Apple tries to block iOS in-app purchase hack, fails

Summary: Apple is working hard to fight the hacking of its In-App Purchase program for iOS. So far though, the company's attempts have not deterred Russian developer Alexey Borodin who apparently wants Cupertino to fix the underlying problem rather than just trying to block his in-appstore.com service.

Update on July 18 - Apple adds unique identifiers to fight iOS in-app purchase hack

Last week Russian developer Alexey Borodin hacked Apple's In-App Purchase program for all devices running anything from iOS 3.0 to iOS 6.0 (the In-App Purchase program requires iOS 3.0 or later), allowing iPhone, iPad, and iPod touch users to circumvent the payment process and essentially steal in-app content. Apple confirmed the workaround and said it was investigating the issue. Ever since, Cupertino has been working hard to stop the attack, but it has yet to succeed.

First, Apple blocked the IP address of the server used by the Russian hacker. Next, the company issued a takedown request on the hacker's web server and contacted PayPal to prevent users from making donations for keeping the service running. Last but not least, the electronics giant served up a copyright claim against the hacker's video.

Unfortunately for Apple, all of that wasn't enough. Borodin switched to a server located in another country (the first was located in Russia), started taking donations via BitCoin ("PayPal sucks. BitCoin here! 15GCBL7gHbf2p8bapozSrZhNaXdrKUWRFF") as well as ads on in-appstore.com, and uploaded a new video.

He also declared he wants Apple to fix the problem by either changing its APIs or placing new blocks on its service. Borodin told The Next Web that Apple has not contacted him about the issue, and so he is continuing to toy with Cupertino.

The worst part about this hack is that iOS developers have no way of protecting their apps. Using store receipts does not work as Borodin says his service simply needs a single donated receipt, which it can then use to authenticate anyone's purchase requests. His circumvention technique relies on installing certificates (for a fake in-app purchase server and a custom DNS server), changing DNS settings to allow the authentication of "purchases," and finally emulating the receipt verification server on the Apple App Store.

The iOS apps treat Borodin's server as an official communication because of how Apple authenticates a purchase. There is nothing that ties the purchase directly to a customer or device, meaning a single purchased receipt can be used again and again. In short, this hack means in-app purchase requests are being re-routed as well as approved.
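The replay weakness described above, as an added example that is not code from the article or from Apple: a simplified model in which the store signs receipts, comparing a verifier that accepts any genuine receipt with one that requires the receipt to name the requesting device. The HMAC key, field names and receipt layout are constructed for illustration and are not Apple's receipt format.

```python
import hashlib
import hmac
import json

# Constructed stand-in for the store's signing key (assumption, demo only).
STORE_KEY = b"constructed-demo-key"

def issue_receipt(product_id, transaction_id, device_id=None):
    """Store side: sign a receipt. device_id is present only in the bound variant."""
    body = {"product_id": product_id, "transaction_id": transaction_id}
    if device_id is not None:
        body["device_id"] = device_id
    payload = json.dumps(body, sort_keys=True).encode()
    sig = hmac.new(STORE_KEY, payload, hashlib.sha256).hexdigest()
    return {"payload": payload, "sig": sig}

def _signature_ok(receipt):
    expected = hmac.new(STORE_KEY, receipt["payload"], hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, receipt["sig"])

def verify_unbound(receipt, product_id):
    """Weak check: any genuine receipt for the product passes, whoever presents it."""
    if not _signature_ok(receipt):
        return False
    return json.loads(receipt["payload"])["product_id"] == product_id

def verify_bound(receipt, product_id, requesting_device):
    """Hardened check: the signed receipt must also name the requesting device."""
    if not _signature_ok(receipt):
        return False
    body = json.loads(receipt["payload"])
    if body["product_id"] != product_id:
        return False
    # A receipt with no device_id, or one issued to another device, is rejected.
    return body.get("device_id") == requesting_device

def demo():
    # Constructed sample receipts: one legitimately purchased but unbound,
    # one issued to "device-A".
    donated = issue_receipt("coins_100", "tx-0001")
    bound = issue_receipt("coins_100", "tx-0002", device_id="device-A")
    return {
        "unbound_replayed_elsewhere": verify_unbound(donated, "coins_100"),
        "bound_on_own_device": verify_bound(bound, "coins_100", "device-A"),
        "bound_replayed_elsewhere": verify_bound(bound, "coins_100", "device-B"),
        "unbound_at_bound_verifier": verify_bound(donated, "coins_100", "device-B"),
    }

if __name__ == "__main__":
    print(demo())
```

The signature check alone proves only that the store issued the receipt at some point; it is the signed device field that lets the verifier refuse a genuine receipt presented by someone else.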

Last but certainly not least, Cupertino is transmitting its customers' Apple IDs and passwords in clear text (Apple assumed it would only ever be communicating with its own server). The following information is transferred from your device to Borodin's server: app restriction level, app id, version id, device guid, in-app purchase quantity, in-app purchase offer name, app identifier, app version, your language, and your locale. Whoever operates in-appstore.com could easily be gathering everyone's iTunes login credentials (as well as unique device-identifying data) in a classic man-in-the-middle attack.

If that's not enough to deter you from using this hack, please think of the developers. You are stealing the majority of revenues from them (70 percent versus Apple's 30 percent cut).

Topics: Apple, Apps, iOS, iPhone, Piracy, Security

Emil Protalinski

About Emil Protalinski

Emil is a freelance journalist writing for CNET and ZDNet. Over the years,
he has covered the tech industry for multiple publications, including Ars
Technica, Neowin, and TechSpot.

Talkback

46 comments
  • Time to fix it, Apple

    This is not a Borodin issue. This is a design issue and it's systemic.

    EPIC FAIL for Apple!
    CaviarBlack
    • Why? I view Apple as I do the RIAA

      You know how the RIAA rips the artists off - they get the bulk of the money, the artists get not much of what's left.
      If the RIAA wasn't so greedy, people wouldn't be forced to steal songs.


      Apple's the same way. They take 30% of everything that a programmer sells. They get the bulk of the money, the programmers get not much of what's left after paying their employees, rent, healthcare costs, etc.
      Well, if Apple wasn't so greedy, people wouldn't be forced to steal apps via something like this.
      William Farrel
      • That is a poor comparison

        The RIAA has a history of needing its books audited just to get a fair accounting.
        70% of the price paid is very fair for the initial purchase. Compare it to retail purchase of software for example which not only has similar markups but you have to pay for manufacturing of the media and shipping costs.

        Your reasoning that because Apple makes a lot of money that it is OK to steal is just idiotic. The in-app purchases are what really fuel the profit for many companies. They need the revenue from the premium items to make money. The initial purchase is not usually enough, and Apple is still getting their cut from that.
        richard233
        • It was called sarcasm

          ;)
          William Farrel
          • It's called stupidity

            Something you practice quite well.

            :)
            CaviarBlack
      • *No one* is forced to steal music, only criminals steal music.

        What a stupid thing to say. Forced my back arse.
        balsover
        • Wilie Farrel is an RIAA wanna-be

          Never mind that I didn't even mention the RIAA to begin with. That's just one of his usual spastic, knee jerk reactions to anything Apple.
          CaviarBlack
      • Wow

        "If the RIAA wasn't so greedy, people wouldn't be forced to steal songs."

        MOST STUPID THING I'VE READ IN A LONG TIME.

        And now, the real dumb:

        "Apple's the same way. they take 30% of everything that a programmer sells. They get the bulk of the money,[...]"

        30% is in no way "the bulk of the money," and further proof of this is the fact that the App and iTunes stores don't even make a blip on Apple's balance sheet. Just ridiculous!
        lelandhendrix@...
      • Yes - people are "forced" to steal

        So, how exactly does the way the record industry work, or the Apple store for that matter, force you to do anything. Since the launch of the iTunes store, songs have been about 99 cents, so it's hard to say they aren't affordable to the average consumer. They also broke the "buy the album to get a few songs" model, which actually saves you $$$ vs. the CD model. Same thing for the app store. The majority of apps are sub $5, so it's not like they're out of reach for the average consumer.

        Look, I'm not advocating the practices of the record labels or Apple. I'm just saying don't use it as an excuse to legitimize your piracy. You act like the artists and developers are somehow benefiting from piracy when the truth is, the only person that benefits from the piracy is you. Which hurts the developer more, Apple taking a 30% or not getting the 70% at all when someone pirates their software?

        To be perfectly honest, I'm pretty indifferent to piracy. It just annoys me when people try and make political arguments to justify their actions when 99.9% of pirates do it so they can get stuff for free.
        TroyMcClure
    • LOL

      This is awesome...it just shows how weak Apple is when it comes to security. They truly are 10 years behind in security.

      Sending passwords and accounts in plain txt? Are you kidding me?

      I'm laughing as I wait for MS to open up Surface Pre-Orders.
      Rob.sharp
      • Sending accounts and passwords in plain text

        Over an encrypted connection... about the same that Microsoft will do.
        Not much different than what the industry does.
        danbi
        • not quite correct there

          Microsoft is NOT allowed to transmit clear text user IDs, passwords, or uniquely identifying information over any type of connection, per the antitrust ruling against them from 2 decades ago... Good try though. I hope the world (individually of course, US, EU, ...) sues Apple finally and regulates their monopolistic policies. It is real easy to gain market share when the largest competitor is limited in their actions due to antitrust lawsuits from before they even entered the market...

          just a note, I am not FOR Microsoft, I avoid them AND Apple as much as possible. I just do not find Apple's business practices to be anything but one sided.
          aiellenon
  • Learn more about the history of app sales before posting trash

    30% is actually very fair for the devs. In fact, Google takes 30% as well.
    Drew Duncan
    • Why is that price fair?

      Just because Apple set it and everyone else copied it (though I think Microsoft charges a little less?) does not make it fair, it just makes it an industry standard. Rather like company stores in the mining era (C18) would take a large proportion of their miners' salaries, this was an industry practice, it was not fair but it was standard.
      Personally I think it sounds high especially given Apple's profit margins, the volume of users and the number of sales v the work they do for the developers it would seem that they are gouging people.
      chinashaw
      • While I have issues with the program, it's pretty fair.

        Apple makes a lot of money on this, no doubt, but have you compared it to the costs to the programmers if they sell via retail outlets? My main objection with Apple's system is they get the same cut for any additional purchases, which seems a bit unfair.

        The mining comparison is just wrong. The mines charged unreasonable rental and basically paid you in store credit. You had no choices if you wanted to work, and the monopoly was what made it unreasonable. The problem with Apple is that they do not allow for other ways to install legit software. In either case, stealing from the programmers by using the logic that Apple is stealing from them is idiotic.
        richard233
      • The price is fair because developers

        are willing to agree to it. You see, in the real world, a fair price is one in which the buyer and seller are both satisfied at the time of the transaction. As a non-involved third-party, your opinions on the matter are totally irrelevant.
        baggins_z
        • That reasoning works under perfect competition, but ...

          ... the mobile platform market is very far from being perfectly competitive. It is essentially an Apple/Google duopoly on the platform side, which gives Apple and Google substantial market power. Moreover, there are switching costs for developers moving between iOS and Android, which gives Apple/Google even more power. On the developer side, there is a huge number of small developers, which means an individual developer has essentially no market power. As a result, the market is heavily tilted in favour of Apple and Google, and against developers.

          As an aside, I think Apple's policy is reasonable/fair, given what the iOS platform provides. Nevertheless, the 'market price' argument doesn't work without a market that is close to perfectly competitive. The easiest way to understand this is to think of a monopoly. In a monopoly market, the monopolist has absolute power to set prices, so can set them to anything it likes. If you accept the 'market price = fair' argument in a monopoly market, you are essentially arguing that any price is fair.
          WilErz
        • Another thing that is "fair" ...

          ... is men beating their wives because they are willing to agree to it.

          Or NOT.

          Agreement does not equal fairness. It means somebody compared the alternatives and picked one - there is nothing that says that alternative isn't equally bad, or worse. And if that alternative was picked because threats (even implied ones) kept her from picking the other options, it's even less fair.

          So, how this relates to Apple - trying to circumvent them will give you a major legal PITA, and avoiding them entirely is haaard. To accept their terms under those circumstances does NEVER imply fairness.
          Natanael_L
          • Yeah...

            The Apple App Store is the equivalent of an abusive husband. That's a fair comparison.

            I wonder what all these small, independent developers think about the rates. Take a look at app sales numbers in Apple's store vs. the Google Market and all the other 3rd party Android app stores. Time and time again, you see news stories about how much more people spend in Apple's app store vs. others. It's the same reason electronic makers put their stuff in Best Buy stores. Sure, Best Buy gets a cut, but they also help them move more volume vs. selling direct from their own websites, catalogs, etc.

            Wonder if the guys from Instagram are grumbling over Apple getting a 30% cut?
            TroyMcClure
          • Apple App store/Android market

            I believe the main reason consumers spend more in the Apple App Store is because of the convenience of having iTunes prepaid cards that can be bought at any retail store POS rack. The Android Market by comparison does not have an equivalent system in place; instead, to buy apps it requires you to use an actual credit card.
            Jimrx7