Hacker on Apple's iOS in-app purchase fix: 'Game is over'

Hacker on Apple's iOS in-app purchase fix: 'Game is over'

Summary: Apple recently announced iOS 6 will block the hacking of its In-App Purchase program. The Russian hacker behind the attack has declared that Apple's fix will indeed block his circumvention technique. He's leaving his service open until iOS 6 is released, however, and pushing onwards with his Mac in-app hack.

Hacker on Apple's iOS in-app purchase fix: 'Game is over'

Two weeks ago, Russian developer Alexey Borodin hacked Apple's In-App Purchase program for all devices running iOS 3.0 or later, allowing iPhone, iPad, and iPod touch users to circumvent the payment process and essentially steal in-app content. Apple confirmed the workaround and last week announced a temporary fix and that would patch the holes with the release of iOS 6. Borodin today declared Apple's solution indeed stops his hack.

Here's what he had to say, in a post on in-appstore.com titled "It's all over... for now.":

By examining last apple's statement about in-app purchases in iOS 6, I can say, that currently game is over. Currently we have no way to bypass updated APIs. It's a good news for everyone, we have updated security in iOS, developers have their air-money.

When Cupertino first tried to block the hack, it failed. Now the company finally has a proper solution, albeit temporary. We'll have to wait for iOS 6 to finally and completely block this hack.

In the meantime, Borodin says the "service will still remain operational until iOS 6 comes out." Furthermore, he's still hard at work on the Mac in-app purchase hack he disclosed last week:

The another thing is for in-appstore for OS X. We still waiting for apple's reaction and we have some cards in the hand. It's good that OS X is open.

The worst part about the iOS hack was that developers had no way of protecting their apps. Using store receipts didn't work as Borodin's service simply needed a single donated receipt, which it could then use to authenticate anyone's purchase requests. His circumvention technique relied on installing certificates (for a fake in-app purchase server and a custom DNS server), changing DNS settings to allow the authentication of "purchases," and finally emulating the receipt verification server on the Apple App Store.

Affected iOS apps treat Borodin's server as an official communication because of how Apple authenticates a purchase. Until recently, there was nothing that ties the purchase directly to a customer or device, meaning a single purchased receipt could be used again and again. In short, this hack meant in-app purchase requests were being re-routed as well as approved. Now developers can thwart the approval process as they wait for iOS 6.

Still, Cupertino is transmitting its customers' Apple IDs and passwords in clear text (Apple assumed it would only ever be communicating with its own server). The following information is transferred from your device to Borodin's server: app restriction level, app id, version id, device guid, in-app purchase quantity, in-app purchase offer name, app identifier, app version, your language, and your locale.

Whoever operates in-appstore.com could easily be gathering everyone's iTunes login credentials (as well as unique device-identifying data) in a classic man-in-the-middle attack. My guess is Apple will also address this part of the hack in iOS 6, a release which Boroding has approved.

See also:

Topics: Security, Apple, Apps, iOS, iPhone, Piracy

Emil Protalinski

About Emil Protalinski

Emil is a freelance journalist writing for CNET and ZDNet. Over the years,
he has covered the tech industry for multiple publications, including Ars
Technica, Neowin, and TechSpot.

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.


Log in or register to join the discussion
  • In-app purchases suck

    I'm glad it's broken. If you want to nickle and dime people you should have decency to do it up front instead of luring them to installing your app only to discover that they have to keep dolling out money to get the full experience.
    • Entitled much?

      When you get an app and see that you need to make in-app purchases to get a full experience you could just decide if the content is worth the price, and then either pay for it and be happy or delete the app and move on. Not sure where you're getting the idea that since you don't like the way the developer is charging, you get to just steal the content.
      • as are you...

        But I'll let you simmer over possible details... but a lot of people do have that sentiment, even you...
      • ok, here is a hint

        The only ones allowed are those who set the value of your work and time, get taxpayer funds in return for offshoring jobs to prop up themselves with, and lobby for other free rides
      • I agree with the TiOracle

        In that you should be told up front that for full experience you need to buy upgrades, time and or "in game materials" then they can make an informed decision BEFORE they waste time, bandwidth and money.
        But I agree with you, while it may be crappy marketing, once you know you have to pay for minutes/material/updates/levels, whatever, to play the game, then pay it. You must see value in it so let the poor slobs that created it make a couple (million?) bucks off their work.. maybe the next version will have more for free.. and more you can waste your time and money on.
        • Purchases

          You can see before you purchase an app if you need In App purchases to play the game or to reach higher levels, etc. The one that PO'd me the most this year was RICH Angry Birds Space, full purchase, requires you to buy in app purchases. I don't buy them. I'll go as far as I can and that's it. If I try a "lite" version or a free version of an app, and like it. I'll buy it, and I do mostly buy my apps. I am not going to buy an app where I will keep having to buy coins for example but that is common to many games, not just on Apple, Google and the Amazon stores. There are some superb apps out there that are free, and many free or lite versions just suck but it's your choice I wouldn't try this hack that this guy provided. That's just cheap as well as illegal, also not very cool being that he is a developer. I'd like someone to do that to his site or apps if he has any.
    • What exactly did you expect?

