Apple Blocks iOS In-App Purchase Fraud, Hacker Admits Defeat

Posted on July 31, 2012


Apple (NASDAQ:AAPL) has successfully blocked an App Store hack that let iOS device owners make in-app purchases for free.

“Apple is doing the right thing when it comes to a business point of view. They are looking to profit from monetary exchanges happening on their platforms. Hacking is a real problem in the space. The fact that Apple is making strong headway in thwarting these threats is great news and will allow Apple to continue pursuing the goals that they have in place, as a business”, said Tim Canada, Senior Account Manager of SiteMinis.

Russian developer Alexey Borodin designed the in-app purchase hack, which installed bogus certificates on iPhones and iPads in addition to exploiting a customized DNS server to essentially trick iOS apps into believing they’re communicating with the App Store and validating user purchases. According to Borodin, “every in-app receipt is generic” and contains no direct user data, making transactions “easy to spoof.” Borodin later extended the exploit to Apple’s Mac OS X platform.

On Friday, Apple emailed registered iOS developers to explain the hack exploited vulnerabilities in iOS 5.1 and earlier. “An attacker can alter the DNS table to redirect these requests to a server controlled by the attacker,” Apple said. “Using a certificate authority controlled by the attacker and installed on the device by the user, the attacker can issue a SSL certificate that fraudulently identifies the attacker’s server as an App Store server. When this fraudulent server is asked to validate an invalid receipt, it responds as if the receipt were valid. iOS 6 will address this vulnerability.”

Because consumers can continue exploiting the hack until iOS 6 is officially released later this year, Apple urged iOS developers to stop trusting on-device validation and instead send every in-app purchase receipt to their own servers, which then submit it to Apple's App Store servers for validation. That moves the check off the device, whose DNS settings and trusted certificates the user (or attacker) controls, onto a server the developer controls. Apple also provided sample code to help developers further safeguard their software against such hacks.
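The following is an added example, not Apple's or Borodin's code, illustrating why the on-device check fails against a spoofed App Store server and what a server-side check should do instead. It assumes the 2012-era `verifyReceipt` JSON response shape (`status`, `receipt.bid`, `receipt.product_id`, `receipt.transaction_id`); the sample responses and the `fake_store_server` behaviour are constructed, and the call to Apple is injected as a callable so the example runs offline. The bundle-ID, product-ID and transaction-ID checks are the ones a practitioner would apply on top of the article's advice, not something the article spells out.

```python
"""Client-side vs server-side validation of iOS in-app purchase receipts."""
import json
import ssl
import urllib.request

APPLE_VERIFY_URL = "https://buy.itunes.apple.com/verifyReceipt"  # production endpoint


def apple_verify(receipt_b64: str) -> str:
    """Submit a receipt to Apple from the developer's server.

    The TLS context uses the server's own trust store, so a certificate
    authority installed on a user's phone, or a rewritten DNS table on it,
    has no effect on which host answers here. Not called in the offline demo.
    """
    body = json.dumps({"receipt-data": receipt_b64}).encode()
    req = urllib.request.Request(APPLE_VERIFY_URL, data=body,
                                 headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, context=ssl.create_default_context()) as resp:
        return resp.read().decode()


# Constructed: what Apple would return for one genuine purchase in our app.
GENUINE_RESPONSE = json.dumps({
    "status": 0,
    "receipt": {
        "bid": "com.example.game",
        "product_id": "com.example.game.gems100",
        "transaction_id": "1000000055555555",
    },
})


def fake_store_server(receipt_b64: str) -> str:
    """Constructed stand-in for the attacker's server reached via DNS redirect.

    It answers 'valid' (status 0) to any receipt it is sent, and always hands
    back the same canned receipt: the 'generic' receipt the article mentions.
    """
    return json.dumps({
        "status": 0,
        "receipt": {
            "bid": "com.other.app",
            "product_id": "com.other.app.coins",
            "transaction_id": "1000000000000001",
        },
    })


def naive_device_check(response_text: str) -> bool:
    """The pattern the hack defeated: the app asks 'the App Store' and
    believes whatever host its DNS resolved, checking only the status."""
    return json.loads(response_text).get("status") == 0


class ReceiptValidator:
    """Server-side validator: asks Apple through `verify`, then checks that
    the receipt is for this app, for the product the client claims, and has
    not been presented before (a replayed generic receipt fails here)."""

    def __init__(self, bundle_id, product_ids, verify):
        self.bundle_id = bundle_id
        self.product_ids = set(product_ids)
        self.verify = verify          # callable(receipt_b64) -> JSON text
        self.seen_transactions = set()  # in production: a database table

    def validate(self, receipt_b64: str, claimed_product_id: str):
        resp = json.loads(self.verify(receipt_b64))
        if resp.get("status") != 0:
            return False, "apple rejected receipt (status %s)" % resp.get("status")
        receipt = resp.get("receipt", {})
        if receipt.get("bid") != self.bundle_id:
            return False, "receipt belongs to another app"
        if claimed_product_id not in self.product_ids:
            return False, "unknown product"
        if receipt.get("product_id") != claimed_product_id:
            return False, "receipt is for a different product"
        tid = receipt.get("transaction_id")
        if not tid or tid in self.seen_transactions:
            return False, "transaction already redeemed"
        self.seen_transactions.add(tid)
        return True, "ok"


if __name__ == "__main__":
    # The device-side check is fooled by the spoofed server.
    print("device check vs fake server:", naive_device_check(fake_store_server("x")))
    # The server-side check with a genuine answer accepts once, then catches the replay.
    v = ReceiptValidator("com.example.game", ["com.example.game.gems100"],
                         lambda b64: GENUINE_RESPONSE)
    print(v.validate("AAAA", "com.example.game.gems100"))
    print(v.validate("AAAA", "com.example.game.gems100"))
```

The `seen_transactions` set is the key defence against the generic receipt: Apple will keep reporting status 0 for a receipt that really was issued, so only the developer's own record of redeemed transaction IDs distinguishes the first legitimate redemption from its replay on a hundred other devices.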

Writing Monday on his In-Appstore blog, Borodin admitted defeat. “By examining [Apple’s] statement about in-app purchases in iOS 6, I can say that currently game is over,” he said. “Currently we have no way to bypass updated APIs.” Borodin added he will continue to focus on Mac OS X, stating “We have some cards in the hand. It’s good that OS X is open.”