Let us suppose I am J. Random Black Hat Hacker, and I am in possession of a zero-day iPhone exploit.
How do I get it into lots of people's hands?
Solution: write an innocuous-looking amusement app (with the exploit buried inside it), get it past Apple's testers (this is the "some magic happens here" stage, but from what we're hearing they don't do a hell of a lot of testing), and once it's in the store, voila: "Gift This App"!
Note: the issue here is social engineering. Ordinary people take freebies, whether honestly come by or otherwise. Consider the penetration testing experiments where USB memory sticks with malware payloads are left in car parks outside office buildings; something like 40% of the sticks were shoved straight into a PC at work without any attempt to sanitize them. "Gift this App" can be used by bad guys to provide the illusion that their targets are getting something worth having for free -- the same illusion that 419 scammers exploit.
At the very least, developers should need prior approval before being able to use "Gift this App" -- or there should be a mechanism to warn recipients that the App is from a source not connected with them.
What's to stop me from doing this right now? "Here's a free app for you, click here, this link is only for you." It's not only for you, of course, but who checks to see if the URL has a real unique ID in it? (You could always add a "?gift-code=293874" at the end of the URL anyway, the server will probably just ignore it.)
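The weakness this comment describes, a server that never checks the gift parameter, set beside a hardened redemption path, as an added illustration (not code from the thread or from Apple): codes are random, integrity-tagged, bound to one recipient and one app, and redeemable once. The URL shape, the `gift-code` parameter name and the in-memory store are assumptions for the example.

```python
"""Gift-link redemption: the weak pattern (server ignores the parameter) next to
a hardened one (unguessable, HMAC-tagged, single-use codes bound to a recipient
and an app). Constructed example; URL shape and parameter name are assumptions."""
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlparse

# Constructed server secret for the example; a real service loads this from a secrets store.
SERVER_KEY = b"constructed-example-key-not-for-production"


def parse_gift_url(url):
    """Return the gift-code parameter from a link, or None if it is absent."""
    params = parse_qs(urlparse(url).query)
    values = params.get("gift-code")
    return values[0] if values else None


def weak_redeem(url):
    """The pattern the comment describes: the parameter is never verified, so a
    link with a made-up '?gift-code=293874' is treated exactly like a real gift."""
    return True  # nothing is checked


class GiftCodeStore:
    """Hardened pattern: each code is random, carries an HMAC tag over
    (nonce, recipient, app), and can be redeemed only once."""

    def __init__(self, key):
        self._key = key
        self._records = {}  # code -> {"recipient", "app_id", "redeemed"}

    def _tag(self, nonce, recipient, app_id):
        msg = f"{nonce}|{recipient}|{app_id}".encode()
        return hmac.new(self._key, msg, hashlib.sha256).hexdigest()[:32]

    def issue(self, recipient, app_id):
        """Create a gift code for one recipient and one app."""
        nonce = secrets.token_urlsafe(16)  # 128 random bits; not guessable
        code = f"{nonce}.{self._tag(nonce, recipient, app_id)}"
        self._records[code] = {"recipient": recipient, "app_id": app_id, "redeemed": False}
        return code

    def redeem(self, url, recipient, app_id):
        """Validate the code in a gift link for the account redeeming it.
        Returns (ok, reason)."""
        code = parse_gift_url(url)
        if code is None or "." not in code:
            return False, "missing or malformed code"
        nonce, tag = code.split(".", 1)
        # Constant-time compare of the tag before any state is touched; a code
        # forged, tampered with, or issued for another recipient fails here.
        if not hmac.compare_digest(tag, self._tag(nonce, recipient, app_id)):
            return False, "code not issued for this recipient and app"
        record = self._records.get(code)
        if record is None:
            return False, "code never issued"
        if record["redeemed"]:
            return False, "code already redeemed"
        record["redeemed"] = True
        return True, "ok"
```

Binding the tag to the recipient is what makes a forwarded or mass-mailed "this link is only for you" fail for everyone except the person it was issued to; the single-use record stops replay by the intended recipient as well.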
Many people proceed on the assumption that the sticker price on front of an item defines its value. If you price a widget at $199, they may look around to see if they can find it for $189 at a competitor's store, but they don't say to themselves, "hey, wait a minute, given the likely bill of materials, shouldn't this sell for $30?" They take it on trust that price reflects value, to a first approximation.
(Incidentally, this is a major problem facing the adoption of free software, because it works in reverse: "if it's free, doesn't that mean it's not worth anything? So why should I bother with it?" We know what's wrong with this argument, but many non-geeks don't.)
If you want to social-engineer an exploit, I'd say making it look as if the trojan is valuable is going to help more than making it look as if the trojan is free, because of the psychological association between cost and desirability.
(Hence all those "Your computer is at risk, buy our virus scanner now!" scams cluttering up your clueless cousin's web browser.)
If you're a serious criminal and you've found a way to empty someone's bank account via their iPhone, I'd say it was worth paying $10 per victim to get a better supply of victims by convincing them that your malware client is valuable and worth installing. Right?
I completely agree. Not only this, they should also let developers provide individual discount coupon codes for their apps the way you can do on your own website. We have users who are helping us with testing and we want to give them our apps at 50% or 75% off but there is no way to do it.
Good idea. Hard to keep developers from cheating and selling the discount codes or tying them to other purchases to reduce Apple's cut. Maybe developers would just obey the contract if it said you couldn't do that, and it could be tried and canceled if widely abused.
Just let them install the last beta, the RC which was submitted to the App Store. The only difference is that if they never bought it (or didn't use a code), they can't rate it on the App Store.
What they really should add is the ability to try an app for 24 hours. I think they would see sales go up dramatically for apps. I don't buy any software for my PC without trying a demo first; I should be able to do the same with my iPhone.
Android lets you "return" a full app within 24 hours for a full refund. You don't have to guess if it will do what you need, you can try it and see. I guess you are out 99 cents on your credit card for a day, though, which will probably annoy someone here.
It would help promote app discovery! And since the gifter would be paying for the app (just like they would if they gifted a song), the purchased app would then be allocated to the recipient's iTunes account.