      I'd think you had a point if someone paid the $20-$30 a game that was prevalent
      until recently, but at the price points that are currently in place, there is no way to
      cover costs let alone turn a profit.

      The better games use the in game purchase only as a short cut.
      That is to say, its possible to get to the same place over time, but in game purchases
      get you there a whole lot faster.

      A number of online games work that way. You get coins for every so many levels and
      the occasional additional one as a prize, but you can buy the coins directly if you want
      to power up early on. Me? I take the long road and treat the use of bought coins as
      a "cheat", but I know that without some impatient people buying them that the whole
      ecosystem would collapse.
      • no way to turn a profit?

        What planet are you from? At .99 cents a copy.. it is NOT costing the author a single cent to "make more copies to sell", (ain't bits great?).. and while $.99 is not a lot.. when you have a global audience that will buy 200,000 copies a day.. and you tell me they cannot make any money? Even if they pay Apple the exhorbitant fee I hear they want.. sell a million copies, if they take 30% (totally rediculous), that is still nearly $666,000 for the authors.. simple Math.. not even that new fangled "new math" we have been hearing about since I was in high school back in the stone age.
  • I called this

    When gaping Java vulnerabilities exist in Apple's software, they take years to get around to distributing fixes that others have already created for them.

    But when a vulnerability threatens Apple's 30% tax, it gets top priority.

    I called this last week. I was right.

    Good job fixing vulnerabilities that affect you Apple. Next time, try to put as big a priority on vulnerabilities that affect your customers.
    • When you actually know the difference between a tax and a commission

      you may gain some credibility in this discussion.
      • He has a point

        Apple takes their time fixing an issue that affects end users directly, but waste no time fixing an issue that affects Apple directly.
        William Farrel
      • He knows the difference.

        A number of people refer to it as a tax because apple it ensuring that they will
        always get a piece of the pie even from sales they did not directly assist and
        because Apple does not allow for purchases outside of their ecosystem.

        There is some benefit for buyers and sellers in this, but mainly its for Apple's
        own benefit. I have to wonder if Apple could be held libel. If I take items
        on commission and give them away to a whole bunch of different people holding
        the identical receipt, I would get a big bill, especially since I'm the one that issued
        the first receipt in the first place.

        No doubt few will go this route out of fear of retaliation by Apple.
  • Blame the victim mentality seems to be

    particularly pronounced in the computer industry. Borodin is conspiring to commit theft, a criminal offense, yet everyone is dumping all over Apple because a criminal, Borodin, was able to successfully pick a lock to commit his crime.
    • This is the way to do security nowadays; who calls for Charlie Miller's ...

      ... jailtime?

      No one; he, as well as Borodin, did not abuse the vulnerability for personal profit, but yet what he did was formally illegal.
      • Oh, I get it...

        So if I break into your house, steal your money it's not bad as long as I give the stolen money away and don't make a profit?
        • A regular Robin' Hood

          Rob from the rich, and give to the poor!
          William Farrel
          • The Robin Hood fate

            The 'authorities' (typically, those with *more* money) will do what they always did: prosecute Robin Hood, so that others won't dare do the same.

            Many such 'brave' fellows stop right there - I would not be surprised if we see Borodin mentioned as "security researcher" very soon... just as the likes of Kaspersky are already :)
          • The poor?

            This isn't being given to the poor; it's given to anyone that downloads the particular app(s). If your one of those developers that is squeaking out a living because you can do decent coding and figure you can make money at it, Borodin is saying screw you and Apple too.
        • This is the way how Miller and Borodin see themselves

          They are Robin Hoods of security.

          (Notice that this is not my opinion.)
      • Miller and Borodin not the same...

        If I understand both correctly, Miller's was simply a proof of concept that he never actually took advantage of (or gave to others to use) other than to tranfer a harmless file. Borodin actually put his into action and gave away instructions on how to take advantage of it. That translates to real revenue lost by both Apple and the 3rd party developers leveraging in-app purchases.