Slashdot Mirror


More Trouble In Apple's App Store

quickOnTheUptake writes in to update the story of foul play in Apple's App Store, which we talked over on Sunday. The Next Web, which broke the story, now provides evidence of rampant App Farms used for theft in the store. Here is a summary of the problems TNW has seen, which includes large-scale break-ins of the App Store accounts of users worldwide. Apple has responded to the initial reports, has disabled the account of the initially fingered rogue developer, and has called on those whose accounts were misused to change their password and credit card. Both TNW and Engadget, at least, believe the problems go far deeper than Apple is admitting.

45 of 186 comments

  1. "problems go far deeper than Apple is admitting" by bradgoodman · · Score: 3, Insightful

    ...oh, like the antenna issue?!

  2. But they were approved! by Kohenkatz · · Score: 5, Insightful

    Wait, wasn't this the whole reason Apple wanted to approve apps - so they could keep the garbage out?!

    1. Re:But they were approved! by emag · · Score: 4, Insightful

      No, the apps that compete with theirs. Otherwise, there'd never be all the fart apps and such...

      --
      "The urge to save humanity is almost always a false front for the urge to rule." --H.L. Mencken
    2. Re:But they were approved! by Mark19960 · · Score: 4, Insightful

      Apple did not catch him, the users did... when they lost their money and had no choice but to go to their banks to get it back.
      Perhaps they should not approve apps that have no purpose?
      Can a developer REALLY put together almost 5,000 apps?
      That is to the point of being obvious as hell that you're gaming the system, yet was allowed to.

      All Apple proved here was the gardeners were inept.

    3. Re:But they were approved! by Missing.Matter · · Score: 2, Informative

      I'd say over 75% of the apps on the app store are either cookie cutter, functionally useless, don't work as advertised or completely ignore Apple's HIG. Apple doesn't mind this, however, because they enjoy putting out press releases touting that they now have however many hundreds of thousands of apps in the App Store.

    4. Re:But they were approved! by ergo98 · · Score: 5, Informative

      The important point is not that a rogue developer was able to get it, but that Apple was able to catch him, stop him, and let their users know about it quickly.

      Apple didn't catch him. The "apps" in question were absolute trash (along with the 300+ iFart apps), making a mockery of any illusions that it's a curated garden.

      However just to be clear, we already know that the Android market can do precisely the same thing, forcefully reaching out and removing rogue content. Instead of any ridiculous notions of curation, however, Android relies upon a permissions system that makes a user aware of the potential reach of any given application. It is far from perfect, yet despite some ignorant criticism directed at it recently it beats the hell out of anything on the iPhone.

      Not really sure why we're talking about the phones though. The exploit in this case didn't necessarily have much to do with the actual handsets themselves.

    5. Re:But they were approved! by socz · · Score: 3, Insightful

      Eh, the system didn't work. Last night on TV, some dude on the "tech spot" for the local news said that up to $10,000 were spent from a single account!

      The whole bit was REALLY lame. They explained it like this:

      There's a warehouse, and 1 dude in there shouting "books, books" with no one buying because they can't hear his voice from the many others. So then, somehow he rigs it (hacks) so that he goes into people's accounts and buys his own book. Then apple is like, o`rly? Why is this lowly book #1 beating out ze twinkle series? And so they noticed and are like arrrrg! We've been piz0wn0red, right? And they recall the app and remove it from the store.

      I think that, regardless of how bad they portrayed what happened, the damage is done. All the arguments the smug iPhonies have made of "well macs don't get viruses...(implying security)" "it's good that there is so much control because it makes it safer..." are now??? But, thankfully for apple, many of their fans will just turn their heads and look the other way.

      So I guess only time will tell but I'm guessing those with that white veil over their eyes won't let this problem affect them. As one windows to mac user said "I just got tired of windows... and macs just work!"

      --
      My abilities are only limited by my imagination
    6. Re:But they were approved! by Dragoniz3r · · Score: 4, Funny

      They'd never make it through the approval process.

    7. Re:But they were approved! by tibit · · Score: 2, Informative

      Methinks that stupid/useless apps are not an issue. There's a lot of crappy books in every bookstore, and I have no problem with that. But the issue is that people's iTunes credentials got stolen, and I don't think it was Apple's fault unless the exploits were running on OS X...

      --
      A successful API design takes a mixture of software design and pedagogy.
    8. Re:But they were approved! by ergo98 · · Score: 5, Insightful

      So a total of 48 apps out of 200,000+ were bad 'Apples', and suddenly the entire App store is a 'dismal failure'

      Still trying to figure out who you are quoting with the dismal failure bit. Or are you setting up a strawman, ready for the heroic striking down?

      However there are countless terrible, terrible apps in the App Store. There are countless terrible, terrible apps in the Android market. The difference is that one of these claims that they curate their market (comparing themselves to a fine museum) -- their founder openly saying that user privacy is why they curate their market -- and the other makes no such notion (but instead protects privacy by forcing apps to declare rights requests that users need to allow). I'll let you guess which is which.

    9. Re:But they were approved! by Stupendoussteve · · Score: 2, Informative

      I haven't seen anything saying a program itself did anything without a password. Most likely scenario is developer got password through some other means, put up all these random apps, and began purchasing them.

    10. Re:But they were approved! by ergo98 · · Score: 2, Insightful

      You seem to be confused, and should probably re-read the article. These apps are not scams, they are actually simple book apps, in and of themselves, unremarkable.

      Did I say otherwise somewhere? If so, I apologize, but I'm quite sure I've made no insinuation that these were any sort of exploit.

      Instead they were just garbage fillers, used as a target for an exploit (the mechanism of which we have no idea of, though curiously lots of people are trotting out the Apple-can't-be-blamed simple password canards et al...which is curious because on any modern system you simply can't do dictionary attacks. Anyways...). I replied to a guy who made some argument for Apple's curation claims, and my point is simply that these "unremarkable book apps" have been widely noted as being trash (which is why it earned attention -- no one would seriously buy it). Curation indeed.

    11. Re:But they were approved! by ergo98 · · Score: 2, Informative

      User privacy is why they curate their market?

      Yeah, guy, Steve Jobs said it at D8. Feel free to do a search.

      I believe the privacy angle you're referring is in

      NO IT ISN'T.

      Listen, I realize you might have a problem with threaded conversation, and you seem to be trying to mesh every comment with the submission, but that just isn't how it works. See, I was replying to someone who made a comment, and this thread carried on from there.

      Judging from your statements, it appears you didn't read the article

      Are you new to Slashdot? You understand the conversational nature? You might want to get acquainted with threads and conversations.

      The article is about hacked iTunes accounts with a stored credit card and the fact that hackers used them to purchase apps.

      Fascinating. So you have inside knowledge on what happens? No, I don't think you do.

  3. Steve Jobs = Emmanuel Goldstein? by WankersRevenge · · Score: 4, Insightful

    Problems or not, these apple stories are starting to feel like the slashdot version of Orwell's two minutes of hate.

    1. Re:Steve Jobs = Emmanuel Goldstein? by Anonymous Coward · · Score: 5, Insightful

      Apple gets tons of coverage when they do something good, so they will likewise get tons of coverage when they do something bad.

      You can't have your cake (pervasive marketing and mindshare) and eat it too (bad stories swept under the rug).

    2. Re:Steve Jobs = Emmanuel Goldstein? by h4rr4r · · Score: 2, Insightful

      So slashdot should stop reporting on them?

      I think slashdot has done a good job avoiding that on the main page, or else they would have more stories about the antenna issues and supposed fix.

    3. Re:Steve Jobs = Emmanuel Goldstein? by WankersRevenge · · Score: 5, Insightful

      I'm not complaining about slashdot reporting stories ... I'm saying that any Apple story - whether it be positive or negative - turns into people screaming their hatred for the company like it were a picture of Emmanuel Goldstein. In the ten years I've been visiting the site, I've seen this only happen to two companies: Microsoft and SCO.

      My point: Fuck apple ... I don't care about their rep ... it's this blind parroting that makes for a shitty discussion. If I wanted that ... I'd head over to Digg.

    4. Re:Steve Jobs = Emmanuel Goldstein? by something_wicked_thi · · Score: 4, Insightful

      Yep, Apple is a regular Jesus Christ, martyred all over Slashdot's front page.

      Let's count the ways that Apple is just like Emmanuel Goldstein.

      Emmanuel Goldstein was a fictional creation of the oligarchy to direct the hatred of the masses away from them.

      Actually, hmm, that doesn't sound the slightest bit like Apple. Let's try again.

      Goldstein was the purported author of a book that explains the way the oligarchy controlled the masses. Hmm, that could be analogous to DRM and closed platforms, but I'm still not really seeing it, since that makes Apple Big Brother and not Goldstein, although admittedly in the book, Goldstein is a fabrication of Big Brother, so maybe in a twisted way it works.

      Finally, Goldstein supposedly had a network of people undermining the ruling party. The party spread this information to create fear in the populace. I haven't seen Apple saying Microsoft or Google is infiltrating their customers and undermining them from within.

      Nope. All I can figure is that Apple is doing a bad job with the app store and you suck at analogies. But better luck next time.

    5. Re:Steve Jobs = Emmanuel Goldstein? by yuriyg · · Score: 2, Insightful

      More like O'Brien. At first glance, he's an anti-establishment agent, determined to break down the oppressive system. But once he lures you in, you'll experience psychological pressure like never before and you will be assimilated!

    6. Re:Steve Jobs = Emmanuel Goldstein? by Elbereth · · Score: 4, Insightful

      I think you're actually on to something here, and you've hit the nail on the head as to why I can't stand reading slashdot for an extended period of time.

      If I ever needed to raise up an army of brainwashed minions who think they're impervious to brainwashing, I'd use slashdot.

  4. So much for app review by Mark19960 · · Score: 5, Insightful

    What happened there?
    They won't allow flash or 'widgety' apps yet allow apps that do nothing but get the developer points.
    A developer with almost 5,000 apps?
    So much for that 200,000 apps in the apple store.... perhaps half are fake?

    1. Re:So much for app review by Mark19960 · · Score: 3, Informative

      I have seen 'fake' apps in the Android store so this is not isolated to just Apple.
      If you see an app in the market with virtually no rating then you know to pass it by.
      The one thing that the Android market lacks is filters.

  5. Quick anecdote by Anonymous Coward · · Score: 5, Interesting

    I know someone who works in the fraud prevention business and they allege that iTunes purchases and credit card fraud are strongly correlated. Their story goes like this: an iTunes purchase is made for an unknown app, and within minutes a very high value (basically max-out) charge is placed on the same card. The catch is that the max-out charge is placed with an *actual* card (presumably a cloned card) and since it is incredibly unlikely that every case is fraud abuse (a made up 'theft' story by the cardholder) there is something that iTunes is either doing directly or indirectly that is enabling this activity.

    Now the question for the armchair detectives is: is the iTunes purchase the moment of the leak of the card info (through some sort of hacked app), or is the iTunes purchase a test mechanism for the already stolen card info? Not being a big Apple person I haven't spent much time buying from the App store; is it possible to buy an app for someone else's device, or for a device that doesn't exist yet?

    1. Re:Quick anecdote by mlts · · Score: 4, Informative

      This is probably another quick and anonymous method of checking the validity of a stolen card. Before, credit card thieves would run cards through gas station card readers. This worked until the readers started prompting for the ZIP code of the cardholder.

      My solution? Consider either using iTunes gift cards, or if that isn't an option, put the CC info in, make purchases, then remove the information.

    2. Re:Quick anecdote by Kitkoan · · Score: 2, Interesting

      Consider either using iTunes gift cards.

      Gift cards like those worry me and I refuse to buy them for ANY company. I've seen too many people buy gift cards (that just use a number string) try to get the credit from the card after buying them to only be told that the number has already been used by someone else (they use them by using a Random Key Generator). And since it's just about impossible to prove that you were the first and only owner of it, you're typically SOL.

      --
      Attention... all grammer nazi"s! Is they're anything; wrong with: my post,
    3. Re:Quick anecdote by tlhIngan · · Score: 4, Informative

      I know someone who works in the fraud prevention business and they allege that iTunes purchases and credit card fraud are strongly correlated. Their story goes like this: an iTunes purchase is made for an unknown app, and within minutes a very high value (basically max-out) charge is placed on the same card. The catch is that the max-out charge is placed with an *actual* card (presumably a cloned card) and since it is incredibly unlikely that every case is fraud abuse (a made up 'theft' story by the cardholder) there is something that iTunes is either doing directly or indirectly that is enabling this activity.

      Now the question for the armchair detectives is: is the iTunes purchase the moment of the leak of the card info (through some sort of hacked app), or is the iTunes purchase a test mechanism for the already stolen card info? Not being a big Apple person I haven't spent much time buying from the App store; is it possible to buy an app for someone else's device, or for a device that doesn't exist yet?

      The iTunes thing is a credit card test.

      If you think about it, if you steal a bunch of credit cards (e.g., hack a payment processor), the easiest way to test them is to run up a charge against something that has most people thinking is a normal charge.

      E.g., a lot of people have iTunes accounts, so get iTunes to run a charge and see if it goes through - you'll see this as a $0.99 billing mostly. The goal is to hide that 99 cent charge amongst hopefully other iTunes charges.

      Earlier this year, a payment processor was hacked (one used by one of my favorite stores) - it's unusual because the store itself doesn't store credit card data (they can't), but a bunch of people who used that store noticed the iTunes charges, while others noticed and saw the strange charges as well (too late).

      I don't think there's any credit card information being stolen from Apple (no app can get at it unless it key logs - at worst they'll get your iTunes account information as your credit card isn't transmitted to Apple at all - Apple looks up your stored credit card info).

      As for enabling the activity, I think it's because iTunes is quite popular - a good chunk of those doing online shopping have probably bought something from iTunes, thus the chance of burying a charge is greater, and there's probably some API that was hacked in order to rapidly test credit cards. Also, Apple delays charging for a week or so (to avoid multiple 99 cent charges, they'd rather do a batch charge) but iTunes does do a reservation for each charge to ensure credit is available.

    4. Re:Quick anecdote by pseudorand · · Score: 3, Interesting

      > My solution? Consider either using iTunes gift cards, or if that isn't an option, put the CC info in, make purchases, then remove the information.

      TFA agrees with you ("Remove your iTunes card details and consider using gift cards where possible."), but using a gift card is a really bad idea. The article also says to "try prevent any iTunes purchases from clearing." These suggestions show a misunderstanding of the legal protections afforded consumers when we use credit cards.

      Under the law, you have 60 days to dispute credit card transactions. You can do this if the transaction has cleared (which is typically less than 24 hours). You can do this even if you've already paid your credit card bill. Your credit card company is required to refund the amount to your account until the dispute is resolved and help you in the dispute resolution process. The law has some antiquated restrictions about transactions occurring more than 50 miles from your home and technically gives you a liability of $50, and doesn't cover debit cards. However, both Visa and Mastercard have policies of zero liability that cover both credit and non-PIN-based debit transactions independent of how far from your home they occur. I've disputed numerous charges for various reasons, including having someone make a copy of my card in Mexico (I still had the card but the bank said it was a card-present transaction). Disputes have always been resolved quickly and in my favor. In short, using a credit card is the safest way to buy stuff. Always use a credit card for any purchase.

      Think if you'd used a gift card. Gift cards are like cash. If the purchase was fraudulent, you only lose the value of the gift card, but you have no way to get it back. I guess the safest way would be to reload your gift card each and every time you make a purchase for the exact purchase amount. I think that would be a bit annoying.
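
Added example (not part of any comment above, and not code from Slashdot, TNW or Apple): the pattern alleged in this thread, a small iTunes charge followed within minutes by a near-limit card-present charge on the same card, written as a detection rule an issuer could run over its transaction feed. The thresholds, merchant label, field names and sample transactions are assumptions constructed for illustration.

```python
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Txn:
    card: str           # tokenised card id (constructed)
    ts: datetime
    cents: int          # amount in cents, avoids float rounding
    merchant: str
    card_present: bool  # True for a physical swipe, False for online


# Assumed tuning values, not taken from the thread.
PROBE_MAX_CENTS = 200            # "99 cent"-style test charge
CASHOUT_FRACTION = 0.8           # "basically max-out" as share of limit
WINDOW = timedelta(minutes=15)   # "within minutes"
DIGITAL_MERCHANTS = {"ITUNES"}   # hypothetical merchant label


def find_probe_then_cashout(txns, limits_cents, window=WINDOW):
    """Return (probe, cashout) pairs: a small online digital-goods charge
    followed within `window` by a near-limit card-present charge."""
    recent = defaultdict(deque)  # card -> probes still inside the window
    alerts = []
    for t in sorted(txns, key=lambda x: (x.card, x.ts)):
        probes = recent[t.card]
        # Expire probes that are too old to be related to this charge.
        while probes and t.ts - probes[0].ts > window:
            probes.popleft()
        limit = limits_cents.get(t.card)
        is_cashout = (t.card_present and limit is not None
                      and t.cents >= CASHOUT_FRACTION * limit)
        is_probe = (not t.card_present
                    and t.cents <= PROBE_MAX_CENTS
                    and t.merchant in DIGITAL_MERCHANTS)
        if is_cashout and probes:
            alerts.append((probes[-1], t))
            probes.clear()       # one alert per probe/cash-out episode
        elif is_probe:
            probes.append(t)
    return alerts


def _at(hour, minute):
    return datetime(2010, 7, 6, hour, minute)   # constructed date


# Constructed sample feed.
SAMPLE_LIMITS = {"card-A": 500_000, "card-B": 500_000,
                 "card-C": 300_000, "card-D": 400_000}
SAMPLE_TXNS = [
    # card-A: probe, then near-limit swipe six minutes later -> alert
    Txn("card-A", _at(10, 0), 99, "ITUNES", False),
    Txn("card-A", _at(10, 6), 480_000, "ELECTRONICS-STORE", True),
    # card-B: ordinary small purchase followed by groceries -> no alert
    Txn("card-B", _at(9, 0), 99, "ITUNES", False),
    Txn("card-B", _at(9, 5), 12_000, "GROCERY", True),
    # card-C: large swipe, but five hours after the small charge -> no alert
    Txn("card-C", _at(8, 0), 99, "ITUNES", False),
    Txn("card-C", _at(13, 0), 290_000, "JEWELLER", True),
    # card-D: large charge is online, not the cloned-card case -> no alert
    Txn("card-D", _at(11, 0), 99, "ITUNES", False),
    Txn("card-D", _at(11, 3), 390_000, "WEB-SHOP", False),
]

if __name__ == "__main__":
    for probe, cashout in find_probe_then_cashout(SAMPLE_TXNS, SAMPLE_LIMITS):
        gap = cashout.ts - probe.ts
        print(f"{probe.card}: {probe.merchant} {probe.cents}c, then "
              f"{cashout.merchant} {cashout.cents}c after {gap}")
```

A hit says only that the two charges are correlated in time; it does not settle the question raised in the thread of whether the small charge is where the card leaked or a test of a card stolen elsewhere.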

  6. Apple account hacked months ago by shidarin'ou · · Score: 4, Funny

    The hackers attempted to order a macbook pro. I called Apple support- who kept asking what product I was having a problem with. One insisted that I was viewing the Apple website through a Mac, so therefore the problem was actually with the Mac.

    Apparently they have no technical support/hacking section for their website- account issues don't exist according to them. I was finally able to reach level 2 tech support after faking a problem with my Macbook; where the account was flagged and order canceled.

    1. Re:Apple account hacked months ago by mjwx · · Score: 2, Funny

      you just talked to a stupid rep. they are perfectly capable of transferring you to any apple department, and there is most certainly a department for fraud handling.

      You've never dealt with CSR's before have you? No point in even trying to single Apple out here with the OP's experience, all CSR's are that retarded.

      Let me put it this way, would you be a level 1 phone CSR if you weren't borderline retarded, socially inept and/or had the intelligence to get a better job. People who work in call centres are like people who work in McDonalds but with fewer people skills.

      --
      Calling someone a "hater" only means you can not rationally rebut their argument.
  7. Would this be by DevConcepts · · Score: 3, Funny

    Apple Farming?

    1. Re:Would this be by Rockoon · · Score: 2, Insightful

      Farmville for Developers.

      --
      "His name was James Damore."
  8. Re:"problems go far deeper than Apple is admitting by phonewebcam · · Score: 5, Funny

    Speaking of which, there's a demotivational poster for that.

  9. New Credit Cards? by fluch · · Score: 5, Interesting

    Wait, so they suggest customers to get new credit cards? Well, one thing I do not understand is this: the credit card information is with Apple, but I thought only Apple has access to this stored information. There should be no way for the bad guys to obtain my credit card information from there. If they have the credentials to my apple account they can make Apple charge my credit card without my authorisation. But in this case Apple would have to give me back this money as I did not authorise it etc. And as soon as I have changed my password ... the problem should stop (as long as they don't get my new password somehow)...

    Or what am I missing here?

    1. Re:New Credit Cards? by cusco · · Score: 2, Interesting

      Or what am I missing here?

      Stolen database backup? It's incredibly easy, and extremely embarrassing. Most companies don't want to admit, "Well, the intern that we foisted the backup jobs on gave the tapes to some guy in an Iron Mountain shirt and now we don't know where your data is." I know it's happened locally at least twice, and neither company fessed up to its customers.

      --
      "Think about how stupid the average person is. Now, realise that half of them are dumber than that." - George Carlin
  10. Approved apps? by fluch · · Score: 4, Interesting

    Just wondering: So if harm is done with apps approved by Apple ... isn't Apple then also liable for the fraud done by them?

    1. Re:Approved apps? by billy8988 · · Score: 5, Insightful

      Nah...that's MS yardstick. If a rogue developer hijacks IE then it's a MS problem. If a rogue developer does something to Appstore then it is that damn rogue developer.

    2. Re:Approved apps? by agent_vee · · Score: 2, Funny

      Can't wait to see Steve Jobs' e-mail reply to a user asking what Apple is going to do about this problem. "Just don't purchase those apps. -Steve"

  11. Identity Theft by ShopMgr · · Score: 5, Funny

    Yeah, there is an app for that...

  12. Apple Slashdot Attention by helix2301 · · Score: 2, Interesting

    I have to agree Apple is getting a ton of slashdot attention. Knowing Apple's reputation they probably plan and want the publicity. But lately they've been getting a lot of negative attention which is not a good thing.

  13. Re:4568 apps? by Bing Tsher E · · Score: 5, Informative

    The apps from that 'developer' are things like 'xxx Quotes' where there are quotes collections for many many different people. And slider puzzles where there are many different pictures. And recipe books.

    Basically the kind of 'stuff' where the actual codebase is a small container re-released over and over and over with different content.

    That's part of the problem in general with the 'little Apps' model Apple has developed. There are separate 'Web Radio Players' for each radio station, leading to thousands of different radio 'apps.'

  14. meme wars by jDeepbeep · · Score: 2, Funny

    But am I the only one that finds a quote from Princess Leia just sounds stupid?

    If we added a car analogy, we're looking at at least a 4-funny.

    --
    Reply to That ||
  15. Apple isn't arrogant? by copponex · · Score: 5, Informative

    Listen, when your marketing literally states that you are "changing the world" with your phone, and apparently you didn't properly engineer the antenna, your customers are going to complain bitterly. And then everyone who realizes that Apple is just Microsoft with better industrial designers and better marketing are going to laugh at the brand loyalists who got bitten again because Apple favors form over function.

    It's really not more complicated than that.

  16. 0.00000003% of accounts accessed is not deep by gig · · Score: 2, Insightful

    The servers weren't even hacked. 400 accounts with guessable passwords were accessed. That is why the users were asked to change their passwords, and everybody got their money back.

    How much hysteria does there have to be around Apple before it's enough?

  17. Re:"problems go far deeper than Apple is admitting by drinkypoo · · Score: 2, Funny

    Speaking of which, there's a demotivational poster for that.

    I think you mean there's a demotivational poster for that.

    --
    "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
  18. The attacks on Apple continue (but not from apps) by sjonke · · Score: 2, Interesting

    This is yet another ludicrous attack on Apple. The problem here is not that "rogue apps" have stolen your itunes account and credit card number, it is that these rogue developers have stolen itunes accounts/credit cards or purchased same from some other source and are using these to purchase their apps and make money, both from the purchases and the rising up in the charts. So, please, please just stop with this. Why do you idiots want to kill Apple? If it's because they don't make a phone that you like, well, that is really f-ing pathetic.

    --
    --- What?