Apple Now Including Unique Identifiers for In App Purchase Receipts to Combat Hack

[gnasher729]

This hacker sounds pretty smart, perhaps smart enough to keep an eye on Macrumors to find out the latest moves from Apple and stay one step ahead of the game...

Smart? Socially maladjusted, and not a bit of sense. Guess how much money his smartness has made him so far. He could have got himself a proper job, and he would have made more in the time it takes walking to the coffee machine and back.

 

[mikelove]

The Next Web are reporting this is NOT the same as the UDID:

http://thenextweb.com/2012/07/18/ap...pts-not-udid-may-be-related-to-recent-breach/

Our iPhone app hasn't been updated since Apple's UDID ban came into effect and still collects UDIDs, and the unique_identifier in our receipts matches the UDID perfectly in every purchase we've gotten since they started including unique_identifier - I'm not sure where TNW got their information but for us at least the IDs do match.

 

[ranReloaded]

Tying a device UDID to a purchase is not the solution (some people have more than one device, move to a new device and resell, etc.).

What Apple should provide developers is some sort of 'Account ID', that is unique to each AppleID/iTunes Account, but anonymous (i.e., impossible to figure out the actual AppleID/e-mail address of the user from this proposed ID)

----------

As a developer, and one who is just starting to get into paid apps, I wish there were things Apple could implement to allow better control of piracy. I'm worried that my $50 app* would get pirated, or even my $0.99 ones. Setting up push servers is one thing (and expensive), but validation servers would be a pain as well.

* It's a medical database thing, thus sadly it's expensive, hopefully it'll have sales.

Hey, it's not such a big deal. I'm a total php/sysadmin noob and yet got it running relatively quick. I believe I nailed it quite robustly, too.

There is lots of sample code. The hard part is perhaps getting a hosting service with performance suiting your live needs (reliability, bandwith) without being a rip-off, and setting up SSL certificates.

 

[madmin]

Smart? Socially maladjusted, and not a bit of sense. Guess how much money his smartness has made him so far. He could have got himself a proper job, and he would have made more in the time it takes walking to the coffee machine and back.

I wasn't saying he's wise, simply wondering if it's a good idea to announce these counter measures on a well read website.

Who knows what job opportunities are available where he lives, somewhere in Russia presumably. Perhaps he's too young to work or has some other handicap preventing him from honest employment. Whatever, I agree he shouldn't be doing this, but all this attention probably isn't helping matters IMO.

 

[BC2009]

It's encrypted. Nobody except the intended recipient can read it. If someone out of greed and in order to cheat developers out of their earnings redirects traffic from the Apple Store to some russian hacker, that's not a vulnerability, that is stupidity. And obviously Apple has no reason to help people cheating safely.

That's what I was trying to say. It's only clear text for the hacker who hosts the servers because he has forced false certificates onto the device and therefore has the power to decrypt whatever the iPhone is encrypting.

 

[blow45]

So let me get this right...

Apple has enough money in the bank to take the whole of Europe out of the financial crises, buy a few countries up, send a few tens of expeditions in outer space, end poverty for a considerable part of Africa, etc. etc.

Ok.

Now, recently, they are being repeatedly taken to the cleaners by hackers. And then, if we are lucky enough, they react to that. Be it with 500,000 users data stolen or with less damage. Of course most security issues that are reported but not widely reported and don't constitute an immediate pr threat are simply put under the rug.

Recently, I read they asked kaspersky for advice....


Now, my question is, seeing as they could buy every kasperky in the solar system, and quite a few of them in inhabited planets in the galaxy....


Why the heck aren't they doing it?

When are they going to start being proactive?

When are they going to start justifying their 50% margins in an industry that right now operates with razor thin margins?

 

[fahlman]

Yes. The world we live in today is almost unbearable. All these wars of opportunity complete with extrajudicial killings funded by casino capitalism. While a naive self-absorbed population frets endlessly about... pirated software? What a shame indeed.

Because sometimes stealing is okay...as long as it's from a greedy American. Oh, that's right there are iOS developers all over the world who use their time away from their family and friends to create apps and expect to be compensated for that time so they can feed their families. Do you get paid for the job function you perform? Thought so, unless you're an unemployed leech.

 

[gkpm]

Our iPhone app hasn't been updated since Apple's UDID ban came into effect and still collects UDIDs, and the unique_identifier in our receipts matches the UDID perfectly in every purchase we've gotten since they started including unique_identifier - I'm not sure where TNW got their information but for us at least the IDs do match.

The Next Web has an update:

The source who contacted Macrumors also got in touch with us. They say that a UDID is definitely showing in that slot for them, but they also have not updated their app to remove references to the UDID, something that Apple has been recommending for some time. Developers that have been submitting app updates recently have found the apps being rejected for using the identifying string. This new use of an identifier may be Apple implementing its recommended UUID standard for new devices while still allowing apps running on older versions of the OS to use a UDID.

