PULLED: 41 of Top-50 Books apps (fraud + hacked iTunes accounts)

From Day 1 of the iPhone App Store, it’s been possible and profitable to push your apps up the rankings by buying them in bulk yourself (this requires you to buy multiple iTunes accounts). Now an Asian developer has gone one further, by hacking other people’s accounts to do the purchasing:

The rankings in the books category of the US iTunes store features 40 out of 50 apps by the same app developer, Thuat Nguyen.

(PLEASE NOTE: The linked website – TNW – has done a neat job of summarising this, but they’re a bit out of their depth on the whole “investigation” side of things. Some of the accusations/insinuations they make are patently false, and borderline defamatory (e.g. they apparently know nothing about the multi-billion-dollar “free to play” games industry). Read with caution.)

The hack wasn’t subtle. It was very stupidly done – they were guaranteed to get caught within a week, while Apple’s policy is that they wait a month or two before paying developers. The hacker was never going to get the cash. In response to (we suspect) a huge volume of complaints, Apple has now pulled all the developer’s apps:

The developer Thuat Nguyen and his apps were removed from the App Store for violating the developer Program License Agreement, including fraudulent purchase patterns.

Developers do not receive any iTunes confidential customer data when an app is downloaded.

If your credit card or iTunes password is stolen and used on iTunes we recommend that you contact your financial institution and inquire about canceling the card and issuing a chargeback for any unauthorized transactions. We also recommend that you change your iTunes account password immediately. For more information on best practices for password security visit http://www.apple.com/support/itunes.

The evidence was pretty overwhelming, and was accompanied by a stream of ordinary iTunes customers seeing unexpected credit-card transactions:

“Yesterday my credit union contacted me saying there was suspicious activity on my debit card. Sure enough over 10 transactions in the $40-$50 area all on iTunes equaling to $558”

Security notes

Since launching iTunes, Apple has appeared to be pretty weak on customer security.

NOTE: an Apple spokesperson has allegedly stated that they will ask for the verification code on the back of your credit card “a little more often” from now on. Find any security expert and ask them if that’s a solution (hint: expect to be laughed at).

My company develops iPhone apps, and we are careful that NONE of our iTunes accounts have a credit card; this is the only online purchasing system in the world that we don’t trust. If you Google “itunes credit card” you’ll find plenty of examples over the years of people claiming that Apple allowed fraudulent iTunes transactions, took the money, and refused to refund, using a legal loophole to keep the cash. While it’s unlikely they ever held the money forever, I’ve met several people in person who’ve made the same claims for themselves, and the sheer volume of complaints strongly suggests Apple’s procedure on this has been less than fair.

So, what to do?

You could set up a secondary bank account just for iTunes payments (I know a lot of people who’ve done that – IIRC, I first heard of it from one of those who got hacked and had trouble getting Apple to refund or even take it seriously). Or, with even less effort, iTunes gift cards are available everywhere – I highly recommend them.

Developer notes

The basic attack here has been possible since the iPhone App Store went live:

Buy multiple iTunes accounts (say 1,000 of them), and buy one copy of your app on each.

This drives you up to the top-10 lists, earning you masses of free publicity and hence sales (plus it allows you to write a thousand 5-star reviews, to similar effect).
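The purchase pattern just described leaves a fairly distinctive footprint on the store side: one developer holds most of a category’s top-N slots, and nearly all of the accounts buying those apps have bought exactly one thing, ever. The following is an added example (not code from the post or from Apple) that runs two such checks over a constructed purchase log; the field layout, thresholds and developer names are assumptions made for illustration.

```python
"""Detect bulk-purchase ranking manipulation from a purchase log.

Constructed sample data, not real App Store records. Two signals:
  1. one developer's share of a category's top-N by unit sales
  2. fraction of that developer's buyers whose account ever bought
     exactly one app (throwaway or hijacked accounts behave this way)
"""
from collections import Counter, defaultdict

# Constructed purchase log: (account_id, developer, app_id).
# 1,000 single-use accounts each buy one of 40 apps from one developer,
# plus a handful of ordinary accounts buying from other developers.
PURCHASES = (
    [(f"acct{i:04d}", "dev_suspect", f"book{i % 40:02d}") for i in range(1000)]
    + [("acct_real1", "dev_honest", "book40"), ("acct_real1", "dev_honest", "book41"),
       ("acct_real2", "dev_honest", "book40"), ("acct_real2", "dev_other", "book42"),
       ("acct_real3", "dev_honest", "book41"), ("acct_real3", "dev_other", "book43")]
)

def top_n_by_sales(purchases, n=50):
    """Rank apps by unit sales (the signal the attack games); returns (app, dev) pairs."""
    sales = Counter((app, dev) for _, dev, app in purchases)
    return [key for key, _ in sales.most_common(n)]

def developer_concentration(ranking):
    """Share of the top-N slots held by each developer."""
    devs = Counter(dev for _, dev in ranking)
    return {dev: count / len(ranking) for dev, count in devs.items()}

def single_purchase_ratio(purchases):
    """Per developer: fraction of its buyers whose account bought exactly one app ever."""
    per_account = Counter(acct for acct, _, _ in purchases)
    buyers = defaultdict(set)
    for acct, dev, _ in purchases:
        buyers[dev].add(acct)
    return {dev: sum(per_account[a] == 1 for a in accts) / len(accts)
            for dev, accts in buyers.items()}

def flag_developers(purchases, n=50, share=0.25, single_ratio=0.9):
    """Developers that dominate the top-N and are bought almost only by one-shot accounts."""
    conc = developer_concentration(top_n_by_sales(purchases, n))
    spr = single_purchase_ratio(purchases)
    return sorted(dev for dev in conc
                  if conc[dev] >= share and spr.get(dev, 0.0) >= single_ratio)

if __name__ == "__main__":
    print(flag_developers(PURCHASES))  # assumed thresholds flag only dev_suspect
```

Thresholds are deliberately loose here; on a real store they would be tuned against the normal distribution of repeat buyers, since a legitimate hit can also dominate a small category.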

It works for two reasons.

Firstly, Apple’s own safeguards against black-hat SEO techniques are surprisingly weak. They’ve made some shockingly naive design decisions on the App Store, e.g. the “rate this app automatically BUT ONLY WHEN YOU DELETE IT” idiocy.

Secondly, Apple’s apparent paranoia and hatred of all things “open” has led to keeping the App Store a private walled garden, away from the Internet. This has ensured that *none* of the existing forms of marketing and direct promotion would work. It was only very recently that Apple finally “allowed” normal web browsers to view the pages of the App Store (the pages were always there; that’s how iTunes works – behind the scenes, it’s a web browser).

Net effect: black hat techniques are often not only possible, but also the only option available.

Personally, I believe Apple is changing this for the better. The decision to allow web browsers access to the App Store was huge, and has made it a much better place – e.g. you can now Google your favourite app, instead of using iTunes’ broken in-built search feature.

But, historically, a lot of people have been pushed into adopting black hat techniques, and it will take a while for them to revert to the mainstream…


This entry was posted on Wednesday, July 7th, 2010 at 8:15 am and is filed under Uncategorized.