App Auto-Tweets False Piracy Accusations

An anonymous reader writes "Certain iPhone and iPad applications from a Japanese company have broken software piracy detection mechanisms that are sending out tweets on the user's own Twitter account, saying, 'How about we all stop using pirated iOS apps? I promise to stop. I really will. #softwarepirateconfession.' The trouble is, it's sending these out on accounts of users who actually paid up to $50 or more for the software and who are legally using it. The app is asking for access to users' Twitter accounts, but does not give the reason why it is asking, so the author of the article concluded (rightly) that things were being done deliberately. Would you want your legally purchased software to send out messages to all of your contacts on Twitter or on other social networks saying that you were a software pirate? Would you excuse the writers of the software if it was just an error in their piracy detection measures?"

no

no

Re:no

Good grief, what a crappy post.

Re:no

[mwvdlee]

-1 tl;dr

Re:no

Where is the public list of applications that do these things? So they are easier to avoid?

Re:no

no

Agreed - And wouldn't it be tragic if somebody were to break into the company's twitter account and publicly confess that the CEO likes to blow goats?

Re:no

Ass, the article asked two questions. He answered them, and we agree.

App permissions

[danomac]

Generally if I have an app asking for Twitter/Facebook credentials and it appears completely unrelated to the app I just remove it and move on.

Re:App permissions

Not using Twitter/Facebook also solves that problem.

Re:App permissions

[cjpa]

This app cost 50$ and it was only when the user got an update, that the app insisted on getting Twitter credentials. So he paid heavily for an app which subsequently sent out a dodgy update. Not a very nice practice.

Re:App permissions

+1. Isn't Apple supposed to disapprove apps like that? Clear breach of privacy whether pirated or not. How about hanging a shotgun at your front door entrance that is supposed to go off only when burglar comes in?

Re:App permissions

Yes, but it's a fucking Dictionary. It doesn't *need* Twitter. It doesn't matter who wrote it, or how many good reviews it has.

Re:App permissions

[green1]

You don't honestly believe that bit about the walled garden protecting the users do you?

Re:App permissions

[Nexion]

Actually that solves MANY problems.

Re:App permissions

[fustakrakich]

If you don't use Twitter/Facebook, you're obviously hiding something.

Re:App permissions

[EGSonikku]

As an iOS user since the original iPhone I have a few points to make.

Firstly, part of me wishes it were more open and that's why I've always used available jailbreaks.

Secondly, when one looks at the amounts of malware available for each platform it does become clear that the 'walled garden' does seem to have an affect on device security.

It really is a double edged sword, but I can see the merits of both arguments.

Re:App permissions

[Hatta]

Exactly. The article asks if this mistake is forgivable. The mistake isn't even the problem, that the app asks for permissions that it doesn't need is already a deal breaker.

Re:App permissions

[dgatwood]

If I were one of those folks, I would follow these steps to register a complaint with Apple. Just saying.

Re:App permissions

[danomac]

I didn't actually realize it was a dictionary - people actually pay more than a buck or two for an app? Considering a dictionary is available online, $50 for a dictionary app seems to be kind of silly.

Re:App permissions

[TheRaven64]

Secondly, when one looks at the amounts of malware available for each platform it does become clear that the 'walled garden' does seem to have an affect on device security.

Until you factor in the fact that iOS uses the MAC framework from FreeBSD to enforce a pretty restrictive access, and has a solid centralised update system, while Android uses a fragile, hacky chroot()-based system and only gets updates for core system libraries on a few devices / carriers. Then it becomes a lot less clear.

Re:App permissions

[Threni]

I noticed one of these twitter posts from Teller (the silent half of Penn and Teller) earlier today. I assumed it was a joke that I didn't understand, but it makes sense now.

I'm more than willing to make a statement in court to the effect that I assumed he was admitting to performing illegal acts if it helps in any subsequent lawsuit against the turd-like cretins who abused people's trust in their products by misrepresenting them publicly in this way.

Re:App permissions

Apple can't test every possible use-case and scenario of an app.

Re:App permissions

[tftp]

Considering a dictionary is available online, $50 for a dictionary app seems to be kind of silly.

Perhaps not to a journalist who earns his daily bread by reviewing applications for portable devices. It's one of his tools of trade.

The Web site approach that you talk about may work if you need one word in a month. However the browser is not a perfect interface. You need to scroll around, to zoom in, to zoom out... even a simple application that has only one input field and one output area will be a huge timesaver. This is important for journalists who routinely write articles, especially when those articles are in a foreign language (Norsk != English.)

Re:App permissions

[dbIII]

However in this case it's malware people paid for without understanding that it's malware. That one nasty step beyond Bonzi Buddy.

Re:App permissions

Exactly. The article asks if this mistake is forgivable. The mistake isn't even the problem, that the app asks for permissions that it doesn't need is already a deal breaker.

I agree completely. On an off topic note, why does a stopwatch program need to be able to send premium SMS messages? Just saying.

Re:App permissions

[interval1066]

It (they) doesn't need $50 either. Most I ever paid for an app was 4.95, and that was for a very nice mp3 player.

Re:App permissions

[Em+Adespoton]

If you don't use Twitter/Facebook, you're obviously hiding something.

...and that's a Good Thing.

Re:App permissions

[SomePgmr]

And he'll make his $50 back when the libel suit happens. ;)

Re:App permissions

[TFAFalcon]

Yeah, he must be a serial killer or something.

Re:App permissions

You must not read the articles these journalists produce.

Re:App permissions

[Dahamma]

Unless it's a class action, in which case he'll get a $5 coupon towards purchase of another broken app and the lawyers will get the rest.

Re:App permissions

[farble1670]

Secondly, when one looks at the amounts of malware available for each platform it does become clear that the 'walled garden' does seem to have an affect on device security.

okay, so you are now admitting that there is malware on iOS? that's a big step. so, from now on, your argument is going to be that there's less malware on iOS?

Re:App permissions

[tftp]

/me borrows a journalist's hat: "We, journalists, are writers, not readers!"

Re:App permissions

[Entrope]

In this case, MAC = Mandatory Access Control, and the GP was right.

Re:App permissions

If I were one of these folks, I'd be considering legal counsel. Just saying.

Re:App permissions

[R3d+M3rcury]

However the browser is not a perfect interface. You need to scroll around, to zoom in, to zoom out... even a simple application that has only one input field and one output area will be a huge timesaver.

I can't speak for Japanese dictionary sites, but dictionary.com's mobile site is pretty straightforward--no pinching or zooming required.

Re:App permissions

This app cost 50$ and it was only when the user got an update, that the app insisted on getting Twitter credentials.

So, those of us without twitter accounts can't use this app? Bugger off.

Re:App permissions

[EGSonikku]

I've never argued there was none, only that there is far, far less. If you have numbers showing the contrary I'm all ears.

Re:App permissions

[EGSonikku]

In fact, when searching for articles on iOS malware this is what one finds:

http://www.mactrast.com/2012/11/report-android-gingerbread-most-malware-prone-mobile-os/

"much still remains to be done before Android users can sleep as soundly as iOS users do."

and:

http://www.forbes.com/sites/andygreenberg/2012/07/05/researchers-say-iphone-users-hit-with-app-stores-first-ever-spam-sending-app/

The first EVER spam app hit the iPhone just this year - and was very promptly removed from the App Store.

"Just as antivirus researchers congratulated Apple for keeping the iPhone free of nasty apps five full years after its release, spammers seem to have finally tarnished that spotless record."

So I think it's fair to say that while not perfect (and who is?) that iOS has really done a remarkable job keeping the malware off it's platform. Android has gotten better and I freely admit that, and it's a good thing. But it's definitely not up to snuff quite yet compared to the competition in that particular area.

Re:App permissions

[MrEdofCourse]

Or a pirate!

Re:App permissions

No such luck: https://twitter.com/tpb

Re:App permissions

pffft AS IF. I tweet every kill
saw another surfer ATE HIM DELICIOUS
- shark

Re:App permissions

[xaxa]

I visited China recently, and paid £10 or so for Pleco. Its great:handwriting recognition of Chinese characters, OCR using the camera, and many more plugins I haven't paid for. All offline, I'd have used £10 many times over in roaming fees with an online app or site.

An app that's "all in one" doing something similar could easily be worth $50.

Re:App permissions

[Lisias]

If you don't use Twitter/Facebook, you're obviously hiding something.

...and that's a Good Thing.

We like good things! Tell us, what are you hiding?

Heartily, your government.

Re:App permissions

[flyingfsck]

What is this Twitter/Facebook everyone is yammering about?

Re:App permissions

Isn't Apple supposed to disapprove apps like that?

The app as approved didn't do this, it started happening after a recent software update, and the updates don't go through the same review process. It's a loophole in the review/approval system.

Re:App permissions

[dolmen.fr]

Please get it correct. It isn't very hard to do and it's rather annoying.

Please don't get it wrong. It isn't very hard to do and it's rather annoying.
Thanks Entrope.

Re:App permissions

I don't use twitter or facebook, not trying to hid anything, just think their a waste of time.

Re:App permissions

[davotoula]

$50 for a dictionary app seems to be kind of silly.

It's not only a dictionary app... it's also a Twitter client!

Re:App permissions

Nonsense. Someone writing for a living won't be doing it on a portable device like a iThing. They'll be using a real keyboard on a decent sized screen. Having to pick up another device, use its clumsy interface for a work look up is far slowing than using a native, or online equivalent on the writer's machine.

