Apple to Block In-App Purchase Hack for iOS6
Hacker says block actually works, won't be able to skirt issue.
Web2Carz Contributing Writer
Published: July 25th, 2012
hose pesky in-app purchases are in almost every app we use these days, especially the games, and 99 cents here or $1.99 there can add up pretty quickly if you're not really paying attention. Enter Russian developer Alexey Borodin, who created a hack for said purchases that allows users to essentially steal in-app content. Now, though, Apple says that in iOS6, that hack will be blocked. And Borodin agrees—as he sees it, his hack will be effectively shut down with Apple's changes to the OS.
On July 16, Apple confirmed that there had been a hack allowing users to gain access to all app features for free, and that they were working on fixing it. Their first line of defense proved highly unsuccessful—they contacted the hacker's web server and issued a takedown request and contacted PayPal to prevent users from making donations to the hacker's service. They also served up a copyright claim against Borodin's initial video, but all Borodin did was set up a new server located in a different country, start taking donations on BitCoin, and uploaded a new video.
Apple says that the vulnerability in iOS5.1 will be remedied in iOS6 and that the hack will be blocked.
Borodin says he wants Apple to change their APIs or place new blocks on its service, essentially making the whole setup more secure, which they have yet to do.
Apple says that with iOS6, the vulnerability that iOS5.1 has will be remedied. A statement reads:
"A vulnerability has been discovered in iOS 5.1 and earlier related to validating in-app purchase receipts by connecting to the App Store server directly from an iOS device. An attacker can alter the DNS table to redirect these requests to a server controlled by the attacker. Using a certificate authority controlled by the attacker and installed on the device by the user, the attacker can issue a SSL certificate that fraudulently identifies the attacker’s server as an App Store server. When this fraudulent server is asked to validate an invalid receipt, it responds as if the receipt were valid.
iOS 6 will address this vulnerability. If your app follows the best practices described below then it is not affected by this attack."
This week, Apple started including unique identifiers in the validation receipts for in-app purchases, and while the money that developers lost to this hack is gone forever, it's a step in the right direction for not only making the system more secure, but for allowing developers to make money for the work they do.