I purposely did not link directly to the site or to the specific installation instructions, although it's obviously easy to get there...when the site is working. And the service is currently down.

The post had already been picked up by Techmeme, and it's going to get wide coverage no matter what. Bringing visibility to the dangers is a good thing in my view.
 
Nobody forces you to download. However, I do agree that when I pay for a game, I do not want in-app's as well. Was going to get the new Spiderman game for my son for $6.99 till I also see that you need in-app upgrades. I'd rather pay $9.99 or more and just be done with it.

I agree. I'll pay for a quality game. But I'm not paying for the app, then paying for more.
 
Thanks MacRumors for posting this on your front page. This is a significant news story and warrants that people who use iOS devices are made aware. Surprising that a few people think that this story should be hidden somewhere.
 
As a developer, I have to say I'm glad MacRumors has reported this. It's just a final nail in the coffin for IAP, I say.

1 - It generates almost no money (in my experience, anyways.)
2 - It's painfully difficult to implement and test and verify.
And now,
3 - It's hackable.

I had actually been considering making a game guide available as an IAP, but now that I see it's hackable, I'm reconsidering. Maybe I'll make it an iBook instead and advertise it in my game, the same as I'd planned on advertising the IAP?
 
Actually you are stealing ~70 cents from the dev and ~30 cents from Apple on a 99 cent app.

As someone mentioned above, I wouldn't trust any "app" that steals from Apple. A few dollars isn't worth losing all of my information. I'm sure most of you have emails, banking apps, shoot - credit card info on your Apple account.

Not worth it at all. Plus stealing is baaaadd. :apple:
 
I wonder why people who want to do this don't just jailbreak and live 'off grid'?

As for posting it, I think by raising it, it makes people aware and if they are stupid enough to pass their account and CC details onto a hacker, then fine. On the plus side it also makes damn sure that Apple get off their asses and plug the hole.
 
So a Russian hacker who obviously has no problems with theft is offering to help me steal too, and all I have to do is send their site my own account data?

What could possibly go wrong?
 
Nobody forces you to download. However, I do agree that when I pay for a game, I do not want in-app's as well. Was going to get the new Spiderman game for my son for $6.99 till I also see that you need in-app upgrades. I'd rather pay $9.99 or more and just be done with it.

10$ or more to play a game on fricking 3-4" screen in this economy..people are out of their mind!! never.
 
yaaaay for free apps :)

... just curious, what makes people think that if he is stealing from Apple, he is not also stealing info from your phone or mobile device?

The App Store is a virtual storefront. Apple takes a 30% cut from all apps or in-store app purchases sold.

This is no different from someone walking into a Best Buy and stealing an expansion pack for The Sims and justifying it because they already bought the original Sims software. You're stealing from Best Buy and the developer.

Unfortunately, because you can easily steal from the comfort of your own home and there isn't anyone policing it, people think it's okay :rolleyes:
 
No, really? :rolleyes: I said it "looked" scary

You must be American. Everything non-English is scary, I know. :rolleyes: Don't worry. You can put the 38 Special down again. It didn't come with a turban like all these scary Al Kaida Hidus. :D

Just kidding. But really, how can foreign language look scary? Scared of the unknown?
 
This looks like an irresistible carrot, designed to get greedy, unscrupulous people to bite at the stolen content without thinking about what this could do in terms of allowing account numbers and passwords to be grabbed in the process. Anyone who installs this and then has his/her bank account drained need not look to me for sympathy. Oh yeah, and I'm tired of paying for all of the shoplifters in this world and that's just what this is.
 
His PayPal address is @me.com. lol why use Apple's email to steal from their developers?

Closure of me.com account in 3, 2, 1.... disabling of PayPal account in 3, 2, 1... as clever as the guy was to get around the in app purchasing security, he didn't think this through very well :D

Kind of baffling Apple would allow this kind of hack... don't apps use HTTPS to talk to Apple servers? Even if you DNS spoof the address - and this is obviously always possible, if not on the device then in your local router - the software should still find the certificate incorrect. That's the whole reason for the certificate system.

I have been wondering if DNS spoofing would possibly get around HTTPS certificate checks - as in what if I spoof both the receiving server, and the certificate authority server, and bless my own faulty certificates as correct from my own fake cert server.... - but I have to believe they thought of that. Haven't they?

Anyway with Apple's own ironclad security this should be an easy fix.
 
This is similar to the hack that was in Cydia last year that allowed people to use the Zynga Farmville app to buy Farmcash, as much as you wanted and not get charged for it. People had millions in Farmcash and Zynga caught on and suspended those people's accounts.
 
So don't buy them.

This.

If you don't like the model, don't buy it. You can view in-app purchases from the App Store before you buy the game.

Also, most games with this model are free. There is no risk imposed by downloading it. If you download it and see it's too tempting to buy extra coins or upgrade or whatever, delete the game. That's much easier than using this hacker method to steal, IMO.
 