Re:App permissions

That's an american problem. In the real world, grouped cases work very well.

Re:App permissions

[AmiMoJo]

What these articles about Android malware always fail to mention is that 99.9% of it requires you to tick the "Unknown sources" box and then agree to the warning message about it being your own responsibility to check what you install. IMHO if you did all that you have accepted that responsibility and should not expect Google to protect you.

The link you provided uses stats from Kaspersky. The people most likely to install an anti-virus product are the ones also installing lots of dodgy apps they download from warez forums. The results are worthless as a general indicator.

Google is pretty good at keeping Play clean of malicious apps. If you stick to Play, like most people do, you will be fine. That is the only fair comparison with iOS.

Re:App permissions

[SomeoneGotMyNick]

It's kind of like that post-login "Wall" you can write on when you do your daily dial-up into the "Old Geezer BBS" :)

Re:App permissions

No, "malware" for Android generally involves an app explicitly requesting user permissions to do various dodgy things and the user blindly clicking "yes, of course you can have my fine-grained GPS location, full internet access, and access to everything on my Google account, whatever, just install this Angry Birds clone already!"

There doesn't seem to be a software-based fix for this vulnerability at present.

Re:App permissions

[EGSonikku]

How is it not 'fair'? Android can't give users the side loading choice and at the same time claim 'its not our fault!'.

Re:App permissions

[quacking+duck]

Google is pretty good at keeping Play clean of malicious apps. If you stick to Play, like most people do, you will be fine. That is the only fair comparison with iOS.

No it is not.

Everyone makes a big deal about Android being more open than iOS, how it's not a walled garden, that you have the ability to install non-approved software. This openness and customizability is probably the #1 advantage people cite about Android over iOS, other than price and an ideological "it's not from Apple".

When comparing Android against iOS, you therefore MUST include software from outside Google's own walled garden, warts and all, otherwise stop using ability to install non-Google Play apps as an advantage because "most people don't use it". Anything else is Android fans trying to have their cake and eat it too.

Re:App permissions

I noticed one of these twitter posts from Teller (the silent half of Penn and Teller) earlier today. I assumed it was a joke that I didn't understand

You can spot it wasn't the real Teller, because none of *his* tweets contain more than 0 characters.

Re:App permissions

This app cost 50$ and it was only when the user got an update, that the app insisted on getting Twitter credentials. So he paid heavily for an app which subsequently sent out a dodgy update. Not a very nice practice.

While I agree the software publisher is a scumbag, people could just refuse the upgrade. I haven't used iOS, but I've refused multiple upgrades on Android that removed features or asked for unacceptable access.

Re:App permissions

[AmiMoJo]

No, the absolute essence of our point about side-loading is that it is available if you want that responsibility. If you don't then you are free to stick to Play, the walled garden.

Re:App permissions

[tftp]

Nonsense. Someone writing for a living won't be doing it on a portable device like a iThing

I guess you missed the entire "mobile revolution" thing, where it became hip to sit whole day at Starbucks and work (?) on your iDevice. Working at the office is so yesterday...

The proof of that is simple: the guy paid $50 for a dictionary application. Either he is a fool who buys things that he doesn't need, or he is not a fool - and that means that he is using the dictionary, therefore he is writing articles on his iDevice. (However unwise this may seem to be to us, graybeards :-)

Re:App permissions

[BasilBrush]

It's a licensed version of the Oxford English Dictionary. For British English that's considered the authoritative dictionary, so an academic might consider it worth paying. I don't think there is any free online access to OED definitions.

But a $50 app that has malware in it is adding insult to injury. They'll presumably be thrown out of the app store program, and face being sued by the end users. Big expensive mistake that.

Re:App permissions

[Em+Adespoton]

Thanks for reminding me... I need to update my .project file.

Re:App permissions

[mcgrew]

Loophole? No, it's a design flaw. Kind of like the antennas that people held wrong.

Re:App permissions

So in comparing Apple approved apps (and ignoring that 99% of users jailbreak and install unapproved apps)
vs
All Android apps

You find that Apple approved apps are safer.
Great!

Why not make it fair and compare Apple approved apps vs Google approved apps?
Or how about actual install apps? The presence of an Android malware doesn't mean every Android user goes out and installs it. OTOH the % of iFanBoys clicking "OMG I can't believe she did this" links...

Re:App permissions

I assumed it was a joke that I didn't understand

I'm more than willing to make a statement in court to the effect that I assumed he was admitting to performing illegal acts

'How about we all stop committing perjury? I promise to stop. I really will. #courtroomliarconfession.'

Re:App permissions

Security Researchers have been known to put overpriced apps in the app store to test the security systems of the app store in detecting trojan software. The overpricing is to prevent innocents from downloading their proof of concept. Perhaps they didn't price it high enough.

Legal liability

[Lisias]

This is character assassination.

You know that old joke about crying "FIRE" in a crowded theater? The bottom line is that you must be damn sure the place is really catching fire before doing that.

The software owner should be legally charged.

Re:Legal liability

[Intrepid+imaginaut]

I'd expect a few libel suits in lieu.

Re:Legal liability

Could you tell me the punchline to the old joke about frying FIRE? I think I missed that one.

Re:Legal liability

[flimflammer]

What major user group on Slashdot believes people should be allowed to sell bootleg software?

Cut out your bullshit.

Re:Legal liability

[VortexCortex]

You know that old joke about crying "FIRE" in a crowded theater?

Nope, does it have anything to do with assassinating the characters?
Maybe it's related to those horrible laws against little boys yelling "WOLF" in small villages... I mean, that's both Sexist and Ageist.

The software owner should be legally charged.

Hmm. So, you're proposing we prosecute the people who bought the software that's defaming them, legally (as opposed to charging them... figuratively)?
Isn't that a bit like yodeling "THEATER" in a crowded fire?

Re:Legal liability

[alantus]

The problem is not the software error, its the malicious intention of the developer by coding an app to humiliate the user behind his back with his friends whenever it thinks it was pirated.
Even if the piracy detection works, the intention is still there.
What's next? posting your private pictures to facebook? Sending your passwords to the developers?

Re:Legal liability

This is textbook libel. These people WILL be sued into the ground, and for good reason. This is exactly why the often-misused libel and slander laws exist to begin with.

Re:Legal liability

[The1stImmortal]

Copyright owners have been telling us for years that we dont own our software/music/movies, only a license to them...

Re:Legal liability

[Entrope]

Don't forget to include the almost equally textbook identity theft claims when filing the defamation action...

Re:Legal liability

[blade8086]

Go check all of the stupid comments (not mine of course) ha on:

http://yro.slashdot.org/story/12/11/13/2120215/in-mississippi-15-year-jail-sentence-for-selling-pirated-movies-and-music

Re:Legal liability

It's yelling "movie" in a crowded firehouse

Re:Legal liability

Exactly. This is illegal even if the app were pirated. Piracy is a matter for police, not for public shame; resorting to that is libel. Further, it is still identity fraud.

Re:Legal liability

[darkshadow88]

This is textbook libel.

Or rather dictionary libel.

Re:Legal liability

Legal textbooks, as derived from law books. Dictionary doesn't usually hold up in court, if there is a conflict.

Re:Legal liability

[Myopic]

Legally charged? To me "charged" implies "charged with a crime", but character assassination isn't a crime; it would be Libel (or Slander) which is a tort. It would be fun, though, if users sued the programmer -- and in my opinion, yes, he is liable. At a minimum he should apologize and refund the purchase price to all affected users.

Re:Legal liability

[Lisias]

Cultural differences.

Slandering is a "crime against the honor" in my country - it's hard to remember these details, but I'll try to remember it.

Thanks for the heads up.

Re:Legal liability

[FatLittleMonkey]

Or rather dictionary libel.

Not according to the dictionary app I have on my iPad.

Re:Legal liability

Ignore this post. I completely forgot the topic is a dictionary. Ha Ha good sir.

Re:Legal liability

Can there more to this than just Libel/Slander? I'm thinking along the lines of false advertising, selling items that do not function as intended, or something from the Computer Misuse Act?

"The first section in the Computer Misuse Act forbids a person to use someone else’s identification to access a computer, run a program or obtain any data, even if no personal gain is involved in such access....The second provision in the Computer Misuse Act is gaining access to a computer system in order to commit or facilitate a crime. You can’t use someone else’s system to send material that might be offensive or to start worms or viruses."

This is a program which gains the identification of the user and uses it for slander. It would be interesting to know if a licence agreement could get the company out that, and what laws around the world would apply?

Re:Legal liability

I just checked, and while I saw a lot of people disagreeing with the sentence that guy got, I saw few people saying that people should be allowed to sell bootleg software. Did you confuse the two things?

Economics

[YodasEvilTwin]

Regardless of whether piracy is right or wrong, people will always do it. It's an economic problem. Many people will stop if the price is low enough; for others, "free" in both senses is the only price low enough. This is reality, and it will never change. Creators and their associated industries need to get over it. There will never be a way to stop everyone, there will never be a way to catch everyone.

That said, it may also be good economics to implement DRM in some cases; you have to weigh the benefits against the costs. (This does not appear to be one of those instances; this company is fucked.)

Re:Economics

[sjames]

None of that is applicable here. The app is hijacking the users twitter credentials to falsely claim that they are pirates.

