How to protect your app from the Apple iOS in-app purchase hack

Summary: If you're an iOS app developer who uses Apple's In-App Purchase program, you may want to protect your work. A new hack that does not require first jailbreaking the device lets users circumvent the in-app payment process.

Update - This method does not work. Apple needs to provide a fix. Details here: Apple investigating iOS in-app purchase hack

News broke today that a Russian developer has hacked Apple's In-App Purchase program for iOS, allowing iPhone, iPad, and iPod touch users to circumvent the payment process and essentially steal in-app content. Users don't even have to jailbreak their device. While Apple has still not gotten back to my request for comment, I've done a little digging on how app developers can protect a very important source of revenue, especially for authors of free apps.

It would appear (I have not been able to personally confirm) that app makers can prevent this hack by adding three lines of code to their source as described by the "Verifying Store Receipts" webpage over at the iOS Developer Library. Here's the crux of it:

Your application should perform the additional step of verifying that the receipt you received from Store Kit came from Apple. This is particularly important when your application relies on a separate server to provide subscriptions, services, or downloadable content. Verifying receipts on your server ensures that requests from your application are valid.

This would explain why some apps are not working with the hack in question while others are having their in-app content stolen without a hitch. If you believe this is being caused by something else, do let me know.

Important: I do not own an iOS device nor am I an iOS app developer. Furthermore, I do not condone this in-app purchase hack. As such, I have not verified if modifying an app in this way will protect you from this circumvention. If you are an iOS app developer and can provide further insight, feel free to drop me a line.

About

Emil is a freelance journalist writing for CNET and ZDNet. Over the years, he has covered the tech industry for multiple publications, including Ars Technica, Neowin, and TechSpot.
