
Holes in the Walled Garden: Has the App Store Been Hacked?


This is a developing story, and not all of the facts are out yet, but if what is being reported on The Next Web and by developer Alexandru Brie turns out to be true, it may be prudent to stop reading this now and remove your credit or debit card from your iTunes account. I did, purely as a precautionary measure until this is sorted out.

The Next Web has been running a series of articles detailing how corrupt app developers have been using what they describe as “app farms” to hack into users’ accounts and purchase their own apps. Since The Next Web originally posted its article, the first developer mentioned, “Thuat Nguyen,” has been removed from the App Store, but The Next Web is reporting several other suspiciously successful developers who may be running the same kind of scam. Several users are reporting unauthorized iTunes purchases in the comments.

Alexandru Brie first reported on his blog how his app (Self Help Classics) had lost its position in the top 20 in the Books category to a group of “badly coded Vietnamese manga apps.” All but one had no reviews, and all were by the same developer, Thuat Nguyen. After being in touch with the App Store team, and hearing from Phil Schiller himself that Apple was looking into the problem, Alexandru posted an update to his original story that highlighted several other suspicious developers in the top 200 apps in the Books category.

In contrast, Arnold Kim wrote on MacRumors that the issue of hacked iTunes accounts is not new, and points to a running thread MacRumors has had open since January 2008. Kim notes that the Books category is one of the smallest, representing a tiny amount of sales compared to the millions of iTunes accounts.

Right now, there are a lot of unknowns, and some good reasons to question how widespread the problem really is. We don’t know whether the App Store’s own code has truly been hacked, or whether the crooked developers have simply been guessing passwords and targeting users with weak ones. If the App Store itself really has been “hacked,” then the strength of your password won’t matter, but I think this is unlikely. A brute-force password-guessing attack goes after the weakest link: the users.

No matter how widespread the problem is, Apple should be taking it seriously. It is apparent that there are still holes in the curated “walled garden” and that the App Store’s underlying problem, its approval process, is still broken. How can these crooked, worthless apps get in when some truly useful apps do not?

Post in the comments if you’ve seen any unauthorized charges on your iTunes account.

12 Responses to “Holes in the Walled Garden: Has the App Store Been Hacked?”

  1. Bryan

    My account was hacked just over two weeks ago resulting in app purchases worth AU$130.

    I have lodged a credit card dispute claim for these transactions and am keeping my fingers crossed to get some money back.

    I’ve noticed a flaw with the iTunes account security system. I’ve noticed that all you need is a date of birth, an email and a usually very simple “secret” question to change another user’s password, thus giving you the ability to make purchases using his/her card. Usually the secret question feature on other sites results in a reset password being sent to the associated email account. On the plus side, you do get an alert that your password has been changed sent to your email, but this might just be too late.

  2. My iTunes account was hacked on June 4th and someone generated a $50 iTunes certificate. Apple caught it before I did and froze the account, but has done nothing really to help me reinstate my ability to pay for tunes. I was glad I wasn’t using the same password everywhere, but am having trouble understanding why Apple didn’t do more to notify me and others whose accounts were frozen. The problem is a lot broader than “apps,” if they’re generating iTunes gift certificates from legitimate users.

  3. Apple should stand up and at least issue a warning. They want to control your access to apps and everything you do with the iPhone, iPod or iPad, but they can’t or won’t keep the crap and the hackers out of the store.

    Shame on you Steve and I’m sure glad I didn’t fall for the phone or the pad.

  4. melissa

    My iTunes account was hacked by Thuat Nguyen over thirty times between 6/28/10 and 6/29/10 for a total of $250.00 US, and Apple/iTunes’ stand so far is “sorry for your luck, change your password.” TD Bank says they will look into it. Do you think Apple will stand tall and void the book charges?

  5. I don’t know what’s worse: some Vietnamese app farmer getting 5000 (!) fake apps into the App Store, or the fact that Apple doesn’t acknowledge the problem and only tells users to change their password, without refunding the stolen money.

    Even if you have a weak password, the real problem is with Apple. They have installed an App Store with the single goal of controlling every app. This means they are responsible for any mishaps and should refund money stolen by these App Store pirates.

  6. There is a question no one is asking though: how did so many obviously garbage apps get approved?

    Apple may tout the numbers of the AppStore, but so much of it is shovelware or opportunistic crap like those cheats/hints apps with similar names/icons to the top 10 worthy apps (i.e. Angry Birds etc.).

  7. Captain

    Hello, I too fell victim to this security flaw, but was lucky enough to catch it before it escalated to a very large number. I hope this gets resolved quickly.

  8. I don’t think this has anything to do with the AppStore per se, but with security in general. Most people use the same email+pass for multiple accounts, and these guys just ran compromised details through the iTunes login, no different to any other security breach. As for the apps themselves, yeah, some are pretty crappy, but they do follow the rules and don’t really get in anyone’s way; also, very few high quality apps actually get rejected.