Become a MacRumors Supporter for $25/year with no ads, private forums, and more!

Hacker Releases Tools for Bypassing Apple's In App Purchase Mechanism [Updated]

MacRumors

macrumors bot
Original poster
Apr 12, 2001
50,473
11,861



As noted by 9to5Mac, a Russian hacker has developed a relatively simple method to allow users to bypass Apple's In App Purchase mechanism on many iOS apps, allowing users to obtain the content for free.




Alternate In App Purchase confirmation button seen on hacked devices
The method, which does not require jailbreaking, involves installing a pair of certificates on the user's device and then using a custom DNS entry. Users can then perform in-app purchases as usual and automatically be redirected through the hacked system.

Aside from the obvious impact that the hack involves theft of content from developers, the method also poses risks to those using the hack, as some of their own information is transmitted to the hacker's servers during the purchasing process. For both of those reasons, users are strongly advised not to pursue the method.

The hacker has already been evicted from his original host and had reportedly moved to a new one, but the site is currently down. It is unclear whether it is down simply due to high traffic or if other steps are being taken to hinder his activities.

Developers can prevent the hack from working with their apps by implementing validation of In App Purchase receipts, something many developers have not included in their apps.

Update: The Next Web takes a closer look at the method developed by Alexey Borodin, which actually can not be prevented simply by employing receipt validation.
All Borodin's service needs is a single donated receipt, which it can then use to authenticate anyone's purchase requests. Many of those receipts have been donated by Borodin himself, who has spent several hundred dollars on in-app purchases testing and generating receipts. [...]

Because the bypass emulates the receipt verification server on the App Store, the app treats it as an official communication, period.
Addressing the issue will ultimately require changes by Apple, which could enhance the API used for In App Purchases to provide for uniquely signed receipts that could not be duplicated on a mass basis as with Borodin's service.

The Next Web also interviewed Borodin, who noted that he has turned over operation of the site to a third party in order to avoid trouble and will be deleting any information he obtained from running the operation. According to Borodin, over 30,000 in-app transactions were made through his service, and he netted just $6.78 in PayPal donations to help with his costs.

Update 2: Macworld also chatted with Borodin, who noted that he can indeed see users' App Store account names and passwords, as they are transmitted in clear text as part of the In App Purchase process.
"I can see the Apple ID and password," for accounts that try the hack, Borodin told Macworld. "But not the credit card information." Borodin said that he was "shocked" that passwords were passed in plain text and not encrypted.

According to [developer Marco] Tabini, though, "Apple presumes it's talking to its own server with a valid security certificate." But that was clearly a mistake--"This is entirely Apple's fault," Tabini added.
Update 3: Apple has issued a brief statement to The Loop acknowledging that it is aware of and investigating the issue.
"The security of the App Store is incredibly important to us and the developer community, Natalie Harrison, told The Loop. "We take reports of fraudulent activity very seriously and we are investigating."

Article Link: Hacker Releases Tools for Bypassing Apple's In App Purchase Mechanism [Updated]
 

-Ryan-

macrumors 68000
Jan 28, 2009
1,583
124
Yeah free advertisement for hack sites
I agree. Macrumors ought to report this news as it is of relevance to both users of iOS and app developers, but effectively linking to the site on multiple ocassions is just wrong. The lack of sensitivity in this post is astounding.
 

autrefois

macrumors 65816
Oct 22, 2003
1,388
1,118
Somewhere in the USA
Why would you report this on the front page? If it were in the forums it would have been closed instantly.

To inform people that there's a vulnerability in the App Store, it was in fact exploited, and warn people about the possible dangers of trying to use the hack. Millions of people use iOS and the App Store daily. Seems to me like more than valid reasons to report on it.
 

doobybiggs

macrumors 6502a
Mar 5, 2012
540
18
yaaaay for free apps :)

... just curious, what makes people think that if he is stealing from apple, he is not also stealing info from your phone or mobile device?
 

ChazUK

macrumors 603
Feb 3, 2008
5,390
24
Essex (UK)
This button looks scary Image

It means "cancel".

EDIT:
Aside from the obvious impact that the hack involves theft of content from developers, the method also poses risks to those using the hack, as some of their own information is transmitted to the hacker's servers during the purchasing process.

LULz at anyone who has their data stolen using this type of hack. You deserve it! :D
 

Attachments

  • Screenshot_2012-07-13-15-18-57.png
    Screenshot_2012-07-13-15-18-57.png
    75.7 KB · Views: 266

jordanhuxley

macrumors member
May 26, 2011
37
0
Many games have ridiculous in app purchases. Its ludicrous to charge tens of pounds/dollars for a few extra coins.
 

HarryKeogh

macrumors 6502a
Jun 25, 2008
594
747
Thank goodness! Paying a whole $0.99 for a quality app and supporting developers and not being a dirtbag crook was just killing me!
 

Fraaaa

macrumors 65816
Mar 22, 2010
1,081
0
London, UK
Why would you report this on the front page? If it were in the forums it would have been closed instantly.

Because of this:

The method also poses risks to those using the hack, as some of their own information is transmitted to the hacker's servers during the purchasing process. For both of those reasons, users are strongly advised not to pursue the method
 

jordanhuxley

macrumors member
May 26, 2011
37
0
Thank goodness! Paying a whole $0.99 for a quality app and supporting developers and not being a dirtbag crook was just killing me!

What about those that are £34.99, £69.99 & £99.99? I've got no problem paying a few pounds but many developers exploit the freemium model.
 

hakuna-matata

macrumors 6502
Sep 25, 2011
260
2
Why would you report this on the front page? If it were in the forums it would have been closed instantly.

how do i give you a downvote?

----------

I agree. Macrumors ought to report this news as it is of relevance to both users of iOS and app developers, but effectively linking to the site on multiple ocassions is just wrong. The lack of sensitivity in this post is astounding.

right, like people don't know how to google search..yeah, it doesn't matter. other sites do so, why would MR post an incomplete article?
 

jazzkids

macrumors member
Feb 3, 2004
79
0
Providence, RI
Many games have ridiculous in app purchases. Its ludicrous to charge tens of pounds/dollars for a few extra coins.

Nobody forces you to download. However, I do agree that when I pay for a game, I do not want in-app's as well. Was going to get the new Spiderman game for my son for $6.99 till I also see that you need in-app upgrades. I'd rather pay $9.99 or more and just be done with it.
 

lifeinhd

macrumors 65816
Mar 26, 2008
1,398
19
127.0.0.1
um, MacRumors takes everything 9to5 posts...and re-posts it on their site. i actually think MR just keeps hitting refresh on their web browsers all day long, watching 9to5, and when a new story gets posted there, they immediately repost here. :rolleyes:

Heh, sadly that is pretty much the case these days :rolleyes:
 

UmbraDiaboli

macrumors regular
Jun 13, 2012
100
0
Through his logins to Game Centre to each specific game he can be traced by Apple fairly quickly.

On Beta 3 (soon to be released), his bypass will be fixed.
 
Register on MacRumors! This sidebar will go away, and you'll see fewer ads.