Apple Now Including Unique Identifiers for In App Purchase Receipts to Combat Hack

Discussion in ' News Discussion' started by MacRumors, Jul 18, 2012.

  1. MacRumors macrumors bot


    Apr 12, 2001


    Following last week's launch of a hack that allowed users to obtain In App Purchase content free of charge by routing their purchase requests through a server run by a Russian hacker, Apple began taking steps to thwart the method. The hacker has, however, continued to develop his method to skirt around Apple's roadblocks.

    One of the suggestions for a method by which Apple could improve the security of In App Purchasing was to include a unique identifier in validation receipts, and we've received word that developers are now seeing something along those lines coming from receipts issued by Apple since late yesterday. The receipts carry a new field called "unique_identifer" that appears to include the Unique Device Identifier (UDID) for the device making the In App Purchase.

    As one developer noted to us, apps are no longer supposed to be collecting the UDID and thus it is unclear whether Apple's use of the identifier for this purpose is simply a first step toward a broader implementation of unique receipt identifiers for increased security or if Apple is attempting to identify those users and devices who are sharing their receipts with the Russian hacker to allow the method to function.

    Article Link: Apple Now Including Unique Identifiers for In App Purchase Receipts to Combat Hack
  2. Rudy69 macrumors 6502a


    Mar 30, 2009
    They might allow developers to use it to check if the purchase is valid. There's a huge difference between that and developers using it to track users and possibly logging these IDs on their own servers
  3. Nabby macrumors regular

    Jul 10, 2008
    Mulitple devices/replacement devices

    How will this impact those of us that have an iPad and an iPhone? Will we be required to pay for the app 1 time, but the in-app stuff twice?? :confused::confused::confused:
  4. RocketRed macrumors 6502a

    Jan 25, 2012
    i could see this as being extremely useful if you have problems downloading the app (legitimately, of course.)
  5. BC2009 macrumors 68000


    Jul 1, 2009
    Not if they do it right. They can record the purchase with your account so a "restore purchases" event would trigger that your other devices get their own authorization to run the app. If done right it should create a serious hurdle for the hack.

    I'd like to know if they have fixed the sending of the credentials in clear text. I am not sure if there was really a vulnerability here since the overall communication is encrypted according to the installed certificates on the device, but the hacker seemed surprised or disappointed that faking the certs gave him access to the credentials of any user exploiting his hack. I'm not sure if another layer of encryption would make sense here (i.e.: using a public key from Apple with Apple being the only holder of the private key -- then again, that public key would still have to be stored among the device certificates so I am not really seeing any additional layer of protection -- I am seeing that as being a good way to use the hack without exposing your credentials to the hacker's server).
  6. Baklava macrumors 6502a


    Feb 1, 2010
  7. gnasher729 macrumors P6


    Nov 25, 2005
    It's encrypted. Nobody except the intended recipient can read it. If someone out of greed and in order to cheat developers out of their earnings redirects traffic from the Apple Store to some russian hacker, that's not a vulnerability, that is stupidity. And obviously Apple has no reason to help people cheating safely.
  8. Thunderhawks macrumors 68040

    Feb 17, 2009
    I wish Apple would send them a nice good virus. Same to the hacker.
  9. roland.g macrumors 603


    Apr 11, 2005
    One mile up and soaring
    Maybe a UK judge can require the hacker to include the text "this receipt is a copy of a legitimate and cool receipt" for the next 6 months on all receipts and on his website.
  10. Uncle Ruckus macrumors newbie

    Uncle Ruckus

    Jul 15, 2012
    I don think this will change anything.

    Uncle Ruckus no relations
  11. madmin macrumors member

    Jun 14, 2012
    check mate

    This hacker sounds pretty smart, perhaps smart enough to keep an eye on Macrumors to find out the latest moves from Apple and stay one step ahead of the game...
  12. Mjmar macrumors 65816

    May 20, 2008
    It's a shame that Apple even needs to do this. The world we live in today...
  13. iSee macrumors 68040


    Oct 25, 2004
    I thought we won the cold war! But now Russia is crushing our corrupt capitalist country, just like they said they would!!! ;)
  14. Swift macrumors 65816


    Feb 18, 2003
    Los Angeles
    I think this is encrypted

    What I'm sure the unique identifier with be used for is validating a certificate. No one will actually see the number, I'll bet. It's hashed multiple times to make your private id. The public id, the hashed and encrypted bundle, will also validate the certificate. Thus every purchase is through the certificate belonging to that app. The developer can offer a deal and the known customer can make a purchase through Apple.

    If I know your private, unique identifier somehow, then I'd still have to get past some tough encryption to make out the token.

    It's part of a paradox of privacy. The only way to be private is to show yourself to someone trusted. Although here, if your iPhone does the initial hash before it sends this field to Apple, it's still safe, especially since all purchases are through SSL.
  15. daxomni macrumors 6502

    Jun 24, 2009
    Yes. The world we live in today is almost unbearable. All these wars of opportunity complete with extrajudicial killings funded by casino capitalism. While a naive self-absorbed population frets endlessly about... pirated software? What a shame indeed.
  16. SpyderBite macrumors 65816


    Oct 4, 2011
    Yah. Cause a fan site would be the most current source for a hacker to keep on top of source code. :rolleyes:
  17. Allenbf macrumors 6502

    Jul 7, 2012
    Elsewhere, USA
    Pretty sure this was sarcasm...
  18. Mad-B-One macrumors 6502a


    Jun 24, 2011
    Southern Plains
    That happened to me already - because the old system had sometimes setups where this wasn't tracked. In my opinion, in-App-purchases should be handled the same way App purchases are. Put it on the "purchased" list in the App store.
  19. daxomni macrumors 6502

    Jun 24, 2009
    Agreed. I've never understood why this wasn't the case from day one.
  20. Mad-B-One macrumors 6502a


    Jun 24, 2011
    Southern Plains
    I understand it but don't agree with it: More potential revenue. Well, that didn't work out that well, did it? Ultimately, it caused the vulnerability. :cool:
  21. SAIRUS macrumors 6502a

    Aug 21, 2008
    As a developer, and one who is just starting to get into paid apps, I wish there were things Apple could implement to allow better control of piracy. I'm worried that my $50 app* would get pirated, or even my $0.99 ones. Setting up push servers is one thing (and expensive), but validation servers would be a pain as well.

    * It's a medical database thing, thus sadly it's expensive, hopefully it'll have sales.
  22. doobybiggs macrumors 6502


    Mar 5, 2012
    if apple is using it to follow the users getting the free apps along with the hacker ... what is apple going to do? Cancel their account or make them pay for the apps?
  23. JHankwitz macrumors 68000

    Oct 31, 2005
    Perhaps it's to know who got ripped off so that Apple can provide it for free or register the purchase on their servers.
  24. gkpm macrumors 6502


    Jul 15, 2010
    The Next Web are reporting this is NOT the same as the UDID:


    If you can't run your validation server, check out these guys who seem to do it for free:
  25. tarrant macrumors newbie

    Apr 16, 2009
    Signatures ...

    It seems that this would be very easy for Apple to fix with an iOS update, but of course that doesn't help with existing customers. Just sign the receipts with an App Store certificate, and then ensure that the receipts are signed.

    But it also seems strange that Apple didn't do this in the first place.

Share This Page