
Summary:

This is a developing story, and not all of the facts are out yet, but if what is being reported on The Next Web turns out to be true, it may be prudent to stop reading and remove your credit card from your iTunes account.


This is a developing story, and not all of the facts are out yet, but if what is being reported on The Next Web and by developer Alexandru Brie turns out to be true, it may be prudent to stop reading this now and remove your credit or debit card from your iTunes account. I did, purely as a precautionary measure until this is sorted out.

The Next Web has been running a series of articles that detail how corrupt app developers have been using what they describe as “app farms” to hack into users’ accounts and purchase their own apps. Since the article was originally posted, the first developer mentioned, “Thuat Nguyen,” has been removed from the App Store, but The Next Web is reporting on several other suspiciously successful developers who may be running the same kind of scam. Several users are reporting unauthorized iTunes purchases in the comments.

Alexandru Brie first reported on his blog how his app (Self Help Classics) had lost its position in the top 20 in the Books category to a group of “badly coded Vietnamese manga apps.” All but one were without reviews, and all were by the same developer, Thuat Nguyen. After being in touch with the App Store team, and hearing from Phil Schiller himself that Apple was looking into the problem, Alexandru posted an update to his original story that highlighted several other suspicious developers in the top 200 apps in the Books category.

In contrast, Arnold Kim wrote on MacRumors that the issue of hacked iTunes accounts is not new, and points to a running thread they’ve had open since January 2008. Kim notes that the Books category is one of the smallest, representing a tiny amount of sales compared to the millions of iTunes accounts.

Right now, there are a lot of unknowns, and some good reasons to be suspicious of how widespread the problem really is. We don’t know if the code of the App Store has truly been hacked, or if the crooked developers have been using password guessing and targeting users with weak passwords. If the App Store really has been “hacked,” then the strength of your password won’t matter, but I think this is unlikely. A brute-force password-guessing attack goes after the weakest link: the users.
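As an added illustration (not code from the original post or from Apple), this is the kind of check a service operator would run over authentication logs to tell a password-guessing campaign apart from ordinary logins: a source that tries many distinct accounts with a low hit rate looks like credential stuffing, while one source hammering a single account looks like brute force. The log format, the thresholds and the log lines are all constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample auth log (hypothetical format; not real iTunes logs).
SAMPLE_LOG = """\
2010-06-28T01:00:01Z src=203.0.113.5 user=alice@example.com result=FAIL
2010-06-28T01:00:02Z src=203.0.113.5 user=bob@example.com result=FAIL
2010-06-28T01:00:03Z src=203.0.113.5 user=carol@example.com result=OK
2010-06-28T01:00:04Z src=203.0.113.5 user=dave@example.com result=FAIL
2010-06-28T01:00:05Z src=203.0.113.5 user=erin@example.com result=FAIL
2010-06-28T01:00:06Z src=203.0.113.5 user=frank@example.com result=OK
2010-06-28T01:10:00Z src=198.51.100.7 user=grace@example.com result=FAIL
2010-06-28T01:10:01Z src=198.51.100.7 user=grace@example.com result=FAIL
2010-06-28T01:10:02Z src=198.51.100.7 user=grace@example.com result=FAIL
2010-06-28T01:10:03Z src=198.51.100.7 user=grace@example.com result=FAIL
2010-06-28T01:10:04Z src=198.51.100.7 user=grace@example.com result=OK
2010-06-28T02:00:00Z src=192.0.2.9 user=heidi@example.com result=OK
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$")

def parse_log(text):
    """Parse the assumed key=value log format into a list of event dicts."""
    return [m.groupdict() for m in map(LINE_RE.match, text.splitlines()) if m]

def classify_sources(events, min_attempts=5, spray_ratio=0.8, success_cap=0.5):
    """Label each source IP: credential-stuffing, brute-force or normal.
    Thresholds are assumed starting points, to be tuned on real traffic."""
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)
    verdicts = {}
    for src, evs in by_src.items():
        n = len(evs)
        distinct = len({e["user"] for e in evs})
        hit_rate = sum(e["result"] == "OK" for e in evs) / n
        if n < min_attempts:
            verdicts[src] = "normal"            # too little activity to judge
        elif distinct / n >= spray_ratio and hit_rate <= success_cap:
            verdicts[src] = "credential-stuffing"  # many accounts, few hits
        elif distinct == 1 and hit_rate <= success_cap:
            verdicts[src] = "brute-force"       # one account, repeated failures
        else:
            verdicts[src] = "normal"
    return verdicts

def compromised_accounts(events, verdicts):
    """Accounts with a successful login from a flagged source: lock and review purchases."""
    return sorted({e["user"] for e in events
                   if verdicts.get(e["src"]) != "normal" and e["result"] == "OK"})
```

Accounts returned by `compromised_accounts` are the ones whose purchases should be reviewed and whose passwords should be reset, which is the action the weak-password hypothesis above calls for.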

No matter how widespread the problem is, Apple should be taking it seriously. It is apparent that there are still holes in the curated “walled garden” and that the overall problem of the app store, the approval process, is still broken. How can these crooked, worthless apps get in, when some truly useful apps do not?

Post in the comments if you’ve seen any unauthorized charges on your iTunes account.


  1. I don’t think this has anything to do with the AppStore per se but security in general. Most people use the same email+pass for multiple accounts and these guys just ran compromised details through the iTunes login, no different to any other security breach. As for the apps themselves, yea some are pretty crappy but they do follow the rules and don’t really get in anyone’s way, also, very few high quality apps actually get rejected.

  2. Hello, I too fell victim to this security flaw, but was lucky enough to catch it before it elevated to a very large number. I hope this gets resolved quickly.

  3. There is a question no one is asking though: how did so many obviously garbage apps get approved?

    Apple may tout the numbers of the AppStore but so much of it is shovelware or opportunistic crap like those -cheats/hints stuff with similar names/icons to the top 10 worthy apps (i.e. Angry Birds, etc.)

  4. And then they say Piracy Is bad.

  5. Henk Duivendrecht Tuesday, July 6, 2010

    I don’t know what’s worse: some Vietnamese app farmer getting 5000 (!) fake apps into the app store, or the fact that Apple doesn’t acknowledge the problem and only tells users to change their password – without refunding the stolen money.

    Even if you have a weak password, the real problem is with Apple. They have installed an App Store with the single goal of controlling every app. This means they are responsible for any mishaps and should refund money stolen by these App Store pirates.

  6. Go Android! :-p

  7. My iTunes account was hacked by Thuat Nguyen over thirty times between 6/28/10 and 6/29/10 for a total of $250.00 US, and Apple/iTunes’ stand so far is “sorry for your luck, change your password.” TD Bank says they will look into it. Do you think Apple will stand tall and void the book charges?

  8. Apple should stand up and at least issue a warning. They want to control your access to apps and everything you do with the iPhone, iPod or iPad but they can’t or won’t keep the crap and the hackers out of the store.

    Shame on you Steve and I’m sure glad I didn’t fall for the phone or the pad.

  9. San Juan Mom Tuesday, July 6, 2010

    My iTunes account was hacked on June 4th and someone generated a $50 iTunes certificate. Apple caught it before I did and froze the account, but has done nothing really to help me reinstate my ability to pay for Tunes. I was glad I wasn’t using the same password everywhere, but am having trouble understanding why Apple didn’t do more to notify me and others whose accounts were frozen. The problem is a lot more broad than “apps,” if they’re generating iTunes gift certificates from legitimate users.

  10. I tried to get to my account to remove my card number, but can’t get in due to “an error in the itunes store”.