 

[Mjmar]

Yes. The world we live in today is almost unbearable. All these wars of opportunity complete with extrajudicial killings funded by casino capitalism. While a naive self-absorbed population frets endlessly about... pirated software? What a shame indeed.

There's a difference between fretting and having a conversation. 🙄

 

[gnasher729]

Now, recently, they are being repeatedly taken to the cleaners by hackers. And then, if we are lucky enough, they react to that. Be it with 500,000 users data stolen or with less damage.

Excuse me...

But where did you find that data of 500,000 users was stolen from Apple?

Tying a device UDID to a purchase is not the solution (some people have more than one device, move to a new device and resell, etc.).

Chances are very good that the author of the article is just confused and mistook a UUID (unique universal identifier) for a UDID (unique device identifier).

 

[faroZ06]

How will this impact those of us that have an iPad and an iPhone? Will we be required to pay for the app 1 time, but the in-app stuff twice?? 😕😕😕

All of your FarmPointz or whatever will suddenly stop being genuine 😱

----------

So let me get this right...

Apple has enough money in the bank to take the whole of Europe out of the financial crises, buy a few countries up, send a few tens of expeditions in outer space, end poverty for a considerable part of Africa, etc. etc.

Once I read this sentence, I knew what this was going to be about. "Apple should spread the wealth!" or something.

They've already justified their setup by becoming the largest company in the world after being almost bankrupt.

----------

Smart? Socially maladjusted, and not a bit of sense. Guess how much money his smartness has made him so far. He could have got himself a proper job, and he would have made more in the time it takes walking to the coffee machine and back.

Yeah, hackers = losers. I got the IP of a guy who hacked some Yahoo! accounts, and... oops, entering the "ban" zone.

Also, am I the only one who finds it odd that hackforums.net is not constantly attacked? I can't believe a site like that is allowed to exist, but I guess it's "freedom of expression".

 

[visor]

just identify the person we're dealing with

I don't understand why Apple does not give out the id's of the person buying a product from me. After all - Apple is just a 3rd party in the deal, right? Why should one of the actors not know who the other one is? It's not share holders dealing here.

 

[blow45]

Excuse me...

But where did you find that data of 500,000 users was stolen from Apple?

not from apple, from apple users, flashback trojan, get your facts straight. 🙂

 

[gjwfoasfsaevg]

Apple just needs to update iOS to make sure that the connection to the apple server was signed with the correct certificate, problem solved.

 

[gnasher729]

not from apple, from apple users, flashback trojan, get your facts straight. 🙂

Get your facts straight. Flashback trojan didn't steal anything from any Mac users. And it wasn't very good at stealing from anyone else either.

And let me just see if I got this right: You make a post that clearly claims that Apple is taken to the cleaners with 500,000 users' data stolen. That means that these users' data was stolen from Apple, since you said _Apple_ was taken to the cleaners, not the users. I ask for proof. You then turn around, change your story to "data stolen from users", and you tell me to get my facts straight when you can't even stick to the same story for five minutes?

I don't understand why Apple does not give out the id's of the person buying a product from me. After all - Apple is just a 3rd party in the deal, right? Why should one of the actors not know who the other one is? It's not share holders dealing here.

If you think you need to know my AppleID before you are willing to sell to me, then you can keep whatever you are selling.

 

[blow45]

Get your facts straight. Flashback trojan didn't steal anything from any Mac users. And it wasn't very good at stealing from anyone else either.

And let me just see if I got this right: You make a post that clearly claims that Apple is taken to the cleaners with 500,000 users' data stolen. That means that these users' data was stolen from Apple, since you said _Apple_ was taken to the cleaners, not the users. I ask for proof. You then turn around, change your story to "data stolen from users", and you tell me to get my facts straight when you can't even stick to the same story for five minutes?

If you think you need to know my AppleID before you are willing to sell to me, then you can keep whatever you are selling.

Oh, yeah, it didn't steal anything? Why? Cause you 've personally checked all of the at least 600,000 infected macs? Or cause you say so as an apple apologist and we have to take your word for it?

http://mashable.com/2012/04/11/mac-flashback-trojan-effects/

No, when I say apple is taken to the cleaners, I mean their os is taken to the cleaners via malware and that results to user's data being compromised. Perfectly clear, and perfectly simple. If you can't get your facts straight at least don't misconstrue what others are saying.

 

[orthorim]

No, when I say apple is taken to the cleaners, I mean their os is taken to the cleaners via malware...

Taken to the cleaners - I don't think it means what you think it means, somehow.

Flashback didn't really do much and it's now dead. I am sure we'll see more exploits and more malware but so far nobody was taken to the cleaners. By and large Flashback required users to download the malware and enter their admin password.... what's horrific is that Adobe's official Flash updater works in the exact same way, but that will hopefully come to an end with sandboxing in Mountain Lion. Why you'd write your software to work exactly like a piece of malware is beyond me... but that's Adobe for you 😕

Back on topic not sure I am too happy about this - I don't really understand enough about it but I do wonder why the UDID is necessary, I sure hope Apple doesn't go all Nazi and starts tracking UDIDs. A class action lawsuit is going to come anyways but if they did collect data it would have merit, too.

