A Russian hacker recently developed a method that allows users to obtain in-app purchases for free. The hack combines developer certificates with a bypass of Apple’s authentication servers. Over 8,460,017 free purchase transactions have been made so far using this method.
Apple has taken steps to combat the issue, but nothing has proved to be a certain fix thus far. In a new support document for developers, Apple made their own in-app purchase servers available for developer use as a temporary fix. The use of their servers with an encrypted purchase receipt will prevent apps from being vulnerable to the hack.
Apple also confirmed this hack will be obsolete in iOS 6:
A vulnerability has been discovered in iOS 5.1 and earlier related to validating in-app purchase receipts by connecting to the App Store server directly from an iOS device. An attacker can alter the DNS table to redirect these requests to a server controlled by the attacker. Using a certificate authority controlled by the attacker and installed on the device by the user, the attacker can issue a SSL certificate that fraudulently identifies the attacker’s server as an App Store server. When this fraudulent server is asked to validate an invalid receipt, it responds as if the receipt were valid.
iOS 6 will address this vulnerability. If your app follows the best practices described below then it is not affected by this attack.
Cupertino has also given the following statement to CNET on the matter:
We recommend developers follow best practices at developer.apple.com to help ensure they are not vulnerable to fraudulent In-App purchases. This will also be addressed with iOS 6.
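As an added illustration of the server-side validation Apple points developers to (example code, not Apple's and not part of the original article): the app forwards its purchase receipt to its own backend, the backend has the App Store verification server decode it, and only then does it apply the checks below before unlocking content. The bundle identifier, product identifiers and the receipt field names (`bid`, `product_id`, `transaction_id`) are assumptions made for this example, and the sample responses are constructed.

```python
# Added example: hypothetical app values, not taken from the page.
EXPECTED_BUNDLE_ID = "com.example.myapp"
KNOWN_PRODUCTS = {"com.example.myapp.coins100", "com.example.myapp.premium"}

class ReceiptRejected(Exception):
    """Raised when a decoded receipt fails a consistency check."""

def check_receipt_response(response: dict, seen_transactions: set) -> dict:
    """Check the decoded answer the App Store verification server returned to the app's
    backend (round trip omitted). Field names bid/product_id/transaction_id are assumed."""
    if response.get("status") != 0:
        raise ReceiptRejected(f"store reported status {response.get('status')}")
    receipt = response.get("receipt") or {}
    # A receipt lifted from another app carries that app's bundle id.
    if receipt.get("bid") != EXPECTED_BUNDLE_ID:
        raise ReceiptRejected(f"bundle id mismatch: {receipt.get('bid')!r}")
    # Only products this app actually sells may unlock content.
    if receipt.get("product_id") not in KNOWN_PRODUCTS:
        raise ReceiptRejected(f"unknown product {receipt.get('product_id')!r}")
    # A genuine receipt must not be redeemed twice (replay).
    tx = receipt.get("transaction_id")
    if not tx or tx in seen_transactions:
        raise ReceiptRejected(f"missing or replayed transaction id {tx!r}")
    seen_transactions.add(tx)
    return receipt

def screen_responses(responses: list, seen=None) -> list:
    """Run the checks over a batch; returns a (transaction_id, verdict) pair per response."""
    seen = set() if seen is None else seen
    verdicts = []
    for r in responses:
        tx = (r.get("receipt") or {}).get("transaction_id")
        try:
            check_receipt_response(r, seen)
            verdicts.append((tx, "accepted"))
        except ReceiptRejected as err:
            verdicts.append((tx, f"rejected: {err}"))
    return verdicts

def _resp(status, bid=None, product=None, tx=None):  # builds one constructed sample response
    return {"status": status, "receipt": {"bid": bid, "product_id": product, "transaction_id": tx}}

# Constructed sample responses, not real App Store data.
SAMPLE_RESPONSES = [
    _resp(0, EXPECTED_BUNDLE_ID, "com.example.myapp.coins100", "1000000000000001"),  # genuine
    _resp(0, "com.other.game", "com.example.myapp.coins100", "1000000000000002"),    # foreign app
    _resp(0, EXPECTED_BUNDLE_ID, "com.example.myapp.coins100", "1000000000000001"),  # replay
    _resp(21002),                                                                    # store rejected
]
```

Because the checks run on the backend against the store's own answer, a device whose DNS and trusted CA list have been tampered with cannot substitute a fake "valid" reply, and a receipt copied from another app or redeemed twice is turned away.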
It’s sad that this issue continues to be a problem. Developers already have it hard worrying about app pirating, and recently in-app purchases being compromised as well. I’d recommend staying away from this hack as there’s no telling what information is being collected as you transmit data to a Russian server to get free in-app purchases.
Plus… it’s just wrong.
Source: CNET