It would be obviously wrong and illegal for a stranger to come into your home, secretly inventory all physical items in your possession, and then impersonate you on, say, a global TV broadcast in which you're wrongly accused of stealing things.
It should also be obviously wrong and illegal for any app secretly to inventory everything in your phone and then impersonate you on a Twitter broadcast in which you're wrongly accused of pirating things.
Evidently, the people who made this dictionary app think it's perfectly legal to do that, and must not see anything wrong with it.
Our laws, regulations, and societal norms have a long way to go before they catch up with technology.
> Our laws, regulations, and societal norms have a long way to go before they catch up with technology.
Oh, that remains to be proven. Impersonating someone else to have them describe themselves as a criminal is pretty clearly legally actionable, both in a civil and criminal sense. There's every likelihood that the laws and regulations will work just fine. And judging by this post, societal norms are also working just fine to disapprove of the behavior.
The guy has come up with a new way to violate laws/social norms, to be sure. But that doesn't actually mean they aren't working. They are flexible enough to adapt to most new situations and this is certainly one covered by them.
Well, to continue the tortured analogy, the stranger was invited into the home, they didn't break in. Then they presented a release form to the homeowner saying they could impersonate him on TV, which the homeowner signed. Only then did they go on TV and "impersonate" him, saying things he didn't expect.
I don't think it's so cut-and-dry as you are making it out.
It's definitely shady, but I dare say there's nothing illegal here.
So the current social expectation of most twitter users (app developers take note) is that an app should not post content without informing the user that they are going to do so; or without affirmative action from the user indicating that they want the app to take that action. I've seen people get outraged by apps that post without warning often enough to think that doing so breaks a fundamental bond of trust.
So the granting of permission is conditional on that permission being used responsibly, and if the app fails to work without that permission and then breaks trust with its users in that dramatic of a fashion...
I know that I won't purchase or use any Enfour inc. product in the future on the basis of this; there's plenty of easier dictionary apps that won't falsely accuse me of piracy.
I don't see where he gave permission for the app to post Tweets for him. He gave it access to his Twitter account, but that's not the same thing. To continue your analogy, the stranger was invited into his home, gave him a form to sign that said he could inventory the items there, got it signed, and then proceeded to publish the information in a way that wasn't mentioned on the form.
> I don't see where he gave permission for the app to post Tweets for him. He gave it access to his Twitter account, but that's not the same thing.
It is exactly the same thing. If you give something access to your twitter account, you are giving it the ability to post, and therefore, tacit permission to post.
Ability and permission are not often linked like this in real life.
If I walk up and stand two feet in front of someone I have given them the ability to try to punch me in the face, I have not given them permission to do so.
If I utilize a computer repair service and I grant them remote access to a computer at their request I have likely given them the ability to run the equivalent to rm -rf /, but I have not given them permission to.
I can grant a friend access to my house by giving them a key; that does not mean I give them the permission to do whatever they want in my house.
In the above three cases there are legal consequences for a party when overstepping their permissions.
You need to see what the permission means within the behavior of similar permissions, and that is written in application guidelines for iOS devices. Here's one way that this app violates the guidelines, hence does something unexpected with the permission:
"17. Privacy
17.1
Apps cannot transmit data about a user without obtaining the user's prior permission and providing the user with access to information about how and where the data will be used"
Not really. The Twitter API allows both read-only and read/write access. iOS, as a system-wide grant, has read/write permissions - but apparently does not allow users to specify per-app permissions to be that granular.
Moreover, the app was apparently locking out paid users from any access at all unless permissions were granted, which in itself shouldn't have made it through Apple's vetting process in the first place (exception: twitter clients). The majority of apps will only need access to the "share sheet" for posting to twitter, which AFAIK doesn't require explicit permissions (similar to sending an email; the user must hit send)
I don't know since I don't use the app; from the description given in the blog post it seems highly doubtful that the app specifically told him it was going to post to his Twitter account on his behalf without telling him.
Also the app appears to be in violation of the iOS guidelines (see another post upthread), which means that it is not generally understood that apps can post on your behalf without telling you just because you give them access to your Twitter account.
I would claim that you are mistaken here. IANAL, but I'm fairly sure there is actionable bad behavior going on.
You may find it surprising but it is actually illegal to trick someone into agreeing to something that harms them. You can't just say "Can I do this to you" if the person you're doing something to can't reasonably be expected to know the implication of "this". That's why we use phrases like "informed consent".
I believe the user agreed to access to his TV channel, and not that he could be impersonated on TV. Maybe that was in the fine print, but I'm pretty sure nobody would sign this agreement knowing such impersonation was an option.
> Our laws, regulations, and societal norms have a long way to go before they catch up with technology.
I wouldn't say that what this app is doing is within societal norms. Just like laws, societal norms get broken, which is what happened here. The publisher will suffer consequences (both from Apple and potential customers), as they should.
Your analogy should be narrowed according to the facts of this case. Assuming that the author's guesses about the app's behavior are correct, this is a case of software checking for one specific tool — a tool that's strongly associated with piracy. A defendant in the physical world wouldn't necessarily have a reasonable expectation of privacy if there were indications that he or she was engaging in unlawful conduct. So it's unfair to say the app's behavior would be obviously illegal or that it's comparable to a secret inventory of all of someone's physical items. That said, I'm not justifying the hijacking of the author's Twitter. That's not an appropriate remedy by any standard.
It's one thing to have other people learn that you own a crowbar. It's another thing to have someone else declare, using your name, that you've used that crowbar for breaking into houses.
Most likely, their "piracy detector" was nothing more than checking for "MobileSubstrate" (a library present in all jailbroken phones) under the silly assumption that jailbroken = pirated.
Booby trapped software is NEVER a good idea. No matter how clever you think you are, you're not clever enough.
That sounds good, as long as you don't go on the internet and talk shit about the user if it is detected.
Popping a message like this would be good: "Sorry, this section of the app is incompatible with IAPCracker. Please contact support if you have received this message in error."
The users will still post on your forum and claim they don't know what iapcracker is, and argue incessantly despite having crash reports that logged it in memory.
Jailbreaking and installing those hacks is difficult enough that your losses from it are likely to be low. So the question comes down to what your motivations are. Money-wise, it doesn't make much sense to tack on any more anti-piracy measures than there are already. You'd effectively be working for pennies designing and implementing your schemes with the amount of revenue they'd likely generate vs your losses from goodwill in the inevitable anti-piracy screw ups.
Personally, I prefer the pragmatic approach to the idealist. It's far less stressful.
Well he didn't disable the app and he also didn't say something that wasn't technically true.
> How about we all stop using pirated iOS apps? I promise to stop. I really will. #softwarepirateconfession
If you have a jailbroken iPhone, odds are that you did so to pirate "iOS apps" and are hence a "software pirate". That sentence looks like it was carefully crafted to be correct and generalizable.
This is probably not good for the dev's PR though, because accusing customers of being criminals doesn't go down too well (Music/Film) - unless of course you are a lawyer (MPAA/RIAA) - then you make fat stacks.
I have a jailbroken phone and I don't use it to pirate. Cydia is an alternate app store for apps that Apple rejected. Jailbreaking is also a step to unlocking, which allows me to use my phone with my Softbank account when I travel to Japan. For those that fit these categories and use this dictionary app, the author has stepped right into the legal minefield of libel.
Collateral damage is not a justification for this.
I have a jailbroken iPhone, because I want SBSettings and Winterboard. That's it. I want to be able to skin my phone the way I want (it's mine, after all), and I want quick access to things like brightness and wifi on/off that doesn't require jumping through multiple menus in the Settings app.
Even if both are true, the app still may not have been pirated. I wouldn't take any action based on this information beyond perhaps gathering statistics (and keep in mind that those statistics could be way off).
Apple explicitly suggests an exit(173) if the certificate check fails for Mac App Store apps.
Although I've definitely had non-pirate users report this error to me because they've dragged and dropped the app onto another machine instead of reinstalling from the App Store -- so you're right, it's not a guarantee that they're a pirate in an absolute sense.
Apple suggests it for Mac apps because you can copy a purchased app to another computer manually, and the exit(173) signals the system to go do an authorization check and re-authorize that copy to run on its new computer if it passes. iOS has no equivalent mechanism.
You can normally read from outside the sandbox on iOS: there are data in /usr/lib and /usr/share that are important to libraries shipped as part of the dyld cache (also incidentally found outside of the app container.)
The main question is: what exactly lies outside the sandbox? A good thing to search for could be Cydia, but there are alternative package managers. MobileSubstrate isn't a sure bet either, but I suppose it's a far cry safer than Cydia. An additional method could be trying to map a page you can both write to and execute, which should fail unless specific kernel patches indicative of a jailbreak have been applied (or you're a webview with Nitro enabled.)
The best method, however, is to not care, because if you do it's for the sake of either tracking/analytics or screwing over your users.
The files you're reading are already cached by the OS (to perform the exact same work). The only processing involved is computing hashes and a small RSA encryption.
Booby trapped software. Very clever, except for when it blows up in your face.
At least they only posted to twitter instead of [1] something a lot worse (think file deletion, etc).
Generally a bad idea, if you're of the leet warez d00d type, to give any illicitly acquired app your credentials to anything important, at least until you've verified that it's safe.
The armchair lawyer in me wonders if someone could get a libel/defamation suit going because of this. The average user wouldn't probably have much to go on, but the head of a company perhaps.. yikes.
No, that's exactly what that particular permission is (from a technical standpoint). What's at issue here is that the tweet the software generated wasn't exactly an authorized use of the account.
> What's at issue here is that the tweet the software generated wasn't exactly an authorized use of the account.
Which means that, regardless of the technical point that "access to the Twitter account" gives the app the ability to post, the user did not give the app permission to post.
Something we see discussed on occasion is a call for app developers to explain in detail why they request certain permissions. If this developer were required to explain (and the user required to acknowledge) the requested permission, it may have prevented the whole episode.
No it wouldn't have. The app required permission, or he couldn't use the thing he paid $50 for. This is a (stunning) app store review failure. A dictionary app that requires permission to post to your twitter should be rejected, period.
Yeah, if they're going to put honest developers through bullshit and make them delay releases to change their apps according to the arbitrary whims of the reviewers, you'd think they could at least catch something like this.
Not that surprising a failure to me. You'd only see the behavior on a phone that tripped their check for piracy. As long as the Apple reviewer didn't use such a phone, no obnoxious behavior.
I am sure that Apple has a standard checklist, and am not surprised that this is not on it.
The fact that the developer would only allow the app to run if the user granted access to their twitter feed would be very annoying to me. This scenario is exactly what Apple tried to help users avoid with Twitter permissions. I understand the developer's wishes to stop piracy - but this is the wrong way. Simply checking for Installous is an incredibly lazy hack to check for piracy.
"I would add that this problem seems to be happening with many, if not all of the Enfour dictionary apps, not just the Oxford app that this story is about. And Enfour seems to be attacking customers who post low reviews on their App Store pages.
And this has nothing to do with having a jail broken iPad or iPhone. It is happening to everyone."
".. Enfour is attacking people leaving bad reviews in the App Store, but not by triggering their Twitter accounts. Enfour is actually responding to the bad reviews by posting negative comments about the reviewers themselves on the description pages of Enfour’s apps. You can see these when you access the iPad store, but you have to click “more” for them to appear. I don’t think they show up in the iPhone app store."
"Bug" my arse...someone was trying to prove a point / make a statement and it bit them. Hard.
They will have to do some heavy backpedaling for me to believe it was a bug. I'm a developer. I've created bugs and fixed bugs. This is not a bug. This is a "feature".
No, you see, triggering it for a legitimate user was a bug. In other words, they are unrepentant for including this feature in the first place, even though it's totally scummy and possibly illegal even when targeted at someone who really did pirate the software.
It may well have been a "fun thing" they added in there, but never intended to release to the public. The "bug" could well have been that it was enabled in the public release.
So, it's a feature, but the bug could have been that it was unintentionally 'enabled'.
What a repulsive link. Those images are really distasteful.... Not the pregnancy part but the staging of it. As if your entire being revolves around your stomach, and therefore so should everyone else's.
Sorry, I'm sensitive to this kind of thing. As if her life suddenly has meaning, so now she has to compensate for all the lost time. Congratulations, though.
What a repulsive reaction. This is how babies are made (albeit not with the "stomach", sigh...). Your mother looked like that too, and might very well have a few shots like this in a flip book somewhere waiting to horrify you.
And what's wrong with "staging" a photo? Pregnancy is a pretty big deal, some people feel it's worth celebrating. I don't see anything wrong there at all.
Good job. I came to this thread ready to crucify this woman and her company based on their unbelievably bad design decision. Now I feel like I need to defend her from sexist creeps...
Oy, I should have known better :) I know how pregnancy works, and I'm not repulsed by that in and of itself at all. My younger brother was born at home so I have experienced it quite closely. Further, I hope to have several children myself one day, being present at their birth and all that follows. The biggest fear in my life, and I mean that with every cell in my body, is that this won't be realized for one reason or another.
I'm sorry if I offended you guys, especially the poster (I see why you picked the link, and it's totally fine with me). I know how this seems like another excellent example of "HN going downhill with rudeness".
To clarify my post: The article seems entirely lacking of substance with fluffy self-helpy answers, with no point but for her to needlessly glorify her pregnancy. Further, it fits with a recent fad, by "helping" you making that old-school-biological-baggage of yours fit with your fast paced modern lifestyle, a subject I really do not appreciate as the articles regarding it are, as the piece in question exemplifies, usually just fluff for pageviews. "How to cook excellently in 3 min", "How to raise a family and be a CEO" etc...
My point regarding self esteem, stems from the third photo. There is no reason for you as pregnant woman to wear a bellyshirt, unless you're desperately attempting to call attention to yourself. I feel it does it overly so, which I trace to some insecurity in other areas of life. When I see stereotypical behaviour like that, I have a need to call it out. Perhaps to feel superior and establish my dominance or whatever....
(Of course she could be wearing it because the photographer asked for it. For the staging part. To me, it looks unnatural and stupid if that is the case, leading back to the aesthetics part)
I thought of deleting my post, as I did not want to make anyone's day worse but this is indirectly a discussion about me, and, as such, an opportunity for me to learn more about myself, how I should improve. Social life hacking if you will. Please flag the post, if you feel it is the right thing to do, though.
Sorry everyone, at least I sparked some discussion, making up for the poor form through this post I hope.
> Further, it fits with a recent fad, by "helping" you making that old-school-biological-baggage of yours fit with your fast paced modern lifestyle, a subject I really do not appreciate as the articles regarding it are, as the piece in question exemplifies, usually just fluff for pageviews. "How to cook excellently in 3 min", "How to raise a family and be a CEO" etc...
We live in a day and age where in order to make ends meet, both parents need to work. Not only that, but some women actually have aspirations outside of just being a mother and they have every right to do so. If women need to make blog posts about shortcuts they've found in order to streamline their lifestyles, so be it. This woman's blog is also probably how she connects with family and friends, not a place for some random passerby to make a judgment on her life.
Moreover, pregnancy is a huge ordeal mentally, physically and emotionally. In the grand scheme of time, it's also relatively recently that we've been able to ensure you won't die from it. Some people find giving birth to be the very purpose of life, so she has every right to "glorify" it.
Ok, to me, a bellyshirt seems to have two functions: Comfort and/or as a device to appear more attractive, perhaps explicitly so. Attractiveness is understandably important to her (It's not like pregnancy makes you not-human), but to me, a belly shirt at least borders on being a sexual incentive, which is why I feel it is out of place. Comfort could indeed be the answer, and if that is the case, well, alright, my analysis was bullshit. (I would try to keep my baby warm, but I guess it can get pretty hot in Japan)
Sorry. I only linked that because it is the first thing that came up in my google results and offers a fairly credible level of "proof" (since it has her name, photo, and the company's name).
If she had something more professional I would have linked that and will happily edit my post with something like a LinkedIn profile or similar. I wasn't trying to embarrass or show up their spokesman, she just Tweeted from a non-company twitter account and frankly she could have been "anyone." So I wanted to verify that this person could speak for that company and share my findings.
I think the jab was more about making a deliberately inflammatory statement like that, on a complete tangent to the discussion, based on what seems to be a clear distaste of the whole concept of pregnancy, and then misidentifying the organ involved.
Yes, you can get away with calling a uterus a "stomach" in some contexts. If you're going to flame about it, get it right.
Yup, as the deleted poster explained, I just used stomach to describe the general area. Belly would perhaps have been more precise. I try my best but I am a foreigner, and that has its price (I suck at commas as well).
They're using iOS's built-in Twitter functionality, which I believe Twitter sees as simply coming from iOS. Twitter might possibly have a way to block this stuff, but I don't believe it shows up as a separate authorized app for the users to deny.
Apple needs to burn these people to the ground as an example to others. Pull their apps, refund their customers, and ban them from all Apple platforms for life. If Apple doesn't severely punish this sort of thing, then just what good is their fancy walled garden?
That is exactly what I was trying to imply. Apple and Apple fans are constantly telling us that the walled garden is for our own good. If Apple doesn't take severe action here, then they'll be all but admitting that our protection has nothing to do with it.
A walled garden may do a perfect job of keeping rabbits from eating crops. Yet despite completely fulfilling its purpose, it still can't prevent vegetables from rotting.
Well, they've been, illegally, pursuing their own interest exactly as the people using the app without paying. I don't see anything excessive here; I'm not saying that I justify them of course.
It's distressing to see such colossally poor judgment on the part of Enfour. Besides developing the ODE app from TFA, they also produce the American Heritage Dictionary app, which is one of the better if not the best name-brand dictionary app for iOS. I would like to support this app because I don't care to see the professionally edited dictionary go the way of the encyclopedia, but nonsense like this is hard to pardon.
I don't have this particular app, but I have Longman's Dictionary of Contemporary English (5th ed.), also by Enfour, Inc. that I bought last year for, I don't remember, $50 I think (at the time, now they've dropped the price).
The latest version displays "I'm a software thief" as a notification, says to run the app in safe mode and then crashes.
I've got Collins Gem Malay <-> English dictionary, which requests Twitter access, then when denied throws up a dialog saying 'Run in Safe Mode!' and crashes.
This is just the kind of thing that comes along with the philosophy that the user shouldn't be the ultimate owner and controller of their computer.
Why isn't the app given an opaque 'twitter handle', which may be a real account, a no-op, or has a moderated posting ability? And why is the app allowed to view general properties of the system, looking for system software which it deems unfavorable?
Because Apple decided that instead of implementing the above security features (and giving their UI designers the task of making such capabilities understandable and non-overwhelming), they would simply only allow "good" apps. Well guess what - "good" doesn't scale.
Sloppy effort on behalf of the developers. Andreas (author of the blog post) was right to deny it permission to use his Twitter account the first few times but gave in eventually because of the nagging.
If there was a way to see expanded permissions before allowing a program to update perhaps he would have not updated at all?
The short, glib answer is that if you have to ask why you would want to pay for a dictionary, then you aren't the kind of person who needs to pay for a dictionary.
The long answer is that good dictionaries, such as American Heritage Dictionary, the Shorter Oxford English Dictionary, and the OED itself, are produced by scholars and experts, guided by editorial panels comprised of scholars and experts, require a great deal of work to produce (the first edition of the OED took something like 71 years to complete!), and contain more data (i.e., more words and more definitions per word) and generally higher quality data than free dictionaries. You're probably willing to pay $50 for software that solves your problems, because you probably make software yourself, and you know that it costs money to create software; an analogy can be made here. But if a barebones dictionary works for you, then it works for you, and don't worry about it.
So what is a good dictionary? Here's a tentative answer. A good dictionary provides pithy, useful definitions that reflect the words' differing meanings over time and differing contexts. Most good dictionaries also provide style and usage guidelines (e.g., "When should I use 'lie' and when should I use 'lay'?"), and a good dictionary will also provide a word's etymology. Many free dictionary apps use data from WordNet, which is an amazing resource, but its focus is on tagging words with taxonomic properties (sorry, a better phrase isn't coming to me right now) and defining the relationships between those words, all of which is very useful for general linguistics and NLP research. The quality of the definitions falls short, and you should be able to confirm this by comparing just about any WordNet definition to a definition from a good dictionary at your library.
I was hoping to find a better example, but to give yourself an idea of the research problems that can be solved with a good dictionary, consider reading this brief student's guide to using the OED:
For those living in the UK, it's probable that you can access the online master OED through your local council's library web site, using your ridiculously long library card number as username.
It's probably a bit much, but I'm going to go ahead and say...
It seems somehow fitting that a company which feels entitled to $50 for a dictionary app would also feel entitled to commandeer a supposed pirate's Twitter account for public embarrassment or do something equally smug [1].
From what I understand, piracy on iOS isn't an issue. The only place where it's really significant is China. And there are two points to keep in mind there:
1. Stopping piracy of a single app in China is very unlikely to result in increased sales of that app.
Well, what makes something an issue? There is certainly piracy on iOS... people jailbreak their phones and then pass around ipa files on the standard piracy sites.
I'd say it is similar to piracy on game consoles. It exists but you need to do something unusual to enable it, so most people don't do it.
Right. It happens, but that's not the same as being an issue. In terms of a developer efficiently using their time, chasing after the <5% of your users who pirated your app, and who in all likelihood only heard of your app because it was one of the ones they found on a piracy site, is not a good strategy.
I suspect that piracy works along the line of "product quality" / "ease of pirating a product". $50 apps and most eBooks have it a lot harder than $1 songs, even if their quality relative to their genre is the same.
Apps posting tweets without consent of the account owner is a violation of the Twitter rules [1]
Get users' permission before sending Tweets or other messages on their behalf. A user authenticating through your application does not constitute consent to send a message.
They are all similar: they are dangerous when gone wrong, damage your brand, expose paying customers as if they were sad idiots and - at worst - ensure that they are ridiculed on support boards even when they have an actual problem.
Implementing such a system shows that either the programmer or the project owner in question is a smartass that thinks of himself as more infallible and better than all the others that programmed such systems that subsequently went haywire. Sorry for the harsh words, but after being bitten multiple times by such schemes, I have no nicer ones.
This is why I think every API which gives an app access to your data / identity / etc should have a way to fake it, and track whatever it does. Using a different account is sufficient, but what about when things are integrated, like system-wide Twitter or Facebook? Just give us a black-hole option for such things - return no contacts, send no messages, and let us see what it tried to do. You'll have a lot less abuse when it's easy to find.
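Added example (not part of the thread, and not Apple's or Twitter's API): a sketch of the per-app "black-hole" / opaque-handle idea proposed in the comment above and in the earlier comment asking for an opaque "twitter handle", next to the read-only vs. read/write split mentioned upthread. All class and function names are hypothetical; the account and the app's behaviour are constructed, and the tweet text is the one quoted earlier on this page.

```python
from dataclasses import dataclass
from enum import Enum

# Tweet text as quoted in this thread.
TWEET = ("How about we all stop using pirated iOS apps? "
         "I promise to stop. I really will. #softwarepirateconfession")


class Grant(Enum):
    DENIED = "denied"          # app is told the user refused
    BLACK_HOLE = "black_hole"  # app is told "granted"; nothing leaves the device
    READ_ONLY = "read_only"    # real reads, writes refused
    MODERATED = "moderated"    # writes wait for the user's approval
    READ_WRITE = "read_write"  # the all-or-nothing grant the thread describes


@dataclass(frozen=True)
class AuditEntry:
    app_id: str
    action: str
    detail: str
    outcome: str


class Account:
    """Constructed stand-in for the user's real account."""

    def __init__(self, timeline):
        self.timeline = list(timeline)
        self.sent = []


class AccountHandle:
    """Opaque per-app handle; the app never touches Account directly."""

    def __init__(self, app_id, grant, account):
        self._app_id, self._grant, self._account = app_id, grant, account
        self.pending = []  # moderated posts awaiting the user
        self.audit = []    # everything the app tried, for the user to review

    def _log(self, action, detail, outcome):
        self.audit.append(AuditEntry(self._app_id, action, detail, outcome))

    def is_authorized(self):
        # A black hole answers "yes", so an app that refuses to run without
        # access cannot tell it apart from a real grant.
        ok = self._grant is not Grant.DENIED
        self._log("check_access", "", "granted" if ok else "denied")
        return ok

    def read_timeline(self):
        if self._grant is Grant.DENIED:
            self._log("read_timeline", "", "refused")
            raise PermissionError("no read access")
        real = self._grant is not Grant.BLACK_HOLE
        self._log("read_timeline", "", "real" if real else "empty")
        return list(self._account.timeline) if real else []

    def post(self, text):
        if self._grant in (Grant.DENIED, Grant.READ_ONLY):
            self._log("post", text, "refused")
            raise PermissionError("no write access")
        if self._grant is Grant.BLACK_HOLE:
            self._log("post", text, "dropped")
        elif self._grant is Grant.MODERATED:
            self.pending.append(text)
            self._log("post", text, "queued")
        else:
            self._account.sent.append(text)
            self._log("post", text, "sent")
        return True  # identical answer whether sent, queued or dropped

    def approve(self, index):
        """User-side action: release one queued post to the real account."""
        text = self.pending.pop(index)
        self._account.sent.append(text)
        self._log("approve", text, "sent")
        return text


def run_untrusted_app(handle):
    """Constructed app: insists on access, reads, then posts without asking."""
    if not handle.is_authorized():
        return "refused to run"
    handle.read_timeline()
    try:
        handle.post(TWEET)
    except PermissionError:
        return "post refused"
    return "ran"
```

Under `BLACK_HOLE` and `MODERATED` the app sees the same return values as under `READ_WRITE`, while the audit list shows the user exactly what it attempted.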
This is a disgusting abuse of user trust! It makes assumptions about other software and posts insinuations about you on your own twitter account!? I hope they have repercussions enough to make others considering this either think twice or be very upfront about what it intends to do.
I'm a fan of privacy so I don't understand the draw of twitter beyond the original purpose of broadcasting a message to a known list of people. Perhaps even 1-way followers if you add in celebrity types as tweet sources.
I guess the tipping point is the 'tweet back' feature. At its worst it seems like a narcissistic 'I want to have public conversations with another individual.'
If twitter id's were all anonymous I suppose it's no worse than a forum like this except that the content is most likely far more personal and far less technically valuable. I use HN to keep up on the latest technology and to some extent business trends.
One example use case I saw recently in my circle of friends: person A tweets "wow, there's a great special on sashimi bowl at the place near the university", person B tweets back "@a hey, I'll be in the area Friday, how about we go for lunch? anyone else interested?", person C (common friend) sees the conversation and tweets "@a @b hey, I'll go too". Finally a group outing is quickly organized.
Mostly I see it used for quick conversations, funny remarks, organizing small events, saying when you're going for a trip...
An example: DJB posted something about why crit-bit trees are superior to hashes, I replied asking about cache-issues with crit-bit trees and he responded back with information about how to make crit-bit trees cache aware.
That is a very useful public conversation to have; indeed 20 years ago it could have happened on usenet.