What's interesting to me isn't so much this story. I expect we'll continue to see more and more security related news from Apple until they finally get serious about their security.

Rather, it's interesting how the majority of the posts on this forum are about whether posting this story was right or wrong. Or about the morality and potential fallout for people who used this hack.

Kinda missing the white elephant in the room there people.

Likely because not many of the posters in this thread consider this a security issue, myself included. A security issue would be the ability to download a rogue app from the App Store, or someone hijacking your iPhone by visiting a seemingly innocuous site.

This is a loophole that allows the user to bypass the need to purchase in-app upgrades/purchases. With security related issues, the user is the victim. Here, the user is the perpetrator.
 
What the hell?

How is this okay and why are news sites publicizing it?

It's theft, stealing, infringement, or unauthorized, right?

The dude that created the exploit handed off the site so he didn't go to jail? What a jerk.

----------

What about those that are £34.99, £69.99 & £99.99? I've got no problem paying a few pounds but many developers exploit the freemium model.

THEN DON'T BUY THEIR APPS.

Just because you can't afford it doesn't mean it's okay to steal.
 
Tool for bank theft!

This bypass tool will be a great path to serious financial theft. Once a user starts installing DNS certificates from foreign sites, there's bound to be a bunch of these certificates re-routing DNS for the user's bank password login page to interesting foreign countries. Steal a 99-cent in-app purchase and get your bank account emptied to Nigeria. Deserved?
 
As a developer myself, I hope this is a wake-up call to developers (specifically of games) who try to get away with ripping off users. Charging well over $20 for something as meaningless as "coins" that can only be used in the game is a joke. But I'm sure they make tons of money off kids with their parents' credit cards.

Makes me want to add ridiculous in-app purchases in my apps just to see how dumb people really are.
 
How is this okay and why are news sites publicizing it?

It's theft, stealing, infringement, or unauthorized, right?

The dude that created the exploit handed off the site so he didn't go to jail? What a jerk.

----------



THEN DON'T BUY THEIR APPS.

Just because you can't afford it doesn't mean it's okay to steal.
Exactly, this guy is publicly distributing tools for theft, and promoting them for exactly that purpose. But of course such a scumbag would be too cowardly to take responsibility for his actions. Hopefully the rest of us do take responsible action by not using these tools.

And I agree that no matter how overpriced someone thinks an in-app purchase is, using these tools to generate a receipt for something you didn't purchase is still stealing, just as much as it would be if you robbed Tiffany's and then tried to return the stolen merchandise for a refund using a forged receipt. Just because Tiffany's is overpriced doesn't give anyone the right to steal from them, and the same applies to developers with overpriced in-app purchases (which, BTW, I believe are for the most part overpriced).
 
Wait, they didn't already have this?? I normally hate piracy, but I like it if people steal FarmCoinz or whatever for those stupid games that want you to pay real money for fake points.

----------

Why does this site continue to encourage piracy?

Do news sites encourage murder when they report murders?
 
How do I give you a downvote?

----------



Right, like people don't know how to Google search... yeah, it doesn't matter. Other sites do so, why would MR post an incomplete article?

Because it would be the responsible thing to do.
 
Thanks MacRumors for posting this on your front page. This is a significant news story and warrants that people who use iOS devices are made aware. Surprising that a few people think that this story should be hidden somewhere.

It is not that significant, because as a user you are not going to use this "accidentally". It's just a free stuff scam.

As a developer, there is some interest because some people are going to take advantage of the IAP... And when these servers go down a bunch of kids are going to cry because they can't reload their stolen content from the PAID developer server.
 
thenextweb.com did an interview with the "developer" of that hack (link). The most important part of the article is this:

"[...] which he says gathers no personal information from its users, though those using the hack do transmit their Apple ID and password to the service when using it. That alone should deter any potential users."
 
IAP done right

1 - It generates almost no money (in my experience, anyways.)

Just to counter that argument, I was speaking last Friday with an inside person at Chair and they told me that over half of the revenue generated from the Infinity Blade series has come from IAP. Considering that EPIC games recently declared that the Infinity Blade series has been their most profitable to date, I'd say there is reason to believe that IAP done correctly can be quite profitable.

Just sayin'
 
If app developers have a problem with this...well, that's their problem. What? They tried to go around Apple's app system (30% thing) and charge us, the customers, the freakin' in-app for a high price even when many of us buy the full game for whatever price. So, I support this method, but hate the information being sent out.

----------

Just to counter that argument, I was speaking last Friday with an inside person at Chair and they told me that over half of the revenue generated from the Infinity Blade series has come from IAP. Considering that EPIC games recently declared that the Infinity Blade series has been their most profitable to date, I'd say there is reason to believe that IAP done correctly can be quite profitable.

Just sayin'

However, you sound like you support IAP. Others shouldn't be charged with in-app stuff when they purchased the game full price..or full game.
 
I saw this on 9to5, was kind of hoping you wouldn't post it.

Why? Because you like the idea of what's happening here?

It's good in that it's revealed a weakness in Apple's system.
It's bad because it creates a false sense of entitlement for users.

----------

I'm disgusted to read that passwords are passed through as cleartext... if that is true, Apple deserves a serious slap on the hand. Purely irresponsible. The password should be securely hashed *on the device* before sent across the wire or over the air.
 
Did you notify the authorities of this grand theft?

----------


If this hack can obtain your banking info from your phone Apple has a more serious problem here than we thought.

Apple already found out about it and chose to do nothing. This was back in October. All they did was suspend the guy's real account so he could not buy anything. He has since sold all of his Macs because they banned them also from buying from the iTunes Store. He bought new Macs and is now using the store again but honestly this time.
 
If app developers have a problem with this...well, that's their problem. What? They tried to go around Apple's app system (30% thing)

You don't know what you're talking about.

Firstly, the system used for In-App Purchases is provided by Apple (note the fact that you can view the most common in-app purchases for an app directly from the app's page on the app store. Additionally, in-app purchases factor into an app's ranking on the top grossing chart.)

Secondly, Apple charges developers 30% for any in-app purchases, as well.

Thirdly, Apple forbids developers from including links in their app that take users to pages outside the app that allow additional content. (That's why, for example, you can't sign up for a subscription to Netflix directly from Netflix's app.)

and charge us, the customers, the freakin' in-app for a high price even when many of us buy the full game for whatever price. So, I support this method, but hate the information being sent out.


iOS users spend a little over $4 each month on apps
SOURCE: http://gigaom.com/apple/how-much-did-you-spend-on-apps-this-year/

In what world is $4 the full price for a full game? Last time I checked, full games cost at least $20 if you want to buy one in a retail store. Fact of the matter is, most users don't pay a "high price" for a "full game".

To supplement that small income (and it is small. I could easily make more money at McDonald's rather than working as an independent developer. I do it because I love it. Also because I just got hired to do it for a lot more than I was making when I did it alone) developers offer In-App purchases. A few extra colors in Draw Something are by no means an essential feature. You can play the game without them. Asking for a measly... what is it, $2 for a pack of 5 colors... seems perfectly reasonable to me.

Personally, I'm planning to sell a game guide for my next game for $3, for a $7 game. I think it's perfectly reasonable... physical game guides generally cost $20 for a $50 game.
 
And most of us don't. Doesn't change the fact. If you have kids, you will soon realize that you might not be the one who wants to have Farmville cash - or whatever that is called. (I don't have Farmville.) Just for software updates, teenage kids might have the iTunes password of their parents - and of course, it is the same account because you don't want to pay for content several times.

It really doesn't matter who 'wants' the product, if it costs too much don't buy it. You can't tell your kids 'no' when they want something?
 
This is one of the first things I did after jailbreaking. Call it "theft" if you like, but it's petty digital content (in contrast with music, books, movies, etc.), and the developers are dirty rotten scumbags for putting this kind of thing in apps. Especially if I've already paid for the stinkin' app!
 
If receipt validation is done on the client device, the receipt can be faked too, as the process uses an HTTPS connection to Apple's servers too. You just have to fake one more HTTPS answer, and you need to know the in-app product names.

But if you were smart enough to make a server-side receipt check on your server (which cannot be DNS spoofed) and a secure connection to your server from your client app, then you are fine. Or having the user's purchase history/balance saved on your server is fine too.

Anyway, if you were smart enough to implement a proper server-side receipt check (as I did) then you are not affected by this in any way; otherwise you are a dumb developer and are getting your lesson right now.
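One way to do the server-side receipt check this post recommends, as an added example that is not the poster's code: the app uploads its App Store receipt to the developer's own server, which asks Apple's verifyReceipt endpoint directly (so a DNS/certificate trick on the phone never sees that request) and additionally checks bundle ID, product ID and transaction replay before unlocking anything. The JSON field names (status, receipt.bundle_id, receipt.in_app[].product_id / transaction_id) follow Apple's later unified-receipt response format; the bundle and product IDs and the sample reply are made up.

```python
import json
import urllib.request

# Apple's production endpoint (sandbox: https://sandbox.itunes.apple.com/verifyReceipt).
# The game server makes this call, so a DNS/certificate trick installed on the
# user's phone cannot point it at a fake "Apple".
APPLE_VERIFY_URL = "https://buy.itunes.apple.com/verifyReceipt"

def ask_apple(receipt_b64):
    """POST the base64 receipt to Apple and return the parsed JSON reply."""
    body = json.dumps({"receipt-data": receipt_b64}).encode()
    req = urllib.request.Request(APPLE_VERIFY_URL, data=body,
                                 headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)

class ReceiptVerifier:
    """Server-side gate in front of 'unlock this IAP for this user'."""
    def __init__(self, bundle_id, verify_fn=ask_apple):
        self.bundle_id = bundle_id
        self.verify_fn = verify_fn   # injectable so the demo/tests run offline
        self.redeemed = set()        # transaction_ids already granted; use a DB in production

    def grant(self, receipt_b64, expected_product_id):
        """Return (ok, reason). Only ok=True should unlock content."""
        reply = self.verify_fn(receipt_b64)
        if reply.get("status") != 0:
            return False, "apple rejected receipt (status %s)" % reply.get("status")
        receipt = reply.get("receipt", {})
        if receipt.get("bundle_id") != self.bundle_id:
            return False, "receipt is for another app"
        for item in receipt.get("in_app", []):
            if item.get("product_id") != expected_product_id:
                continue
            tx = item.get("transaction_id")
            if tx in self.redeemed:
                return False, "transaction already redeemed"  # replayed receipt
            self.redeemed.add(tx)
            return True, "ok"
        return False, "product not in receipt"

# Constructed stand-in for Apple's reply so the example runs offline.
CONSTRUCTED_REPLY = {"status": 0, "receipt": {"bundle_id": "com.example.game", "in_app": [
    {"product_id": "com.example.game.coins100", "transaction_id": "1000000012345678"}]}}

def demo():
    v = ReceiptVerifier("com.example.game", verify_fn=lambda r: CONSTRUCTED_REPLY)
    first = v.grant("receipt-placeholder", "com.example.game.coins100")
    replay = v.grant("receipt-placeholder", "com.example.game.coins100")
    return first, replay
```

In production, persist the redeemed transaction IDs and tie each one to the user account that submitted it, so the same receipt cannot be redeemed twice from different devices.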
 
I'm so over paying suffrage controlled by sociopaths for technology raped from our collective earth. Supporting middlemen/ economic terrorists is irresponsible, unsustainable. Everything will be free eventually when we grow up out of this dark age mess of immaturity and inefficiency. So we might as well get used to sharing. Sharing is caring <3 Good technology/ software is a joint venture, and our right as humans to use. The internet is a collective project. Everyone has contributed. We all use it now. It isn't free 'cause we haven't made it free for all. Why not? 'Cause we're still in slave mode. Traumatized. Spineless. This fellow isn't stealing. Property is theft and theft is property. They are stealing from him and he is reclaiming what's his, what's all of ours. Apple gets rich off not paying the people that construct its products the wage they deserve (profit share) and making its "consumers" pay too much for its products (price markup).

Is this ok with you all that actually know about thievery, I mean business/ economics? Who are you protecting, Apple? haa.. Devs aren't getting rich for sure. I don't check Apple forums much anymore but I have noticed Apple's customer service department getting much less customer friendly. The core people that keep Apple going, that is. Where's my profit share?
 