Apple tries to block iOS in-app purchase hack, fails

Apple is working hard to fight the hacking of its In-App Purchase program for iOS. So far, though, the company's attempts have not deterred Russian developer Alexey Borodin, who apparently wants Cupertino to fix the underlying problem rather than just trying to block his in-appstore.com service.
Written by Emil Protalinski, Contributor

Update on July 18 - Apple adds unique identifiers to fight iOS in-app purchase hack

Last week Russian developer Alexey Borodin hacked Apple's In-App Purchase program for all devices running anything from iOS 3.0 to iOS 6.0 (the In-App Purchase program requires iOS 3.0 or later), allowing iPhone, iPad, and iPod touch users to circumvent the payment process and essentially steal in-app content. Apple confirmed the workaround and said it was investigating the issue. Ever since, Cupertino has been working hard to stop the attack, but it has yet to succeed.

First, Apple blocked the IP address of the server used by the Russian hacker. Next, the company issued a takedown request on the hacker's web server and contacted PayPal to prevent users from making donations for keeping the service running. Last but not least, the electronics giant served up a copyright claim against the hacker's video.

Unfortunately for Apple, all of that wasn't enough. Borodin switched to a server located in another country (the first was located in Russia), started taking donations via BitCoin ("PayPal sucks. BitCoin here! 15GCBL7gHbf2p8bapozSrZhNaXdrKUWRFF") as well as ads on in-appstore.com, and uploaded a new video.

He also declared he wants Apple to fix the problem by either changing its APIs or placing new blocks on its service. Borodin told The Next Web that Apple has not contacted him about the issue, and so he is continuing to toy with Cupertino.

The worst part about this hack is that iOS developers have no way of protecting their apps. Using store receipts does not work, as Borodin says his service simply needs a single donated receipt, which it can then use to authenticate anyone's purchase requests. His circumvention technique relies on installing certificates (for a fake in-app purchase server and a custom DNS server), changing DNS settings to allow the authentication of "purchases," and finally emulating the receipt verification server on the Apple App Store.

The iOS apps treat Borodin's server as an official communication because of how Apple authenticates a purchase. There is nothing that ties the purchase directly to a customer or device, meaning a single purchased receipt can be used again and again. In short, this hack means in-app purchase requests are being re-routed as well as approved.
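A simplified model of the replay weakness described above, added here as an illustration and not Apple's receipt format or verification code. It assumes an HMAC as a stand-in for the store's signature; the key, field names and device identifiers are constructed. The weak check accepts any validly signed receipt, while the bound check accepts a receipt only for the device it names and only once.

```python
import hashlib
import hmac
import json

STORE_KEY = b"constructed-demo-key"  # constructed stand-in for the store's signing key


def issue_receipt(product_id, transaction_id, device_id=None):
    """Store side: sign a receipt; the device is bound only if supplied."""
    body = {"product_id": product_id, "transaction_id": transaction_id}
    if device_id is not None:
        body["device_id"] = device_id
    payload = json.dumps(body, sort_keys=True).encode()
    sig = hmac.new(STORE_KEY, payload, hashlib.sha256).hexdigest()
    return {"payload": payload, "sig": sig}


def signed_body(receipt):
    """Return the decoded body if the signature verifies, else None."""
    expected = hmac.new(STORE_KEY, receipt["payload"], hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, receipt["sig"]):
        return None
    return json.loads(receipt["payload"])


def verify_unbound(receipt, product_id):
    """Weak check: any validly signed receipt for the product is accepted."""
    body = signed_body(receipt)
    return body is not None and body["product_id"] == product_id


class BoundVerifier:
    """Accept a receipt only for the device it names, and only once."""

    def __init__(self):
        self.redeemed = set()

    def redeem(self, receipt, product_id, device_id):
        body = signed_body(receipt)
        if body is None or body["product_id"] != product_id:
            return False
        if not device_id or body.get("device_id") != device_id:
            return False  # unbound, or issued to a different device
        if body["transaction_id"] in self.redeemed:
            return False  # this transaction was already credited
        self.redeemed.add(body["transaction_id"])
        return True
```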

Last but certainly not least, Cupertino is transmitting its customers' Apple IDs and passwords in clear text (Apple assumed it would only ever be communicating with its own server). The following information is transferred from your device to Borodin's server: app restriction level, app id, version id, device guid, in-app purchase quantity, in-app purchase offer name, app identifier, app version, your language, and your locale. Whoever operates in-appstore.com could easily be gathering everyone's iTunes login credentials (as well as unique device-identifying data) in a classic man-in-the-middle attack.

If that's not enough to deter you from using this hack, please think of the developers. You are stealing the majority of revenues from them (70 percent versus Apple's 30 percent cut).
