Apple iOS in-app purchases hacked; everything is free (video)

Summary: A Russian developer has hacked Apple's In-App Purchase program for iOS, allowing users to circumvent the payment process. This means you can purchase in-app content without actually paying. Most importantly, jailbreaking your device is not required.


Update at 2:30PM PST - Apple investigating iOS in-app purchase hack

Russian developer ZonD80 has figured out how to circumvent Apple's iOS In-App Purchase program, allowing iPhone, iPad, and iPod touch users to grab digital game items, upgrade to full versions of apps, and purchase additional content for free. As first spotted by Russian blog i-ekb, the video above shows an "in-app proxy" (no jailbreak required!) that lets you make in-app purchases without actually making a purchase.

The hack reportedly works on all Apple devices running anything from iOS 3.0 to iOS 6.0 (the In-App Purchase program requires iOS 3.0 or later). That being said, certain in-app purchases do not work in specific regions around the world (possibly because the developers properly protected their apps). To use this "trick" yourself, you need to perform the following steps (for the record, I do not recommend doing this, especially given that you have to hand over your login credentials, and I do not condone it either, as it is stealing):

  • Install two certificates: cacert.pem and itcert.pem.
  • Connect via Wi-Fi network and change the DNS to 62.76.189.117 (update: he's changed it to 91.224.160.136).
  • Press the Like button, enter your Apple ID and password.

Essentially, this circumvention technique relies on two things: installed certificates that make the device trust a fake in-app purchase server, and a custom DNS server that points the device at that fake server, which in turn allows all "purchases" to go through. What's really worrying, however, is that ZonD80 could easily be gathering everyone's iTunes login credentials (as well as unique device-identifying data) in a classic man-in-the-middle attack. In other words, this is not a good hack to try.

ZonD80 runs a website called In-AppStore.com where everything is hosted for the hack to work, and he is accepting donations to support the development of the project as well as keep the servers up and running, according to 9to5Mac. The webpage does not load for me, but it does for my colleagues. Given the nature of this news, the server may be under additional stress. Either way, if you can't access the site, you can't try this hack because it requires files from the server.

I have contacted Apple about this issue and will update you if I hear back. iOS developers should be wary of losing revenue from fake in-app purchases until Cupertino fixes this security flaw. Users of this hack should be wary that they are handing over their data to an unknown individual.
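An added example, not code from the article or from Apple: the app's own server checks each purchase receipt with Apple before unlocking content, so certificates and DNS settings changed on the device do not affect the result. The endpoint and the `receipt-data`, `status`, `bid`, `product_id` and `transaction_id` fields belong to Apple's legacy receipt-verification interface; the bundle and product identifiers and the sample replies are constructed.

```python
import json
import urllib.request

VERIFY_URL = "https://buy.itunes.apple.com/verifyReceipt"  # Apple's production endpoint

def post_to_apple(receipt_b64, url=VERIFY_URL):
    """POST the base64 receipt to Apple from the server, using the server's
    own DNS resolver and CA store rather than anything set on the device."""
    body = json.dumps({"receipt-data": receipt_b64}).encode()
    req = urllib.request.Request(url, data=body,
                                 headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)

def verify_purchase(receipt_b64, bundle_id, product_id, seen, post=post_to_apple):
    """Return (ok, reason). `seen` holds transaction ids already credited
    (a database table in practice; a set here)."""
    try:
        reply = post(receipt_b64)
    except (OSError, ValueError) as exc:
        return False, "verification unavailable: %s" % exc  # fail closed
    if reply.get("status") != 0:
        return False, "Apple rejected receipt (status %r)" % reply.get("status")
    receipt = reply.get("receipt") or {}
    if receipt.get("bid") != bundle_id:
        return False, "receipt is for another app"
    if receipt.get("product_id") != product_id:
        return False, "receipt is for another product"
    txn = receipt.get("transaction_id")
    if not txn or txn in seen:
        return False, "missing or replayed transaction"
    seen.add(txn)
    return True, "ok"

def fake_post(reply):
    """Stand-in transport returning a constructed reply, so this runs offline."""
    return lambda _receipt: reply

# Constructed replies (hypothetical app and product identifiers).
GOOD = {"status": 0, "receipt": {"bid": "com.example.game",
        "product_id": "com.example.game.coins100", "transaction_id": "1000000001"}}
FORGED = {"status": 21002}  # any non-zero status means the receipt is not valid

if __name__ == "__main__":
    seen = set()
    for reply in (GOOD, GOOD, FORGED):  # valid, replayed, rejected
        print(verify_purchase("Zm9v", "com.example.game",
                              "com.example.game.coins100", seen, fake_post(reply)))
```

The device-supplied receipt is treated as untrusted input throughout: content is unlocked only when Apple's reply, fetched by the server itself, matches the expected app, product and an unused transaction.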

Update at 9:30AM PST - The site is now loading for me and ZonD80 has posted the following message:

Hi everyone. I moved info site to blogspot. Currently service is down due to high load. Currently we have VPS with 512mb memory aboard, and there is no way to satisfy everyone with such hardware. Apple is a big company, I am not. If you want to help me to buy really dedicated 4-quad core server with at least 4gbytes of ram - donate to paypal account zond80@me.com Setup of dedicated server usually took 2-3 days. Sorry, guys.

Something tells me Apple will get to him before he gets the new server up.


Topics: Security, Apple, Apps, iOS, iPhone, Piracy

Emil Protalinski

About Emil Protalinski

Emil is a freelance journalist writing for CNET and ZDNet. Over the years,
he has covered the tech industry for multiple publications, including Ars
Technica, Neowin, and TechSpot.


Talkback

  • Apple iOS in-app purchases hacked; everything is free (video)

    The best part about this is seeing if Apple will deny if any problem exists or if they will fix it immediately which would be much faster than regular OSX updates.
    Loverock Davidson-
    • Already fixed, in fact, never broken

      Apple had a fix for this from day 1.

      http://developer.apple.com/library/ios/#documentation/NetworkingInternet/Conceptual/StoreKitGuide/VerifyingStoreReceipts/VerifyingStoreReceipts.html

      Just because some devs can't be bothered to add three lines of code to verify purchases does not mean Apple doesn't have a solution. If you go back and re-read this article you will see that it states that this will not work with some apps. This is the reason why. Apple has provided locks for the doors, the devs just need to use them.
      jayfehr
      • This is Apple ...

        ... so why does the door not ALWAYS have the lock?
        Natanael_L
        • Because

          Apple is not responsible for the developer's app as far as security *within* the app. IF this affected the OS I'm sure Apple would have it locked down... and the only way to bypass that lockdown would be jailbreaking.

          Sorry to make your Anti-Apple rant irrelevant but this really has nothing to do with Apple's security as much as it does with the developer's security within the app.
          athynz
          • Isn't the big advantage of the Apple Store

            That they properly check each app to make sure it's secure before adding it to the store? Or is that only an advantage when Apple fans want it to be?
            dsa791
          • That's what we're told,

            but there've been one or two articles that tell of Apple removing apps... not many, but a web search will reveal more...
            HypnoToad72
          • @dsa791 has a point

            If those three lines of code (that @Jason Fehr mentioned up above) aren't a requirement for admission to the app store, then this is a big security hole.

            Of course things like this will never happen with the MS app store. Right, fanboys?

            ;)
            CaviarBlack
          • The big security hole

            Is in fact in app writers' steady income flow.

            There are no security implications, other than using something you didn't pay for (*). No malicious code can execute, etc.

            (*) By the way, this is how you get Google services for free: you provide Google with your personal data so that they can sell it for profit. It seems like that guy is doing exactly the same. I wonder why his site is still up.
            danbi
    • Agreed.

      No double standards, and Apple has a history of hyping up security while doing little to really put weight behind it.

      (I use Macs and Windows, and prefer OS X, but anyone telling me OS X and iOS are more secure is only going to get me to laugh... PWN2OWN is one of many resources that have done more work than Apple to show how Apple's paradigms are not secure... iTunes itself being hacked is another pesky problem...)
      HypnoToad72
  • Apple will fix this immediately

    After all, 30% of 0 is 0. Contrast that with the years it took Apple to fix horrific Java vulnerabilities that cost Apple users millions (but Apple $0).
    toddbottom3
    • Umm no...

      Apple had fraud higher than 50% and it took them 2 years to make changes to correct that. They might fix it with iOS 6 coming but that remains to be seen.
      slickjim
      • @Peter Perry

        Can you point us to something verifying your "50% fraud" claim?

        You don't mind if I still call you by your old name, do you? "Weekid" sounds like you peed in your pants.
        msalzberg
      • The Fix better not rely on iOS 6....

        ....Cause then all that is required of the user is not to update :|
        MrElectrifyer
    • Fixed beforehand

      Read the comment from Jason Fehr above. Apple has long since provided a way for devs to prevent this thievery, it's up to the devs to use the tools at their disposal.
      use_what_works_4_U
      • Glad to see a new standard has been enacted

        The new standard is that 3rd party developers of any Operating System must write their own code in order to secure their programs. Security is not the responsibility of the OS, it is the responsibility of the 3rd party developer.

        Good to know. We'll remember this new standard for the future. Well, unless you guys change it on us again. Something tells me this new standard isn't going to be evenly applied across all OSs. Just a hunch.
        toddbottom3
        • Toddy,Toddy,Toddy

          Security *within* the app IS the responsibility of the developer... this is true for ALL platforms. IOW if I write an app for iOS, Android, WP, and BB that utilizes in app purchases *I* am responsible for protecting the additional paid content I am supplying with my app - Google certainly is not, nor is Microsoft or RIM. Why should Apple be responsible then?
          athynz
          • Right, the in-app purchasing platform is implemented *within* apps

            Apple doesn't provide the platform in exchange for a 30% cut. Any application can, for example, provide links to their own in-app purchasing platform / book store and Apple is totally okay with that.

            Oh wait. That isn't true at all. All developers are forced to use Apple's in-app purchasing platform, a platform that is clearly broken. But Apple will fix this right away. Apple puts a far higher priority on exploits that take away their revenue streams. Fixing Java vulnerabilities that affect Apple customer revenue streams and bank balances? Not so much.
            toddbottom3
          • Perhaps you missed something

            Refer to Jason Fehr's post - Apple *already* provided the fix and has had it from day 1...

            C'mon Todd you are usually much brighter than this.
            athynz
          • I don't deny that Apple has told developers how to handle this

            Basically Apple has told developers that it is up to them to provide security for the in-app platform that Apple forces them to use. This is a new standard for security. The old standard was that any OS that left security up to the application was a terrible OS. I'm merely highlighting the fact that the standard has changed. How long will this standard be in place for? We'll see but my prediction is that it will coincide with events on a certain other OS.

            Regardless athynz, Apple will prove me right soon enough. If Apple patches this, you will be forced to admit that Apple did *NOT* already provide a fix. After all, if Apple already provided a fix on day 1, there would be no need for Apple to provide another fix for it in the next patch. All you can do is pray and hope that the next patch is far enough away that we've all forgotten how you promised us that nothing was broken and that there was nothing for Apple to fix. Tick tock.
            toddbottom3