How to protect your app from the Apple iOS in-app purchase hack


Summary: If you're an iOS app developer who uses Apple's In-App Purchase program, you may want to protect your work. A new hack that does not require first jailbreaking the device lets users circumvent the in-app payment process.


Update - This method does not work. Apple needs to provide a fix. Details here: Apple investigating iOS in-app purchase hack


News broke today that a Russian developer has hacked Apple's In-App Purchase program for iOS, allowing iPhone, iPad, and iPod touch users to circumvent the payment process and essentially steal in-app content. Users don't even have to jailbreak their device. While Apple has still not gotten back to my request for comment, I've done a little digging on how app developers can protect a very important source of revenue, especially for authors of free apps.

It would appear (I have not been able to personally confirm) that app makers can prevent this hack by adding three lines of code to their source as described by the "Verifying Store Receipts" webpage over at the iOS Developer Library. Here's the crux of it:

Your application should perform the additional step of verifying that the receipt you received from Store Kit came from Apple. This is particularly important when your application relies on a separate server to provide subscriptions, services, or downloadable content. Verifying receipts on your server ensures that requests from your application are valid.

This would explain why some apps are not working with the hack in question while others are having their in-app content stolen without a hitch. If you believe this is being caused by something else, do let me know.

Important: I do not own an iOS device nor am I an iOS app developer. Furthermore, I do not condone this in-app purchase hack. As such, I have not verified if modifying an app in this way will protect you from this circumvention. If you are an iOS app developer and can provide further insight, feel free to drop me a line.



Emil Protalinski

About Emil Protalinski

Emil is a freelance journalist writing for CNET and ZDNet. Over the years,
he has covered the tech industry for multiple publications, including Ars
Technica, Neowin, and TechSpot.


Talkback

11 comments
  • So, basically only developers who were lousy enough to ignore official ...

    ... Apple's guidelines risk having their software "bought" in a hacked way. Lousy developers deserve the punishment.

    That said, Apple has to fix this specific vulnerability as soon as possible.
    DDERSSS
    • Yup, this is the new standard

      OS's are not meant to provide security. The new standard* states that security must be handled by 3rd party application developers on any platform.

      *This standard is set to expire the next time any issue crops up with a non Apple OS.
      toddbottom3
      • This has nothing to do with OS

        Lame troll attempt.
        DDERSSS
        • It has everything to do with the OS

          You wouldn't be here defending this exact same issue if this was happening on a non-Apple OS. In fact, you would be encouraging people to switch to Apple.

          Like I said: this has EVERYTHING to do with the OS when it comes to your posts.
          toddbottom3
          • Nothing to do with OS

            @toddbottom3: the OS can not implement functionality that can only be done by the application.

            And I would say the same thing no matter which OS it was about -- especially if it has nothing to do with OS, whatever it could be, at all.
            DDERSSS
          • William "toddbottom3" Farrel is thinking...

            Of his employer's best interests. I don't want to confuse anyone, he's an Astroturfer, paid minimum wage to surf the web and disparage non-Microsoft companies.
            Jumpin Jack Flash
    • That said???

      That said, Apple has to fix this specific vulnerability as soon as possible?? say what?

      every single app that has in-app purchasing that simply followed the steps, can not be hacked in this way... so basically all of them except for a few who appeared to not have coded their app correctly... so in other words, it is not a security breach when an app doesn't do their in-app correctly, no one but the app developer is to blame...
      honkj
  • You coded it wrong

    Typical Steve Jobs response, blame the user.
    toddbottom3
    • You know the fact is your employer

      Is the one that blames everyone else. The real question is: Is your mind too far gone to see the truth?
      Jumpin Jack Flash
  • verify receipt at backend is safe from this hack

    If you do verify the receipt, and at the backend, you will not be affected by this hack.

    The DNS change will NOT affect how your backend server communicates with Apple, and you will contact the real Apple server.

    You can also filter out the duplicated orders at the backend by Apple's unique order id. And you can also save all purchase-related information at the backend (kind of DRM, so you will not be worried about users changing their client to get the premium content).

    In essence, this is really a breach for careful developers. Apple can not do much about it, except for forcing apps to verify at backend.

    There is a famous saying: "Anything on frontend (user side) can not be trusted".
    coltzhao
    • correction

      sorry, should be "In essence, this is not really a breach for careful developers. Apple can not do much about it, except for forcing apps to verify at backend."
      coltzhao
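
The backend check described in coltzhao's comment above, sketched as an added example (not code from the article, the commenters, or Apple): the server forwards the receipt to Apple itself, then refuses receipts for other apps or unknown products and refuses any transaction id it has already redeemed. The bundle id, product id, sample receipt and `fake_apple` reply are constructed; the `receipt-data` request key and the `status`, `bid`, `product_id` and `transaction_id` response fields are assumed to follow Apple's legacy verifyReceipt JSON.

```python
import base64
import json
import urllib.request

APPLE_VERIFY_URL = "https://buy.itunes.apple.com/verifyReceipt"
EXPECTED_BUNDLE_ID = "com.example.game"          # constructed
KNOWN_PRODUCTS = {"com.example.game.coins100"}   # constructed
GENUINE = b"constructed-receipt-blob"            # constructed sample receipt


def ask_apple(receipt_b64):
    """POST the receipt to Apple from the server, not from the device."""
    body = json.dumps({"receipt-data": receipt_b64}).encode()
    req = urllib.request.Request(APPLE_VERIFY_URL, data=body,
                                 headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


def fake_apple(receipt_b64):
    """Constructed stand-in for Apple's reply so the example runs offline."""
    if base64.b64decode(receipt_b64) != GENUINE:
        return {"status": 21002}
    return {"status": 0, "receipt": {
        "bid": EXPECTED_BUNDLE_ID, "product_id": "com.example.game.coins100",
        "transaction_id": "1000000000000001"}}


class PurchaseLedger:
    def __init__(self, verify=ask_apple):
        self._verify = verify
        self._seen = {}  # transaction_id -> user; use a DB unique key in production

    def redeem(self, user_id, receipt_bytes):
        """Return (granted, detail); content is unlocked only when granted."""
        reply = self._verify(base64.b64encode(receipt_bytes).decode())
        if reply.get("status") != 0:
            return False, "apple rejected receipt"
        receipt = reply.get("receipt") or {}
        if receipt.get("bid") != EXPECTED_BUNDLE_ID:
            return False, "receipt is for another app"
        if receipt.get("product_id") not in KNOWN_PRODUCTS:
            return False, "unknown product"
        txn = receipt.get("transaction_id")
        if not txn or txn in self._seen:
            return False, "missing or already redeemed transaction"
        self._seen[txn] = user_id
        return True, receipt["product_id"]
```

The decision to unlock content is made and recorded on the server, so nothing the client reports about its own purchase state is taken on trust.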