Without Proper Code Validation, Mac App Store Downloads Are Easily Bootlegged

Copy the App Store receipt from any legit Mac App Store download — including from any free app — and paste it into a bootleg download of Angry Birds, and it’ll run.

This isn’t true for all paid Mac App Store apps. For apps that follow Apple’s advice on validating App Store receipts, this simple technique will not work. But, alas, it appears that many apps don’t perform any validation whatsoever, or do so incorrectly, like Angry Birds. (Angry Birds checks for a valid receipt, but doesn’t check to see that the bundle ID for the receipt matches its own bundle ID.)
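To make the difference concrete, here is an added illustration (not code from the post or from Rovio) of the two checks in Python, operating on receipt fields that are assumed to have already been extracted from the receipt's signed payload; the bundle identifier, version and device GUID are constructed placeholders:

```python
import hashlib
import hmac

# Constructed placeholder values for this example; a real app uses its own
# bundle ID, CFBundleShortVersionString and the machine's primary MAC address.
APP_BUNDLE_ID = "com.example.angrybirds"
APP_VERSION = "1.0"
DEVICE_GUID = bytes.fromhex("0123456789abcdef0123")


def receipt_hash(guid: bytes, opaque: bytes, bundle_id: str) -> bytes:
    """SHA-1 over GUID || opaque value || bundle ID, the device-binding hash
    Apple's receipt validation guide tells apps to recompute."""
    return hashlib.sha1(guid + opaque + bundle_id.encode("utf-8")).digest()


def make_receipt(bundle_id: str, version: str, guid: bytes,
                 opaque: bytes = b"\x01\x02\x03\x04") -> dict:
    """Build the decoded payload fields of a receipt (signature assumed verified)."""
    return {"bundle_id": bundle_id, "version": version, "opaque": opaque,
            "hash": receipt_hash(guid, opaque, bundle_id)}


def weak_check(receipt: dict) -> bool:
    """The check the post attributes to Angry Birds: a well-formed receipt is
    present, but nothing ties it to this app or this machine."""
    return all(k in receipt for k in ("bundle_id", "version", "opaque", "hash"))


def strict_check(receipt: dict, bundle_id: str = APP_BUNDLE_ID,
                 version: str = APP_VERSION, guid: bytes = DEVICE_GUID) -> bool:
    """Apple's advice: the receipt must name this bundle ID and version, and its
    hash must match one recomputed with this machine's GUID."""
    expected = receipt_hash(guid, receipt.get("opaque", b""), bundle_id)
    return (receipt.get("bundle_id") == bundle_id
            and receipt.get("version") == version
            and hmac.compare_digest(receipt.get("hash", b""), expected))


if __name__ == "__main__":
    own = make_receipt(APP_BUNDLE_ID, APP_VERSION, DEVICE_GUID)
    # Receipt copied from a free app on the same Mac: passes the weak check only.
    borrowed = make_receipt("com.example.freeapp", "2.3", DEVICE_GUID)
    # Receipt for the right app but copied from another Mac: GUID hash fails.
    foreign = make_receipt(APP_BUNDLE_ID, APP_VERSION, bytes(10))
    for name, r in (("own", own), ("borrowed", borrowed), ("foreign", foreign)):
        print(f"{name}: weak={weak_check(r)} strict={strict_check(r)}")
```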

Apple should test for this in the review process, and reject paid apps that are susceptible to this simple technique.

Thursday, 6 January 2011