Someone giving a thief their username and password doesn't sound like the most intelligent individual.
 
The hole could have been reported months beforehand and Apple does nothing.

Or Apple wasn't. Think about it, this takes money from them. You think they would know about it for months, lose money for months and do nothing. No, they would have come up with a fix, demanded all apps use it etc. never with a word of why it is so important.
 
What if you built the car and it cost you $15,000. And you would gladly make a copy for anyone that is willing to pay you, say, $50.

And you are hoping you can get enough people to buy it at $50 to recoup development costs, invest in future car production and make a profit for yourself (you don't work for free you know!).

How many people are you willing to let walk away with a copy of your car for free?

edit: just because someone claims they would never have paid you in the first place would not factor in my decision making to answer that question.


this
 
I'm wondering how many of you using big words like "thieves" and "criminals" have never illegally downloaded music or a movie before.

Either all the Saints of the Internet are on this single forum, or we have a bunch of hypocrites here.
 
I'm wondering how many of you using big words like "thieves" and "criminals" have never illegally downloaded music or a movie before.

Either all the Saints of the Internet are on this single forum, or we have a bunch of hypocrites here.

You are, of course, happy to say that to the original artists of this music, right? To their faces?
 
I'm wondering how many of you using big words like "thieves" and "criminals" have never illegally downloaded music or a movie before.

Either all the Saints of the Internet are on this single forum, or we have a bunch of hypocrites here.

What's the point of this comment? It's pretty obvious that what this guy is doing is wrong. It's pretty obvious that people using a hack to get out of paying for something is basically stealing. Is it your argument that what this guy is doing is fine? Based on the fact that a lot of people take advantage of it?

And because I'm sure it will get brought up again, no, I haven't ever illegally downloaded music, a movie, or an app. There's a lot of us in this world that believe in paying for what we want instead of stealing it. If others can steal and it doesn't bother their conscience, so be it.
 
Broader Implications

It's interesting to read through some of the posts over there:
http://www.in-appstore.com/

People there are basically divided in the same way as folks in this forum, with no one talking about the real problem or long-term solution. Everyone seems to be praising piracy or condemning it, or going off-topic on things like taxes.

This is really NAPSTER all over again. In the past, people stole music like mad because there was no popular legal means to get that music in a convenient, modern way like the iTunes Music Store. Now most people in developed countries buy their music (including myself) rather than stealing it. That's true not because NAPSTER's flame was extinguished but because Apple provided a convenient and reasonably priced solution.

But with app buying, you don't always know what you're getting until you pay, and then you don't get your money back if you don't like what you paid for. Hence this Russian Developer, on some level, is to be praised as much as they are to be condemned, not unlike NAPSTER was to be praised — not for encouraging theft, but for allowing people to Try Before We Buy, and to put pressure on the app industry (i.e., Apple) to change the status quo and give app buyers Trials and give developers App Upgrades in the app store.

We can howl and cry all we want about right and wrong, but these naughty guys often do more good than bad in the end, especially if we legitimate buyers of apps keep up the pressure on Apple to enact improvements to the app buying experience:

http://www.apple.com/feedback/iphone.html
or
http://www.apple.com/feedback/ipad.html
 
It's interesting to read through some of the posts over there:
http://www.in-appstore.com/

People there are basically divided in the same way as folks in this forum, with no one talking about the real problem or long-term solution. Everyone seems to be praising piracy or condemning it, or going off-topic on things like taxes.

I actually don't see anyone in here praising piracy. Most of the debate here centers around whether news sites should or shouldn't have reported on this. But since I like where you're going, I'll let the comparison slide :)

But with app buying, you don't always know what you're getting until you pay, and then you don't get your money back if you don't like what you paid for.

I'm with you so far...

Hence this Russian Developer, on some level, is to be praised as much as they are to be condemned,

And you lost me. The problem with allowing this guy to represent your nice idea, is that he is letting you "try" in app software upgrades or new content. You already HAVE tried the app at the point where this Russian steps up to the plate.

Try before you buy Apps would be a great thing. I don't know if I've ever bought traditional desktop software without using a demo/shareware version. The exception would be computer games, but in that case I watch minutes upon minutes of in game preview video to get a good feel for if this is the kind of experience I want. iPhone apps DO have this mechanism to a degree. You can have a "free" app that has most of the content hidden away as an in App purchase. It's actually a concept that works okay if you know what's going on. The problem is that this Russian is actually ruining the only try-before-you-buy system that we DO have.
 
And no one's angry at Apple? I'm glad they got hacked, 'cause it proves that Apple did some bull-feces work on security. The hack sounds like the classic man-in-the-middle attack, which has been around for ages.