Even if I accept for the sake of argument that DRM is OK in general, I see two major ethical problems there.

Re:Economics

[RocketRabbit]

How do we know it is falsely claiming that the users are pirates? The guy in the link admits to using Installus which is an application specifically crafted for piracy. Maybe he pirated it, maybe he didn't, but who likes to admit to being a criminal even when busted red-handed?

Re:Economics

[tftp]

How do we know it is falsely claiming that the users are pirates?

Because at least one instance of a false positive is known. The guy has the receipt. Nothing else matters; the guy is not a pirate.

The guy in the link admits to using Installus which is an application specifically crafted for piracy.

How does that change the fact that the guy has paid his dues with regard to the dictionary? Even if he pirated all other applications - which he denies - this doesn't give the dictionary a right to accuse the owner of anything. Besides, the guy claims that he needed Installus for a legitimate purpose: " you can use it to go back to an older version of an app you legally own. This is otherwise impossible in iOS."

Re:Economics

Yes,e. The app is hijacking the users twitter credentials to falsely claim that they are pirates.

Re:Economics

[gnasher719]

How does that change the fact that the guy has paid his dues with regard to the dictionary? Even if he pirated all other applications - which he denies - this doesn't give the dictionary a right to accuse the owner of anything. Besides, the guy claims that he needed Installus for a legitimate purpose: " you can use it to go back to an older version of an app you legally own. This is otherwise impossible in iOS."

Difficult. Legally, it may very well be that if you have paid for a copy that you are not using, and then install another copy that you haven't paid for, it is copyright infringement even when no harm was done to the copyright owner. Not saying it is, but it might be. It may also be that paying for an app on the App Store gives you a license to install the app on several devices that you own, but not on a jailbroken device.

Clearly if the guy paid for the app, he is not a thief. On the other hand, the Slashdot mantra is "copyright infringement is not theft", and that mantra might now be biting him back: "No theft" doesn't imply "no copyright infringement" either.

Re:Economics

[tftp]

Legally, it may very well be that if you have paid for a copy that you are not using, and then install another copy that you haven't paid for, it is copyright infringement

We don't pay for copies. I struggle to recall when was that time when I had to pay $20 for a set of floppies with something... What we pay is a license to use a specific piece of software. That license covers earlier releases that the user was entitled to. Otherwise the license must contain specific words to that effect like "As soon as the next latest release becomes available you have 3 days to download it and upgrade, otherwise your license is null and void." I can't easily remember any such license. They are not used in iOS/Android world - or anywhere else - because the customer can always stay with the previous version and not upgrade in the first place. Even Microsoft doesn't care if you downloaded the bits of their OS off of Pirate Bay. They only care that you buy a license to run those bits. You can install service packs, remove service packs, install patches, remove patches - it all remains licensed forever.

This case also is special because the latest release was broken. It should never have been released; the developer caused harm to his customers by enticing them to upgrade to a nonfunctional product. This happens, and we don't run around and sue ISVs for that - we talk to them and try to find a solution. This guy did the same - he contacted the developer and, after the developer was unable to deliver, obtained the earlier version of the software that he was using just yesterday and downgraded. The developer was aware of the issues here, and that was the best solution for him as well - compared to being sued for breaking the product and not offering a repair procedure. (Even if the iOS developer writes a patch overnight, it still takes about 10-15 days for the Apple review process to complete. You cannot push the updates out faster than that. Emergency fixes? Ha, it's not Apple's problem.)

It may also be that paying for an app on the App Store gives you a license to install the app on several devices that you own, but not on a jailbroken device.

If so, this journalist is in a world of hurt, since he has so many applications installed (he is reviewing them!) Probably Apple can sue him for a billion dollars or something :-) I don't know the licensing terms either, since I don't have iDevices, but any court would look at the facts of the case - and the facts are that the user paid for use of his software. Limiting licensing to non-jailbroken devices may be even illegal in itself (constraint on trade?) If you license my software I cannot put in the license that you may use it only while listening to Metallica; and I cannot tell you that you may run my software only on computers made by Dell. Copyright violation is illegal; but if you jailbreak your device to sideload an application that I compiled and gave you bypassing the Apple store, then the government has nothing to say here - it is legal. Apple may not like that, but their likes and dislikes are not the law; at best they are a contract, and Apple can ban jailbroken devices from Apple store. Go ahead, Apple, do that and see the feathers fly.

Re:Economics

Forget the theft aspect then. What reason do we have, to believe the guy infringed copyright? We have the software attestation that he did, but no other evidence that he did. We have the user's attestation that he didn't. We don't know what arguments the software has to back up its assertion (it offers none), but the user has a powerful argument (receipt) to back up his.

All indicators point to the most likely scenario being that no copyright infringement took place.

Libel

I would sue the app author for libel because thats exactly what it is.

That's all fine and dandy...

[DewDude]

...till you get a phone that for whatever reason refuses to post tweets. Go ahead apps; try to post a tweet to my account....I can't even tweet from my phone.

Re:Who would pay $50 for an iOS App?

[EGSonikku]

Flamebait much? People pay far more than that for desktop apps. People tend to think that an iOS iPhone or iPad app is going to always be some simple thing, and a lot are. But there are plenty of higher end "desktop quality" apps available on the platform.

Granted I don't personally believe a Dictionary app would be, but hey, an app is worth what people are willing to pay.

Back to the topic of what's triggering these erroneous piracy messages, there could be a couple of things at play. Some people are reporting its happening on Jailbroken devices that also have the "Install0us" app installed, which is to be fair used solely for app pirating. It may be the app sees "Hey, I'm on a hacked device with a pirate store installed" and assuming it itself has been pirated for that reason.

However, other users are reporting the same issue on non-jailbroken devices which leads me to believe that these apps were targeted for iOS 5.1.1 and may be seeing the massive backend library and OS changes Apple made for iOS6 and incorrectly assuming its running on a Jailbroken devices due to unexpected OS differences.

I'm not defending the app maker for obviously going overboard on anti-piracy measures, just trying to figure out the 'why' of it being triggered for paying customers.

Boycott app stores

[KiloByte]

There's a simple solution: never install programs from an untrusted source, such as an app store. A source that's trustworthy has the sources you can download and read -- and if any such a logic bomb is found, it can be removed immediately -- not that code with such a bomb should be really allowed back without a thorough review. This possibility makes such sabotage virtually absent in free software.

Re:Boycott app stores

[pclminion]

So, if you were reviewing the code for an app and found some sneaky logic, you'd just remove it and proceed to use the app anyway?

You think the person who put one thing like that in there, didn't also put ten things like that? And you think you're smart enough to be able to recognize them all? I think that's insanely reckless.

Re:Boycott app stores

[KiloByte]

In that case, I'd avoid the app in question like a plague. What I meant are projects with many commiters, only one of whom is bad. And even then, such review can be really hard.

Re:Boycott app stores

http://notanumber.net/archives/54/underhanded-c-the-leaky-redaction

Evil code can look completely simple and benign. You would never catch this kind of shit reviewing an app's source code. At some point, you just have to trust the developer.

Re:Boycott app stores

[Em+Adespoton]

There's a simple solution: never install programs from an untrusted source, such as an app store. A source that's trustworthy has the sources you can download and read -- and if any such a logic bomb is found, it can be removed immediately -- not that code with such a bomb should be really allowed back without a thorough review. This possibility makes such sabotage virtually absent in free software.

This is a SIMPLE solution? You're going to get some bare hardware, pressure the manufacturers of the hardware components for the source and flashing tools for the firmware (so that you can personally code review the firmware prior to flashing). Of course, you also have to bootstrap your flashing tool to ensure it's not injecting something. Next, you have to do a full code review of the OS you dump onto the device, with only people you trust doing the review. When that's done, you start in on the apps themselves.

By the time you're done, it's 5 years later, and everything you're running is woefully obsolete and incompatible with what all the "good enough" users are using.

You have to trust people to some degree just to get things done. Openness of code is nice, but you still have to trust the reviewers and the review process (and that what got reviewed is actually what gets installed).

Re:Boycott app stores

[KiloByte]

Debian is ------> that way. Go use it.

Android without a malicious telco is not outright bad. There's typically a bootloader and some minor parts that can't be reviewed, though -- and the phone really needs to be rooted and reloaded with some known-good build.

I'm not paranoid, but trusting people is good only if they have some incentive to be trustworthy. A closed app on the other hand gives them no benefits for being honest and plenty of opportunities to try to make additional dime at your cost.

Re:Boycott app stores

[VortexCortex]

So, if you were reviewing the code for an app and found some sneaky logic, you'd just remove it and proceed to use the app anyway?

Yes. We wouldn't have had Unix without its C compiler...

FTJF

Historically, back doors have often lurked in systems longer than anyone expected or planned, and a few have become widely known. Ken Thompson's 1983 Turing Award lecture to the ACM admitted the existence of a back door in early Unix versions that may have qualified as the most fiendishly clever security hack of all time. In this scheme, the C compiler contained code that would recognize when the login command was being recompiled and insert some code recognizing a password chosen by Thompson, giving him entry to the system whether or not an account had been created for him.

