Cracking the code behind Apple’s App Store promo cards

Equinux blog:

Apple is known for doing things with more attention to detail than most companies. So it should come as no surprise that even App Store gift cards with their promo codes have a few secret details that help make the experience more Apple-like.

So what powers the simple App Store promo codes? Secret fonts, special dimensions, and many more.

Today, we uncover these secrets.

And:

Apple’s App Store gift cards have a special trick: you can simply hold one up to your iPhone or Mac’s camera and it’ll automatically scan in the code and redeem the card for you. As developers, we thought it’d be cool to print some of our own promo code cards to give away at events, so we tried to create our own scannable cards. Turns out, there’s more to it than meets the eye…

This is some fascinating reverse engineering. My concern is that the post exposes font details that might be used to break Apple’s carefully built promo card system. If so, I’d expect a pretty rapid response by Apple.



  • Mo

    Interesting.

  • The Cappy

    Is there a non-fraudelent application to these guys’ investigations? Because all I can think of are shady ones.

    • Colin Mattson

      Exactly the one mentioned in their piece: Developers can generate App Store promo codes to give away their apps. There is, however, no frictionless way to take those promo codes and hand them out at a trade show (or the like).

      There’s not much in the way of fraudulent applications here; promo codes are assigned, not calculated, and a code’s a code’s a code, regardless of how it’s entered. ABC123 is ABC123, no matter if you scan it or type it in by hand.

      If you wanted to brute force your way to free apps (or even store credit, which is also checked against a database rather than being a simple algorithmic “license key”), this is a really crappy and overly-involved way to do it when you already have a desktop computer in front of you.

      • The Cappy

        Thanks for the explanation. Sometimes you’ll see an explanation that sounds good except that it’s just a thin excuse for someone actually attempting to defraud somebody. I see articles where devs mentioned the high percentage of users of their apps who somehow aren’t paying, but it’s never clear how they did that. This seemed like it might be one of those angles.