Yeah, it sucks that people steal. But if I handed my products to a retailer that didn't care to check whether customers passed by the clerk to pay for the stuff on their way out, I would sure as hell be unhappy with the re-seller. Or as in this case, customers entering the store, picking something up and showing the clerk a fake receipt.

Very unprofessional, Apple. Very. Unprofessional.
 
I think you are the only one. It's good that they post this, I mean, if it was like Windows stuff, the OS costs $350, that is a ridiculous price for something you can only use in one computer, if you use it more than 3 times in one computer you are screwed, you need to buy a new license. At this point I would go and pirate the crap out of that Windows.

In Apple's case tho, I mean for real? You are going to crack $0.99 apps? It is totally ridiculous, even the Lion upgrade which I bought 2 days ago for $29.99 that is quite an affordable price, and you get a top quality OS or apps. Customers who pay for their stuff are the ones that allow Apple to keep developing better applications and OS, come on, they don't get paid, there's poor or no development at all. Isn't that encouraging enough to go pay for the software you get?

I totally agree. I think iOS apps pricing is competitive and reasonable enough to make them apps accessible for the people and at the same time compensating the developers to keep on producing useful apps.

I wouldn't know about Windows pricing anymore though. Been using pirated stuff since I learned how to use Demonoid. :D
 
And no one's angry at Apple? I'm glad they got hacked, 'cause it proves that Apple did some bull-feces work on security.

No, it doesn't "prove" Apple did some "bull-feces" work on security. Could it be better? Of course, all security can. Is there no security at all? Not at all. The existence of a hole in security, unless we're talking about an NSA Bunker, does not prove the security is crap. The only thing it proves is that the security is not perfect.

The hack sounds like the classic man-in-the-middle attack, which has been around for ages.

Almost every form of attack has been around for ages. It's the implementation that is always tricky and different.

Yeah, it sucks that people steal. But if I handed my products to a retailer that didn't care to check whether customers passed by the clerk to pay for the stuff on their way out, I would sure as hell be unhappy with the re-seller. Or as in this case, customers entering the store, picking something up and showing the clerk a fake receipt.

Very unprofessional, Apple. Very. Unprofessional.

How many stores that check receipts could spot a fake? I'm pretty sure I could walk down to the local grocery store, grab an apple, and walk out. Security can only be so good, and usually only serves to deter thieves, not make it impossible.

Unprofessional would be if Apple did nothing. Apple is doing something, lots of things in fact, on multiple fronts. I think it would be interesting to see a running total of the current number of employees and dollars per hour that Apple is burning up to resolve this in a quick and professional manner.

You lock your home when you leave it, right? Have you installed unbreakable glass as well? You haven't? How unprofessional of you :rolleyes:
 
No, it doesn't "prove" Apple did some "bull-feces" work on security. Could it be better? Of course, all security can. Is there no security at all? Not at all. The existence of a hole in security, unless we're talking about an NSA Bunker, does not prove the security is crap. The only thing it proves is that the security is not perfect.

Well... It may not be catastrophic, but it seems to be very far from perfect.

Update 2: Macworld also chatted with Borodin, who noted that he can indeed see users' App Store account names and passwords, as they are transmitted in clear text as part of the In App Purchase process.

I mean, who does that? Who in their right minds treat secrets like that?

How many stores that check receipts could spot a fake? I'm pretty sure I could walk down to the local grocery store, grab an apple, and walk out. Security can only be so good, and usually only serves to deter thieves, not make it impossible.

Alright. My bad. But that's a problem with physical stores that shouldn't exist in this case, since e-stores really shouldn't rely on the client telling the truth without some thorough checking.
And sure, you could go down there and just steal an apple, but that scenario isn't really applicable here.

As for the rest of what you wrote, I think I will leave you without an answer. This thread is already overloaded with shaky metaphors. Metaphors work fine as a pedagogical tool to reinforce an explanation, not as arguments themselves. Of course I lock my doors. I have normal windows. I don't care about most of my stuff, but I have an insurance if anything should happen to it.

Anyways. I hope they solve it fast. Not just by stopping the info on how to steal from them, but by actually solving the security issues.
 
It's interesting to read through some of the posts over there:
http://www.in-appstore.com/

People there are basically divided in the same way as folks in this forum, with no one talking about the real problem or long-term solution. Everyone seems to be praising piracy or condemning it, or going off-topic on things like taxes.

This is really NAPSTER all over again. In the past, people stole music like mad because there was no popular legal means to get that music in a convenient, modern way like the iTunes Music Store. Now most people in developed countries buy their music (including myself) rather than stealing it. That's true not because NAPSTER's flame was extinguished but because Apple provided a convenient and reasonably priced solution.