Normally such a back door could be removed by removing it from the source code for the compiler and recompiling the compiler. But to recompile the compiler, you have to use the compiler — so Thompson also arranged that the compiler would recognize when it was compiling a version of itself, and insert into the recompiled compiler the code to insert into the recompiled login the code to allow Thompson entry — and, of course, the code to recognize itself and do the whole thing again the next time around! And having done this once, he was then able to recompile the compiler from the original sources; the hack perpetuated itself invisibly, leaving the back door in place and active but with no trace in the sources.

The Turing lecture that reported this truly moby hack was later published as “Reflections on Trusting Trust”, Communications of the ACM 27, 8 (August 1984), pp. 761--763 (text available at http://www.acm.org/classics/).

You see, the behavior of which you speak is in the very definition of "back door". With the source code available, it's actually possible to compare the expected compiled binary to the resulting binary. If you're talking about some cleverly hidden in plain sight vulnerability we just call those "bugs", and carry on. Deliberate bug infested additions rarely persist beyond refactoring and further contributions. Eg: Only about 2% of Linus' original code remains in the Linux kernel due to code churn. Not that I suspect such foul play, but it would be pretty hard to coordinate a persistent threat in open source code unless the code rarely changes.

Re:Boycott app stores

[Splab]

Really? So you have sat down and read through every single line of code in everything you use? Or are you just believing some creature out there is doing that for you and hoping to god they spot the problems?

Re:Boycott app stores

Normally such a back door could be removed by removing it from the source code for the compiler and recompiling the compiler. But to recompile the compiler, you have to use the compiler

A compiler, not the.
Further, the compiler should yield the same result when compiling itself independent on which compiler the self-compiling compiler has been compiled with. Thus if you have another third party compiler you can bust this behaviour.

Re:Boycott app stores

[Em+Adespoton]

Debian is ------> that way. Go use it.

Android without a malicious telco is not outright bad. There's typically a bootloader and some minor parts that can't be reviewed, though -- and the phone really needs to be rooted and reloaded with some known-good build.

I'm not paranoid, but trusting people is good only if they have some incentive to be trustworthy. A closed app on the other hand gives them no benefits for being honest and plenty of opportunities to try to make additional dime at your cost.

I thought this was the way you were going.
For servers, Debian is the only Linux I'll use. I've even installed it on a Palm TX with a modified input library so that I knew exactly what was going on underneath. I've personally reviewed a LOT of the core Debian code, and compiled it myself to ensure there were no shady linkers etc.

But when you get into the commodity market, this doesn't fly. Android has enough closed bits that you can't trust it -- and the hardware that Android runs on is inherently untrustable. You can always set it behind a firewall and do packet inspection for WiFi operation, to protect against data exfiltration -- but good luck firewalling the cellular signal for data analysis.

So, you need to figure out what's "good enough". What data are you OK with leaking? What data are you OK with not trusting?

Closed apps have incentive to be trustworthy, because they're a black box with I/O. If the I/O doesn't line up, the product's going to be dropped, and ALL the black boxes made by that company will be untrusted, unlike open source where if there's something slipped in, it will be fixed, but the rest of the code is still generally trusted. Because of this, it is in a closed source vendor's best interests not to slip things in that may be found out. This means that they'll likely slip in a few bugs, some stolen code, a hacky shortcut or two, but all it takes is one vendor in the space to pull one fast one and be found out, and nobody's going to do that anymore.

This falls down with things like, say, the Android Marketplace, where anyone can set up as many "companies" as they want. If one gets found out doing something dodgy, they close down the "company" and keep going with the others. It's the ultimate shell game for information.

This is why I like compiling code and using "jailbroken" devices. But this isn't going to work for anyone who can't do their own code review, therefore it's not a simple solution.

Regardless...

[klingers48]

...Of whether or not the user has pirated the software, this kind of name-and-shame digital vigilantism on the part of the software author is just playing with fire. Especially (but not only) when it's shoddily coded and hitting false positives.

I can imagine them sitting around their dev table brainstorming "Ok guys, what's the best possible way we can open the company up to libel and defamation lawsuits? Hey, I know... Let's even give people who use and rely on Twitter as a business tool an opportunity to claim commercial losses against us as a result of an automated piracy accusation going out to their X-million followers!"

Sometimes things just aren't thought through very well...

Misrepresentation

The app is posting a tweet purporting to come form the user, whereas it actually comes form the app's author. As the app's message is implying that the user is violating copyrights, a crime, this is defamatory, so the author of the app is libelling the user. The user isn't a public figure, so doesn't have to prove malice on the part of the app's author. As I see it, the only defence for the app's author would be to prove that the user did illegally copy software.

Re:Misrepresentation

[tftp]

As I see it, the only defence for the app's author would be to prove that the user did illegally copy software.

It wouldn't be even nearly enough. For example, an ISV cannot set fire to your house upon detection of unauthorized use. There is a specific limit to what software developers may do when they have a good reason to suspect piracy. Have a look at Microsoft's solution - MS had enough lawyers thrown at the problem, so what MS did is basically the maximum of what is legal and safe.

In this case the software developer committed several crimes. And those crimes do not even PREVENT the piracy! What would prevent it? Simple: just don't run the software! Or run it in demo mode. Good solutions are numerous.

One good advice that got overlooked here is this: always maintain good communication. Talk to the user. Let the user always know what is happening. Let the user make his decisions. In this case the software bypassed the communication phase and decided to become not only the detective, but also the judge, the jury and the executioner. Note that only a judge can order a convicted offender to publicly humiliate themselves. This rarely happens, but such sentencing does occur now and then - usually as an offer that can be refused (if you like the inside of a prison more, for example.) This software took upon itself the right that rare a human is entrusted with.

Re:Misrepresentation

As I see it, the only defence for the app's author would be to prove that the user did illegally copy software

In most parts of the world, truth is not an absolute defense against defamation, I believe that only applies in the US. So even if they were pirating some app (the tweet doesn't identify which software is pirated), the vendor is still liable.

Re:Misrepresentation

[Psyborgue]

In many western countries truth is an absolute defense. Where the US is unique is in the public figure doctrine (you need to prove actual malice as well as falsity when you're a public figure plaintiff). Also the onus is reversed in the US. The defendant is not automatically considered to be "guilty". It's up to the plaintiff to prove the defendant made a false statement of fact.

The company's name is Enfor. Ask for a refund.

Seriously, would it be so hard to include that in the article?

The company you want to avoid from now on is called "Enfor", and they deserve to have this bullshit rubbed in their face. If you want to sock 'em in the gut, email Apple and explain to them what happened after you legitimately purchased the app, and ask for a refund. I'm sure this is breaking one of their SDK rules somewhere, but even if it isn't- they have a walled garden to protect legitimate users from this kind of crap. When stuff like this gets past them, it makes Apple look bad as well as the company who wrote it.

So email Apple and tell them how you feel about this betrayal of trust. Tell them the app has publicly humiliated/embarrassed you, that you want a refund, and that this whole situation has shaken your confidence in Apple's walled garden. If enough people do this, Apple will turn around and tear a strip off Enfor- either by freely issuing refunds to anyone who asks for it, or by taking down the offending apps (goodbye sales!), or by banning the developer.

Re:The company's name is Enfor. Ask for a refund.

[flimflammer]

It is included in the ars article.

Re:The company's name is Enfor. Ask for a refund.

[Sponge+Bath]

The companies name is Enfour, not Enfor. Enfor Consultants (www.enfor.com) is a different company.

Re:The company's name is Enfor. Ask for a refund.

Jumps aboard the outrage bus, goes to the wrong destination.

Re:The company's name is Enfor. Ask for a refund.

Whoopee does that make it another case of libel?

Re:The company's name is Enfor. Ask for a refund.

[quacking+duck]

Libeling (even if accidentally) the wrong company, while commenting on the actual company accidentally libeling their own users. My irony meter just exploded.

Apple failing at protecting software developers

[bhlowe]

Apple should provide anti-piracy protection to its developers. It could--it is a walled garden and each device has a unique ID... but chooses not to.. Most developers don't make a penny selling iOS software... Apple should take as many steps as possible to encourage a healthy marketplace for quality developers. Ideas such as waiving the $99/year fee for apps that good but not yet profitable would be a start.. And re-vamping the app store to make it easier to find software would be another good first step.

Same way Apple should brick stolen phones.. But AFAIK, doesn't.

Re:Apple failing at protecting software developers

If you can't spend $99/year to get access to the app store, you honestly shouldn't be in this business.

Re:Apple failing at protecting software developers

[Kyusaku+Natsume]

Only if the device can be jailbroken you can use pirated software in it. If you are using the most recent version of the OS at this time you simply can't do it, what more do you expect them to do? All the jailbreaks are basically methods to break the security model of the OS.

Re:Apple failing at protecting software developers

[Rob_Bryerton]

Google should provide anti-piracy protection to its developers. It could--it is a walled garden and each device has a unique ID... but chooses not to.. Most developers don't make a penny selling Android software... Google should take as many steps as possible to encourage a healthy marketplace for quality developers. Ideas such as paying devs a $99/year cash prize for apps that good but not yet profitable would be a start.. And re-vamping the app store to make it easier to find software would be another good first step.

Same way Google should brick stolen phones.. But AFAIK, doesn't.

Re:Apple failing at protecting software developers

Android isn't a "walled garden"; that's the main appeal of the platform for most of the people here.

