Newsflash: How to fuck up 40 million USD – The New York Times paywall and its iPad app

This will be a story in development, which is kind of funny taking into account the target in question. I might be wrong on all this but my instinct is telling me that I’m not.

After the Contract Killer post I got very much interested in verifying this kind of implementation in other apps. This morning it flashed into my mind to check what happened with the NY Times app. The so-called paywall was implemented very recently, although very ineffectively, judging by quite a few hacks around it and some articles questioning the $40 million investment in this system. If the web implementation has problems, I thought that the apps could also have some, so it’s time to research.

As usual I disassembled the binary and started looking around to get a general view of the implementation. GDB seems to have problems disassembling the binary (alignment issues?) because it doesn’t correctly recognize the instructions 😦.
Anyway, after flagging some interesting methods and executing some initial tests, I remembered to verify how the articles were stored inside the app. Well, they are inside a sqlite3 database and to my surprise, all articles are downloaded in full! I did a database dump and could find all restricted articles, with full text. I need to have at least one more day to verify if more issues will be downloaded in full. I would dare to say YES!

What needs to be done is to bypass the two protections: allow scrolling to other pages inside each section (you are restricted to the first page inside each section) and allow reading any article inside the restricted sections (a registration-required pop-up appears and you can’t read everything or change pages). As a bonus, it should also be fun to remove the ads (and the damn usual spyware analytics).

Once again, there is blind trust in the app. OK, I have to concede that the vast majority of iOS users don’t have their devices jailbroken, BUT they can still access the filesystem, grab the sqlite3 database, parse it and voilà, game over. This is a bad security model! And it’s not that hard in this case to control the data that is sent to the legit subscriber and to non-subscribers.
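
The point above about controlling what is sent to subscribers and non-subscribers, as an added sketch that is not part of the original post or the NY Times code: the server decides per request which article bodies leave it, so the database cached on the device never holds restricted text for a non-subscriber. The token format, key, section names and field names are all assumptions made up for the illustration.

```python
import hashlib
import hmac
import time

# Constructed sample data; key, section names and fields are assumptions.
SERVER_KEY = b"demo-key-kept-only-on-the-server"
FREE_SECTIONS = {"top-news"}
ARTICLES = [
    {"id": 1, "section": "top-news", "title": "Free story", "body": "Full free text."},
    {"id": 2, "section": "business", "title": "Paid story", "body": "Full paid text."},
]


def issue_token(user_id, expires, key=SERVER_KEY):
    """Issued by the server after it has checked the subscription itself."""
    msg = f"{user_id}|{expires}".encode()
    return f"{user_id}|{expires}|{hmac.new(key, msg, hashlib.sha256).hexdigest()}"


def is_subscriber(token, now=None, key=SERVER_KEY):
    """True only for an unexpired token carrying a valid server MAC."""
    try:
        user_id, expires, mac = token.split("|")
        msg = f"{user_id}|{expires}".encode()
        expected = hmac.new(key, msg, hashlib.sha256).hexdigest()
        valid = hmac.compare_digest(mac.encode(), expected.encode())
        return valid and int(expires) > (time.time() if now is None else now)
    except (AttributeError, ValueError):  # missing or malformed token
        return False


def build_sync_payload(articles, token=None, client_claims=None, now=None):
    """What the server returns for the app to cache; client_claims is ignored."""
    entitled = is_subscriber(token, now)
    payload = []
    for a in articles:
        item = {"id": a["id"], "section": a["section"], "title": a["title"]}
        if entitled or a["section"] in FREE_SECTIONS:
            item["body"] = a["body"]
        else:
            item["locked"] = True  # restricted text never leaves the server
        payload.append(item)
    return payload
```

With this split, a flag flipped inside the app only changes what the app tries to display; the text it would need was never downloaded.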

Back to the disassembler and debugger. Let’s find out whether I’m wrong or not on this.

P.S.: No, it’s not an April Fools’ joke.

My theory was correct and I am now able to read and browse all articles. The protection is more or less like in most Mac applications: a boolean flag.
There are still some issues, for example in some sections I have to change the iPad orientation to be able to browse the available articles. Nothing special, and nothing that can’t be fixed by wasting some more time messing around with code. I am a bit disappointed with this implementation; it is really weak and not well thought out. NY Times doesn’t seem very interested in having a tight paywall. The method to patch has a suggestive name. Nothing else to see here. Next!

Update #2:
There is a new version of this app. The old version still works and downloads all the articles. I have tried to patch the new version with the same trick but some articles are deleted (the database is empty for those). Without any patch, the articles are still downloaded in full, so most probably there is an additional protection somewhere. Oh well, these guys don’t even make it fun. The paywall seems to be just an excuse for something. Another interesting result: refresh the articles with the original binary, then replace it with the patched binary and voilà, all articles in full, with the bonus that scrolling between all articles works without any further patch!