But with app buying, you don't always know what you're getting until you pay, and then you don't get your money back if you don't like what you paid for. Hence this Russian Developer, on some level, is to be praised as much as they are to be condemned, not unlike NAPSTER was to be praised — not for encouraging theft, but for allowing people to Try Before We Buy, and to put pressure on the app industry (i.e., Apple) to change the status quo and give app buyers Trials and give developers App Upgrades in the app store.

We can howl and cry all we want about right and wrong, but these naughty guys often do more good than bad in the end, especially if we legitimate buyers of apps keep up the pressure on Apple to enact improvements to the app buying experience:

http://www.apple.com/feedback/iphone.html
or
http://www.apple.com/feedback/ipad.html

QFT.

There has to be some system for trial of an app for a period of time, both in the iOS and the Mac App Store. That's the way it's always been for software.

There are countless times when you use an app and feel you've been ripped off.

Returning a purchase is also a worldwide buyer's right in most every item sold.

Why not apps then?

I wish the Russian guy all the best, he's making a valid point. I am 100% against ripping devs off but I am 100% against getting ripped by them too.

Update 2: Macworld also chatted with Borodin, who noted that he can indeed see users' App Store account names and passwords, as they are transmitted in clear text as part of the In App Purchase process.

Wow, great, just great, another security fiasco from Apple. With all that money they have one would think they'd be more responsible with their users' data... How about starting to cough it up to buy Kaspersky or a few of these Russians that are routinely taking them to the cleaners?
 
Well... It may not be catastrophic, but it seems to be very far from perfect.

Depends on your definition of "far" :)
Users still have to hack their own phone in order to get this to work, and it only works on in-app purchases, not store purchases. Far from good, but far from perfect?

Macworld also chatted with Borodin, who noted that he can indeed see users' App Store account names and passwords, as they are transmitted in clear text as part of the In App Purchase process.

I mean, who does that? Who in their right minds treat secrets like that?

Let me continue to quote him:
According to Tabini, though, “Apple presumes it’s talking to its own server with a valid security certificate.”
Source.

Perhaps I don't understand everything, so correct me if you understand it better.
The iPhone usually creates a secure SSL connection with an Apple server, which it then uses to communicate information. The connection as a whole *IS* encrypted. The information within the encryption line is not encrypted a second time.

This is ONLY a problem if you hack your own phone, and tell your phone to create a secure connection with someone ELSE. Of course the person on the other end can see the "in the clear" information. This is not a problem for the Russian, and it's not a problem for someone that hacks their own phone and sets up their own server. This is only a problem if you hack your own phone, and then connect to someone else's shady server.

When I call my bank from my cell phone, I don't speak in code, because the call itself is encrypted. If I decide to call someone that is not my bank, I do not start talking about my financial information, because I am not an idiot. If I hack my phone to talk to a store that is not the Apple store, I would be stupid to give that store my login and password.

It's not as if you can "sniff out" this "in the clear" information just by observing the comms. You literally have to send the data to the guy. Working in software myself, I can just see how this conversation went down in the meeting room:

SE 1: "Hey guys, I think we should spend a bunch more money and time to encrypt the information inside the encrypted communication stream"

SE 2: "What's the use case? Wouldn't that only affect a user if they hacked their own phone, and directed the phone to connect to some other server?"

SE 1: "...yes".

SE 2: "Putting aside that they're hacking their own phone, is there a legitimate reason why a user would redirect store communication to a third party server?"

SE 1: "No, there is no reason for a user to do that for legitimate means"

SE 2: "And even for illegitimate reasons, why would a user connect to a server they don't trust?!"

SE 1: "You're right, there is no reason to spend money on that problem".

Apple should most definitely patch the ability for users to hack their own phones in this way. But once you start connecting to Russian hacker servers to do your internet shopping, all bets are off. Apple PR can't laugh, but I bet you there are a bunch of Apple devs laughing like me at any dope that would connect to a shady server.

Alright. My bad. But that's a problem with physical stores that shouldn't exist in this case, since e-stores really shouldn't rely on the client telling the truth without some thorough checking.

The client does thorough checking. In this case though, you have kidnapped the client (the iPhone) and are forcing it to do business with an illegal server. I have a metaphor for you...

This thread is already overloaded with shaky metaphors.

Great! Then you'll love this one!

Apple is Greyhound, the iPhone is a bus, and the App store is your local legal drug store.

Greyhound (Apple) should try and prevent the users from hijacking the bus (iPhone). That much is obvious. But, if you manage to hijack the bus, and drive down to the local crack dealer to score a hit, don't be surprised if the dealer robs you blind. And if the dealer does rob you, don't blame Greyhound because they didn't have security in place to protect you AFTER you hijacked their damn bus! :D

Stellar analogy, right? ;)
 
What about middleman attacks then? These are perfectly possible if some entity, a middleman impersonates the app store.
 
