Apple investigating iOS in-app purchase hack

Summary: Apple is investigating the hacking of its In-App Purchase program for iOS. The hacker, Alexey Borodin, has also come forward to say that iOS app developers can't use receipts to protect their apps and that Apple is transmitting user credentials in clear text.

Update on July 16 - Apple tries to block iOS in-app purchase hack, fails

News broke today that Russian developer Alexey Borodin has hacked Apple's In-App Purchase program for iOS, allowing iPhone, iPad, and iPod touch users to circumvent the payment process and essentially steal in-app content. Apple has confirmed it is now investigating the issue.

"The security of the App Store is incredibly important to us and the developer community," an Apple spokesperson told The Loop. "We take reports of fraudulent activity very seriously and we are investigating."

That's not all. It turns out that my suggestion to use store receipts (How to protect your app from the Apple iOS in-app purchase hack) was wrong. Borodin told The Next Web that all his service needs is a single donated receipt, which it can then use to authenticate anyone's purchase requests. Borodin has spent several hundred dollars on in-app purchases testing and generating receipts.

His circumvention technique thus relies on more than just installing certificates (for a fake in-app purchase server and a custom DNS server) to allow "purchases" to go through. Since he is essentially emulating the receipt verification server on the Apple App Store, the app treats Borodin's server as an official communication.

The problem lies in how Apple authenticates a purchase. There is nothing that ties the purchase directly to a customer or device, meaning a single purchased receipt can be used again and again. In short, this hack means in-app purchase requests are being re-routed as well as approved.
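The replay problem described above, as an added example that is not code from Apple, Borodin, or the original article: a weak verifier that only checks a signature accepts one donated receipt indefinitely, while a verifier that binds the receipt to a device and a one-time transaction ID does not. The receipt format, field names, key, and the use of HMAC as a stand-in signature are all assumptions made for this illustration.

```python
import hashlib
import hmac
import json

# Constructed demo key. HMAC stands in for the store's real signature scheme.
STORE_KEY = b"constructed-demo-key"

def sign(fields):
    """Store side: issue a receipt in a hypothetical signed-JSON format."""
    body = json.dumps(fields, sort_keys=True)
    sig = hmac.new(STORE_KEY, body.encode(), hashlib.sha256).hexdigest()
    return {"body": body, "sig": sig}

def signature_ok(receipt):
    want = hmac.new(STORE_KEY, receipt["body"].encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(want, receipt["sig"])

def verify_unbound(receipt, product):
    """Weak check: any validly signed receipt for the product is accepted."""
    return signature_ok(receipt) and json.loads(receipt["body"]).get("product") == product

class BoundVerifier:
    """Hardened check: the receipt must name this device and is redeemable once."""
    def __init__(self):
        self.redeemed = set()

    def verify(self, receipt, product, device_guid):
        if not signature_ok(receipt):
            return False
        f = json.loads(receipt["body"])
        tx = f.get("transaction_id")
        if f.get("product") != product or f.get("device_guid") != device_guid:
            return False
        if tx is None or tx in self.redeemed:
            return False  # missing id or replay of an already redeemed purchase
        self.redeemed.add(tx)
        return True

def demo():
    # Constructed sample receipts, not real App Store data.
    donated = sign({"product": "coins_100"})  # nothing identifies buyer or device
    bound = sign({"product": "coins_100", "device_guid": "DEVICE-A", "transaction_id": "tx-0001"})
    v = BoundVerifier()
    return {
        "unbound_reuse": [verify_unbound(donated, "coins_100") for _ in range(3)],
        "bound_first": v.verify(bound, "coins_100", "DEVICE-A"),
        "bound_replay": v.verify(bound, "coins_100", "DEVICE-A"),
        "bound_other_device": BoundVerifier().verify(bound, "coins_100", "DEVICE-B"),
        "donated_vs_bound": BoundVerifier().verify(donated, "coins_100", "DEVICE-A"),
    }
```

The redeemed-ID set lives in memory here; a developer's own validation server would need to persist it.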

Last but certainly not least, Borodin says Cupertino is transmitting its customers' Apple IDs and passwords in clear text, although he notes he can't see credit card information. The following information is transferred from your device to Borodin's server: app restriction level, app id, version id, device guid, in-app purchase quantity, in-app purchase offer name, app identifier, app version, your language, and your locale.

Whoever operates in-appstore.com could easily be gathering everyone's iTunes login credentials (as well as unique device-identifying data) in a classic man-in-the-middle attack. The Terms of Service have this rather reassuring message (typos left intact):

We newer collect your password or any of your personal and accesible data, such as appleID, temporary auth key and other .

Borodin told Macworld he was "shocked" that passwords were passed in plain text and not encrypted. Apple of course presumed its iOS software would only be talking to the official in-app purchase server with a valid security certificate. That's a very poor assumption to make, as Borodin's hack has clearly shown.

Topics: Apple, Apps, iOS, iPhone, Piracy, Security

Emil Protalinski

About Emil Protalinski

Emil is a freelance journalist writing for CNET and ZDNet. Over the years,
he has covered the tech industry for multiple publications, including Ars
Technica, Neowin, and TechSpot.

Talkback

10 comments
  • Isn't this just a man-in-the-middle attack

    where you basically have to give this guy your iTunes account information (like I'm going to do that) in order for this hack to work?
    baggins_z
    • Of course it is.

      And it's not just your AppleID credentials, you also load some dodgy certificates and redirect your DNS requests. This isn't a "hack" so much as a voluntary invitation to be abused.
      matthew_maurice
  • In-app purchases are abused

    I wish they'd get a handle on these in-app purchases. There are hundreds of apps that claim to do something, are priced as free, and if you look into it you find the one thing they claim to do costs money via an in-app purchase. It's a sophisticated bait & switch, and while tech-savvy people are going to know to beware of it, I have to believe there are many many people confused when their "free" app doesn't do anything.
    Brett Burnes
    • IAP is not evil, if properly used.

      Well, if you really expect your app to do good things for you for FREE - you should switch from iOS to Android or whatever.

      It takes time and money to develop a good app, and it's no surprise developers want some money back.

      IAP itself is not evil. It is good, since it allows you to try for free some content, and then pay, if you like it.
      I never buy apps based on AppStore screenshots and I do appreciate to try for FREE some limited app content, and buy full version via IAP inside the FREE version, if I like it. If I don't, I just delete FREE version and story ends.
      IAP is exactly what I need as active iOS user, who has more than 200 apps on iPad.
      Yury Prokashev
  • Apple app store

    is the main reason I switched to the Windows Marketplace. So much abuse in the Apple store with bait & switch, malware possibilities and complete lack of trust in the content and information exchange of Apple apps.
    doggiebites
  • I'm shocked, shocked I tell you

    We were reassured by dozens of paid Apple marketeers yesterday in the ZDNet talkbacks that:
    a) this wasn't broken
    b) even if it was broken, it was all the developer's fault for not coding their app properly

    Now it turns out that it was broken AND even if the developers coded their app properly, they could still end up getting paid only once for their IAP.

    I'll smugly restate what I wrote yesterday: Apple will fix this immediately. 30% tax revenues are on the line.

    "Cupertino is transmitting its customers' Apple IDs and passwords in clear text"

    Amateur hour at 1 Infinite Loop.
    toddbottom3
  • WHY!?!?

    Why would anyone anywhere near their right mind buy anything from these people?

    ZuneResurection.blogspot.com
    Ballmerfeld
    • You are kidding.... Right?

      Based on how much you can spend on IA on a lot of these apps, you would wonder why people would look to this? Why do you think there is a significant business in iTunes card fraud?
      There are apps where users have spent thousands per day on IA purchases. The less fluid user can't, so will look for alternative methods to keep up.
      rhonin
      • Tried to post a good article link

        But this "revised" site seems to have an issue with links now.
        Another change that makes you ask wth?!?
        rhonin