Re:Apple failing at protecting software developers

[bhlowe]

There are many talented programmers (kids, foreigners, unemployed) where $99/year is not insignificant.. Apple has a pretty sweet deal--they're collecting $99/year from tens of thousands of developers who give their products away on the Apple store or are unable to sell their products for 70 cents because they're lost in the sea of other apps. Apple could get a tiny bit of good will by giving free code certs to developers who have products with good ratings in the store. Apple has a trillion dollar market cap and is swimming in money and the app store developers are often working for slave wages.

Re:Apple failing at protecting software developers

[tlhIngan]

Apple should provide anti-piracy protection to its developers. It could--it is a walled garden and each device has a unique ID... but chooses not to.. Most developers don't make a penny selling iOS software... Apple should take as many steps as possible to encourage a healthy marketplace for quality developers. Ideas such as waiving the $99/year fee for apps that good but not yet profitable would be a start.. And re-vamping the app store to make it easier to find software would be another good first step.
  Same way Apple should brick stolen phones.. But AFAIK, doesn't.

And Apple does. Unlike Android (pre-4.1 versions, anyhow), all IPAs contain encrypted blocks that cause the app to crash if they're installed without the proper unlock key (your Apple ID). And the OS doesn't allow unsigned binaries to run. The OS loader decrypts the encrypted portions on application loading (at no time is it unencrypted in nonvolatile storage).

And developers were abusing the unique ID for other things that led to Apple cracking down for privacy purposes. Though UUID is a poor way to do it as the license is I think 5 iOS devices the user owns (iPhones, iPod Touches, iPads). Not per device - so multiple installations and executions are possible.

As for developers - well, they still need to market their apps. It's not a case of put-it-up-and-they-will-buy-it. Never has, never will be. And there is no instance where that happens in real life - even open-source has to have some marketing. Linus' post on Linux 0.1 is an obvious example of marketing. Because how else are users supposed to know about apps? They can search, but then you're relying on need to drive sales (a very poor marketing model because users don't know what they need and may search for something completely tangential to your app).

As for the $99 - there are many developers who make money outside of the App Store. Should Amazon get the $99 waived because the Kindle app made $0? And really - is price of entry that huge a factor? After all, you need a Mac, and the cheapest starts at $600. If $99 is too much, perhaps it's time to rethink priorities. Plus, not all apps are worthy of the price charged - there's enough crap in the App Store. (Just like everywhere else - indie music, indie movies, indie games, etc., there's huge pile of crap out there, with very few "making it").

As for finding apps - well, guess what. Apple bought Chomp, an app search engine (which has promptly killed their Android side - funny how Chomp's search engine was considered better than Google's for searching apps). It's an inherently hard problem because searching is need-based - you need an app to do X, but users have ill-defined needs.

Re:Apple failing at protecting software developers

[david_thornley]

Back in the 1990s, decent compilers for Mac and Windows frequently cost over $99, and there's been inflation since then. (Alternatively, price a non-Express version of Visual Studio.) For iOS, assuming you have a Mac with a recent enough OS, all the development tools are free, no matter who you are. You only need to spend $99 if you want to put it in the App Store, or on an actual device. If you're doing it for your own use, you've obviously got a Mac and an iDevice, and already have enough invested in this so that $99 shouldn't be all that burdensome. If you have an app with good ratings in the store, you can find some way to monetize that to cover the $99/year. If you can sell a dozen $0.99 premium apps in a month, you've paid for your license.

As for slave wages, that's how it's always been in self-employed creative fields. (If you're not self-employed, you either get better than slave wages or you walk.) People flood into those fields because they look fun and because they overestimate their own abilities. The majority of actors work for slave wages, and rely on a day job to pay the bills. Most fiction writers can't make enough to quit the day job. Heck, look at baseball players - for each one making big bucks there are several making lousy money and riding around in uncomfortable buses - and that's the successful ones. It's possible to make gobs of money in creative fields, but the vast majority don't.

Re:Who would pay $50 for an iOS App?

So you want to see $700 software on an iPad before you'll believe there could be software worth $50t?

Applications were called apps by a lot of people before the iPhone even existed.

Points aren't generally proven, they're supported or contradicted.

The only thing you accomplished was getting me to respond to a troll. Congrats, go out and celebrate.

I wouldn't of paid $50 for the app

[Nyder]

and everyone that knows me knows I pirate software, music, movies, whatever. In fact, I'm the go to guy.

See, I tell people I pirate software, so no, the app wouldn't bother me.

But it goes to show, the only people that buy dvd/bluray's are the ones who get hit with DRM and warnings about copyright, because I sure as fuck don't get those when I download pirated versions.

You buy goods because you like the abuse. I pirate the goods because I don't like to be abused.

Re:I wouldn't of paid $50 for the app

That's some truly twisted logic there. I don't condemn you for piracy but I do think you're full of shit about why you do it. I know why I do it......because I can.

Re:I wouldn't of paid $50 for the app

Having been to your blog, I'd address your virginity first, then your strange twisted moral compass next.

Re:I wouldn't of paid $50 for the app

"I know why I do it.... because I can."

  When you assume that other people just have to have the same motivations and though processes as you do, it is called projection.

Re:I wouldn't of paid $50 for the app

Then don't pirate the next ten things you normally would have and see all the crap you'll have to put up with the 'good' versions of whatever it is you're getting.

Re:I wouldn't of paid $50 for the app

I wouldn't of paid $50 for the app

Perhaps you should have considered paying $50 for an English grammar app.

Re:I wouldn't of paid $50 for the app

[lxs]

I suffer from this! I like breathing, so I assume everybody else likes breathing too. Luckily it's all in my mind.

Re:I wouldn't of paid $50 for the app

[mumblestheclown]

No, you pirate becaus you dont like paying for things. The rest is pseudophilosophical rationalizaton.

Do the right thing

I would "do the right thing" and sue the shit out of the app developer for libel as well as Apple for allowing such trash inside their "walled garden".

Re:Looks like it might have been pirated after all

[flimflammer]

Except that he explained the reasoning for having Installous on a jailbroken phone, and others have rung in saying that Installous isn't what's flagging it, or the only reason.

/me is a lame software pirate

/me is a lame software pirate

Libel

The user of the app should sue the developer for Libel.

I'd sue them

[JustNiz]

I'd sue them for personal defamation and, If I operated in any business capacity, damages to my corporate/professional image.

Re:Who would pay $50 for an iOS App?

[_merlin]

When I'm in a country where I have severely limited vocabulary in the local language, a good dictionary application is one of those can't-live-without things that I actually do depend on for getting by. I haven't seen how good this application is/isn't, but I'd pay more than $50 for a great dictionary app. Also, a mobile version is more valuable than a desktop version. I know from experience what it's like pulling a notebook computer out of a bag when I get stuck trying to read a sign or communicate with a stranger. I'll give you a hint: it's not as practical as pulling a phone out of your pocket.

Re:Looks like it might have been pirated after all

[squiggleslash]

Well, he gave a rationale so you're apparently wrong. And nobody suggested that Installous was required for jailbreaking, so why mention that?

Apple's nonexistent App Store "approval" process

For all the high-and-mighty talk Apple bandies about regarding how carefully they analyze every app before approving it to be posted in the App Store, there sure are a lot of iOS Apps that do shady stuff like this.

The pirated version doesn't do that

[sgt+scrub]

I'm finding more frequently the reason people use a pirated version is to avoid this type of stuff. I'd be willing to bet only 25% of their customer base knows that. I'd also be willing to bet future customers are going to think twice about paying.

Why did Enfour do it? "Only 25% of our apps in use are legitimate copies. Piracy is threatening the survival of all independent devs," she wrote.

Re:The pirated version doesn't do that

[gl4ss]

25% is a ridiculously good rate. they should have just been happy with that. greedy fucks.

Enfour, Inc Oxford Deluxe dictionary app devoloper

[Stan92057]

There that's who they are! so claims the article.Don't buy their products and send them alot of pissed off customer emails. Let em know how ya feel.

Re:Looks like it might have been pirated after all

[c0lo]

The author of the article admits to using Installous, which is a program for installing pirated iOS applications.

And a hammer can be used to crack skulls as well as for any problem that looks like a nail. Should we shame the hammer users?
(my point: don't blame a tool, because a tool is a tool)

When Scanner Pro, which I also legally own, introduced a bug in the app that made the app stop working completely on my device. Installous lets you browse a list of available pirated versions of the app, which also means you can use it to go back to an older version of an app you legally own.

Re:Looks like it might have been pirated after all

[c0lo]

Except that he explained the reasoning for having Installous on a jailbroken phone, and others have rung in saying that Installous isn't what's flagging it, or the only reason.

There is no rational for having installous on a jailbroken phone other that to install pirated apps.

TFA:

When Scanner Pro, which I also legally own, introduced a bug in the app that made the app stop working completely on my device. Installous lets you browse a list of available pirated versions of the app, which also means you can use it to go back to an older version of an app you legally own.

Does the above says something about your rational abilities? Naaahh... a simpler explanation exists: who the hell bother to actually RTFA?

Should be illegal

[nurb432]

Doing crap like that should be illegal.

The 'author' should be taken out back and flogged for it.

Re:Should be illegal

[shutdown+-p+now]

It is illegal. It's libel. And I do hope someone sues them.

Re:Should be illegal

[nurb432]

I wasnt even talking about the libel part, just the very idea that it would do something like this should deserve a trip to jail.

You want to prevent piracy, fine, you disable the product. Nothing more.

