On Sunday we reported details of how one specific app developer had managed to hack iTunes users accounts and use them to purchase his own apps – making it to the top of the iTunes charts.

As the story has developed, the problem has grown far more serious than initially thought – not just that one particular developer and his apps - the Apple App store is filled with App Farms being used to steal.

Yes but Apple will stamp on this hard. It might slow up the approvals process.

It's not really anything to do with the approval process. It's the user's accounts that are being hacked and used to present 'false positives' on the apps traffic levels to boost them up the 'most popular' tables. There's no viable method for this to be stopped at the approval stage for the app - all they can do is ban the app & developer when they find out it's happened. What they need is a much more robust way for people to report their accounts being hijacked and a way to 'roll back' any purchases made with those accounts once it has happened. And maybe some sophisticated analysis of buying patterns i.e. raise an alert when they see spikes in app sales that don't seem 'right'.

Jon

Yes but how are the accounts being hacked? If it is via the apps then the approvals process will be a problem.

Yes but how are the accounts being hacked? If it is via the apps then the approvals process will be a problem. Many people have passwords that are far too easy to hack or use the same passwords for everything.

It might help if Apple emailed people to inform them that suspicious activity had be detected on their account.

Quite. I'm fairly sure it's bad password security rather than trojan apps. The fraudsters have become quite clever about cross-checking this kind of stuff whereas Apple do have automated tools that check when apps are passing data out via the internet. That's how they found out about the analytics stuff they got in such a tizzy about recently.

Yup, I'm not sure how good they are at that, if they do it at all.

Jon

Paul Thurrot got stung a 2 weeks back. His kids downloaded a free app onto their iPod Touches (Tap Fish), which then lets the user buy fish in game. Even though the kids didn't have his password (it was only authorised on his PC, which was used to sync the iPods), they still managed to download nearly $1,000 in fish in-game!

Apple refunded the money without any fuss, and said that he wasn't the first to complain.

I am still bemused how the app can charge anything to his account without authorisation. Did he have his account set up for one click purchases which might explain.

Then a serious hole in the system exists. I wonder how many will actually notice?

Considering the packs of fish cost up to $200 a pop, I guess people will notice that fairly quickly - I get an e-mail from Apple for each purchase, if they started sending me notifications of $200 transactions, I'd spot that quickly!