insightful

    Perhaps this is just another reason why I don't use iTunes. If I like an artist I download, I'll buy their CD - if not, I delete it. And it makes it much easier to convert a CD to Ogg or FLAC than with a lot of Apple's AAC crap.

    1. Re:Hrm by Anonymous Coward · · Score: 2, Insightful

      Jobs doesn't care as long as he can buy another yacht. Someone will mod this troll because they are an Apple fanboy. But the truth is he is as unscrupulous as Ballmer, Larry Ellison, and a world of corporations and lawyers. Apple, just like the rest, will only do as little as they need to as long as they have a bunch of sheep willing to buy whatever he trots out on stage next.

    2. Re:Hrm by socceroos · · Score: 5, Insightful

      Meh, every online store is going to have its weaknesses. Unfortunately, most of the time, the greatest weakness is the users themselves.

      Not trying to justify iTunes - I hate it. Just saying that I doubt it's any more 'hackable' than the next online store.

    3. Re:Hrm by Anonymous Coward · · Score: 0

      You must be from Cuba. Hi.

    4. Re:Hrm by dlanod · · Score: 4, Informative

      I do use iTunes and the level of reviews is generally so crap as to be useless anyway. They tend to either be "this crashed on me once, 1 star" or "AWESOME!!! 5 stars!". That's not even mentioning the frequent "I don't want to buy this app because it looks crap, 1 star" reviews that seem to pop up and aim to be even more useless.

    5. Re:Hrm by Anonymous Coward · · Score: 0

      Also, in the comments there are a lot of inconsistencies in the 'users' reports.

      For one, Apple has never refused a refund for wrongly purchased applications.

      But hey, let's blame Apple for compromised machines and users with weak passwords!
      (note: the first vector of infection on Macs is pirated software torrents)

      Bad guy exploits stupid people, news at 11.

    6. Re:Hrm by Anonymous Coward · · Score: 5, Insightful

      Not liking assholes and viewing greed as a negative human quality doesn't necessarily make one a communist.

    7. Re:Hrm by Anonymous Coward · · Score: 0

      That works really well with iTunes gift cards. Not.

    8. Re:Hrm by whisper_jeff · · Score: 3, Informative

      Perhaps this is just another reason why I don't use iTunes.

      Do you pay for everything with cash? And, I mean _everything_. No, really - you do realize that this situation is not unique to iTunes, right? Hackers could go after your Amazon account, your Hydro account, or even your bank account. If the information is stored on a computer, hackers can (and have) found ways to go after it. It is not unique to iTunes.

      If you don't like iTunes (as you clearly don't), just don't use it because you don't like it - there's no need to make up excuses. Otherwise, back it up and cancel your bank account and start paying for everything by cash. (*)

      *I've heard of some people, who were sufficiently concerned about their information getting into the wrong hands, who do exactly that. It's a bit extreme, in my opinion but they at least put their money where their mouth is, so to speak.

    9. Re:Hrm by Anonymous Coward · · Score: 3, Funny

      You must not be from America.

    10. Re:Hrm by sortius_nod · · Score: 3, Insightful

      Exactly.

      It's kind of like blaming Blizzard for people's WoW accounts getting hacked. Your account has something someone wants, they'll try to get it. If you use weak passwords, well, no one's fault but your own there.

    11. Re:Hrm by Quasar1999 · · Score: 1

      I tried that approach a few years ago (pay for everything in cash)... only problem was I needed a bank account to cash my paycheque... So that's all I had it for... to put the cheque in, and remove the cash right after. Worked great... until I tried to get car insurance for a car that I paid for in cash... apparently I had no credit history and therefore was a high risk to insure.

      So I hacked the credit application database and gave myself great credit.... umm... where was I going with this... ???

      --
      Programming is like sex... Make one mistake and support it the rest of your life.
    12. Re:Hrm by interval1066 · · Score: 1

      "...every online store is going to have its weaknesses. Unfortunately, most of the time, the greatest weakness is the users themselves."

      Perfect parable for US Federal Gov.

      --
      Python: 'And then suddenly you have a language which says "we're all stuck with whatever the whiniest coder wants".'
    13. Re:Hrm by Mitsoid · · Score: 5, Informative

      Other problem with iTunes,
      "All sales are final."

      From Terms and conditions, security section:
      "You are entirely responsible for all activities that occur on or through your Account, and you agree to immediately notify Apple of any unauthorized use of your Account or any other breach of security. Apple shall not be responsible for any losses arising out of the unauthorized use of your Account."

      So better hope something else protects those people harmed, as I don't think California law (The "fall back" for iTunes T&C) will help much if a hacker steals $100-300 from you from another country.

      Glad I stopped storing my CC info with iTunes after they pulled products I paid for from the store and wouldn't let me re-download. They may have nice hardware, but their policies are horrible for end-users.

    14. Re:Hrm by Mitsoid · · Score: 4, Insightful

      Except Blizzard has a track record of account restoration and decent customer service in this area.

      In reality, most of the time it's neither party's fault -- The recent Adobe Flash exploit hurt a lot of people as they targeted flash advertisements for wow websites... even legitimate websites could be infected as they have to show advertisements to stay in business.

      Thankfully, Blizzard realizes that blaming end-users when a large, large percentage did not 'ask' for it, only costs the company money in the end when users stop using their service.

    15. Re:Hrm by Compholio · · Score: 2, Insightful

      But corporations have a right to make profits!!! The public good is just a concept after all, so it can't have any rights.

    16. Re:Hrm by BasilBrush · · Score: 3, Informative

      That's not even mentioning the frequent "I don't want to buy this app because it looks crap, 1 star" reviews that seem to pop up and aim to be even more useless.

      It would be pretty pointless mentioning them because for at least two years it's been impossible to review/rate an app unless you've actually bought it.

    17. Re:Hrm by pongo000 · · Score: 1

      Otherwise, back it up and cancel your bank account and start paying for everything by cash. (*)

      After reading this FAQ item on Donald Knuth's webpage, I'm beginning to wonder if it's not whether my bank account will be owned, but when...

    18. Re:Hrm by am+2k · · Score: 2, Interesting

      If you hoard all your wealth in cash at home, there's a big physical security issue you have to worry about. It might not happen from a far-away country, but it's even more untraceable.

      With the existence of the key bumping method, I'm actually more worried about that than online security.

    19. Re:Hrm by jrumney · · Score: 4, Informative

      Let your credit card company fight that fight. They are obliged to refund you, and have bigger pockets for lawyers to make Apple accept liability for its own security problems.

    20. Re:Hrm by Anonymous Coward · · Score: 0

      That's kinda funny. You had the sense not to get into debt, so you're high risk? lol america.

    21. Re:Hrm by hedwards · · Score: 1, Informative

      I doubt very much that's an American thing. If you don't have any debt, as in no loans, CC etc., then they don't know how to rate your risk. Which doesn't make you high risk so much as an unknown. Which for reasons related to prudence mean that any lender should eye such a person with caution.

    22. Re:Hrm by kent_eh · · Score: 1

      But corporations have a right to make profits!!! </sarcasm>

      Even if you were being genuine, no one should have any expectation to make a profit from me specifically.

      --
      "I can't complain, but sometimes still do..." Joe Walsh
    23. Re:Hrm by noidentity · · Score: 1

      Even if all your cash is secured somewhere safe, it still gets stolen from when the Federal Reserve inflates the money supply, thereby lowering the value of each dollar.

    24. Re:Hrm by LoRdTAW · · Score: 2, Informative

      Like the poster above said, sometimes it's neither. My brother's Gmail was hacked during the big Chinese Google hacking debacle. His WoW account was then compromised. Thankfully he has a G1 phone and saw the change password notification email on his phone and put a quick stop to it. Blizzard restored everything and he now has the little FOB thing with the LCD screen. And he changed all his account passwords (he uses very strong completely random passwords). Hasn't had a problem since.

    25. Re:Hrm by Anonymous Coward · · Score: 1, Interesting

      They may have nice hardware

      If by "nice" you mean it looks nice and feels slick then I agree but my Apple hardware has been much less reliable than other stuff. Seems to be the case with everyone I know that owns Apple hardware. The fans seem to ignore it though even though they wouldn't on non-Apple hardware. Reality distortion field indeed.

    26. Re:Hrm by Anonymous Coward · · Score: 0

      "Steve jobs is a greedy asshole" != "Everyone who makes money sucks"

    27. Re:Hrm by Mitsoid · · Score: 2, Interesting

      Unfortunately the Federal Trade Commission, through the Fair Credit Billing Act and Electronic Fund Transfer Act, provides you only so much protection.

      Let's say, BEST case scenario, you receive an e-mail from iTunes saying you just purchased $45 in items, and you immediately call your card company and suspend the account.

      You are still responsible for your entire purchase. The FTC will not force your card company to refund you (the letter of the law does not require it). If you notify your card company you are responsible for the first $50 in charges -- YOUR CARD COMPANY MAY be kinder, but the LAW does not require it. If you already owe them money or are not in good standing they may not care to be kind to you.

      Now, I can call Apple and dispute the charge too right? Wrong. Apple's website clearly states
      "35. OTHER TERMS AND CONDITIONS [...] No Apple employee or agent has the authority to vary any of the Service's Policies or the terms and conditions governing any sale. "

      So your only hopes? (Based on basic consumer protection laws and store policy)
      1) Your card company decides to be nice
      2) Enough BAD PR is made of the issue that Apple is forced to do something at a corporate level (as no one you'll ever reach by phone can help you)

      Important note: I'm not a lawyer, there may be another law that protects you as it's done in cyberwebs, however what state does that law operate out of? do they have rights in China? Russia? Africa? Europe? for a $50 charge?

      Final note: IANAL, there may be cyber laws that also factor in here. However, Apple policy, and current basic consumer protection laws involving credit/debit cards don't protect you from these small purchases like these.. you're still responsible to pay for them legally (as far as I can tell)

    28. Re:Hrm by shutdown+-p+now · · Score: 2, Informative

      I do use iTunes and the level of reviews is generally so crap as to be useless anyway. They tend to either be "this crashed on me once, 1 star" or "AWESOME!!! 5 stars!". That's not even mentioning the frequent "I don't want to buy this app because it looks crap, 1 star" reviews that seem to pop up and aim to be even more useless.

      As a side note, that's almost exactly like in Android Market - with the sole difference that you can't write a review there without installing the app, so you don't have "didn't buy, 1 star". The rest is spot on.

    29. Re:Hrm by shutdown+-p+now · · Score: 4, Insightful

      I fail to see what relevance Apple (much less Steve Jobs personally) has here. This is about hacked user accounts. This kind of thing is an unfortunate fact of life, keeping in mind that social engineering attacks take up the majority in security breaches. There's only so much Apple can do to mitigate this, and I don't see that they missed anything.

      Heck, if anything, Apple's "walled garden" model - for all my dislike of it - is most efficient at dealing with these kinds of abuses. When malware authors have to go to the effort of hacking user accounts to get their crap shoved at users, you know they're tight against the wall already. In comparison, with Android, you just call yourself "Googe" (note spelling) and upload your malware directly.

      (How do I know it's malware? I haven't installed it, of course - but when all their apps, including a non-multiplayer five-in-a-row game, request "full network connectivity" and "location information" permissions on install, you know something's fishy; the fake company name is just icing on the cake.)

      The irony is that I can't even use Market feature to report it as malware, or at least write a 1-star review with a warning, because you can only write reviews/complaints once you install the app...

    30. Re:Hrm by winwar · · Score: 2, Informative

      "You are still responsible for your entire purchase. The FTC Will not force your card company to refund you (Letter of the law does not require it). If you notify your card company you are responsible for the first $50 in charges -- YOUR CARD COMPANY MAY be kinder, but the LAW does not require it."

      You might want to read the FTC site. Your liability is zero if the charge involves your CC number rather than your actual card.

    31. Re:Hrm by Mitsoid · · Score: 2, Interesting

      And quick follow up to my post:
      You have 2 business days from the time Apple sends you an e-mail to notify your bank/credit provider.
      After 2 business days from the e-mail, you are liable for $50 if you linked a credit card, and $500 if you linked a debit card.

      You *may* have additional protections depending on your issuer, however expect none, go remove your credit card info from apple's server now, change your password, and wait until you need to do another purchase to put it back on at least.

      Footnote: 2 days from when apple sent you the e-mail is simply because there's no 'grey area' in this case.. If you read your e-mail and find out 5 days after the fact, you now may have to 'prove' that fact to your debit card company to fall in the $50 bracket.

    32. Re:Hrm by Anonymous Coward · · Score: 0

      You mean the MPEG-4 audio spec AAC crap.

    33. Re:Hrm by Anonymous Coward · · Score: 0

      "...but their policies are horrible for end-users."

      I don't doubt that, but I haven't bothered to read them since they seem to be updated every time I use iTunes, and I waste enough of my time reading Slashdot to have any more time left to waste with Apple's EULAs. They should add a changelog or something.

      Version 5.76
      *fixed third paragraph of section 2.1.3.1 in order to close an embarrassing legal loophole that would more easily enable a user to sue Apple in case their account is hacked
      *rearranged wording of section 3.1.7b to be more confusing to someone without a law degree
      *changed font to look more legal and scary
      *added "Written by Apple's lawyers in California" to front page

    34. Re:Hrm by Anonymous Coward · · Score: 0

      Sorry to disappoint you, hedwards, but it is in fact largely "an American thing". In Sweden, saying that you have a credit history implies what Americans refer to as a bad or negative credit history.

    35. Re:Hrm by TooMuchToDo · · Score: 1

      How about Apple look at your account, notice you live in Bumfark, IA, and not allow logins from IPs outside of the US unless you provide additional authentication or they send an SMS to your phone and you have to provide the code?

    36. Re:Hrm by sjames · · Score: 0, Offtopic

      To those who disagree, consider, Christianity defines greed as a sin. The Republican party supports Fundamentalist Christianity. So the Republican party defines greed as a sin. Therefore, the Republican party is Communist!

      BOING!!!

    37. Re:Hrm by Anonymous Coward · · Score: 0

      Other problem with iTunes, "All sales are final."

      While on Amazon, all sales are final.

    38. Re:Hrm by L4t3r4lu5 · · Score: 1

      Full network connectivity is required for downloading advertisements, which are required to keep many of the apps free. You can buy any app you choose, and many will not come with advertisements. Location information comes in two types: Course (GSM antenna triangulation) and Fine (GPS), presumably to serve you targeted advertising. You can turn off data connections and use the app, then if you wish remove it before reconnecting.

      I have, however, spotted some free games on the Android Market which require things like read/write phonebook access, phone state information, read/write to SD card, and other very odd behaviours I wouldn't expect to be required to play Whack-a-Mole or somesuch. Those don't get installed.

      --
      Finally had enough. Come see us over at https://soylentnews.org/
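The permission heuristics discussed in the comments above (network and coarse location are explainable by an ad SDK; contacts, phone state or SMS access in a simple game are not) can be applied to an app's manifest before installing it. The following is an added example written for this page, not code from any of the commenters or from Google; the sample manifest is constructed, the permission strings are the standard android.permission.* names, and the two category lists are assumptions about what an ad-supported single-player game needs.

```python
"""Added example, not code from the thread or from Google. Given an
AndroidManifest.xml, list the requested permissions and separate the ones an
ad-supported single-player game plausibly needs (network, coarse location)
from the ones it has no business holding (contacts, phone state, SMS, calls).
The manifest is constructed; the category lists are assumptions."""
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Permissions a single-player game has no reason to hold (assumed list).
RED_FLAGS = {
    "android.permission.READ_CONTACTS",
    "android.permission.WRITE_CONTACTS",
    "android.permission.READ_PHONE_STATE",
    "android.permission.SEND_SMS",
    "android.permission.RECEIVE_SMS",
    "android.permission.READ_SMS",
    "android.permission.CALL_PHONE",
}
# Commonly justified by ad libraries, but worth noting (assumed list).
AD_RELATED = {
    "android.permission.INTERNET",
    "android.permission.ACCESS_NETWORK_STATE",
    "android.permission.ACCESS_COARSE_LOCATION",
}

# Constructed manifest for a hypothetical Whack-a-Mole clone.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.whackamole">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_COARSE_LOCATION"/>
  <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
</manifest>
"""


def requested_permissions(manifest_xml):
    """All android:name values of <uses-permission> elements, sorted."""
    root = ET.fromstring(manifest_xml)
    # The element itself is unqualified; only the name attribute is namespaced.
    return sorted(el.get(ANDROID_NS + "name", "") for el in root.iter("uses-permission"))


def classify(manifest_xml):
    """Bucket the requested permissions into red flags, ad-related, and other."""
    perms = requested_permissions(manifest_xml)
    return {
        "red_flags": sorted(p for p in perms if p in RED_FLAGS),
        "ad_related": sorted(p for p in perms if p in AD_RELATED),
        "other": sorted(p for p in perms if p not in RED_FLAGS and p not in AD_RELATED),
    }


def should_install(manifest_xml):
    """Policy from the thread: ads are tolerable, phonebook/phone state are not."""
    return not classify(manifest_xml)["red_flags"]


if __name__ == "__main__":
    for bucket, perms in classify(SAMPLE_MANIFEST).items():
        print(bucket, perms)
    print("install:", should_install(SAMPLE_MANIFEST))
```

Storage access lands in "other" rather than being flagged, for the reason given later in the thread: save games and high scores are a legitimate use of the SD card. The `uses-permission` list is also only what the app declares; it says nothing about what the code does with those rights, so a clean manifest is necessary but not sufficient.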
    39. Re:Hrm by Anonymous Coward · · Score: 0

      Why not? We've spent long enough blaming MS for its stupid users and saying the OS should prevent them doing stupid stuff. Meanwhile the Mac users have always argued that their OS is superior and they're not an attack vector - well this is what happens when the balance of power shifts and it actually becomes worthwhile for hackers to attack your OS. No more security through obscurity (and I do acknowledge that Windows is full of holes you could drive a truck through that makes it zero effort for hackers to take control, but following that phishing attacks are the next easiest attack vector and owning an Apple device is no protection).

    40. Re:Hrm by delinear · · Score: 1

      However, because many of the apps are free (and even the paid ones you can get a full refund if you uninstall within 24 hours, IIRC) you end up with insane amounts of comment spam, "Great app, for many more visit my site at ..." posted on every single app that gets released.

    41. Re:Hrm by delinear · · Score: 1

      Maybe it's due to our "special relationship" with the US, but certainly here in the UK if you have no history of good credit repayments (store card, credit card, overdraft or loan repayments) it's incredibly difficult to get finance for large purchases, and next to impossible to get something like a mortgage. Ironically, someone with zero debt who has never owned a credit or store card or taken out loans and believes in paying for everything in full, in cash, would have to use the same high interest company to secure a loan as someone who had a known history of missing payments.

    42. Re:Hrm by tyrione · · Score: 1

      Jobs doesn't care as long as he can buy another yacht. Someone will mod this troll because they are an Apple fanboy. But the truth is he is as unscrupulous as Ballmer, Larry Ellison, and a world of corporations and lawyers. Apple, just like the rest, will only do as little as they need to as long as they have a bunch of sheep willing to buy whatever he trots out on stage next.

      Jobs isn't a sailor. Larry Ellison is a yachtsman.

    43. Re:Hrm by Anonymous Coward · · Score: 0

      That application most likely has ads. I'm an Android app developer and I have to request network permissions (to retrieve the ad) and coarse location information (to retrieve ads relevant to your location).

    44. Re:Hrm by Anonymous Coward · · Score: 0

      We don't have risk rating in that way in Sweden, when a company pulls up your payment history and see no marks on your record you are good to go, so yes it's an American thing.

    45. Re:Hrm by Tim+C · · Score: 1

      Read/write SD card access may well be to store save games, high score info, preferences, etc.

      Phonebook access is a definite no-no though, I agree there.

    46. Re:Hrm by bingoUV · · Score: 1

      I am not an American, but can't they do this: check my bank balance history. They could ask for other measures of a "net worth certificate" - such certificates might be a set of investment certificates. These are required only if the "credit history" does not store such information. The credit history will tell them that there is no liability.

      --
      Bingo Dictionary - Pragmatist, n. A myopic idealist.
    47. Re:Hrm by KDR_11k · · Score: 1

      Yeah, I wish we could report apps as suspicious, I ran into one that I bought and rated poorly, then it got deleted and replaced by a differently named one, with a completely nonsensical 5 star review attached. The app description also cites a lot of falsified review quotes (none of the cited reviews exist).

      For reference, the name of the app was Gatter Cycles, now it's renamed to Gatter Raid (including a partial wipe of references to the old name on the developer's website). The developer is called Sebastian Schnell and operates under the name SSMD. There, I hope that stabs his reputation in the neck.

      --
      Justice is the sheep getting arrested while an impartial judge declares the vote void.
    48. Re:Hrm by hedwards · · Score: 1

      We do have secured credit cards here, where you have to put down collateral in order to borrow. But the problem is that it's your money in the bank account. Whereas you're asking to borrow their money.

      Compare reporting fraud on an ATM card versus on a CC in the US and you'd see what I mean. Because it's their money with a CC the anti-fraud measures tend to be much more significant than with an ATM card where it's your money, not theirs.

    49. Re:Hrm by KDR_11k · · Score: 1

      I'm an iPod Touch user and if the application demands an internet connection just to run it's not going to work because I don't have an always available internet connection (and usually delete apps like that unless they're online multiplayer games or things like that). Location services are fine, my device doesn't have a location sensor anyway so that gives no useful data.

      --
      Justice is the sheep getting arrested while an impartial judge declares the vote void.
    50. Re:Hrm by KDR_11k · · Score: 1

      Makes you wonder how a traceable business partner (the ad company) can get away with an illegal act like malicious ad banners without being sued into oblivion.

      --
      Justice is the sheep getting arrested while an impartial judge declares the vote void.
    51. Re:Hrm by KDR_11k · · Score: 1

      I can't speak about durability but the battery life on the iPod Touch when used for gaming probably rivals the Nomad (I think even the PSP is better than that). At times it feels like you have about two hours of battery life. It might be prettier than the DS but the battery life is abysmal and the system gets painfully hot under load.

      --
      Justice is the sheep getting arrested while an impartial judge declares the vote void.
    52. Re:Hrm by bingoUV · · Score: 1

      No no. I am asking to borrow their money only. But I am saying - lend me money because I am rich. Kind of what my credit history would have said too. Even with credit history, there is no guarantee that I'll pay back this particular debt.

      Secured credit cards is a totally different beast. Here, the lender has an absolute certainty of not losing his money. Like you, I am also not talking about this beast.

      --
      Bingo Dictionary - Pragmatist, n. A myopic idealist.
    53. Re:Hrm by Khyber · · Score: 1

      Pray tell how does a bumpkey work against a combination lock?

      That's right, it doesn't.

      Which is why my locks were replaced with combination locks.

      --
      Still waiting on Serviscope_minor to wake up to fucking reality and realize that Jessica Price isn't going to fuck him.
    54. Re:Hrm by crafty.munchkin · · Score: 1

      Hint: the Internet is global now, and America only makes up 5-6% of the global population.

      --
      ... wait, what?
    55. Re:Hrm by Muad'Dave · · Score: 1

      Course (GSM antenna triangulation) and Fine (GPS)

      That's coarse, as in not fine. A course is a planned route, like a racecourse.

      --
      Tiller's Rule: Never use a word in written form that you've only heard and never read. You will end up looking foolish.
    56. Re:Hrm by Albatrosses · · Score: 1

      And how well does your combination lock work against me reading the combo through a pair of binoculars as you enter it? Or a blowtorch up close? Or smashing your windows and bypassing the lock entirely?

      It's all relative.

    57. Re:Hrm by socceroos · · Score: 1

      'Cause it was an Adobe Flash exploit, not an evil ad campaign. Although, the end result of the former was the latter. =)

  2. Fowl Play by brianwells · · Score: 5, Funny

    The only fowl play I've found so far is Angry Birds.

    1. Re:Fowl Play by noidentity · · Score: 2, Funny

      Just wait until a bunch of twits tweet about it, then it will be full of fowl.

    2. Re:Fowl Play by base_chakra · · Score: 1

      Those twits just love to tweet about Thuat. But seriously, Thuat ftn.

  3. it's a new Service "iBuy" by s0litaire · · Score: 3, Funny

    Guys this is apple! So it's not a hack or flaw!

    Apple is taking the hassle out of you actually wanting to buy things. Let Apple (or an un-approved 3rd party) decide which apps you're going to buy...

    --
    Laters Sol "Have you found the secrets of the universe? Asked Zebade "I'm sure I left them here somewhere"
    1. Re:it's a new Service "iBuy" by MakinBacon · · Score: 1

      One more thing: Your iBuy has already purchased itself on your behalf!

  4. Timing is everything by tomhudson · · Score: 1

    Amazing that this only breaks into the news over a long weekend?

    Banks and CC companies will expect some purchases "out of the ordinary" on long weekends, and you won't be getting the first-line staff when you complain to Apple, etc.

    1. Re:Timing is everything by TheKidWho · · Score: 1

      Are you implying that the two iPhone app developers who spotted this are in cahoots with Apple?

    2. Re:Timing is everything by whisper_jeff · · Score: 1

      So they're supposed to sit on the news until Monday? News happens when it happens.

      Oh, and it's a holiday in _America_. That doesn't mean it's a holiday in the rest of the world. Just FYI.

    3. Re:Timing is everything by tomhudson · · Score: 1

      Of course not - what I'm saying is that if you're going to scam a lot of people, a short workweek is the best time to do it. People are making their vacation plans, you've got the long weekend before the head honchos will deal with it, etc.

    4. Re:Timing is everything by noidentity · · Score: 2, Informative

      Oh, and it's a holiday in part of North _America_. That doesn't mean it's a holiday in the rest of the world. Just FYI.

      Refined that for you.

    5. Re:Timing is everything by tomhudson · · Score: 1

      Both itunes.com (17.149.168.45) and store.apple.com (17.149.156.10) route to Internap's San Jose facility (apple-17.sje.pnap.net, 66.151.128.62).

      Last I heard, unless the Big One has hit in the last day, San Jose is still part of the US.

    6. Re:Timing is everything by helix2301 · · Score: 0

      I am surprised as well that this breaks over a long weekend and I agree timing is everything with something like this.

    7. Re:Timing is everything by dryeo · · Score: 1

      Actually most of North America has a holiday this weekend (including taking Friday off) as July 1st is Canada day.

      --
      https://en.wikipedia.org/wiki/Inverted_totalitarianism
  5. Possible details from AppleInsider by immaterial · · Score: 5, Informative

    Last month, a user posted a forum comment stating, "I am going to tell you the truth about what has been going on with your account." The anonymous user then explained, "let's say you are a Chinese guy or girl with an iPhone or iPad and you want to get some music, movie or app. How do you do it? You go to http://www.taobao.com/, the (by far) largest online market in the world, and type iTunes in the search bar. Immediately you will be presented with a list of more than 7,000 items.

    "You want to save money, so you filter the list to show only items under RMB25.00 (US $3.60) and still you have more than 3,600 offers. So you pick someone at random like, as an example, this one: http://item.taobao.com/item.htm?id=5516054242. You open the online chat and you transfer him RMB22.00 (US $3.20). He asks you in the online chat to provide a new iTunes account name and password, and you comply: User: qiuwge3foe3333@yahoo.com Password: qwer34567

    "He asks you to wait 10 minutes online. He already has a number of user accounts under surveillance, so he enters the iTunes account of his victim, changes his/her username and password to the one you provided, and comes back to ask you to try it and approve the transaction so Taobao.com releases his money. Even if you can't read Chinese you can see very clearly in his item description that this account will not last more than 24 hours (the time for his victim to see the charges mounting and then cancel the credit card).

    "He claims that he selects 'his' accounts so you can drain at least US $250.00 from them before they get cancelled. He urges you to be fast and buy and download as fast as you can. Start immediately! Keep the download going on for the full 24 hours! There are no warranties on how long it will last! Because he already changed the username and password, the victim can't stop you."

    More details here, though so far there's no explanation of how the accounts are getting hacked.
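The scheme quoted above works because the attacker can log in from abroad, swap the sign-in email and password, and leave the owner locked out for the 24 hours it takes to drain the account. Two controls cut directly at that, one of them the geo check TooMuchToDo proposes earlier in the thread: a login from outside the account's usual country requires a second factor, and a sign-in email change requires fresh re-authentication, notifies the old address, and issues a single-use revert token so the real owner can undo it. The following is an added example written for this page, not code from Apple, AppleInsider or anyone in the thread; the account model, windows and sample events are constructed assumptions.

```python
"""Added example, not code from Apple, AppleInsider or anyone in this thread.
Two account controls against the account-resale scheme quoted above and the
geo check proposed in TooMuchToDo's comment: step-up authentication for a login
from an unusual country, and a sign-in email change that needs fresh
re-authentication, notifies the OLD address, and leaves a single-use,
time-limited revert token. Names, windows and sample events are assumptions."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional
import secrets

REAUTH_WINDOW = timedelta(minutes=10)  # how fresh a password re-entry must be
REVERT_WINDOW = timedelta(days=7)      # how long the old owner can undo a change


@dataclass
class Account:
    email: str
    home_country: str
    notifications: list = field(default_factory=list)   # (to_address, message)
    revert_tokens: dict = field(default_factory=dict)   # token -> (old_email, expiry)
    locked: bool = False


def login_decision(account, ip_country, second_factor_ok):
    """'allow' from the usual country or with a verified code, 'step_up' otherwise."""
    if account.locked:
        return "deny"
    if ip_country == account.home_country or second_factor_ok:
        return "allow"
    return "step_up"


def change_sign_in_email(account, new_email, now, reauth_at: Optional[datetime]):
    """Return a revert token, or None if the change was refused.

    A stolen session alone is not enough: the caller must have re-entered the
    password within REAUTH_WINDOW. The notice goes to the old address, which is
    the one the attacker does not control.
    """
    if account.locked or reauth_at is None or now - reauth_at > REAUTH_WINDOW:
        return None
    old_email = account.email
    token = secrets.token_urlsafe(16)
    account.revert_tokens[token] = (old_email, now + REVERT_WINDOW)
    account.email = new_email
    account.notifications.append(
        (old_email, f"Your sign-in email was changed to {new_email}. "
                    f"If this was not you, use revert token {token}."))
    return token


def revert_email_change(account, token, now):
    """Single-use, time-limited undo. Also locks the account so the attacker's
    live sessions stop working until the owner resets the password."""
    entry = account.revert_tokens.pop(token, None)  # pop makes the token single-use
    if entry is None:
        return False
    old_email, expiry = entry
    if now > expiry:
        return False
    account.email = old_email
    account.locked = True
    return True


if __name__ == "__main__":
    acct = Account(email="owner@example.com", home_country="US")
    now = datetime(2010, 7, 4, 12, 0)
    print(login_decision(acct, "CN", second_factor_ok=False))        # step_up
    print(change_sign_in_email(acct, "buyer@example.net", now, None))  # None: no re-auth
    tok = change_sign_in_email(acct, "buyer@example.net", now, now - timedelta(minutes=1))
    print(acct.notifications[0][0], "was notified; revert ok:",
          revert_email_change(acct, tok, now + timedelta(hours=1)), acct.email)
```

The revert token is what turns the quoted "the victim can't stop you" into a 24-hour window the owner can close from their old inbox, and locking the account on revert kills the buyer's live session rather than just changing the address back. The geo rule is deliberately coarse; a real implementation would key on an IP reputation feed and the account's recent login history rather than a single home country.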

    1. Re:Possible details from AppleInsider by girlintraining · · Score: 2, Insightful

      More details here, though so far there's no explanation of how the accounts are getting hacked.

      It's not hard to guess: Average people use the same password for just about everything, or simple permutations of the same password. Get access to any source that the user entered a password for, gain access to everything else.

      --
      #fuckbeta #iamslashdot #dicemustdie
    2. Re:Possible details from AppleInsider by Anonymous Coward · · Score: 1, Informative

      Hmmm, I wonder if I can guess what country you're from.

      I'm thinking it's probably one that claims to belong to its people, and in reality belongs to an oppressive plutocracy with an absolutely brilliant record for brainwashing its subjects.

    3. Re:Possible details from AppleInsider by Anonymous Coward · · Score: 0

      That doesn't even make sense, considering the scale on which this is happening.

    4. Re:Possible details from AppleInsider by ducomputergeek · · Score: 1

      This is why you only use pre-paid gift cards that you can buy anywhere. Usually once a month I'll get a $15 or $25 refill while in the checkout line at Walmart or the grocery store and fill up my iTunes account.

      --
      "The problem with socialism is eventually you run out of other people's money" - Thatcher.
    5. Re:Possible details from AppleInsider by Anonymous Coward · · Score: 0

      The USA fits that description pretty well these days... Mass media brainwashing, rule by plutocratic elites...

    6. Re:Possible details from AppleInsider by RocketRabbit · · Score: 1

      Dude I just clicked on taobao.com and now my IDS logs are absolutely ablaze with hack attempts from China.

      Those guys are really responsive.

  6. Jobs answer by Exitar · · Score: 2, Funny

    Just avoid holding it that way.

    1. Re:Jobs answer by Anonymous Coward · · Score: 0, Insightful

      This joke DOESN'T MAKE SENSE. Stop modding bullshit.

    2. Re:Jobs answer by Anonymous Coward · · Score: 0

      This joke DOESN'T MAKE SENSE.

      It does if you hold it correctly.

    3. Re:Jobs answer by Ethanol-fueled · · Score: 2, Funny

      What happen? Did Apple set you up the bomb?

      Main screen turn on.

      You have no reception make your time.

    4. Re:Jobs answer by shutdown+-p+now · · Score: 1

      It's not a technical flaw in Apple's software, or design flaw in Apple's ecosystem. Well... I guess that "Troll" mod is well-deserved.

  7. Sounds like phishing... by maccodemonkey · · Score: 4, Insightful

    Any bets? Sounds like there were suddenly a bunch of phished accounts that got "activated."

    1. Re:Sounds like phishing... by gsgriffin · · Score: 2, Insightful

      Yep. Email for you: "Secure your iTunes account now...All iTunes customers are encouraged to log on to their account and change their passwords now. CLICK HERE TO GO TO THE SECURE WEBSITE. Enter your personal info and we will make sure you are protected...blah blah"

      I hate to think that 20 years from now we will still have people all around the world falling victim to phishing. Every day I get princes and princesses from all around the world that need my help in transferring millions of dollars to the US. Every time I delete the email, I think, "lots of people are falling for this today and losing their money....sad!"

      --
      jsut athnoer menagiensls ltitle psrhae for you to dcoede. Why do we wtsae our tmie dnoig tihs?
    2. Re:Sounds like phishing... by hedwards · · Score: 2, Informative

      Eh, not just that, I got a call the other day from US Pharmacy, wanting to know about my Xanax prescription. I don't take Xanax, and a quick Google revealed it to be a phishing scam wherein they eventually ask for your CC number to supposedly look up the account information. Of course, I hung up when he wouldn't admit that I don't have a prescription for that from them.

    3. Re:Sounds like phishing... by PitaBred · · Score: 1

      People have been falling for snake oil for a long time before it was called Homeopathy. It's going to be constant as long as people relinquish reason when blinded by greed.

  8. PICNIC Problem by Anonymous Coward · · Score: 1, Informative

    This is a Problem In Chair Not In Computer problem. If users are stupid enough to respond to the iTunes phishing scams that circulate then they shouldn't be surprised when someone uses their details.

    My suggestions:
    1. Report any fraudulent transactions to your credit card company/bank so the transactions are stopped. And get your card cancelled.
    2. Log in and choose a secure password, morons

    1. Re:PICNIC Problem by MichaelSmith · · Score: 1

      This is a Problem In Chair Not In Computer problem. If users are stupid enough to respond to the iTunes phishing scams that circulate then they shouldn't be surprised when someone uses their details.

      My suggestions:
      1. Report any fraudulent transactions to your credit card company/bank so the transactions are stopped. And get your card cancelled.
      2. Log in and choose a secure password, morons

      But with your average person the problem is in the chair. You can give lots of good advice, but the market is still going to be corrupt because it provides avenues for theft. A corrupt market is bad for all of us.

    2. Re:PICNIC Problem by Mitsoid · · Score: 1

      Secure passwords mean little in the case of phishing/Trojans.

      I've seen a lot of Passwords "Stolen" over the last few weeks -- likely the adobe bug, or another vulnerability.

      If your password is "!!Hell0Kitty77KeRt*?Captain" it can be stolen just as easily as any insecure password.

      And in the case of Adobe / in-advertisement trojans, you can't really blame the end user for using programs that are almost 'required' nowadays to actually use websites. To expect end-users to know as much about IT security as an IT expert is silly. How do I teach my grandfather to use Firefox, and install NoScript and configure his security settings... (I unfortunately can't get to him)

    3. Re:PICNIC Problem by twidarkling · · Score: 2, Funny

      If your password is "!!Hell0Kitty77KeRt*?Captain"

      HEY! Where'd you get my password?! Dammit. I knew I should have gone for Sailor Moon instead of Hello Kitty.

      --
      Canada: The US's more awesome sibling.
    4. Re:PICNIC Problem by delinear · · Score: 1

      A corrupt market is bad for the security conscious. For everyone else, they're probably willing to accept that they pay a little more for everything to cover the cost of the losses because it means they can jump through fewer security hoops to do anything. It's the people who would gladly jump through those hoops but aren't being given the opportunity that are really losing out so that everyone else can be lax - maybe a two-tier system where you can get some return on being less of a security risk would help (some bonus store credit, for instance), but how to assess the risk is always going to be tricky. You don't know if the guy with the 32-character password that he changes daily has it written on his Facebook page just in case he ever forgets it, for instance.

    5. Re:PICNIC Problem by Albatrosses · · Score: 1

      You'll never get mine, no matter how hunter2-ing hard you try

  9. easy shot by Anonymous Coward · · Score: 2, Funny

    They're buying it wrong. They shouldn't buy it that way.

    1. Re:easy shot by Anonymous Coward · · Score: 0

      And not to forget: Retire, relax, enjoy your family. It is just your bank account. Not worth it.

  10. The hell? by Robotron23 · · Score: 0

    Thuat chance of these rankings being legit. Nguyen piss off if you believe they are.

    Faster this appspam is removed faster we can Wok on Bai. Sheesh.

    1. Re:The hell? by Inf0phreak · · Score: 2, Insightful

      If you know how the name Nguyen is supposed to be pronounced, you'll be completely blind to the second half of this attempted joke ("attempted joke"---almost sounds like a crime, doesn't it?)

      --
      ________
      Entranced by anime since late summer 2001 and loving it ^_^
    2. Re:The hell? by Anonymous Coward · · Score: 0

      Lol weaboo faggot ^_^

    3. Re:The hell? by gyrogeerloose · · Score: 1

      ("attempted joke"---almost sounds like a crime, doesn't it?)

      If it ain't, it should be: a crime against humormanity.

      --
      This ain't rocket surgery.
    4. Re:The hell? by RocketRabbit · · Score: 1

      Oh Phuc off you Thach.

    5. Re:The hell? by Culture20 · · Score: 1

      If you know how the name Nguyen is supposed to be pronounced, you'll be completely blind to the second half of this attempted joke ("attempted joke"---almost sounds like a crime, doesn't it?)

      Not an epic Nguyen?

    6. Re:The hell? by KDR_11k · · Score: 1

      I fall back to German pronunciation for romanized Asian words (which tends to be closer to the proper pronunciation than trying the English one) so I didn't even get the first part.

      --
      Justice is the sheep getting arrested while an impartial judge declares the vote void.
    7. Re:The hell? by Khyber · · Score: 1

      Not Japanese, you ignorant shit. Vietnamese or Thai.

      --
      Still waiting on Serviscope_minor to wake up to fucking reality and realize that Jessica Price isn't going to fuck him.
  11. You've been Steeved! by Animats · · Score: 3, Insightful

    The other problem with iTunes: "All sales are final." .... From the Terms and Conditions, security section: "You are entirely responsible for all activities that occur on or through your Account, and you agree to immediately notify Apple of any unauthorized use of your Account or any other breach of security. Apple shall not be responsible for any losses arising out of the unauthorized use of your Account."

    That's so Steve Jobs.

    1. Re:You've been Steeved! by MobileTatsu-NJG · · Score: 0

      That's so lawyeresque.

      FTFY.

      --

      "I like to lick butts!" by MobileTatsu-NJG (#32700246) (Score:5, Informative)

  12. Use temporary credit card numbers online by perpenso · · Score: 4, Informative

    Some banks / credit cards allow you to generate temporary credit card numbers with a limit that you specify. The ones I've seen in use also tie themselves to the first vendor they are used with. The temporary credit card number is effectively an alias for your real number. Personally I think these temporary numbers are far better to use online than a real credit card number.

    --
    Perpenso Calc for iPhone. Classic Scientific and HEX functionality plus RPN, fractions, complex numbers, 32/64-bit signed/unsigned bitwise operations, UTF-8, IEEE FP decode, and RGB decode with color preview.
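A model of how such merchant-locked, capped temporary numbers behave, added here as an illustration. It is not the commenter's code nor any bank's implementation; the class and function names, the rules (bind to the first merchant, enforce a total cap and an expiry) and the constructed charges are this example's own assumptions.

```python
"""Model of a merchant-locked, limit-capped temporary card number.

Added illustration, not code from any bank or from the comment above.
VirtualCardNumber, authorize() and the sample charges are assumptions
made for this example.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import List, Optional, Tuple


@dataclass
class VirtualCardNumber:
    """Alias for a real card: one merchant, one spending cap, one expiry."""
    alias_pan: str                  # the temporary number the user types online
    real_pan: str                   # backing card; never sent to a merchant
    limit: float                    # total spend allowed through this alias
    expires: date
    locked_merchant: Optional[str] = None   # set on first authorization
    spent: float = 0.0
    log: List[Tuple[str, str, float, str]] = field(default_factory=list)

    def authorize(self, merchant: str, amount: float, today: date) -> bool:
        """Apply the alias rules; return True only if the charge is approved."""
        if today > self.expires:
            self.log.append(("declined", merchant, amount, "expired"))
            return False
        if self.locked_merchant is None:
            self.locked_merchant = merchant          # bind to the first vendor
        elif merchant != self.locked_merchant:
            self.log.append(("declined", merchant, amount, "wrong merchant"))
            return False
        if self.spent + amount > self.limit:
            self.log.append(("declined", merchant, amount, "over limit"))
            return False
        self.spent += amount
        self.log.append(("approved", merchant, amount, "ok"))
        return True


def demo_account_takeover() -> dict:
    """Constructed scenario: two legitimate buys, then abuse after the
    store account is taken over. Amounts and dates are made up."""
    start = date(2010, 7, 4)
    alias = VirtualCardNumber("4111-ALIAS-0001", "REAL-PAN-REDACTED",
                              limit=25.0, expires=start + timedelta(days=30))
    results = {
        "legit_1": alias.authorize("App Store", 9.99, start),   # binds merchant
        "legit_2": alias.authorize("App Store", 4.99, start),
        # a mass purchase through the hijacked account exceeds the cap
        "mass_purchase": alias.authorize("App Store", 50.0, start + timedelta(days=1)),
        # the alias cannot be reused anywhere else, even for a small amount
        "other_merchant": alias.authorize("Other Shop", 1.0, start + timedelta(days=1)),
        # and it stops working entirely once expired
        "after_expiry": alias.authorize("App Store", 1.0, start + timedelta(days=31)),
    }
    results["remaining"] = round(alias.limit - alias.spent, 2)
    results["declines"] = sum(1 for entry in alias.log if entry[0] == "declined")
    return results


if __name__ == "__main__":
    print(demo_account_takeover())
```

The point the model makes: with a real card on file, a hijacked store account can spend up to the card's limit; with an alias, the worst case is bounded by the cap the user chose, and the number is worthless anywhere but the store it was first used at.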

    1. Re:Use temporary credit card numbers online by noidentity · · Score: 5, Informative

      BTW, Slashdot has an automatic signature feature, which gives you two benefits: you don't have to add it manually after each post, and those readers who aren't interested in the clutter of signatures can turn them off. When you add it manually, you annoy the latter group.

    2. Re:Use temporary credit card numbers online by PitaBred · · Score: 1

      I think that's the entire point. Maybe they think if they annoy those that disable signatures, they'll get them to click on ads or something...

    3. Re:Use temporary credit card numbers online by perpenso · · Score: 2

      I apologize, I didn't know about the built-in functionality.

    4. Re:Use temporary credit card numbers online by RocketRabbit · · Score: 1

      Thank you sir. As another appdev I appreciate where you are coming from, but I doubly appreciate your attitude and the fact that you shut off the sig.

      There is hope for us yet!

    5. Re:Use temporary credit card numbers online by L4t3r4lu5 · · Score: 1

      There's also a "Filter AC comments" option. Just going to turn that on :)

      --
      Finally had enough. Come see us over at https://soylentnews.org/
    6. Re:Use temporary credit card numbers online by xtracto · · Score: 1

      I would not do that. Lately, most of the most insightful comments I have seen on Slashdot come from ACs. That's why I prefer to browse around 3 or 4 and hide everything else.

      --
      Ubuntu is an African word meaning 'I can't configure Debian'
    7. Re:Use temporary credit card numbers online by Anonymous Coward · · Score: 0

      Yeah right, no one cares about whatever app you are trying to advertise, always keeping ready in your clipboard.

    8. Re:Use temporary credit card numbers online by noidentity · · Score: 1

      Amazing, I figured you just did it to get more eyeballs seeing your ad. I commend you.

  13. This is STILL going on? by Anonymous Coward · · Score: 1, Informative

    The exact same thing used to happen (and possibly still does) with PalmOS apps and the associated online stores. Certain developers, mostly Asian-based, would create very basic, sometimes useless apps, and list them on stores like Handango for low, low prices. Then they'd suddenly skyrocket in the listings. If you grabbed a demo version, you could see that a lot of these applications were complete duplicates with just the name changed. They'd bank on some legit sales once the app was ranked, but boost their own sales with stolen credit cards/accounts. Every now and then, someone would get delisted. I'm surprised, given that it's been years since I did anything on the PalmOS (had a few apps myself, only I just created them out of boredom and could care less about sales), that this wasn't foreseen by Apple. It's a pretty basic scam.

  14. Could be worse by Ilgaz · · Score: 1

    It is not phishing, it is something worse. Some Apple guy told a friend "change your password immediately" when he contacted them regarding 4-5 apps he didn't actually buy showing up on his order history.

    It really sounded like some "password stolen" issue to me but I really doubt it is phishing as I know the guy, not a type who will be a phishing victim.

    Note that it is a theory only; I don't have the actual data, nor am I an iPhone customer.

  15. Re:Unpossible! by Kitkoan · · Score: 2, Informative

    Ignoring the 'X OS is more secure than Y OS' debate, nothing is immune to being hacked. It just takes time and a desire. Like every system, if someone wants to break into it enough then they will find a way. Something like this would have been a targeted attack, which pretty much makes any normal security moot since the way it was done would have been unique to this system. It's a tailor-made attack, and nothing short of disconnecting the iTunes server could have prevented it.

    On a side note though, it was an interesting move for them to do this on a long weekend, since it's the 4th of July holiday weekend in the US and since this is a US company they no doubt have a lot of their staff off so they can enjoy the holiday. Least amount of physical presence and security to watch out for such an attack. Tomorrow might be one hell of a day at the office for Apple though.

    --
    Attention... all grammer nazi"s! Is they're anything; wrong with: my post,
  16. big mistake in the first place by SethJohnson · · Score: 2, Interesting

    It does deserve to be noted as a colossal mistake to have allowed reviews by people who hadn't even downloaded a given app.

    When SuperMonkeyBall was released, there were over 3,000 reviews. The average star rating was a high 4. I paid $9 for it and found out it was a horrible port with horrible controls and actually sucked. Then I read the reviews and they were mostly from iTunes users who were fans of the console version of the game and wanted to mouth off about how great it is. Few of them had actually played it on the iPhone.

  17. Tech savvy people, right? by Runaway1956 · · Score: 1

    A lot of these people seem to come across as "tech savvy". So - why do they have their primary credit card accounts linked to the app store? I have one debit card that I use online. Guess what? It's almost always EMPTY. Balance of zero. No cash on hand. DEBIT cards can't be used to make mass purchases when there is no balance on them. Each week, when I get my pay, I pretty much know what I want to purchase online - I just deposit enough to cover those purchases, and a dollar or two more.

    Hey hackers - good luck trying to rip me off!!

    --
    "Windows is like the faint smell of piss in a subway: it's there, and there's nothing you can do about it." - Charlie Br
  18. Occam's Razor by webdog314 · · Score: 4, Insightful

    After reading the article, the other linked article, and the comments posted on the linked site, I have to ask what's more likely here: that approximately 30 people out of 100+ million iTunes users have infected systems with key-loggers and were phished, or that the App Store has some huge security problem?

    Just saying.

    1. Re:Occam's Razor by delinear · · Score: 1

      Would 30 people out of 100+ million really be able to sway the App Store so much that the targeted apps would account for 40 of the top 50 apps? I don't disagree that the most likely explanation is people with infected systems or people subject to phishing attacks, but it's patently a hell of a lot more widespread than you're suggesting.

    2. Re:Occam's Razor by alobar72 · · Score: 1

      Isn't it true that only the "book" section is affected? I read somewhere that the sales numbers of the apps in that section are so low that you could easily manipulate them with a few hundred buys.

  19. I've said it before.. by crossmr · · Score: 2, Interesting

    Apple doesn't care. Even if it was 100% their problem.
    They don't care.
    There are currently apps on the app store which are fake. They aren't as described. I grabbed one of them when they had a "Free" day. They're described as epic stickman fighting games. But the screenshots bear no resemblance to what the description is and feature no UI. They're filed under games, but feature no gameplay. They are all the same 4 low res stickman videos they pulled off some site.
    There are several copies of this app with different names. They've all been reported multiple times but Apple has not removed them, made them change the description or even categorize them appropriately.

  20. Could it be? by masterwit · · Score: 2, Interesting

    I bet some user just entered
    <script>
    before a comment.
    Control the content you control the users, right?

    --
    We should start a new Slashdot and return control to the geeks. It actually wouldn't be that hard to get some users to
  21. Ratings? by KlaymenDK · · Score: 1

    Out of interest (and because you seem like a rational debater), could you enlighten me on the subject of the Apple app store's rating system? I'm an Android user myself, and I don't know how things are in Apple land. In the Android Market, you can rate apps with 1-5 stars (1 being 'poor', 3 being 'average', and 5 being 'excellent').

    You see, I would like to investigate if app stores could be better compared on quality rather than quantity. It seems to me that it would be better to have one thousand apps with a high average rating, than a million apps with an appalling average rating.

    There are some Android Market ratings available, although I'm sure more detailed ones can be gotten hold of. I do note that only one fifth of all rated apps have a single star, and two fifths have the highest rating. This is based on nearly 900,000 ratings, but I do not know the ratio of rated vs. unrated apps.

    1. Re:Ratings? by BasilBrush · · Score: 1

      Out of interest (and because you seem like a rational debater), could you enlighten me on the subject of the Apple app store's rating system? I'm an Android user myself, and I don't know how things are in Apple land. In the Android Market, you can rate apps with 1-5 stars (1 being 'poor', 3 being 'average', and 5 being 'excellent').

      It works the same on the iTunes App Store. A 1-5 star rating. I don't know of a site that calculates an average rating for the entire store.

    2. Re:Ratings? by delinear · · Score: 3, Interesting

      Ratings on the Android market place seem to be even worse than those described above for the Apple app store. I frequently see people giving apps one star because it crashed on their phone, even though their phone is often either not on the supported list (usually because it lacks the resources to handle said app), or even if the developer specifically states that it doesn't work on handset X for reasons a, b and c. Alternately I see spammers everywhere giving five stars but not because they've even used the app, just because they want to post a link to their website in the comments. I'll always use proper app review sites to determine which apps are actually worth using - the reviews on the market place are worse than useless.

      In fact, the whole filtering of the market place is one of the few disappointments with my HTC - I don't know if this is because people are expected to go online to search, but there are just too few options. I can either search on top rated (which is split into paid and free, but is rubbish for the reasons I've already stated) or "just in", which I assume is ordered by timestamp, but is a mix of free and paid and seems to be useless anyway because it doesn't order by the original release date of the app, but rather by the last version update - so you end up with the position that apps are being updated several times a week, I don't know if this is a cynical move to stay at the top of the "just in" list or if these apps really are being updated for the better, but either way it has the same result on finding anything.

      And don't even get me started on the millions of useless screensaver/wallpaper/soundboard/etc apps. Why release one app which allows users to select from 1,000 different wallpapers using a web service when you can just package them as 1,000 different apps each with only 1 wallpaper and flood the hell out of the market place? Ugh, indeed.

    3. Re:Ratings? by KlaymenDK · · Score: 1

      I frequently see people giving apps one star because it crashed on their phone, even though their phone is often either not on the supported list (usually because it lacks the resources to handle said app), or even if the developer specifically states that it doesn't work on handset X

      In that case, the developer is still at fault for not specifying the proper prerequisites in the project manifest. If handset X can't handle the app, it should not be listed in the first place. (Of course, the process can be circumvented by handing around APKs manually.)

      Alternately I see spammers everywhere giving five stars but not because they've even used the app, just because they want to post a link to their website in the comments.

      This is a true problem, I agree. One aspect of the problem is that it's too cumbersome to individually mark each such occurrence as spam (one might envision stripping comments for links and link-like content, but it's not there yet).

      In fact, the whole filtering of the market place is one of the few disappointments with my HTC

      I agree again; although the fault here lies with Android rather than HTC. Filtering could (and should!) be done much better -- but it can't be done without adding complexity that will inevitably be "scary" for novice users.

      (nitpick: Why do you say "my HTC"? Would you say "my Apple" if you had an iDevice?)

    4. Re:Ratings? by KDR_11k · · Score: 1

      On the app store you see software adding several As to the front of their name just to end up near the top in an alphabetical list.

      --
      Justice is the sheep getting arrested while an impartial judge declares the vote void.
    5. Re:Ratings? by SethJohnson · · Score: 1

      In both app stores, the vendors apparently need to really improve the presentation of apps. Sorting by rating would be a VERY nice feature in the Apple App Store, for instance.

      But in both cases, if they are going to provide a proper infrastructure for selling mobile phone software, the consumers and developers would both benefit hugely by better categorization, sorting, and filtering of search results.

      Seth

  22. Re:Macfag Status: by RyuuzakiTetsuya · · Score: 1

    Shit. I just got told. I need to go to the ER to make sure I wasn't also served. Last time this happened Apple went Intel. Hopefully it isn't that bad. Oh god it hurts so much. :(

    --
    Non impediti ratione cogitationus.
  23. I agree that it's probably phishing by tlambert · · Score: 1

    I agree that it's probably phishing

    It's most likely that the app itself is asking for the iTunes username and password. This could nominally be for an in-game purchase, or it could be prompting claiming it was for some other reason, such as "activating the application", where people are willing to put in the information because they've already thrown money at the application. Or it could just be asking for them with no reason given.

    It's really hard to avoid this kind of trojaning, if it's either time activated, or activated by the nefarious application checking for an activation token on a remote web site.

    One thing that could be helped is if the request is for the nominal in-application purchase; however, the fix lacks a little convenience for the user, which would in turn be likely to reduce the number of in-application purchases: queue the request, and handle the actual purchase through an Apple-supplied application that goes through the queue and has you OK or abort the purchase on a case-by-case basis. This would also have to deal with the enqueued request records not being accessible to the enqueueing application, once enqueued, to prevent rewriting of data in other enqueued requests by a nefarious application to appear to be the request requested, but to actually contain a different payment target as payload.

    Most attacks, however, will probably just pop up a request dialog and trust that most users will just be foolish and enter the information requested, and so would not be mitigated by such a (complicated for the user) prevention scheme.

    -- Terry

  24. Simple solution by Radical+Moderate · · Score: 1

    Let's make sure I understand the problem:

    1. Rogue developer writes crap app and gets in App Store
    2. Rogue developer hacks iTunes account and purchases his own app with it
    3. Apple charges hacked account and transfers funds to rogue developer
    4. Hackee finds out he's been ripped off and has to fight with Apple for refund

    Solution: Replace step 3 with: Apple transfers funds for untrusted developers to an escrow account for 30 days before paying out. A developer can become trusted after a set amount of sales or time, whichever comes last.
    4. Apple cheerfully refunds money because it never left its pocket. Minus a handling fee if Steve is feeling evil.

    --
    Never let a lack of data get in the way of a good rant.
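A runnable model of the escrow scheme proposed above, added as an illustration (it is neither Apple's payout logic nor the commenter's code). The 30-day hold comes from the comment; the trust thresholds, the class and function names and the constructed sales are this example's assumptions. It also shows the case the comment's step 4 leaves implicit: a dispute that arrives after the hold has elapsed is funded by the store, not from escrow.

```python
"""Escrow-before-payout model for untrusted developers.

Added example; not Apple's or the commenter's code. HOLD_DAYS is the
30-day hold from the comment; TRUST_MIN_SALES and TRUST_MIN_DAYS are
assumed thresholds (the comment leaves the numbers open).
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, Optional

HOLD_DAYS = 30           # escrow period proposed in the comment
TRUST_MIN_SALES = 100    # assumed: settled sales needed before direct payout
TRUST_MIN_DAYS = 90      # assumed: days since first sale needed before direct payout


@dataclass
class Sale:
    sale_id: int
    developer: str
    amount: float
    day: date
    state: str = "escrow"    # escrow -> paid_out | refunded


@dataclass
class Developer:
    name: str
    first_sale: Optional[date] = None
    settled_sales: int = 0   # sales whose money actually reached the developer
    balance: float = 0.0     # money that has left the store's control

    def trusted(self, today: date) -> bool:
        """Both thresholds must be met ('whichever comes last')."""
        if self.first_sale is None:
            return False
        aged = (today - self.first_sale).days >= TRUST_MIN_DAYS
        return aged and self.settled_sales >= TRUST_MIN_SALES


class PayoutLedger:
    def __init__(self) -> None:
        self.sales: Dict[int, Sale] = {}
        self.devs: Dict[str, Developer] = {}
        self.store_loss = 0.0   # refunds the store has to fund itself

    def _pay(self, sale: Sale) -> None:
        dev = self.devs[sale.developer]
        dev.balance += sale.amount
        dev.settled_sales += 1
        sale.state = "paid_out"

    def record_sale(self, sale_id: int, developer: str, amount: float, day: date) -> str:
        """Step 3 of the comment: pay trusted developers now, escrow the rest."""
        dev = self.devs.setdefault(developer, Developer(developer))
        if dev.first_sale is None:
            dev.first_sale = day
        sale = Sale(sale_id, developer, amount, day)
        self.sales[sale_id] = sale
        if dev.trusted(day):
            self._pay(sale)
        return sale.state

    def refund(self, sale_id: int) -> str:
        """Step 4: reversing a sale is free while the money is still in escrow."""
        sale = self.sales[sale_id]
        if sale.state == "escrow":
            sale.state = "refunded"
            return "refunded_from_escrow"
        if sale.state == "paid_out":
            sale.state = "refunded"
            self.store_loss += sale.amount   # funds already left; the store eats it
            return "refunded_from_store"
        return "already_refunded"

    def release_due(self, today: date) -> int:
        """Pay out escrowed sales whose hold period has elapsed; returns the count."""
        released = 0
        for sale in self.sales.values():
            if sale.state == "escrow" and (today - sale.day).days >= HOLD_DAYS:
                self._pay(sale)
                released += 1
        return released


def demo_rogue_developer() -> dict:
    """Constructed scenario: three self-purchases through hijacked accounts,
    two disputed inside the hold window and one only after payout."""
    day0 = date(2010, 7, 4)
    ledger = PayoutLedger()
    for sid, amt in ((1, 0.99), (2, 4.99), (3, 2.99)):
        ledger.record_sale(sid, "rogue_dev", amt, day0)
    return {
        "initial_state": ledger.sales[1].state,
        "refund_1": ledger.refund(1),
        "refund_1_again": ledger.refund(1),
        "refund_2": ledger.refund(2),
        "released_day29": ledger.release_due(day0 + timedelta(days=29)),
        "released_day30": ledger.release_due(day0 + timedelta(days=30)),
        "dev_balance": round(ledger.devs["rogue_dev"].balance, 2),
        "late_refund_3": ledger.refund(3),
        "store_loss": round(ledger.store_loss, 2),
    }


if __name__ == "__main__":
    print(demo_rogue_developer())
```

Counting only settled (paid-out, undisputed) sales toward trust is a deliberate choice here: a developer cannot shorten the probation by buying their own apps with hijacked accounts, because those purchases are reversed before they ever count.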