I remember one company back in the 80's that would destroy your data if it detected it was 'pirated'. That didnt go over well once discovered, and they are no longer in business.

Re:Should be illegal

[shutdown+-p+now]

But it is pretty much the libel part that's objectionable here. And impersonation. Possibly, fraud in advertising. And probably a dozen other offenses for which we already have laws on the books.

Similarly, your situation with destroying data - that's material damage, also obviously illegal, and laws are also available to pursue it.

Re:Looks like it might have been pirated after all

<advocate client="devil">
Note that he does not "legally own" Scanner Pro as he claims, rather he holds a license which permits him to use it under certain conditions. I rather doubt those conditions include "download old versions from piracy apps", so he surely is using it precisely to violate copyright, or in the common parlance, "to install pirated apps", despite the apps not having been taken by force on the high seas.</advocate>

Copyright law: it's hilariously busted, but let's fix or eliminate it rather than making excuses for violating it.

Approved Malware

[Dan+East]

I've been rather surprised at the porousness of Apple's walled garden. My iPad is 100% stock (not jailbroken, etc), and all of the apps came directly from the app store. A couple weeks ago I noticed some odd files in my dropbox root folder. There were two executables - one for Windows (Xbox 360 MSP Generator.exe.), one for OSX (IGenerate 6.7) - both for generating "free" XBox points. Fortunately Dropbox allows you to (via their web interface only) view the versions and history of files. Both those files came from my iPad. Then last week it happened again with just a windows executable (iLividSetup.exe), also from my iPad.

So some iOS app is interacting with the Dropbox app in some way (either via API or just throwing files into a folder that Dropbox must have all permissions open on). I have yet to determine which app it is. I only use 6 or 7 apps regularly, so I'm pretty sure it's not any of those, and I have yet to do a more systematic check on the other dozens of odd lesser used apps. The moral of the story is that these app stores are not foolproof by any means, and malware is still being approved, even if the attack vector is novel, dependent on a 3rd party app (dropbox) and is cross-platform.

Anyone else see this behavior in their Dropbox files?

Re:Approved Malware

[Inda]

Google says a metric tonne of people are having the same issue.

Looks like malware, sounds like malware, is malware.

Re:Approved Malware

[mybecq]

So some iOS app is interacting with the Dropbox app in some way (either via API or just throwing files into a folder that Dropbox must have all permissions open on).

Most likely they're using Dropbox's iOS SDK. That would have required you to give permission however.

Check Dropbox's My Apps to see if any 3rd party apps have access.

Re:Approved Malware

[DNS-and-BIND]

Heh [tm]. I bought an HTC phone from a grey-market dealer in China (Chinese domestic phones are hardware crippled by gov't) and used the stock ROM for several months. I knew custom ROMs existed, but didn't want to fuck with my phone as the stock ROM seemed OK, and I had previously bricked my Windows phone by applying ROMs from xda-developers (bootloader was corrupted at some point - brick). I began to notice that weird Chinese icons were appearing on my shortcuts. Huh. After I installed an unrelated app - which for some reason includes application update/install/uninstall history - I noticed that apps were being downloaded over 3G (not wireless) in the dead of night and installed. I'd uninstall them, but who knows what they were doing in the meantime? I eventually installed Cyanogen and the mysterious behavior went away. So, yaknow, maybe walled garden means nothing when the phone is pre-rooted by powers beyond your control. Yeah, Android isn't walled garden - but I intentionally never installed anything that wasn't from the official Market, never less than 100,000 downloads, and never rooted my phone.

Re:Approved Malware

[Dan+East]

Thank you. The mystery deepens further. I only have one app listed for Dropbox access:

App name: PDFReader Dropbox Uploader
Publisher: Kdan Mobile
Access type: Full Dropbox

When I click on Kdan mobile it's a 404. I triple checked my app history, and I have never installed that, or any other, PDF reader on my device. I've never needed to. I also have never given any access to dropbox for an app. Perhaps that is just a sham app the malware claims to be when getting access to dropbox?

Re:Approved Malware

[mybecq]

A few possibilities:
1. It is possible that another app is using the PDFReader's secret key, etc. It would still have to have given permission to the app.
2. Someone else installed it on your iPad using their own App Store credentials, gave permission, then uninstalled the app.
3. Dropbox has some other API issue that allows files to be uploaded somehow...
4. Any combination of the above.

I guess you'll see if the mystery uploads cease when you revoke the Dropbox access PDFReader has.

Re:Approved Malware

[Dan+East]

It's not #2, because the app store shows all apps I've ever installed, and that can't be cleared.

Re:Looks like it might have been pirated after all

[c0lo]

<advocate client="devil"> Note that he does not "legally own" Scanner Pro as he claims, rather he holds a license which permits him to use it under certain conditions. I rather doubt those conditions include "download old versions from piracy apps", so he surely is using it precisely to violate copyright, or in the common parlance, "to install pirated apps", despite the apps not having been taken by force on the high seas.</advocate>

Copyright law: it's hilariously busted, but let's fix or eliminate it rather than making excuses for violating it.

<advocate client="devil"> I wouldn't be that sure he's using it precisely in the sense of copyright violation, his description of the problem admits a situation in which he actually has a license for a version that, upon upgrade, failed to work.
If indeed this is his situation, he has a license to use the application (perhaps even in its newer version, otherwise why try to upgrade?), but the application fails to be usable in his conditions. In which case, what he is doing is not illegal and maybe more pragmatical (than suing the provider for the lack of use).</advocate>

Maybe it pays to first look at (/get to know) the specifics of a situation before spitting blood in a fight with windmills.
Granted, addressing the sickness at the source is the actual solution (anything else being palliative) - even though the big but is if you can afford it.

Re:Who would pay $50 for an iOS App?

[MrEdofCourse]

" the "Install0us" app installed, which is to be fair used solely for app pirating."

No it's not.

It's also one of the easiest (and in some cases only) way you can revert to previous versions of apps. I don't pirate apps on iOS, and I rarely have a use for Install0us, but a couple of times it's saved me when a newer version of an app was unusable and Install0us was the only way to get a previous version re-installed and running again.

In the spirit of being fair though, ya, it's mostly for pirating, but I wouldn't jump to the definitive conclusion that someone who has it on their iOS devices is pirating apps.

huh

between piracy and this kind of behavior.... i gotta choose piracy. Because this kind of douchebaggery is fairly high on the scale.

That'll teach you to pay for apps huh. lol

If this were to happen to me. . .

[kimvette]

I'd forgive them if they were to compensate me financially for libel, defamation of character, and unauthorized access to a computer device or service.

Re:If this were to happen to me. . .

[Kyusaku+Natsume]

If I were in this company's shoes I would negotiate with Apple a way to offer at least a partial refund to my customers. That would be a sincere apology.

Re:Who would pay $50 for an iOS App?

[EGSonikku]

Well certainly not everyone but I'd be comfortable saying 99%+.

Again, I'm not saying this developer is in the right at all, just that I can see where they are coming from, even of they certainly fucked up in this case.

Re:Who would pay $50 for an iOS App?

[ArhcAngel]

This is a much better example than Photoshop. What's hilarious is the Vuvuzela app is $200 but the same company offers their universal translator app for $5.99

Sounds Legit

[MacGyver2210]

I would be fine with this. It would at least save me the trouble of announcing all the pirated software I'm using as I usually do. All apps should have this.

Pirate and Proud.

Re:Who would pay $50 for an iOS App?

[RulerOf]

Its function truly is piracy, but it has a lot of utility in legitimate scenarios.

That said, it's on my phone so that I can downgrade, and so that I can try apps that don't have a free version. I've wasted too much money on apps that I literally had to buy before figuring out they don't work right or don't fit the bill for what I want.

Returns on iOS are non-trivial.

FIRE in a theater is not a joke

That claim, isn't a joke, it's a phrase used to justify the ending of freedom of speech.

As if *shouting* fire is the same as speaking it.
As if shouting fire would actually cause everyone to believe there is a fire, even as they can see there is no evidence of a fire and that you have no special knowledge or insight, and anyway the fire alarm bell isn't ringing.
As if shouting (or crying as you put it) isn't the real problem there, you could shout "bananas" and it would be equally a nuisance that would get you thrown out.

Yet its used to suppress free speech.

Feel free to speak 'fire' to your girlfriend in the cinema, but not too loudly or you'll disturb other people watching the movie. You do after all have free speech, whatever that bitch Jacqui Smith might think.

Re:FIRE in a theater is not a joke

[Lisias]

+ informative, please.

Thanks for the correction, I was bit by my mother tongue - I made a literal translation without further thinking.

Re:FIRE in a theater is not a joke

Please mod up, informative. Absolutely on target. The fire/theater thing was BS designed to make us think we don't actually have free speech depending on if it could cause trouble. The actual first amendment is quite clear in it's intent.

I for one am not even slightly surprised

[Crypto+Gnome]

The common thread you see in many cases of software or content which are heavy on the anti-piracy (advocacy, DRM, etc) is that they (er, the organisation responsible) have no integrity, no shame, and are mostly hypocrites.

Not absolutely every one of them, but near enough that to say otherwise is nothing more than legal nit-picking.

Seriously folks, when will Big Business (and even some small ones) stop thinking that ALL their customers are a bunch of ratbags, when will they stop thinking that THE UNIVERSE owes them a GUARANTEED profit FOR EVER?

