Apple pulls a ‘BP’ in responding to App Store hack

analysis
Jul 7, 2010 | 4 mins

In the wake of the iTunes security breach, Apple takes a page out of BP's "emergency response" manual

Apple has responded to press inquiries about the hacking of iTunes user accounts and fraudulent purchases made through its App Store, but the company has yet to come clean about the extent of the incident or the pressing questions it raises about the security of its application ecosystem.

We wrote about this incident yesterday, citing reporting from The Next Web, which broke the story on Saturday, July 3. The update, as of Wednesday, is that Apple has acknowledged the compromise. In an email response to Tech Watch, Trudy Miller, an Apple spokesperson, said that the company has removed “the developer Thuat Nguyen and his apps” from the App Store “for violating the developer Program License Agreement, including fraudulent purchase patterns.”

[ See Paul Roberts’ original post: “iTunes hack spotlights shady ‘app farms’.” ]

Miller assured Tech Watch that “developers do not receive any iTunes confidential customer data when an app is downloaded,” though we hadn’t posed the question to the company. However, there was no direct response to the question we did ask: What was the source of the breach?

There are a couple of possibilities. One is that Apple’s own servers were compromised, yielding login information for iTunes accounts that were then harnessed to buy bogus apps. The other possibility, of course, is that credentials were harvested directly from the hundreds of millions of iTunes users via spam or phishing campaigns, then resold to enterprising app developers. Price your piece of worthless iPhone warez at $25, $50, or $150, or charge for dubious “in-game points,” as was the case with many of the suspect apps, and you don’t need many scalps to realize a good payday.

Whatever the case, Apple is silent on the issue of the source of the breach. As to the size of the breach, there are differing reports. One from Fox and Friends (huh?!) anchor Clayton Morris says that Apple has confirmed 400 accounts breached. The Next Web says it counts more, based on comments to its stories on the breach — an imperfect tally, at best, but one that suggests the breach could be much larger.

No matter: Apple is channeling BP CEO Tony Hayward, by noting that the size of the breach is dwarfed by the size of the App Store user base — 400 accounts is less than 0.0003 percent of iTunes’ 150 million users — just as Hayward suggested that the volume of oil released by Deepwater Horizon was dwarfed by the total volume of the Gulf of Mexico.

Finally, Apple is silent on the issue of “app farms,” which The Next Web rightly points out is the bigger question. Even with Thuat Nguyen’s applications removed, The Next Web notes that many similar bunches of suspect or worthless apps seem to be selling quite briskly; it also suggests there could be widespread gaming of the App Store ecosystem by fraudsters or unscrupulous “software” firms that have tapped into the iPhone gold mine.

This raises important questions about the ability of Apple to vet new application submissions and to monitor transactions across its network to spot bad, er, apples. As long as fraudsters can game the App Store and dominate different application categories with illicit purchases, legitimate developers will suffer — both in missed attention and from increasingly suspicious consumers.

As for redress for affected iTunes users, many of whom have incurred charges of hundreds of dollars, Apple said users can appeal to their credit card company to have the charges reversed and — oh yeah — change your iTunes password.

Apple has always been a bit prickly when it comes to responding to security questions about its products, and this incident shows the company in true form: saying little and volunteering less. We’d be hard pressed to argue that the lack of transparency has hurt the company, which recently surpassed Microsoft as the most valuable software company in the world. But if past incidents are any guide, Apple would do well to come clean with what it knows about the breach and take concrete steps to plug the holes that this incident has exposed, lest it die the death of a thousand cuts as more affected users step forward, corrections are issued, and faith and trust in the company diminish.

This article, “Apple pulls a ‘BP’ in responding to App Store hack,” was originally published at InfoWorld.com.