Two weeks ago, Russian developer Alexey Borodin hacked Apple's In-App Purchase program for all devices running iOS 3.0 or later, allowing iPhone, iPad, and iPod touch users to circumvent the payment process and essentially steal in-app content. Apple confirmed the workaround and last week announced a temporary fix and that would patch the holes with the release of iOS 6. Borodin today declared Apple's solution indeed stops his hack.
Here's what he had to say, in a post on in-appstore.com titled "It's all over... for now.":
By examining last apple's statement about in-app purchases in iOS 6, I can say, that currently game is over. Currently we have no way to bypass updated APIs. It's a good news for everyone, we have updated security in iOS, developers have their air-money.
When Cupertino first tried to block the hack, it failed. Now the company finally has a proper solution, albeit temporary. We'll have to wait for iOS 6 to finally and completely block this hack.
In the meantime, Borodin says the "service will still remain operational until iOS 6 comes out." Furthermore, he's still hard at work on the Mac in-app purchase hack he disclosed last week:
The another thing is for in-appstore for OS X. We still waiting for apple's reaction and we have some cards in the hand. It's good that OS X is open.
The worst part about the iOS hack was that developers had no way of protecting their apps. Using store receipts didn't work as Borodin's service simply needed a single donated receipt, which it could then use to authenticate anyone's purchase requests. His circumvention technique relied on installing certificates (for a fake in-app purchase server and a custom DNS server), changing DNS settings to allow the authentication of "purchases," and finally emulating the receipt verification server on the Apple App Store.
Affected iOS apps treat Borodin's server as an official communication because of how Apple authenticates a purchase. Until recently, there was nothing that ties the purchase directly to a customer or device, meaning a single purchased receipt could be used again and again. In short, this hack meant in-app purchase requests were being re-routed as well as approved. Now developers can thwart the approval process as they wait for iOS 6.
Still, Cupertino is transmitting its customers' Apple IDs and passwords in clear text (Apple assumed it would only ever be communicating with its own server). The following information is transferred from your device to Borodin's server: app restriction level, app id, version id, device guid, in-app purchase quantity, in-app purchase offer name, app identifier, app version, your language, and your locale.
Whoever operates in-appstore.com could easily be gathering everyone's iTunes login credentials (as well as unique device-identifying data) in a classic man-in-the-middle attack. My guess is Apple will also address this part of the hack in iOS 6, a release which Boroding has approved.
- Apple Mac in-app purchases hacked; everything free like on iOS
- Apple iOS in-app purchases hacked; everything is free (video)
- Apple investigating iOS in-app purchase hack
- Apple tries to block iOS in-app purchase hack, fails
- Apple adds unique identifiers to fight iOS in-app purchase hack
- Apple to block in-app purchase hack in iOS 6, offers interim fix
- Cross-platform Trojan attacks Windows, Intel Macs, Linux