Maybe I'm just not young anymore, but I remember a time when a product gave value-for-money, customers paid gladly, and businesses were pleasant about the whole experience.

Nowadays, when I go to The Cinema (yeah, I still do occasionally) I spend 30 minutes watching advertisements (seriously!) and his is only a 90 minute movie. AND there'll be AT LEAST 2 advertisements telling me I should be ashamed of myself for being such a filthy pirate (seriously, format-shifting is illegal, time-shifting is illegal, and FOR FUXAKE what d'you mean I LITERALLY cannot buy that content in this country - and NOT for legal-reasons, just because YOUR'E A RETARDED MONKEY).

Really RIAA/MPAA (and friends) you deliberately go out of your way to make it legally impossible for me to purchase the content, yet you also want to whine about people who violate your copyright?

I'm NOT going to say such obvious things as "can't have your cake and eat it too" but rather SHADDUP AND TAKE MY MONEY ALREADY.

Re:Who would pay $50 for an iOS App?

I'm not sure I follow : As for as I know, people choose to install apps ( they don't install themselves ).
So why would anyone install an app which posts tweets about piracy ? Seems like a pretty lame feature.

If the purpose of the app is something else, then you are paying for a 'feature' you don't want.

Re:Who would pay $50 for an iOS App?

[Stolpskott]

A very quick search (quicker than responding to your post) has turned up a list of 15 apps in the range of $150 to $999.99, none of which is Photoshop but all of which are worth the purchase price to the user who is really REALLY going to use any of those apps.

Re:Looks like it might have been pirated after all

<advocate client="devil">
Note that he does not "legally own" Scanner Pro as he claims, rather he holds a license which permits him to use it under certain conditions. I rather doubt those conditions include "download old versions from piracy apps", so he surely is using it precisely to violate copyright, or in the common parlance, "to install pirated apps", despite the apps not having been taken by force on the high seas.</advocate>

Copyright law: it's hilariously busted, but let's fix or eliminate it rather than making excuses for violating it.

<advocate client="devil"> I wouldn't be that sure he's using it precisely in the sense of copyright violation, his description of the problem admits a situation in which he actually has a license for a version that, upon upgrade, failed to work.

If indeed this is his situation, he has a license to use the application (perhaps even in its newer version, otherwise why try to upgrade?), but the application fails to be usable in his conditions. In which case, what he is doing is not illegal and maybe more pragmatical (than suing the provider for the lack of use).

Sorry, no. Not legal, unless the license specifically permits it -- despite how obviously it should be legal. Copying is bad unless authorized by the rightsholder, and they won't authorize you to get replacements anywhere but the app store. Hell, they use the licensed-not-owned bit for CDs or DVDs and it's illegal to copy your buddy's disk because yours is scratched and unreadable -- why would it be different here, where you haven't even lost access to the app (no, never mind that the newer! better! version is fucked on your device -- I guarantee they didn't take that into account writing the license.)

He's in a situation where:
He has the legal right to use the new version, and a legal way to get it (should he wipe his device, it'll be redownloaded from the app store), but no technical capability for it to work on that device.
He probably (this could be limited by the license, but it typically isn't) has the legal right to use the old version, and definitely the technical capability, but no legal way to obtain it.
It's a Catch-22, and you're mistaken in thinking the legal system does anything to prevent you from ending up in such a fix, either in general or in this particular situation.

As I said, it's hilariously fucked, but it's the law.

Re:Who would pay $50 for an iOS App?

No.

Re:Looks like it might have been pirated after all

[SuricouRaven]

There will be a license. It's that wall-o-text that no-one reads. You can't be sure of the legal situation regarding downgrades wthout reading that - but it's something rarely enough done that I doubt the license even addresses the issue.

Re:Who would pay $50 for an iOS App?

My boring anecdote.

Traveling on I-87 northbound and we got stuck in traffic. Stop and Go snail pace traffic.

Out comes a shiny glittering wonder of the world iphone with a 50$ map/direction/traffic application. "This is the BEST EVAAAR, DUDE!" the guy said. "Let me get us out of here". Everybody rejoiced. Alas, the joy did not last long. The app had no idea about the current traffic that we were sitting in.

Out comes an android. Not so shiny, mind you. It had this free little known map application called Google Maps. Not only it showed the "red" lines for next 20 miles, it also showed all the small roads with few of the "green" ones. Lo and Behold - we were out of the traffic and on our way.

The dude is now using his shiny iphone with the latest and greatest mapping app EVAAR called Apple maps. Oh the irony!

Re:Who would pay $50 for an iOS App?

[psmears]

where I have severely limited vocabulary in the local language, a good dictionary application is one of those can't-live-without things

If you're trying to expand your vocabulary, throw the dictionary in the trash and get a thesaurus.

...and how does that help when you don't even know one synonym in the target language?

And I have no idea why you'd pay $50 for a dictionary app when you could just buy the actual paper dictionary for $20.

Clue: a good multilingual dictionary weighs several pounds. Installing an app adds no extra weight. When travelling to/around a foreign country, that can be important :-)

Isn't this costing you?

Isn't the tweet costing you? You now have recourse to the app creator (and Apple) for costing you money by their bug. Financial value is being taken from you.

Even more obviously than any piracy claim does.

Android is more popular than iOS, hence more malwa

Android is more popular than iOS, hence more malware for it.

Someone has.

And that's all that's needed.

Just like removing encryption or DRM, all you need is ONE person looking to remove it and it's gone for EVERYONE.

It's not like an actual bug sitting in your house eating your stuff where you are the only one who could see it. It's going to be all versions of the code has the bug.

I realise that you hate the idea of being able to audit your own code (for no reason whatsoever), but suck on it, dickhead.

Warning bells

The users should really have known this software was malicious when it pulled the phishing attack on their Twitter accounts.

Then legally the recourse is criminal action

From the person who has a license (but see later) whose right to use has been removed, their property HAS BEEN STOLEN by the app provider.

THEFT. ACTUAL THEFT.

However, your assertion is complete and utter bollocks. YOU HAVE NOT BOUGHT A LICENSE YOU BOUGHT A GOOD.

You do NOT need a license to use a copyrighted product you purchased. Copyright only controls certain aspects of copying and a copy required for use of the product (i.e. installation) is NOT a copy controlled by copyright.

Your assertion is hilariously fucked, because IT IS NOT THE LAW.

You just agreed with the absolutely false allegation of the party who wants to sell something without selling it to someone.

Next time READ THE FUCKING LAW.

Re:Then legally the recourse is criminal action

From the person who has a license (but see later) whose right to use has been removed, their property HAS BEEN STOLEN by the app provider.

THEFT. ACTUAL THEFT.

In a moral sense, perhaps. In a legal sense, no. Not theft at all. What are you smoking?

However, your assertion is complete and utter bollocks. YOU HAVE NOT BOUGHT A LICENSE YOU BOUGHT A GOOD.

You know we're talking an app store right? There's no good even changing hands. Regardless, the last major precedents in this area predate digital-download purchases and maintain that even with a CD changing hands, the sale may be only of a license, depending on terms.

You do NOT need a license to use a copyrighted product you purchased. Copyright only controls certain aspects of copying and a copy required for use of the product (i.e. installation) is NOT a copy controlled by copyright.

Except when it IS a copy controlled by copyright -- specifically, when you are licensed a copy, not sold a copy, and the protections you refer to don't apply. This distinction is today absolutely real, thanks to federal courts inventing it and consistently applying it.

Your assertion is hilariously fucked, because IT IS NOT THE LAW.

You just agreed with the absolutely false allegation of the party who wants to sell something without selling it to someone.

Next time READ THE FUCKING LAW.

How I read TFL (i.e. US code) doesn't matter. How judges read it does matter (Note, this is implicit in what "the law" means IRL -- at least here in the US, a common law country), and they've consistently read it in exactly the way I describe. So you read the fucking law (i.e. court decisions), until you realize what the status quo is. Then maybe we can work together to fix copyright law such that there's no way for the judges to interpret it that way?

Re:Apple's nonexistent App Store "approval" proces

[gnasher719]

For all the high-and-mighty talk Apple bandies about regarding how carefully they analyze every app before approving it to be posted in the App Store, there sure are a lot of iOS Apps that do shady stuff like this.

This app doesn't do anything bad apparently unless it is installed on a jailbroken device. In that case, all odds are off. It may even be that the app is sandboxed and cannot do what it does on a non-jailbroken device.

The ONLY thing the Blackberry does better.

[faedle]

This is a serious problem for both Android and iOS apps, and it's something that Blackberry had figured out from the very beginning. On the Blackberry, the user has a CHOICE as to whether to allow the apps access or not. You don't just get a screen saying "the app needs access to these things" and you have the options of exactly "take it or leave it." You get little checkboxes to say "No, the app can't access my personal contacts" and the app will still install, run, and work without access to your personal contacts.

Maybe I'm ok with an app having course location information, but not fine, and I'm willing to accept that the app may not be as useful that way. Maybe I don't want Facebook rummaging around in my personal contacts. Maybe I'm not comfortable with TV.com having the ability to record audio from my handset's microphone.

There's a flashlight app for Blackberry that wants access to the personal data on my phone. I say "nay nay", and the app works just fine.

So how about it, Android and iOS? Give the users REAL choices.

Re:Who would pay $50 for an iOS App?

So brave.

my dictionary app ...

[JSkills]

... is Google.

