The security of Apple's iTunes App Store is in question this week, as reports surfaced over the weekend about large-scale compromises of customer accounts and efforts to game the company's application ecosystem for illicit profit. Props to The Next Web, which appears to have broken this story on July 4, forwarding reports about complaints from iTunes users that their accounts had been compromised and used to purchase applications through the App Store. iTunes users reported between $100 and $1,400 in illegal purchases from their accounts.
The plot thickened when The Next Web noticed that many of the applications were written by the same developers and, in fact, that those developers were laborers on larger app farms churning out hundreds of mostly useless (but pricey) programs to run on Apple mobile devices such as the iPhone or iPod Touch. The illicit traffic was enough to boost a couple dozen of the bogus apps to the top of the App Store's Books category.
According to reports, there are a number of wrinkles to this scheme. The most basic appears to involve compromised iTunes accounts being used to buy a series of applications from the same developer. Some of these were low-cost applications, but others were pricey, fetching $90 or more. In at least one case, according to The Next Web, a free application was used to broker bogus application purchases after it was downloaded.
Apple has yet to comment on the reports (TechWatch has a call in requesting comment and will update this post when we hear a response), but a few questions need to be answered:
First and foremost is the question about the origin of the breach. Has the iTunes App Store itself been compromised and, with it, account information on millions (hundreds of millions?) of App Store users? Or are criminal groups merely harvesting iTunes login information from the data of millions of individual consumers and reselling it to interested parties connected with the app farms?
The bigger question is how Apple will respond to address what is, if not a flaw in its App Store ecosystem, at least a truck-sized loophole. As in any marketplace, it's reasonable to expect that both sterling and shady vendors will set up storefronts. There's little that Apple can do to prevent that, though it might need to start policing its application providers more carefully, especially those with sudden spikes in traffic or commerce that seem otherwise inexplicable.