ReceiptChecking

Latest

  • Lack of receipt checking could enable Mac App Store piracy

    by Megan Lavey-Heaton
    01.06.2011

    Not long after the Mac App Store opened, several warnings via Twitter began to surface. "You did implement receipt checking so that people can't pirate your app. Yes?" developer Nik Fletcher (also one of our former writers here at TUAW) asked his followers. Ged Maheux at the Iconfactory also pointed out that he was able to run a for-pay app purchased by another person, and run it on 10.5 and 10.6.5 Macs as well -- none of which should be happening, it would seem.

    Receipt checking is the process that lets developers verify that the app is installed as a valid purchase by checking the embedded purchase receipt, which is included (in encrypted form) by Apple and contains the UUID of the Mac authorized to run the app. Apple did not force developers to implement a particular way of handling these receipts and, as a result, some paid apps are not properly protected against piracy. While the number of affected apps is not known -- and probably very small -- it's not clear there's anything Apple could have done to protect developers from themselves in this situation.

    According to veteran Mac developer Daniel Jalkut of Red Sweater Software, the burden of preventing the app from running in an unlicensed setup is on the app itself, not Apple's receipts. "If developers think anything doesn't check out, at any time, they are obliged to exit the app," says Jalkut. "So nothing Apple does, short of breaking the exit system call itself, would cause an app to run when the developer's code discovers something is not right." Jalkut suspects that the apps in question may not have implemented a receipt check, or that the check they are using has flaws in its implementation. He also points out that Apple's testing process only looks for "false positives," meaning that if a valid license/receipt is present and the app fails to launch, that's grounds for rejection; if one is absent and the app launches anyway, that's not, since receipt checking is optional.

    [Developer Alex Curylo points to his open-sourced routines for validating store receipts, in case Mac app developers need some help.]

    Fellow TUAW writer TJ Luoma was kind enough to share an app with me to test this. He archived an app purchased through the Mac App Store, dropped the app in Dropbox and sent me the link. I installed it, then restarted the Mac App Store. The store showed the app as being installed, and I was able to use the app as if I had bought it myself. However, it did not show up in my purchased apps list. When I removed the app from the machine, the Mac App Store gave me the option of paying for a legal license instead of saying it had been purchased or previously installed in any manner.

    To be clear: TUAW does not endorse app piracy, and I immediately uninstalled the app we tested. However, it's in developers' interest to double-check and make sure they have receipt support enabled for their products in the Mac App Store. [And no, if you were wondering, Angry Birds is not the application we tested.]