If I am unsure of the spelling of a word or not entirely sure of the meaning I just type it into the Chrome URL box and I end up with a Google search with corrected spelling and links to the definition by default.

Probably not as easy on an iPad of course ... but $50 for any iPad app seems exorbitant. Unless I am missing something, if the point of the app is to be a dictionary, you really don't need an app (rig up a web service or something?). Ok this app has sound bytes for pronunciation, but Dictionary.com app is $4.99 (does the same as well as voice recognition of words) and this Oxford Deluxe is $50? I am probably missing something ...

Also any app that asks for my credentials to any other app or account would not get installed to begin with. Seriously, who would give a dictionary app access to their twitter account? Who says I even have a twitter account?

Re:Who would pay $50 for an iOS App?

[DNS-and-BIND]

Google Translate. It's free. It even supports voice. Why even bother learning the local language when you travel?

No

I would sue.

Meh

[eno2001]

For some people quitting piracy is just as hard as quitting the fap. Oddly there seems to be a direct correlation between the two activities.

AmIRC

[YttriumOxide]

Many many years ago, the Amiga IRC client "AmIRC" used to do a similar thing if you had a known pirated key. Everything sent to the IRC channel would come out as "/me is a lame software pirate", however would appear normal to the user themselves (so they were usually unaware until someone told them).

It was actually fairly well accepted as a clever and cute anti-piracy mechanism; but unlike the app in TFA, it never screwed up (as far as I heard about).

Re:Android is more popular than iOS, hence more ma

[EGSonikku]

There are more Android phones in the wild yes, but not by that much.

http://bgr.com/2012/07/02/android-market-share-us-smartphone-iphone/

In the US it's 50% VS. 31%.

But Android still has 1000%+ more malware. It's not a 'popularity' issue, it's a basic OS security one.

Offline use

[tepples]

How well does dictionary.com's mobile site work with 0 bars, such as on a laptop or tablet while riding a bus? A $50 dictionary is cheaper than a $500 per year mobile broadband plan.

Re:Offline use

And a paperback dictionary... oh forget it.

Re:Offline use

[R3d+M3rcury]

Well, that's not really what the discussion was about. The GP was discussing the UI of the dictionary app.

Regarding the network capabilities, you're mostly correct. But some of it is paranoia. So if you're someplace where you have no WiFi, no Cell Service, and you absolutely positively need a dictionary right now, this would be a godsend and easily worth $50.

For the other 90% of humanity, who don't really need a dictionary right now and are generally around WiFi or Cell Phone signals, it's probably not worth $50.

Which might explain the price, actually. If the demand is small, you have to charge more to make money.

Charged, guilty, and other crime-specific words

[tepples]

To me "charged" implies "charged with a crime"

Solve for X in the following analogy: charged is to crime as X to tort.

Re:Charged, guilty, and other crime-specific words

[Mister_Stoopid]

charged is to crime as X to tort.

Uhh... "eat"? Mmmmmmm... . toooort.... *droooool*

Re:Charged, guilty, and other crime-specific words

[Rogerborg]

Captain Kirk.

No, wait, that's the answer to any question of "Who would win in a fight between Captain Kirk and X".

Re:Charged, guilty, and other crime-specific words

[Myopic]

"Sued." You sue people for civil matters; you charge them with crimes. But the OP educated me on the appropriateness of the jargon in his region.

Trusting trust when there's one compiler

[tepples]

A compiler, not the.
Further, the compiler should yield the same result when compiling itself independent on which compiler the self-compiling compiler has been compiled with.

In other words, the "trusting trust" attack is defeated with several independently developed compiler toolchains.

Thus if you have another third party compiler you can bust this behaviour.

And there's the rub. I was under the impression that Apple had a monopoly on at least one part of the toolchain targeting iOS.

Unreasonably difficult != impossible

[tepples]

Really RIAA/MPAA (and friends) you deliberately go out of your way to make it legally impossible for me to purchase the content

Unreasonably difficult, yes; impossible, no. Can't you hop on a plane, buy a copy, and fly back?

Offline use

[tepples]

If I am unsure of the spelling of a word or not entirely sure of the meaning I just type it into the Chrome URL box and I end up with

...a "Cannot find server" error because you are offline.

Probably not as easy on an iPad of course

Especially if your iPad is a Wi-Fi model, not a cellular model, and either you're riding the bus (hence no AP) or the APs in range are for employees only.

Unless I am missing something, if the point of the app is to be a dictionary, you really don't need an app (rig up a web service or something?).

Paid Wikipedia applications tend to have a large subset of articles available offline, where web services cannot reach. I imagine that paid dictionary applications are the same way.

Also any app that asks for my credentials to any other app or account would not get installed to begin with.

So how do FarmVille and Spotify get away with requiring all users to be members of Facebook?

Google anything relies on an Internet connection

[tepples]

Google Translate. It's free.

Only if you've already signed up for a long-term cellular data plan in the country that you happen to be visiting.

Unethical

The software engineers that developed the app should be slapped with a trout in the face for unethical software development practice. Dingbats.

Re:Who would pay $50 for an iOS App?

[Half-pint+HAL]

A persistent internet connection isn't always possible when you're travelling... and it's not cheap even when it is.

Re:Who would pay $50 for an iOS App?

i'm also comfortable with the fact that 99% of people are fucking retards.

Libel

[spasm]

Depending on the country, you may be able to sue the app makers for libel. Many countries have much stronger libel laws than the US, and the app is definitely 'damaging your reputation'. Bonus payout if your occupation is actually dependent on your customers' sense of your probity - eg lawyer.. :)

Re:Who would pay $50 for an iOS App?

[Garybaldy]

That is one of the reasons Americans are so disliked in foreign tourist destinations. Most can't even bother to try.

Here's their apology (not good enough)

[bacchus612]

Well, they realized that the fscked-up. They just issued this apology / justification (not nearly enough IMHO)... From enfour.com/OpenLetter.pdf:

On November 1, 2012, a version of the UniDict® iOS software revealed a bug that has embarrassed both our users and our company. We are sincerely sorry for the uproar and the bad feelings our customers have experienced. To everyone affected, we offer our humble apologies.

The story and tech details

On the morning of November 1, customers had an unpleasant surprise if they opened the app and let it go to sleep before it was closed. Upon waking, a dialog box showed "Run in Safe Mode" then the app disabled itself and performed an auto soft close. A notification appeared locally on the device and if the user had authorized the app to access their Twitter account, a tweet of the notification was sent out under their account with a hash tag #softwarepiracyconfession. This tweet only happened if the user tapped a send confirmation button.

As soon as we realised there was a problem, we corrected it by removing the anti-piracy module and working with Apple to get the patched version online for download. It was available before close of business on November 1. At no time was the device itself or personal information compromised; there was no virus, no unofficial APIs, no hacking and no malware involved. Nevertheless, a number of users with certain system configurations were affected during this time period. Some may still be if they haven't updated to the fixed version. If you are not running the latest version, we urge you to update your app immediately to avoid the potential embarrassment of an unexpected tweet.

Why this happened

Combatting piracy is challenging. As a small family-owned company with few employees every lost sale impacts our livelihood and our ability to continue developing apps that we are passionate about. Piracy of Enfour products happens at an astonishing rate. We have seen a 1:100 ratio of legal to pirated copies of our software. Ouch. We can't thwart truly determined hacker & crackers, but we wanted to possibly shame those who were opportunistically stealing our software. Just like installing a shop-lifting alarm in a store, we thought we were being creative with a notification and a timed tweet for users of a cracked app.

In retrospect, this was not the wisest choice. The bug that revealed this creative indiscretion was a screwup and we accept full responsibility. We have tried to reach as many affected people as possible using social media via our personal accounts as well as via our website and also the iTunes store -all in multiple languages. We have taken all possible steps to ensure that our customers are never affected again.

Piracy is a hot issue. Despite what some believe about piracy being acceptable and harmless, we know piracy does cost us money and affects us directly. It's far too large and personal a topic for us to pontificate upon, but if you are interested in a perspective that fits our opinion, there is a good article in Bloomberg Business Week. http://www.businessweek.com/articles/2012-11-01/piracycuts-into-paid-app-sales

Thank you We appreciate the time you took to read this letter and if you would like to discuss the issue further, we are available for comment.
Tracey Northcott
VP International Communications
Enfour, Inc.
3F Kouju Bld 3-52-8 Sendagaya
Shibuya-ku Tokyo 151-0051 JAPAN
tracey@enfour.co.jp
http://www.enfour.com/
https://itunes.apple.com/artist/enfour-inc./id284965604?l=en
TEL: +81-3-5411-7738
FAX: +81-3-5411-7704

I'm not a user of their software, or apple products for that matter, but if I were affected by this bug I would def

Sloppy use of language

[B.Stolk]

"...up to $50 or more..."
This makes no sense at all.
Please put a little bit more effort into editing submitted stories.

Re:Who would pay $50 for an iOS App?

[danomac]

Yes, but the paper dictionary will work when the phone's battery runs out. Especially when you find out you can't charge your phone without an adapter.

There's benefits to a paper copy.

Re:Who would pay $50 for an iOS App?

[_merlin]

Itâ(TM)s also rubbish. The examples of words in context are pulled from random web sites, and often server to confuse more than anything else, for example.

Re:Who would pay $50 for an iOS App?

[ArhcAngel]

Who knew? And it's only 9.99