Developer Finds Security Flaws in Apple’s News+ Magazine Service
Toggle Dark Mode
Apple’s new Premium News+ Service offers hundreds of magazines for a single monthly subscription, but it appears that strong copy protection is not among the benefits Apple has offered its partners.
While many expected that the magazine service would take advantage of Apple’s FairPlay Digital Rights Management — the same technology used for iBooks, Movies, and TV Shows — to prevent magazines from being copied and shared with non-subscribers, developer Steve Troughton-Smith has discovered that this is actually not the case.
Troughton-Smith notes that not only are the magazines not copy protected in any way, but in the case of PDF-based issues, Apple is preloading the first few pages — no doubt for performance reasons — even for those users who don’t subscribe to Apple’s News+ service.
While the nature of iOS precludes users from easily accessing the cached magazines, users on macOS would be able to extract them from the cache and rebuild the original PDF. Troughton-Smith refers to this as “kinda irresponsible” on the part of Apple, and adds that with a full subscription, there is nothing to prevent a user from accessing the entire source PDF of an Apple News Magazine and sharing it online.
While the original Texture service that Apple has built News+ on top of didn’t offer any kind of copy protection either, many expected that Apple would offer the same FairPlay protection it uses for iBooks to the magazine industry, providing them with better security for their content. That said, Apple chose to remove FairPlay DRM from music years ago, and has generally shown a reluctant to implement its digital rights management technology unless copyright holders demand it — something that book publishing, movie, and television industries clearly do.
Of course, magazine publishers offered up their content in Texture for years without any concerns for copy protecting their content, so it seems likely that this has never been a priority for them, and is therefore not something Apple likely needed to add. Most magazines are funded more by ads than subscriptions anyway, and have a limited shelf life beyond their publication date, so there’s little motivation for users to share them.
Still, Apple seems to have put very little effort into securing the News+ Magazine content it’s offering, with Troughton-Smith noting that there is a method to download an entire magazine issue, page by page, even for users without a subscription. Troughton-Smith demonstrates this by downloading a complete PDF of an issue of National Geographic
As a publisher, I would be pretty disappointed. There’s a comedy of errors here with things that would have been easily preventable, if anybody thought to consider them. Clearly, nobody expected anybody to look. Apple knows better; all of its other services use FairPlay & authSteve Troughton-Smith, via Twitter
While the methods for doing this aren’t easily accessible by the average user, Troughton-Smith’s point is that it would be very easy for a developer to create a tool — one that could be used by anybody — to effectively bypass the need for users to pay for an Apple News+ subscription to access specific content.
Whether this is an oversight on Apple’s part or something that publishers truly aren’t concerned with is an open question, however there are actually two separate issues here. The first — that downloaded Apple News+ Magazines live on the Mac in unprotected form — is probably not a very serious problem. The second issue, however, which allows anybody to download a magazine from Apple’s servers, even if they’re not an Apple News+ subscriber (or even an Apple News user), is something that should be of a lot more concern to both Apple and its publishers.