The way to prevent a man in the middle attack is by using cryptography. This is what any kind of public key system and even HTTPS is designed for. It should be possible for Apple to implement in app purchases in a way that the phone can be sure it's actually talking to Apple servers?!

 

[ERIC273]

Also, am I the only one who finds it odd that hackforums.net is not constantly attacked? I can't believe a site like that is allowed to exist, but I guess it's "freedom of expression".

No. HF is a grey hat website, we help people, more than we hurt people, and we're a NO FRAUD forum. We pay our taxes, we're a US REGISTERED BUSINESS. Believe me, we would not risk our 400,000 active member database.

PM me for forums that exist, that include credit card fraud that shouldn't.
ALSO, we get DDoSed all the ****ing time.

 

[faroZ06]

No. HF is a grey hat website, we help people, more than we hurt people, and we're a NO FRAUD forum. We pay our taxes, we're a US REGISTERED BUSINESS. Believe me, we would not risk our 400,000 active member database.

PM me for forums that exist, that include credit card fraud that shouldn't.
ALSO, we get DDoSed all the ****ing time.

Sorry, I'm going to have to call BS on that. Well, I guess you do help people hurt other people:

If that site has been DDOS'd, that's good to hear. And it looks like some good hackers are hacking the bad hackers: http://seclists.org/fulldisclosure/2009/Jul/164. But since you're paying taxes, I'm sorry that I can't give a little tax money to the US since I don't see any ads.

If anyone cares to see more:

Well at least they closed down the "manipulation" section.

 

[ERIC273]

Sorry, I'm going to have to call BS on that. Well, I guess you do help people hurt other people:

Image

If that site has been DDOS'd, that's good to hear. And it looks like some good hackers are hacking the bad hackers: http://seclists.org/fulldisclosure/2009/Jul/164. But since you're paying taxes, I'm sorry that I can't give a little tax money to the US since I don't see any ads.

If anyone cares to see more:

Image

Well at least they closed down the "manipulation" section.

All of those sections are for information purposes. The Manipulation section is closed because people were committing fraud, we're a no fraud forum.
I understand we have some risqué sections, but believe me, the good outweighs the bad.

If you look through our entire site you won't find one infected link.

We pay A LOT of taxes, we receive hundreds of dollars of donations daily.
An official group costs 4,000 cash, and we have at least 1 new group monthly.

We were even once BlackListed my Malware Bytes.


Look at the owners success "Omniscient" or Jesse Labrocca (Owner of HackForums)
http://forums.malwarebytes.org//index.php?showtopic=36808

We ended up getting nasty legally, all 300,000 members of HF got free pro memberships to malware bytes.

We're not the bad guys.

Check out

alboraaq.com

 

[faroZ06]

All of those sections are for information purposes. The Manipulation section is closed because people were committing fraud, we're a no fraud forum.
I understand we have some risqué sections, but believe me, the good outweighs the bad.
Image

If you look through our entire site you won't find one infected link.

We pay A LOT of taxes, we receive hundreds of dollars of donations daily.
An official group costs 4,000 cash, and we have at least 1 new group monthly.

We were even once BlackListed my Malware Bytes.


Look at the owners success "Omniscient" or Jesse Labrocca (Owner of HackForums)
http://forums.malwarebytes.org//index.php?showtopic=36808

We ended up getting nasty legally, all 300,000 members of HF got free pro memberships to malware bytes.

We're not the bad guys.

Check out

alboraaq.com

So you're claiming that this site is completely good-natured with so many sections dedicated to exploiting servers? I understand that there are good sections and that the site itself is not dangerous, but it harbors malicious hackers in its forums and has sections for tutorials on how to hack servers. That's unacceptable.

 

[ERIC273]

So you're claiming that this site is completely good-natured with so many sections dedicated to exploiting servers? I understand that there are good sections and that the site itself is not dangerous, but it harbors malicious hackers in its forums and has sections for tutorials on how to hack servers. That's unacceptable.

Again, we teach, 99% of the people whom claim to have defaced an website leave messages like secure your server. We're not the target for a reason, the government would prefer a forum our size hosted on short, that they have to reason to seize, over all the carding forums which are close to our size, hosted offshore. Our forum contains more people who kiss the admins ass for 24x24 pixel awards, than actual hackers.

----------

So you're claiming that this site is completely good-natured with so many sections dedicated to exploiting servers? I understand that there are good sections and that the site itself is not dangerous, but it harbors malicious hackers in its forums and has sections for tutorials on how to hack servers. That's unacceptable.

Though we're not 100% goodnatured, we're not illegal, what the members do is not our problem, as long as they don't do anything fraud relating, claiming to, or showing how to access a server is not illegal, and purely informational.

99% of website that are breached, are just to show the owners to secure their ****.