Posted by Zack | Posted in Consumer Electronics | Posted on 17-07-2012
Tags: Apple, Apple iOS, In-App Purchase hack, In-App Purchases, iOS
About a week ago, Alexey Borodin, a Russian developer, hacked Apple’s In-App Purchase program for every device running anything from Apple iOS 3.0 to iOS 6.0. This allowed iPhone, iPad and iPod touch users to circumvent the payment process and basically steal any in-app content that they wanted to.
Apple confirmed the hack and stated that it was investigating the issue and, this week, tried to block the hack, but was unsuccessful. Now, Apple is starting to offer a proper solution, although it isn’t quite ready. Apple has started including unique identifiers in the validation receipts for in-app purchases. Developers recently started seeing the new receipts, which include a new field called “unique_identifier”.
According to a report from MacRumors, “As one developer noted to us, apps are no longer supposed to be collecting the UDID and thus it is unclear whether Apple’s use of the identifier for this purpose is simply a first step toward a broader implementation of unique receipt identifiers for increased security or if Apple is attempting to identify those users and devices who are sharing their receipts with the Russian hacker to allow the method to function.”
The worst part about this hack is that iOS developers currently have no way of protecting their apps. Checking store receipts doesn’t help, since all that is needed to bypass the check is a single donated receipt, which can then be replayed to authenticate anyone’s purchase requests. Borodin’s circumvention technique relies on installing certificates, changing DNS settings so that the purchase authentication traffic is redirected, and then emulating Apple’s App Store receipt verification server.
The unique identifiers have set Apple on a proper path to a decent solution, though Borodin has declared that he wants the company to fix the problem by either changing its APIs or placing new blocks on its service. It seems that Apple will have to start encrypting the connection and update iOS so that it is unaware of the changes being made. In turn, this will stop apps from being able to approve false purchases.
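To make the defensive side concrete, here is an added example (not from the article, and not Apple’s or any developer’s code) of the checks a developer’s server could apply to a receipt validation response once receipts carry a unique_identifier: the receipt is bound to the device that is asking, and the same transaction cannot be redeemed twice, which is exactly what a single donated receipt relies on. The sample response is constructed, and every field name other than unique_identifier, along with the meaning of status 0, is an assumption for this example.

```python
import json

# Constructed validation response in the rough shape of Apple's verifyReceipt
# JSON. Only "unique_identifier" comes from the article; the other field names
# and "status": 0 meaning "valid" are assumptions for this example.
RECEIPT_JSON = json.dumps({
    "status": 0,
    "receipt": {
        "bid": "com.example.app",
        "product_id": "com.example.app.gold_pack",
        "transaction_id": "1000000012345678",
        "quantity": "1",
        "unique_identifier": "device-A",
    },
})


def validate_purchase(receipt_json, expected_bundle_id, expected_product_id,
                      requesting_device_id, seen_transactions):
    """Return (ok, reason). seen_transactions is a set the caller persists
    across requests so a redeemed transaction_id cannot be replayed."""
    try:
        data = json.loads(receipt_json)
    except ValueError:
        return False, "malformed receipt"
    if data.get("status") != 0:
        return False, "receipt rejected by store"
    receipt = data.get("receipt") or {}
    # A genuine receipt can still be for a different app or product.
    if receipt.get("bid") != expected_bundle_id:
        return False, "receipt is for another app"
    if receipt.get("product_id") != expected_product_id:
        return False, "receipt is for another product"
    # Donated-receipt case: the receipt is real but was issued to someone else.
    if receipt.get("unique_identifier") != requesting_device_id:
        return False, "receipt not bound to requesting device"
    # Replay case: the same purchase presented a second time.
    tid = receipt.get("transaction_id")
    if not tid or tid in seen_transactions:
        return False, "transaction already redeemed"
    seen_transactions.add(tid)
    return True, "ok"
```

Because the hack works by steering the device to an emulated verification server, these checks belong on the developer’s own server, fed by a response the server fetched from Apple itself rather than one relayed by the device.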
Source: ZD Net – Apple adds unique identifiers to fight iOS in-app purchase hack