Someone giving a thief their username and password doesn't sound like the most intelligent individual.

Which is why the hack was modified so that it accepts any fake user name and password. Just type in random letters and numbers and the login accepts it and approves the in app purchase. He can no longer see Apple IDs and passwords or at least valid ones.
 
Thank God there are people like Alexey Borodin. Not because you can get non-free apps for free, but because he made everyone aware of the flaw in the In App Purchase's security. Passwords sent in plain text? :eek: Really? (Refer to a previous article.) People should be cursing Apple, and not him. :rolleyes:

I went to the guy's website about this hack to check it out and he had requested that Apple give him an iPhone 5 and then he would shut down his service and personally show them how he did it so they could improve their security. With all the money Apple has in the bank I don't see why they aren't bribing him off instead of trying to get law enforcement involved and letting this hack go on for a third day.

Heck, Apple should probably even hire him as a security tester (or whatever they're usually called). That's what lawful hackers do... they help corporations and banks to improve the security of their systems.
 
I'm curious. Going to try out this hack and report back.

I'm wondering if there is something mentally wrong with him. Apart from the moral side, if I had written this then surely I would start thinking now. Maybe not whether what I'm doing is wrong, but whether what I'm doing is getting me into serious trouble. One likely consequence of his actions is "never being able to set foot into the USA or Western Europe", but worse things might happen.

He was clever to figure it out. Maybe he wanted to share how smart he was? More likely he wanted to make a bit of money from donations I think :) Time will tell if it'll cost him. People do stupid things, take risks...especially for money.

edit: Nevermind..found a video showing it. You don't have to enter your Apple ID and password but there still are risks (some might consider them slight, others would be the opposite)
 
This shows how childish all of computing actually is..

Grown up men (Apple and hackers) chasing each other over bits and bytes.

Sigh, Richard Stallman was right all along.
It's just not right getting all legal or charging money for software.
 
This is Apple's fault for not providing a good enough authentication system for buying Apps. The piss poor DRM that iOS and MAS OS X Apps has been mentioned many times.
 
You are, of course, happy to say that to the original artists of this music, right? To their faces?
I would, and I have.

I would also tell them that this is the sole reason I started listening to that band which enabled me to pay tickets for their gigs and buy their merchandise (which is a much bigger income source for the artists, at least in metal anyway). If I hadn't downloaded their songs none of that would have happened.

----------

If you want to use this "service" and turn yourself into a criminal, that's your decision. Good enough?
Yeah someone circumventing a $0.99 in-app purchase which is an obvious money grab is a criminal. They should be hung along with child molesters.

Poor Apple, being attacked by a vicious terrorist with no morals. In fact I'm going to open a donation fund to help Apple catch this terrorist.

/sarcasm off
 
Thank God there are people like Alexey Borodin. Not because you can get non-free apps for free, but because he made everyone aware of the flaw in the In App Purchase's security. Passwords sent in plain text? :eek: Really? (Refer to a previous article.) People should be cursing Apple, and not him. :rolleyes:

I shall refer to you a previous post in this thread, and quote it in part:

The iPhone usually creates a secure SSL connection with an Apple server, which it then uses to communicate information. The connection as a whole *IS* encrypted. The information within the encryption line is not encrypted a second time.

This is ONLY a problem [if] you hack your own phone, and tell your phone to create a secure connection with someone ELSE. Of course the person on the other end can see the "in the clear" information. This is not a problem for the Russian, and it's not a problem for someone that hacks their own phone and sets up their own server. This is only a problem if you hack your own phone, and then connect to someone else's shady server.

When I call my bank from my cell phone, I don't speak in code, because the call itself is encrypted. If I decide to call someone that is not my bank, I do not start talking about my financial information, because I am not an idiot. If I hack my phone to talk to a store that is not the Apple store, I would be stupid to give that store my login and password.

It's not as if you can "sniff out" this "in the clear" information just by observing the comms. You literally have to send the data to the guy.

Given that, why should Apple spend resources to doubly encrypt information, when the only (afaik) way for this to be a problem is if you hack your own phone, tell it to connect to an illegal server, and then voluntarily send them your login and password?!

Heck, Apple should probably even hire him as a security tester (or whatever they're usually called). That's what lawful hackers do... they help corporations and banks to improve the security of their systems.

That's what lawful hackers do... he has not shown himself to be a lawful hacker yet, has he?

This is Apple's fault for not providing a good enough authentication system for buying Apps. The piss poor DRM that iOS and MAS OS X Apps has been mentioned many times.

The authentication system for buying Apps has not been broken. As far as anyone knows, it is still rock solid. One of the two ways of doing in app purchases has been broken, but it takes physical access to one's own phone. This security hole only directly affects Apple and iPhone dev's pocket book, not the end user.
 