Apple Now Including Unique Identifiers for In App Purchase Receipts to Combat Hack

Discussion in 'MacRumors.com News Discussion' started by MacRumors, Jul 18, 2012.

  1. macrumors bot

    MacRumors

    #1

    Following last week's launch of a hack that allowed users to obtain In App Purchase content free of charge by routing their purchase requests through a server run by a Russian hacker, Apple began taking steps to thwart the method. The hacker has, however, continued to develop his method to skirt around Apple's roadblocks.

    One of the suggestions for a method by which Apple could improve the security of In App Purchasing was to include a unique identifier in validation receipts, and we've received word that developers are now seeing something along those lines coming from receipts issued by Apple since late yesterday. The receipts carry a new field called "unique_identifer" that appears to include the Unique Device Identifier (UDID) for the device making the In App Purchase.

    As one developer noted to us, apps are no longer supposed to be collecting the UDID and thus it is unclear whether Apple's use of the identifier for this purpose is simply a first step toward a broader implementation of unique receipt identifiers for increased security or if Apple is attempting to identify those users and devices who are sharing their receipts with the Russian hacker to allow the method to function.

    Article Link: Apple Now Including Unique Identifiers for In App Purchase Receipts to Combat Hack
     
  2. macrumors 6502

    Rudy69

    #2
    They might allow developers to use it to check if the purchase is valid. There's a huge difference between that and developers using it to track users and possibly logging these IDs on their own servers
     
  3. macrumors regular

    #3
    Multiple devices/replacement devices

    How will this impact those of us that have an iPad and an iPhone? Will we be required to pay for the app 1 time, but the in-app stuff twice?? :confused::confused::confused:
     
  4. macrumors 6502a

    #4
    I could see this as being extremely useful if you have problems downloading the app (legitimately, of course.)
     
  5. macrumors 68000

    BC2009

    #5
    Not if they do it right. They can record the purchase with your account so a "restore purchases" event would trigger that your other devices get their own authorization to run the app. If done right it should create a serious hurdle for the hack.

    I'd like to know if they have fixed the sending of the credentials in clear text. I am not sure if there was really a vulnerability here since the overall communication is encrypted according to the installed certificates on the device, but the hacker seemed surprised or disappointed that faking the certs gave him access to the credentials of any user exploiting his hack. I'm not sure if another layer of encryption would make sense here (i.e.: using a public key from Apple with Apple being the only holder of the private key -- then again, that public key would still have to be stored among the device certificates so I am not really seeing any additional layer of protection -- I am seeing that as being a good way to use the hack without exposing your credentials to the hacker's server).
     
  6. macrumors 6502a

    Baklava

    #6
    Apple, that was fast!
     
  7. macrumors G5

    gnasher729

    #7
    It's encrypted. Nobody except the intended recipient can read it. If someone out of greed and in order to cheat developers out of their earnings redirects traffic from the Apple Store to some Russian hacker, that's not a vulnerability, that is stupidity. And obviously Apple has no reason to help people cheating safely.
     
  8. macrumors 68020

    #8
    I wish Apple would send them a nice good virus. Same to the hacker.
     
  9. macrumors 603

    roland.g

    #9
    Maybe a UK judge can require the hacker to include the text "this receipt is a copy of a legitimate and cool receipt" for the next 6 months on all receipts and on his website.
     
  10. macrumors newbie

    Uncle Ruckus

    #10
    I don't think this will change anything.

    Uncle Ruckus no relations
     
  11. macrumors member

    #11
    check mate

    This hacker sounds pretty smart, perhaps smart enough to keep an eye on Macrumors to find out the latest moves from Apple and stay one step ahead of the game...
     
  12. macrumors 65816

    #12
    It's a shame that Apple even needs to do this. The world we live in today...
     
  13. macrumors 68040

    iSee

    #13
    I thought we won the cold war! But now Russia is crushing our corrupt capitalist country, just like they said they would!!! ;)
     
  14. macrumors 65816

    #14
    I think this is encrypted

    What I'm sure the unique identifier will be used for is validating a certificate. No one will actually see the number, I'll bet. It's hashed multiple times to make your private id. The public id, the hashed and encrypted bundle, will also validate the certificate. Thus every purchase is through the certificate belonging to that app. The developer can offer a deal and the known customer can make a purchase through Apple.

    If I know your private, unique identifier somehow, then I'd still have to get past some tough encryption to make out the token.

    It's part of a paradox of privacy. The only way to be private is to show yourself to someone trusted. Although here, if your iPhone does the initial hash before it sends this field to Apple, it's still safe, especially since all purchases are through SSL.
     
  15. macrumors 6502

    #15
    Yes. The world we live in today is almost unbearable. All these wars of opportunity complete with extrajudicial killings funded by casino capitalism. While a naive self-absorbed population frets endlessly about... pirated software? What a shame indeed.
     
  16. macrumors 65816

    SpyderBite

    #16
    Yah. Cause a fan site would be the most current source for a hacker to keep on top of source code. :rolleyes:
     
  17. macrumors 6502

    #17
    Pretty sure this was sarcasm...
     
  18. macrumors 6502a

    Mad-B-One

    #18
    That happened to me already - because the old system had sometimes setups where this wasn't tracked. In my opinion, in-App-purchases should be handled the same way App purchases are. Put it on the "purchased" list in the App store.
     
  19. macrumors 6502

    #19
    Agreed. I've never understood why this wasn't the case from day one.
     
  20. macrumors 6502a

    Mad-B-One

    #20
    I understand it but don't agree with it: More potential revenue. Well, that didn't work out that well, did it? Ultimately, it caused the vulnerability. :cool:
     
  21. macrumors 6502

    #21
    As a developer, and one who is just starting to get into paid apps, I wish there were things Apple could implement to allow better control of piracy. I'm worried that my $50 app* would get pirated, or even my $0.99 ones. Setting up push servers is one thing (and expensive), but validation servers would be a pain as well.

    * It's a medical database thing, thus sadly it's expensive, hopefully it'll have sales.
     
  22. macrumors 6502

    #22
    If Apple is using it to follow the users getting the free apps along with the hacker ... what is Apple going to do? Cancel their account or make them pay for the apps?
     
  23. macrumors 68000

    #23
    Perhaps it's to know who got ripped off so that Apple can provide it for free or register the purchase on their servers.
     
  24. macrumors 6502

    gkpm

    #24
    The Next Web are reporting this is NOT the same as the UDID:

    http://thenextweb.com/2012/07/18/ap...pts-not-udid-may-be-related-to-recent-breach/

    ----------

    If you can't run your validation server, check out these guys who seem to do it for free:

    http://thenextweb.com/apple/2012/07...free-in-app-purchase-validation-for-ios-apps/
     
  25. macrumors newbie

    #25
    Signatures ...

    It seems that this would be very easy for Apple to fix with an iOS update, but of course that doesn't help with existing customers. Just sign the receipts with an App Store certificate, and then ensure that the receipts are signed.

    But it also seems strange that Apple didn't do this in the first place.
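    The two defensive ideas raised in this thread, a receipt that carries a per-device unique_identifier (post #1) and receipts that are signed by the store and checked by the app (post #25), can be shown together in a small simulation. The code below is an added example written for this page; it is not Apple's receipt format, not StoreKit, and not code from any poster. It assumes a JSON payload signed with ed25519 and a constructed device identifier; the real App Store receipt format and signing scheme differ. The point it demonstrates is why both checks are needed: the signature stops a receipt minted by a server that is not the store, and the device binding stops a genuine receipt from being copied to other devices.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
)

// Receipt is a constructed stand-in for an In App Purchase receipt. The
// unique_identifier field name comes from the thread; the JSON layout and
// the ed25519 signature are assumptions, not Apple's real receipt format.
type Receipt struct {
	ProductID        string `json:"product_id"`
	TransactionID    string `json:"transaction_id"`
	UniqueIdentifier string `json:"unique_identifier"`
}

// SignedReceipt is what the store hands back: the JSON payload plus a
// signature over exactly those bytes.
type SignedReceipt struct {
	Payload   []byte
	Signature []byte
}

var (
	ErrBadSignature = errors.New("receipt signature does not verify against the store key")
	ErrWrongDevice  = errors.New("receipt is bound to a different device")
)

// IssueReceipt plays the store: it signs the canonical JSON of the receipt.
func IssueReceipt(storeKey ed25519.PrivateKey, r Receipt) (SignedReceipt, error) {
	payload, err := json.Marshal(r)
	if err != nil {
		return SignedReceipt{}, err
	}
	return SignedReceipt{Payload: payload, Signature: ed25519.Sign(storeKey, payload)}, nil
}

// ValidateReceipt plays the app. Only the store's public key is pinned in the
// app, so a receipt minted by any other key fails before the payload is even
// parsed. A genuine receipt is then rejected if it was issued to a different
// device, so copying someone else's receipt does not unlock content.
func ValidateReceipt(storePub ed25519.PublicKey, deviceID string, sr SignedReceipt) (Receipt, error) {
	if !ed25519.Verify(storePub, sr.Payload, sr.Signature) {
		return Receipt{}, ErrBadSignature
	}
	var r Receipt
	if err := json.Unmarshal(sr.Payload, &r); err != nil {
		return Receipt{}, err
	}
	if r.UniqueIdentifier != deviceID {
		return Receipt{}, ErrWrongDevice
	}
	return r, nil
}

// Outcome records how the app judged each of the four constructed receipts.
type Outcome struct {
	GenuineAccepted  bool
	RogueRejected    bool
	ReplayRejected   bool
	TamperedRejected bool
}

// Demo builds a store key, a rogue (non-store) key and four receipts, then
// reports whether the app judged each one as it should.
func Demo() (Outcome, error) {
	storePub, storeKey, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return Outcome{}, err
	}
	_, rogueKey, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return Outcome{}, err
	}
	const thisDevice = "device-AAAA"  // constructed identifier for the validating device
	const otherDevice = "device-BBBB" // constructed identifier for some other device

	genuine, _ := IssueReceipt(storeKey, Receipt{ProductID: "com.example.coins", TransactionID: "tx-1001", UniqueIdentifier: thisDevice})
	rogue, _ := IssueReceipt(rogueKey, Receipt{ProductID: "com.example.coins", TransactionID: "tx-1002", UniqueIdentifier: thisDevice})
	replay, _ := IssueReceipt(storeKey, Receipt{ProductID: "com.example.coins", TransactionID: "tx-1003", UniqueIdentifier: otherDevice})

	// Tampered: a different product under the genuine receipt's signature.
	forgedPayload, _ := json.Marshal(Receipt{ProductID: "com.example.everything", TransactionID: "tx-1001", UniqueIdentifier: thisDevice})
	tampered := SignedReceipt{Payload: forgedPayload, Signature: genuine.Signature}

	var out Outcome
	_, err = ValidateReceipt(storePub, thisDevice, genuine)
	out.GenuineAccepted = err == nil
	_, err = ValidateReceipt(storePub, thisDevice, rogue)
	out.RogueRejected = errors.Is(err, ErrBadSignature)
	_, err = ValidateReceipt(storePub, thisDevice, replay)
	out.ReplayRejected = errors.Is(err, ErrWrongDevice)
	_, err = ValidateReceipt(storePub, thisDevice, tampered)
	out.TamperedRejected = errors.Is(err, ErrBadSignature)
	return out, nil
}

func main() {
	out, err := Demo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", out)
}
```

    Note that the order of the checks matters: the signature is verified over the raw bytes before anything is parsed, so a rogue server's receipt never reaches the device comparison, and the device comparison only runs on bytes the store actually signed.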
     