Hacker Releases Tools for Bypassing Apple's In App Purchase Mechanism [Updated]

Discussion in 'MacRumors.com News Discussion' started by MacRumors, Jul 13, 2012.

  1. macrumors bot

    MacRumors

    Joined:
    Apr 12, 2001
    #1


    As noted by 9to5Mac, a Russian hacker has developed a relatively simple method to allow users to bypass Apple's In App Purchase mechanism on many iOS apps, allowing users to obtain the content for free.



    Alternate In App Purchase confirmation button seen on hacked devices
    The method, which does not require jailbreaking, involves installing a pair of certificates on the user's device and pointing the device at a custom DNS entry. Users then perform in-app purchases as usual, and the purchase traffic is automatically redirected through the hacker's server instead of Apple's.

    Aside from the obvious problem that the hack amounts to theft of content from developers, the method also poses risks to those using it: some of their own information is transmitted to the hacker's servers during the purchase process. For both of those reasons, users are strongly advised not to pursue the method.

    The hacker has already been evicted from his original host and has reportedly moved to a new one, but the site is currently down. It is unclear whether it is down simply due to high traffic or whether other steps are being taken to hinder his activities.

    Developers can prevent the hack from working with their apps by implementing validation of In App Purchase receipts, something many developers have not included in their apps.

    Update: The Next Web takes a closer look at the method developed by Alexey Borodin, which in fact cannot be prevented simply by employing receipt validation.
    Addressing the issue will ultimately require changes by Apple, which could enhance the API used for In App Purchases to provide for uniquely signed receipts that could not be duplicated on a mass basis as with Borodin's service.

    The Next Web also interviewed Borodin, who noted that he has turned over operation of the site to a third party in order to avoid trouble and will be deleting any information he obtained from running the operation. According to Borodin, over 30,000 in-app transactions were made through his service, and he netted just $6.78 in PayPal donations to help with his costs.

    Update 2: Macworld also chatted with Borodin, who noted that he can indeed see users' App Store account names and passwords, as they are transmitted in clear text as part of the In App Purchase process.
    Update 3: Apple has issued a brief statement to The Loop acknowledging that it is aware of and investigating the issue.
    Article Link: Hacker Releases Tools for Bypassing Apple's In App Purchase Mechanism [Updated]
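    As an added example (not code from the page, from Borodin's tool, or from Apple), the following shows the kind of server-side checks that make a mass-duplicated receipt worthless to a pirate even when Apple reports it as genuine: the receipt must belong to our bundle and one of our products, and each transaction id can be redeemed exactly once. It assumes the developer's own server, not the device, submits the receipt to Apple over a TLS connection it verifies itself (the device is the thing whose DNS was hijacked). The JSON field names (`status`, `bid`, `product_id`, `transaction_id`, `quantity`) are modeled on the verifyReceipt response of the time but are assumptions here; the bundle and product ids and the sample responses are constructed.

```python
"""Server-side In-App Purchase receipt checks (added example).

Models the checks a developer's own server applies to the JSON that Apple's
verifyReceipt endpoint returns, so that a canned receipt replayed to thousands
of DNS-redirected devices is rejected even if it is a genuine receipt for some
other purchase. Field names are modeled on the 2012-era verifyReceipt response
and are an assumption; all sample data below is constructed.
"""
import json

# Identity of OUR app and the products it sells (hypothetical values).
EXPECTED_BUNDLE_ID = "com.example.coinquest"
KNOWN_PRODUCTS = {"com.example.coinquest.coins100",
                  "com.example.coinquest.coins500"}


class ReceiptStore:
    """Remembers every transaction_id ever accepted so a receipt can be
    redeemed once. A real deployment backs this with a database table that
    has a UNIQUE constraint on (bundle_id, transaction_id)."""

    def __init__(self):
        self._seen = set()

    def claim(self, transaction_id):
        if transaction_id in self._seen:
            return False
        self._seen.add(transaction_id)
        return True


def validate_receipt(apple_response_json, store,
                     expected_bundle_id=EXPECTED_BUNDLE_ID,
                     known_products=KNOWN_PRODUCTS):
    """Return (ok, reason). `apple_response_json` is the body OUR server got
    back from Apple; the device's own verification result is never trusted,
    because the device's DNS is what the attacker controls."""
    try:
        resp = json.loads(apple_response_json)
    except ValueError:
        return False, "malformed response"
    if resp.get("status") != 0:
        return False, "apple rejected receipt (status %r)" % resp.get("status")
    receipt = resp.get("receipt") or {}
    for field in ("bid", "product_id", "transaction_id"):
        if not receipt.get(field):
            return False, "missing field %s" % field
    # A genuine receipt for a different app validates fine with Apple but is
    # worthless for us: the bundle id must be ours.
    if receipt["bid"] != expected_bundle_id:
        return False, "bundle id mismatch"
    if receipt["product_id"] not in known_products:
        return False, "unknown product"
    try:
        qty = int(receipt.get("quantity", 1))
    except (TypeError, ValueError):
        return False, "bad quantity"
    if qty < 1:
        return False, "bad quantity"
    # Mass duplication is what made the service work: one real receipt handed
    # to many devices. Each transaction_id is redeemable exactly once.
    if not store.claim(receipt["transaction_id"]):
        return False, "transaction already redeemed"
    return True, "%s x%d" % (receipt["product_id"], qty)


# Constructed sample responses (not real Apple data).
GENUINE = json.dumps({"status": 0, "receipt": {
    "bid": "com.example.coinquest",
    "product_id": "com.example.coinquest.coins100",
    "transaction_id": "1000000055551111", "quantity": "1"}})
OTHER_APP = json.dumps({"status": 0, "receipt": {
    "bid": "com.example.otherapp",
    "product_id": "com.example.otherapp.pro",
    "transaction_id": "1000000055552222", "quantity": "1"}})
REJECTED = json.dumps({"status": 21002})  # non-zero status: Apple said no


def demo():
    """Run the same genuine receipt twice (second one is a replay), then a
    receipt for another app, then an Apple-rejected one."""
    store = ReceiptStore()
    return [validate_receipt(GENUINE, store),
            validate_receipt(GENUINE, store),
            validate_receipt(OTHER_APP, store),
            validate_receipt(REJECTED, store)]


if __name__ == "__main__":
    for ok, reason in demo():
        print("ACCEPT" if ok else "REJECT", reason)
```

    The replay check is the one that matters against this particular service: the first redemption of a transaction id is accepted, every later copy is refused, so one captured receipt cannot unlock content on thousands of devices. Doing the Apple round trip from a server the developer controls also sidesteps the device's poisoned DNS.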
     
  2. macrumors 6502

    johnparjr

    Joined:
    May 10, 2005
    Location:
    Earth
    #2
    Yeah, free advertisement for hack sites.
     
  3. macrumors 6502

    Joined:
    May 14, 2012
    Location:
    Sydney
    #3
    Why would you report this on the front page? If it were in the forums it would have been closed instantly.
     
  4. macrumors 603

    troop231

    Joined:
    Jan 20, 2010
    #4
    This button looks scary
     
  5. macrumors 6502a

    Serelus

    Joined:
    Aug 11, 2009
    Location:
    Vm9pZA
    #5
    Wait what? Let the piracy debate begin.
     
  6. macrumors 68000

    Joined:
    Jan 28, 2009
    #6
    I agree. MacRumors ought to report this news as it is of relevance to both users of iOS and app developers, but effectively linking to the site on multiple occasions is just wrong. The lack of sensitivity in this post is astounding.
     
  7. macrumors 68020

    applesith

    Joined:
    Jun 11, 2007
    #7
    His PayPal address is @me.com. lol why use Apple's email to steal from their developers?
     
  8. macrumors 65816

    lifeinhd

    Joined:
    Mar 26, 2008
    Location:
    127.0.0.1
    #8
    I saw this on 9to5, was kind of hoping you wouldn't post it.
     
  9. macrumors member

    Joined:
    Jul 22, 2011
    Location:
    Champaign, IL
    #9
    I WANT! :eek:
     
  10. macrumors 65816

    autrefois

    Joined:
    Oct 22, 2003
    Location:
    Somewhere in the USA
    #10
    To inform people that there's a vulnerability in the App Store, it was in fact exploited, and warn people about the possible dangers of trying to use the hack. Millions of people use iOS and the App Store daily. Seems to me like more than valid reasons to report on it.
     
  11. macrumors 6502

    Joined:
    Mar 5, 2012
    #11
    yaaaay for free apps :)

    ... just curious, what makes people think that if he is stealing from apple, he is not also stealing info from your phone or mobile device?
     
  12. macrumors 603

    ChazUK

    Joined:
    Feb 3, 2008
    Location:
    Essex (UK)
    #12
    It means "cancel".

    EDIT:
    LULz at anyone who has their data stolen using this type of hack. You deserve it! :D
     


  13. macrumors member

    Joined:
    May 26, 2011
    #13
    Many games have ridiculous in-app purchases. It's ludicrous to charge tens of pounds/dollars for a few extra coins.
     
  14. macrumors 6502a

    Joined:
    Jun 25, 2008
    #14
    Thank goodness! Paying a whole $0.99 for a quality app and supporting developers and not being a dirtbag crook was just killing me!
     
  15. macrumors 65816

    Fraaaa

    Joined:
    Mar 22, 2010
    Location:
    London, UK
    #15
    Because of this:

    The method also poses risks to those using the hack, as some of their own information is transmitted to the hacker's servers during the purchasing process. For both of those reasons, users are strongly advised not to pursue the method
     
  16. macrumors 603

    troop231

    Joined:
    Jan 20, 2010
    #16
    No, really? :rolleyes: I said it "looked" scary
     
  17. macrumors 603

    ChazUK

    Joined:
    Feb 3, 2008
    Location:
    Essex (UK)
    #17
    You are scared of typography? Strange.....
     
  18. macrumors member

    Joined:
    May 26, 2011
    #18
    What about those that are £34.99, £69.99 & £99.99? I've got no problem paying a few pounds but many developers exploit the freemium model.
     
  19. macrumors 6502

    Joined:
    Sep 25, 2011
    #19
    How do I give you a downvote?

    ----------

    Right, like people don't know how to Google search... yeah, it doesn't matter. Other sites do so, why would MR post an incomplete article?
     
  20. macrumors 6502a

    coder12

    Joined:
    Jun 28, 2010
    #20
    That's the teleport button!


    Press it!
     
  21. macrumors member

    Joined:
    Feb 3, 2004
    Location:
    Providence, RI
    #21
    Nobody forces you to download. However, I do agree that when I pay for a game, I do not want in-app purchases as well. I was going to get the new Spiderman game for my son for $6.99 until I also saw that you need in-app upgrades. I'd rather pay $9.99 or more and just be done with it.
     
  22. macrumors 6502a

    george-brooks

    Joined:
    Oct 31, 2011
    Location:
    Brooklyn, NY
    #22
    I wish this wasn't so risky!
     
  23. macrumors 65816

    lifeinhd

    Joined:
    Mar 26, 2008
    Location:
    127.0.0.1
    #23
    Heh, sadly that is pretty much the case these days :rolleyes:
     
  24. macrumors 6502a

    foodog

    Joined:
    Sep 6, 2006
    Location:
    Atlanta, GA
    #24
    So don't buy them.
     
  25. macrumors regular

    Joined:
    Jun 13, 2012
    #25
    Through his logins to Game Centre to each specific game he can be traced by Apple fairly quickly.

    On Beta 3 (soon to be released), his bypass will be fixed.
     
