Holes in the Walled Garden: Has the App Store Been Hacked?

This is a developing story, and not all of the facts are out yet, but if what is being reported on The Next Web and by developer Alexandru Brie turns out to be true, it may be prudent to stop reading this now and remove your credit or debit card from your iTunes account. I did, purely as a precautionary measure until this is sorted out.

The Next Web has been running a series of articles that detail how corrupt app developers have been using what they describe as “app farms” to hack into users’ accounts and purchase their own apps. Since the article was originally posted, the first developer mentioned, “Thuat Nguyen,” has been removed from the app store, but The Next Web is reporting several other suspiciously successful developers who may be running the same kind of scam. Several users are reporting unauthorized iTunes purchases in the comments.

Alexandru Brie first reported on his blog how his app (Self Help Classics) had lost its position in the top 20 in the books category to a group of “badly coded Vietnamese manga apps,” all but one without reviews, and all by the same developer, Thuat Nguyen. After being in touch with the app store team, and hearing from Phil Schiller himself that Apple was looking into the problem, Alexandru posted an update to his original story that highlighted several other suspicious developers in the top 200 apps in the books category.

In contrast, Arnold Kim wrote on MacRumors that the issue of hacked iTunes accounts is not new, and points to a running thread they’ve had open since January 2008. Kim notes that the Books category is one of the smallest, representing a tiny amount of sales compared to the millions of iTunes accounts.

Right now, there are a lot of unknowns, and some good reasons to be suspicious of how widespread the problem really is. We don’t know if the code of the app store has truly been hacked, or if the crooked developers have been using password guessing and targeting users with weak passwords. If the app store really has been “hacked,” then the strength of your password won’t matter, but I think this is unlikely. A brute force password-guessing attack goes after the weakest link: the users.

No matter how widespread the problem is, Apple should be taking it seriously. It is apparent that there are still holes in the curated “walled garden” and that the overall problem of the app store, the approval process, is still broken. How can these crooked, worthless apps get in, when some truly useful apps do not?

Post in the comments if you’ve seen any unauthorized charges on your iTunes account.