Sidebar Sidebar
Become a MacRumors Supporter for $50/year with no ads, ability to filter front page stories, and private forums.

Hacker Releases Tools for Bypassing Apple's In App Purchase Mechanism [Updated]

lilo777 said:
I guess it's official now that Apple is absolutely worst company among its peers when it comes to security.
Click to expand...

www .theregister.com reported this week that some rogue Android app caused some hundred thousand Android users to involuntarily buy apps from some store in China. That's hundred thousand Android users who lost money. So come again.

-20 down vote for you, since the buttons are gone.


atzeX said:
This is totally wrong. You can ask Apple’s servers if the receipt you get is a real buy. We do it that way and have no fraud so far (In fact people try but will not get through)
Click to expand...

Just curious: Would you know if someone tried to get your in-app purchases for free? If yes, do you have any statistics?
 
People don't realize that when using a proxy server, all their traffic gets intercepted and logged.
The hacker could have used this strategy to retrieve thousands of AppStore accounts, credit card information and who knows what else.

To those who tried this, you better call your bank and change all your passwords.
 
....

hahah !! +1 i'm aware of the above .... :) fully aware.

Sweet .. :)

Neat hack.

People aren't waiting these days for IOS updates to be 'officially' been released anymore...... I wonder if Apple is aware of this. :apple:
 
My little brother made the game in the video - Highway Rider. I should beat this hacker up for trying to steal from him!
 
ArtOfWarfare said:
As a developer, I have to say I'm glad MacRumors has reported this. It's just a final nail in the coffin for IAP, I say.

1 - It generates almost no money (in my experience, anyways.)
2 - It's painfully difficult to implement and test and verify.
And now,
3 - It's hackable.

I had actually been considering making a game guide available as an IAP, but now that I see it's hackable, I'm reconsidering. Maybe I'll make it an iBook instead and advertise it in my game, the same as I'd planned on advertising the IAP?
Click to expand...

Your statements are flat-out wrong.

1. I make most of my revenue from IAPs.

2. No, you just need to get better at development.

3. It will be fixed shortly.

And for everyone else, please don't steal with this hack. It will hurt many 1 and 2-man software shops like mine. It's what I do for a living. You wouldn't want someone coming to your workplace and stealing money out of your pocket, would you?

if you feel like an IAP is priced too high, don't buy it and find an app that competes for cheaper. Simple as that.
 
NewAnger said:
Device security may be tops but speaking in terms of their own store security, it just plain sucks. I posted something in this thread on how someone I know was able to open hundreds of accounts and buy $4700 in HD downloads and in app purchases using prepaid debit cards and numerous iPhones and not pay a dime of that $4700.
Click to expand...
Did you notify the authorities of this grand theft?

----------
Eadfrith said:
...and I bet your bank account will be cleared out in a few weeks time too.
Click to expand...
If this hack can obtain your banking info from your phone Apple has a more serious problem here than we thought.
 
Devs, just use the free MKStoreKit open source code to manage all of your IAPs. It's super easy and will read receipts for you. You will not be affected by this hack.
 
If you're using this to get "full" games from trial apps, shame on you. If you're using this to get coins, donuts and smurfberries, or any other virtual currency, I say go nuts.

If you have a paid app, like I do and it requires IAP to proceed at any reasonable rate of time, again, go nuts!
 
Good thing I dont have any IAP on my apps! (not that anyone would wanna steal anything from mine lol)


I feel bad for the indie devs that have all these IAP tho. Apple has been pushing devs to go the free/IAP route.


I do think its funny what its going to do to the economies of all those with friends games lol.

----------
ethana said:
Your statements are flat-out wrong.

1. I make most of my revenue from IAPs.

2. No, you just need to get better at development.

3. It will be fixed shortly.

And for everyone else, please don't steal with this hack. It will hurt many 1 and 2-man software shops like mine. It's what I do for a living. You wouldn't want someone coming to your workplace and stealing money out of your pocket, would you?

if you feel like an IAP is priced too high, don't buy it and find an app that competes for cheaper. Simple as that.
Click to expand...

It will be really interesting to see what it does to revenue rankings. It might be a loss right now but if they are registering as real buys in the ranking systems it will be some good advertising for the apps that shoot up to the top of the revenue charts.
 
Mad-B-One said:
Just kidding. But really, how can foreign language look scary? Scared of the unknown?
Click to expand...

russian always looks like "alien" to me, reminds me of the Transformers writing ^^

it does look cool however

IPA suck, ill never spent money on more "coins" or some crap just to finish the game faster
 
I posted this on Gizmodo, but it's worth repeating.

