Apple adds unique identifiers to fight iOS in-app purchase hack

Summary: Apple is starting to provide a solution to the hacking of its In-App Purchase program for iOS. The company has added unique identifiers to the receipts of purchases but there's still more to be done before app developers are protected.


Update on July 20 - Apple to block in-app purchase hack in iOS 6, offers interim fix


Last week Russian developer Alexey Borodin hacked Apple's In-App Purchase program for all devices running anything from iOS 3.0 to iOS 6.0 (the In-App Purchase program requires iOS 3.0 or later), allowing iPhone, iPad, and iPod touch users to circumvent the payment process and essentially steal in-app content. Apple confirmed the workaround and said it was investigating the issue. This week, Cupertino tried to block the hack but failed. Now the company is finally starting to offer a proper solution, though it's not quite there yet.

Apple has quietly started including unique identifiers in the validation receipts for in-app purchases. Yesterday, developers started seeing the new receipts, which include a new field called "unique_identifier." I say quietly because this key is not yet mentioned in the "Verifying Store Receipts" documentation on the iOS Developer Library. MacRumors has the scoop:

As one developer noted to us, apps are no longer supposed to be collecting the UDID and thus it is unclear whether Apple's use of the identifier for this purpose is simply a first step toward a broader implementation of unique receipt identifiers for increased security or if Apple is attempting to identify those users and devices who are sharing their receipts with the Russian hacker to allow the method to function.

I would wager that it's the former. You see, the worst part about this hack is that iOS developers have no way of protecting their apps. Using store receipts does not work, as Borodin says his service simply needs a single donated receipt, which it can then use to authenticate anyone's purchase requests. His circumvention technique relies on installing certificates (for a fake in-app purchase server and a custom DNS server), changing DNS settings to allow the authentication of "purchases," and finally emulating the receipt verification server on the Apple App Store.

The iOS apps treat Borodin's server as an official communication because of how Apple authenticates a purchase. Until now, there was nothing that tied the purchase directly to a customer or device, meaning a single purchased receipt could be used again and again. In short, this hack means in-app purchase requests are being re-routed as well as approved.

With these new unique identifiers, Apple is on its way to offering a proper solution. Borodin has declared he wants the company to fix the problem by either changing its APIs or placing new blocks on its service. That's what this looks like to me.
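
How a developer's own server could use the new field to stop one donated receipt from being replayed, shown as an added example that is not from this article or from Apple's documentation. It assumes the server fetched the verification reply itself and parsed it into a dict; the class name, the sample values and every key other than unique_identifier are assumptions.

```python
import hmac

# Constructed sample: shape of a parsed verification reply. Only
# "unique_identifier" is named on this page; the other keys are assumptions.
SAMPLE_REPLY = {
    "status": 0,
    "receipt": {
        "bid": "com.example.game",
        "product_id": "com.example.game.coins100",
        "transaction_id": "1000000000000001",
        "unique_identifier": "a" * 40,
    },
}


class ReceiptLedger:
    """Grants each verified transaction once, and only to the device it names."""

    def __init__(self, bundle_id, products):
        self.bundle_id = bundle_id
        self.products = set(products)
        self.redeemed = {}  # transaction_id -> device that redeemed it

    def redeem(self, reply, device_id):
        """Return (granted, reason) for a reply the server obtained itself."""
        if reply.get("status") != 0:
            return False, "verification failed"
        r = reply.get("receipt") or {}
        if r.get("bid") != self.bundle_id:
            return False, "receipt is for another app"
        if r.get("product_id") not in self.products:
            return False, "unknown product"
        bound_to = str(r.get("unique_identifier", ""))
        # Constant-time compare; a receipt with no identifier never matches.
        if not bound_to or not hmac.compare_digest(
                bound_to.encode(), device_id.encode()):
            return False, "receipt bound to a different device"
        txn = r.get("transaction_id")
        if not txn:
            return False, "missing transaction id"
        if txn in self.redeemed:
            return False, "transaction already redeemed"
        self.redeemed[txn] = device_id
        return True, "granted"
```

The device check runs before the replay check, so a receipt donated by one device is refused for every other device even the first time it is presented.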

Still, Cupertino is transmitting its customers' Apple IDs and passwords in clear text (Apple assumed it would only ever be communicating with its own server). The following information is transferred from your device to Borodin's server: app restriction level, app id, version id, device guid, in-app purchase quantity, in-app purchase offer name, app identifier, app version, your language, and your locale. Whoever operates it could easily be gathering everyone's iTunes login credentials (as well as unique device-identifying data) in a classic man-in-the-middle attack.

From my understanding, Apple has to start encrypting the connection and update iOS so that the operating system is aware of the changes being made. This will stop apps from being able to approve false purchases. I will continue to keep you posted as this story develops.

Emil Protalinski

About Emil Protalinski

Emil is a freelance journalist writing for CNET and ZDNet. Over the years,
he has covered the tech industry for multiple publications, including Ars
Technica, Neowin, and TechSpot.

  • Apple adds unique identifiers to fight iOS in-app purchase hack

    Kudos Apple
  • And what is the appdev supposed to do with the uniqueid?

    Put some kind of throttle on how many purchases any uniqueid could make in a given time interval? Make a service call to Apple to verify it's not just randomly generated?
    Johnny Vegas
    • re: And what is the appdev supposed to do with the uniqueid?

      That will give them the ability to track down the accounts that are being used for the illegal distribution of copyrighted material. And so what if the ID is randomly generated? It will probably still be traceable by Apple. In this case Apple will not only protect themselves but the 3rd-party developers too.
      Peter Lex
  • I'm shocked, shocked I tell you

    And here we were assured and reassured by dozens of paid Apple Munchkins that
    a) there was nothing wrong
    b) it was all the 3rd party devs' fault

    Boy do you guys all look silly today. Where did you all go? Hello? Hello?

    • Are you bots or real shills?

      You are all out making stuff up, having a field day with the nonsense.

      Yeah this is serious and must be fixed.

      I have seen no sign of anyone claiming there wasn't a problem.

      But you enjoy the astro-turfing whilst it keeps you doing whatever it is you actually do with your life.
      • Don't feed this troll...

        But it is up to you what you choose to do with your time. If we ignore it, it will go away, like a bad haircut.
  • OOPS

    I thought Apple products couldn't be hacked. Chalk another one up for the script kiddies.
    • That is what my protest is about.

      Instead of accepting and putting resources to tackle the issue, the thought you expressed is deliberately being encouraged by the lies spread by Apple, since it serves them financially, but makes their users vulnerable by not being cautious about the security. They go to the extent of dismissing the opinions of security experts that MS has learnt and is 10 years ahead of Apple on security issues and ridicule those people through their bullying partners (bloggers etc.). When the culture is of arrogance, who will introspect and accept the imperfections that all things have.
      • Again lies

        This is about fooling iOS into believing a purchase was approved by the Apple server.

        This is not about providing access to a user's device to benefit other people.

        Where is the sign of anyone attacking anyone over this?

        There was a news item saying this was possible and now there is a news item saying that Apple has instituted a first step in changing the system.

        The arrogance @ashwinipn is in your twisting reality to protect your interests at the expense of the users and of the truth.
    • You lie - You didn't think that at all

      You are pretending that Apple said something it didn't or that the majority of users are digital thinkers like you want them to be.

      This isn't about 100% safety or 100% danger - it is about degrees of risk and degrees of hackability.

      Since the jailbreaking of iOS is big news everywhere, and since this is about a related attack on authenticating purchases on a device by circumventing the approval from Apple to the device your statement is just plain stupid.

      Note that so far this is about the user persuading the device that Apple says a purchase was genuine.

      This is not actually a device hack, it is a sales system hack.

      This is almost identical to the authentication server hacks used to install jailbreaking on some iOS versions, and for that purpose was well known and well documented on the net.
    • Always where!

      I don't know of much which cannot be hacked, be it an Apple product or not. I am just surprised no one still managed to rig the Xbox 360 like the old one to run games from the HDD only. Everything else was pretty much done!
  • err protecting app developers .....really protecting consumers....really?

    Protecting their own profit generating eco system is more like it!

    Microsoft seem to be heading in a similar direction with Windows 8; they secretly envy Apple's monopoly over the software distribution of their products. I have experienced the Apple App Store and Google Play and I know which one I would rather use now. Google Play do not force me to push everything their infrastructure, nor do they prevent me from downloading free or paid apps from a number of other lookalike stores. Personally I can't wait for Amazon apps to launch in the UK as they offer a window of I think 15 minutes in which you could return a full product for a refund if you don't like it!
  • just the beginning

    This is going to turn into Apple's version of virus on Windows. Fix after fix after fix, always chasing never getting ahead.
    • ROFL

      Sorry this is just ridiculous. I am posting here now cause I am just seeing the astro-turfers playing mind games.

      We shall see - the step so far looks like just an exploratory step whilst the solution is implemented.

      There is no sign of a repeat of the Windows fiasco that has continued for how many years now?

      OK maybe the next step will be wrong, I don't know, but till that happens you are just hoping for disaster, and don't have a reason to predict anything.
      • Personally, I'm waiting for the guy

        collecting all the account information from people willing to use this hack to go ahead and steal their identities. Seriously, people. Give a stranger on a clandestine website your iTunes account information? Seriously? You're going to do that?
        • Not about iTunes account info

          Giving away your iTunes details is not the major risk here. In order to use the system a person must change their DNS settings and install two certificates from the Russian server.
          Basically this allows the crook, hacker, thief to redirect your web traffic. Say for example when you try to log in to your bank account.
          When an unknown person in Russia, who is obviously not the most trustworthy guy around, can gather your banking credentials...your iTunes account is not so important.
  • Oh, and to all you Apple fanbois, I called this one

    I told you that unlike other security holes that Apple leaves open for months or years, Apple was going to fix this one right away. What's the difference? The other holes only left Apple consumers open to attack. This hole threatened Apple's 30% tax revenue. I called it yesterday, Apple proved me right today.
  • Receipts...

    How hard is it to have a receipt tied to an Apple ID?! Sounds like a trivial crypto exercise.
  • Apple does not care about security - unless it affects sales !

    For a platform that was as locked-in as Apple's, I have long been surprised that Apple did not take security as being something in its users' interest, rather than just protecting its sales.

    People I know who have had (registered) iPods stolen were amazed to find that their registered devices could not be identified and blocked via iTunes in the same way that a mobile phone can be.

    But if it results in a new device sale and continuing iTunes sales, what does Apple care ?
  • Really, still using plain text ID/PW combo

    Would like to hear from the person in charge of Apple's commerce application development group.
    Tired Tech