A day or two ago, a user came forward with a dialog in which Downie threatened to delete random files on their computer. As this has caused a wave of uproar, I have decided to address it in this blog post.
I’ve always believed in transparency and have always tried to be as open about everything as I could be – be it privacy, how I operate, etc. I know that this past incident has undermined my credibility and has caused many to question whether they can trust me, but I am writing this with the best intentions to be as forward and transparent as possible.
Let me say upfront that no one’s data was ever in jeopardy: it was just a message, and Downie neither accessed nor deleted any data.
I deeply apologize for this entire incident. There is no excuse for it, and as of now the most recent Downie build already has all of this removed. I ask for your forgiveness; if I could go back in time, I would never have done something like this. It was a mistake, it was immature and irresponsible, and I am fully and painfully aware of this.
I would like to go into more detail below as to what led to this particular moment, from my initial motivation to a detailed explanation of what exactly Downie did. I fully understand that you may read each sentence with a smirk and wonder why you should trust anything I have to say, but all of this can be verified, and there have been some security researchers out there who have verified it (though they also included a false claim; see below).
I started this company over 10 years ago as a student who wished to create something people would enjoy using and something I would enjoy creating. The first few years were really tough: it was not easy to create something out of nothing, let alone to make a living out of it. I had to find other part-time jobs in the meantime to support myself.
During this time, I was receiving reports from people running cracked versions of my apps, and it was hurtful to me and my efforts. I always tried to contact those users and convince them to use a genuine version. Many such users do not see the effort behind the development, nor that (in the early years) it is a matter of survival for the company.
There were, however, users running cracked versions of Downie who used fake email addresses for their reports and even included insults in their messages. Unfortunately, my mind came up with the idea that Downie would include a list of these email addresses and would show a message to these users. In what you can call a lack of judgement, I included a message that suggested that Downie may have deleted random files, followed by an “Or am I kidding?” question. It was meant in jest (though it was very irresponsible of me); I would never dare touch the user’s files, whether they run a genuine or a cracked version. This is a line I would never cross, whether you believe it or not.
Years have gone by and I have not touched the code with this message in many, many years. It was a mistake ever adding it, but it was there and I simply did not think about it anymore. If a thief keeps passing your house and you set up a booby trap and the thief stops coming around, it is entirely possible that you just forget to remove the booby trap until a visiting friend falls in.
Unfortunately, one user entered the email address 1@1.com into Downie as their email address. This email address had been used in one such fake-email report. This user, however, was using a genuine version, but unfortunately the booby trap was triggered. As of writing, I do not have a direct contact for this user, but with all my heart, I am truly and deeply sorry about this and I would like to express my apologies directly to that user. If you are reading this, please contact me.
I have since removed this offending code so that it cannot happen to anyone ever again.
There have also been some inaccurate accusations that Downie reads the list of email addresses from the Mail app. While the path to the .plist file can be found in Downie’s code, it is part of dead code (meaning that it does not get invoked from anywhere). Years ago (7+), if the app was licensed to “TNT”, which is the signature of the cracking team, and the user was submitting a report, Downie would try to get the “real” email address this way. This means that it would never get invoked in a genuine version. It was part of my effort to talk to people running cracked versions of my app. Again, well-intentioned, but definitely wrong, and it was removed 5+ years ago in the sense that it no longer gets invoked. Unfortunately, the method itself was left behind; it was not deleted.
In either case, please note that recent macOS releases restrict access to this file, so even if Downie did try this, it would fail. But again: while the method that refers to this file remained in the code, it never gets invoked.
I mentioned that all of this can be verified, and I would like to tell you how. It is not something an average user will do, but you can:
- run otool -tV on Downie’s binary to get the assembly code for all of its methods. If you search for checkForPreviousFakeEmailReports, you will find the method responsible for the offending dialog, and you can see that there is a check plus an alert display, but no other execution, no variables being set, etc.
- similarly, run otool -tV on the CMLicensing framework and you will find a method getEmailApplicationStateItems which references the Mail .plist file; but you can search all you want, this method does not get invoked anywhere.
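To make the "search all you want" step mechanical, here is an added example (my own code, not part of the original post and not Downie’s or CMLicensing’s code) that parses otool -tV output and reports, for a given Objective-C selector, whether a method body with that name exists and which other methods load that selector as a selector reference, which is what a static objc_msgSend call to it looks like in the disassembly. The embedded disassembly is a constructed sample in the shape otool -tV prints for an x86_64 binary; the class names ExampleLicensing and ExampleReporter, the submitReport: caller and every address in it are hypothetical, chosen only so the two selectors named in the post show one implemented-and-called method and one implemented-but-never-called method.

```python
import re

# Constructed sample in the shape `otool -tV` prints for an x86_64 Objective-C
# binary. It is NOT real Downie/CMLicensing output; class names, the caller
# submitReport: and all addresses are hypothetical.
SAMPLE_DISASM = """\
(__TEXT,__text) section
-[ExampleLicensing getEmailApplicationStateItems]:
0000000100001e60    pushq   %rbp
0000000100001e61    movq    %rsp, %rbp
0000000100001e64    movq    0x2345(%rip), %rdi  ## Objc class ref: NSDictionary
0000000100001e6b    movq    0x2346(%rip), %rsi  ## Objc selector ref: dictionaryWithContentsOfFile:
0000000100001e72    leaq    0x1234(%rip), %rdx  ## literal pool for: "<path to the Mail plist>"
0000000100001e79    callq   0x100002000  ## symbol stub for: _objc_msgSend
0000000100001e7e    popq    %rbp
0000000100001e7f    retq
-[ExampleLicensing checkForPreviousFakeEmailReports]:
0000000100001e80    pushq   %rbp
0000000100001e81    movq    %rsp, %rbp
0000000100001e84    movq    0x2347(%rip), %rsi  ## Objc selector ref: containsObject:
0000000100001e8b    callq   0x100002000  ## symbol stub for: _objc_msgSend
0000000100001e90    testb   %al, %al
0000000100001e92    je      0x100001ea0
0000000100001e94    movq    0x2348(%rip), %rsi  ## Objc selector ref: runModal
0000000100001e9b    callq   0x100002000  ## symbol stub for: _objc_msgSend
0000000100001ea0    popq    %rbp
0000000100001ea1    retq
-[ExampleReporter submitReport:]:
0000000100001eb0    pushq   %rbp
0000000100001eb1    movq    %rsp, %rbp
0000000100001eb4    movq    0x2349(%rip), %rsi  ## Objc selector ref: checkForPreviousFakeEmailReports
0000000100001ebb    callq   0x100002000  ## symbol stub for: _objc_msgSend
0000000100001ec0    popq    %rbp
0000000100001ec1    retq
"""

# A method label line such as "-[ExampleLicensing getEmailApplicationStateItems]:"
# or a plain C symbol such as "_main:".
LABEL_RE = re.compile(r"^([+-]\[[^\]]+\]|_[A-Za-z0-9_$]+):$")
# otool's annotation on an instruction that loads a selector from __objc_selrefs.
SELREF_RE = re.compile(r"##\s*Objc selector ref:\s*(\S+)")


def selector_refs_by_method(disasm):
    """Map each method label to the selectors its body loads via __objc_selrefs."""
    refs = {}
    current = None
    for line in disasm.splitlines():
        m = LABEL_RE.match(line.strip())
        if m:
            current = m.group(1)
            refs.setdefault(current, [])   # record the method even if it sends nothing
            continue
        m = SELREF_RE.search(line)
        if m and current is not None:
            refs[current].append(m.group(1))
    return refs


def implemented(disasm, selector):
    """True if some Objective-C method with this selector has a body in the disassembly."""
    return any(label.endswith(" " + selector + "]")
               for label in selector_refs_by_method(disasm))


def callers_of(disasm, selector):
    """Labels of methods that load `selector` as a selector ref (static objc_msgSend senders)."""
    return sorted(label for label, sels in selector_refs_by_method(disasm).items()
                  if selector in sels)


def report(disasm, selector):
    """One-line verdict: is the method present, and does anything statically message it?"""
    status = "implemented" if implemented(disasm, selector) else "no implementation found"
    callers = callers_of(disasm, selector)
    if callers:
        return f"{selector}: {status}; selector ref loaded in: {', '.join(callers)}"
    return f"{selector}: {status}; no selector refs anywhere -> dead-code candidate"


if __name__ == "__main__":
    # With a real binary: otool -tV /path/to/binary > disasm.txt, then read that file instead.
    for sel in ("getEmailApplicationStateItems", "checkForPreviousFakeEmailReports"):
        print(report(SAMPLE_DISASM, sel))
```

Two caveats before trusting a "dead-code candidate" verdict on a real binary. First, the script only sees selector references the compiler emitted for static objc_msgSend calls; a method invoked through performSelector: or NSSelectorFromString with a string assembled at runtime, from Swift code, or from a different binary or framework, produces no "Objc selector ref" annotation in that listing, so the absence of callers in one otool dump is evidence, not proof, and the annotation text itself varies by architecture and toolchain version (check a few lines of the actual output before relying on the regex). Second, an independent cross-check is to dump the selector-reference section directly with otool -v -s __DATA __objc_selrefs <binary> (on newer toolchains the section may live in __DATA_CONST instead): a selector string that never appears there is not statically messaged by anything in that binary, even though its implementation and its name in __objc_methname are still present.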
All this said, I do not expect the above to be my “excuse” for doing this. It should have never been done in the first place. I am truly sorry for what I did, I fully admit that I made a mistake and I will do all I can to fix this. I’ve already released a new build of Downie which has all of the above removed. I wish I could go back and not do any of the above, but the damage is already done. All I can do is ask for forgiveness and apologize again not just to the user who experienced this, but to all my users whose trust I’ve broken this way.