Some fair warning to those thinking about using the recently-posted hacked iAP method:

  1. You have to enter your iTunes credentials just like a real in-App purchase. Considering you're going through a stranger's proxy, you may be giving up that information into their repository. Whether they use it for their own malicious purposes, or if they turn around and expose it, the public, hackers and Apple alike can see who used it. Your account could be blacklisted by Apple, and even worse, if you're a developer, you could end up getting kicked out of the App Store yourself.
  2. The in-App purchase itself is faked, so trying to restore a purchase on another linked device or after a reinstall of the app is not going to work. If Apple or the dev comes up with an update to the software or system, they may be able to detect faked purchases.
  3. Developers do keep track of things running on your devices by means of analytics, so if one day you have 5 Smurfberries and the next day you have 5,000,000 of them, but there's no sales to prove it for that day, well, you could be basically caught. What they can do to you at that point is up to them and/or Apple.
  4. When you change your DNS, you're routing ALL your network requests to them like a proxy. There's no telling what else you're transmitting to them, like if you happen to launch your Facebook app and it authenticates, or if your iPhone is pinging the email server for new mail, or if you've logged into your bank's app for a transaction, you're basically routing all requests through them, where they could be tunneling it through another server to the respective service, all transparently. But while it's going through that proxy, they could be logging all that information quietly for their nefarious purposes.
If NOT cheating a lot of starving, aspiring developers out of chump change they're trying to earn enough to get out of their 9-to-5 jobs, or just to maintain a living for themselves and their families, perhaps the reasons above could dissuade you as well.
 
Advertising A form of Theft...Nice.

Wow...just another form of theft. I hope Apple closes this door ASAP. Not that I dont like free stuff, but this theft of developers hard work. I really feel this is counterproductive and in the long run bad for the Apple ecosystem. These forms of theft should be left for the jailbreakers and never reported on for mainstream use.
 
bluebirddaze said:
Wow...just another form of theft. I hope Apple closes this door ASAP. Not that I dont like free stuff, but this theft of developers hard work. I really feel this is counterproductive and in the long run bad for the Apple ecosystem. These forms of theft should be left for the jailbreakers and never reported on for mainstream use.
Click to expand...

Do you think all jailbreakers are thieves? :eek:
 
madfelon said:
I just picked up BarMax NY for Ipad, cost 999.99 in store my price free!!!!! :eek:
Click to expand...

Wonderful.

You should be ashamed that you reported this, MR. You could post that the security flaw existed, you did NOT have to mention specific methods and embed a youtube of how to do it. I agree with everyone that says if this garbage was posted in the forum, it would be closed.

I just hope you remove this article instead of moving comments to a thread in the politics forum.
 
orthorim said:
Closure of me.com account in 3, 2, 1.... disabling of PayPal account in 3, 2, 1... as clever as the guy was to get around the in app purchasing security, he didn't think this through very well :D

Kind of baffling Apple would allow this kind of hack... don't apps use HTTPS to talk to Apple servers? Even if you DNS spoof the address - and this is obviously always possible, if not on the device then in your local router - the software should still find the certificate incorrect. That's the whole reason for the certificate system.

I have been wondering if DNS spoofing would possibly get around HTTPS certificate checks - as in what if I spoof both the receiving server, and the certificate authority server, and bless my own faulty certificates as correct from my own fake cert server.... - but I have to believe they thought of that. Haven't they?

Anyway with Apple's own ironclad security this should be an easy fix.
Click to expand...

Apple does use HTTPS. The two profiles that need to be installed onto a phone redirect DNS to a different server and then add a certificate so that the fake server looks real (has a valid cert, since you just installed it).

Now using HTTPS, you have a "secure" connection to a fake IAP server.

Everybody involved in designing this stuff has thought about it because it's just the way HTTPS works because it's the same process as setting up an HTTPS server in the first place. And they expect it to happen. Which is why Apple provides a way for an app to validate purchases. Unless you plan on living on the fake server for life, the app will eventually need to contact the real server do a validation check for all the purchases and decide what to do then.

If the IAP server happens to be used for another vital service, then doing this hack might break that too, further making it harder to stay on a fake server forever.

If you're an app developer and wanna grab some statistics, have a server setup that you can push reciept validation failures to and let us know the results! I'd be interested in hearing about it and I'm sure a lot of others would too.
 
Rafagon said:
Lazy Developers deserve getting shafted...
The articles states that "Developers can prevent the hack from working with their apps by implementing validation of In App Purchase receipts, something many developers have not included in their apps."

So it is the fault of developers not doing things correctly in the first place. I do not feel sorry for them at all.
Click to expand...

So with this thinking then you and your family deserve to get robbed and killed. Because you don't hire a private armed security team to watch over you day and night.

Get a clue! Get a life! And stop trying to justify yourself in being a thief!
 
Last edited:
What's interesting to me isn't so much this story. I expect we'll continue to see more and more security related news from Apple until they finally get serious about their security.

Rather, it's interesting how the majority of the posts on this forum is about whether posting this story was right or wrong. Or about the morality and potential fall out for people who used this hack.

Kinda missing the white elephant in the room there people.
 
You must log in or register to reply here.
Register on MacRumors! This sidebar will go away, and you'll see fewer ads.
Top Bottom
Back