What about those that are £34.99, £69.99 & £99.99? I've got no problem paying a few pounds but many developers exploit the freemium model.

A developer can't exploit a single user who knows those berrydots (or whatever) are NOT worth their silly price, and just stops playing their stupid little app. Consider those freemium items an excellent tax on stupidity and a wasted life.
 
What about those that are £34.99, £69.99 & £99.99? I've got no problem paying a few pounds but many developers exploit the freemium model.

Thank you! One thing I love about the app store is that developers can easily provide apps while cutting down on cost of advertising. While there are hackers, few are able to penetrate into the app store. This results in lower priced software. I think apps over $9.99 should be approved through Apple under a fair and reasonable pricing negotiation. In-app purchases should be covered under the same standards. A specific example are games that charge $49.99+ for "coins" or "tokens". This is unreasonable. These purchases add no extra features for the app and should be eliminated. Most current in-app purchases are stifling innovation. The developers are simply looking for more money, and it's unfair. These purchases are too tempting and deploy what I like to call a "casino effect" where you pay your money and get nothing more than a few fun hours out of the app.

Apart from the consumers that understand how these things work, most blindly pay money for relatively nothing.

I know I'm a bit of an extremist. But I'd be willing to meet in the middle.

On a different note, I wish Apple would drop support for iPhone apps on the iPad with iOS 6. These apps look terrible. It may force developers to release an iPad version. But that's a different subject entirely.
 
Passwords sent in plain text?? :eek: :mad:
Unacceptable. If not for this Russian hacker, we wouldn't have known about this. I'd like to thank him for that.
 
Agreed that some in app purchases are a big con but then the best way to combat this is to simply not buy them. This will send a message to the developers that we won't put up with their crap.

All this hack does is hurt the honest developers.
 
Whenever you make an IAP purchase, your Apple ID and password is sent.

So, if you use this hack, you will have a truckload of Russian hackers logging into your Apple account
in the next few days. Great.

I don't think a lot of people will be reading the instructions too closely on this hack.
All they see is FREE COINS, FREE COINS!
 
Whenever you make an IAP purchase, your Apple ID and password is sent.

So, if you use this hack, you will have a truckload of Russian hackers logging into your Apple account
in the next few days. Great.

I don't think a lot of people will be reading the instructions too closely on this hack.
All they see is FREE COINS, FREE COINS!

Unless you immediately change your password after (stealing) shopping.
 
Works great!!! Thanks!!!

I thought a little bit about how this hack works. And while I don't know whether this hacker intended to defraud only app developers, or if he intended to defraud gullible users as well, it is quite obvious that this hack opens users like Hawkeye411 to massive fraud.

Here's what the hack does (not technically accurate, but the principle is correct): Whenever a user wants to do an in-app purchase, the in-app purchase code on your iPhone or iPad talks to a server at Apple, let's say at inapppurchases.apple.com. As a user, you modified settings on your device so that all web traffic to inapppurchases.apple.com goes to inapppurchases.russianhackers.com instead. However, that wouldn't just work, because your device wants a certificate for "inapppurchases.apple.com", and only Apple can produce this. Here's where the second step comes in: The user also modifies their certificate store, so that any certificate issued by www.russianhackers.com is automatically trusted.

Now you are wide open to fraud: First, your Apple ID and password are sent. Normally, they would be sent to inapppurchases.apple.com, safely encrypted with a key that only Apple has, so only Apple can read them. But now they are sent to inapppurchases.russianhackers.com, safely encrypted with a key that only the Russian hackers have, so only they can read it... I guess you see what the problem is.

Another problem is that your device has now been changed to trust anything with a certificate created by www.russianhackers.com. So if you go to the Amazon website, or your bank's website, then someone can redirect your web traffic to go to a fake site (which is difficult, but not impossible), and if that fake site has a certificate that says "this is www.amazon.com, signed by: www.russianhackers.com", then your device will trust that fake site!

So hawkeye, enjoy as long as there is money in your bank account. :eek:


This is one of the first things I did after jailbreaking. Call it "theft" if you like, but it's petty digital content (in contrast with music, books, movies, etc.), and the developers are dirty rotten scumbags for putting this kind of thing in apps. Especially if I've already paid for the stinkin' app!

-10 downvote. Think very, very hard about who are the dirty rotten scumbags here. And nobody will cry any tears for you if your bank account is emptied.


According to [developer Marco] Tabini, though, “Apple presumes it’s talking to its own server with a valid security certificate.” But that was clearly a mistake—“This is entirely Apple’s fault,” Tabini added.

No, Marco. If a user is dishonest enough to try to get in-app purchases for free, and stupid enough to install certificates from an unknown hacker, then they only get what they deserve. The Apple ID and password are sent safely to the intended recipient, and nobody but the intended recipient can read them. It's not Apple's fault if a user redirects the data to some hacker.
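
The failure mode described in the post above (a user-installed root lets a substitute certificate pass normal validation) is what certificate pinning is meant to catch. The following is an added example, not part of the thread or of Apple's code: the client compares the server certificate's SHA-256 fingerprint against values shipped with the app, on top of the usual chain check. The host name is the post's hypothetical one, and the certificate bytes are constructed stand-ins, not real certificates.

```python
import hashlib
import hmac
import socket
import ssl


def fingerprint(der_cert: bytes) -> str:
    """SHA-256 fingerprint of a DER-encoded certificate, lowercase hex."""
    return hashlib.sha256(der_cert).hexdigest()


def matches_pin(der_cert: bytes, pinned: set[str]) -> bool:
    """True only if the presented certificate is one the app shipped a pin for."""
    seen = fingerprint(der_cert)
    return any(hmac.compare_digest(seen, p.lower()) for p in pinned)


def connect_pinned(host: str, pinned: set[str], port: int = 443) -> ssl.SSLSocket:
    """Open a TLS connection that must pass BOTH chain validation and the pin.

    A root added to the device's trust store can satisfy the first check,
    but it cannot make a different certificate hash to a pinned value.
    """
    ctx = ssl.create_default_context()  # system trust store + hostname check
    sock = socket.create_connection((host, port), timeout=10)
    try:
        tls = ctx.wrap_socket(sock, server_hostname=host)
    except Exception:
        sock.close()
        raise
    der = tls.getpeercert(binary_form=True)
    if der is None or not matches_pin(der, pinned):
        tls.close()
        raise ssl.SSLError(f"certificate for {host} does not match any pin")
    return tls


# Constructed stand-ins for DER certificates (assumption: not real cert data).
GENUINE_CERT = b"constructed-der: CN=inapppurchases.apple.com, issuer=expected CA"
ROGUE_CERT = b"constructed-der: CN=inapppurchases.apple.com, issuer=user-added CA"
PINS = {fingerprint(GENUINE_CERT)}


def demo() -> dict[str, bool]:
    """Same subject name on both certificates; only the pinned one is accepted."""
    return {"genuine": matches_pin(GENUINE_CERT, PINS),
            "rogue": matches_pin(ROGUE_CERT, PINS)}
```
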
 
Unless you immediately change your password after (stealing) shopping.

So, you think you can out-smart the Russian hacker by giving them a fake Apple ID and password?
Lol. You're still installing some untrusted certificates. Who knows what worms that will open.
 
I think all installous users are thieves.

There is one truly good usage for installous. There was a time when I was using an original iPhone and accidentally upgraded an app which no longer gave support to 3.1.3 which I think the original iPhone ran that last time I owned one. Of course that app no longer would run on the original and I no longer had the version that would so I would go and grab the old version that last ran on the iOS version. In that case, I was not a thief, just wanting an app version that would still run on my old original iPhone.
 
Macworld also chatted with Borodin, who noted that he can indeed see users' App Store account names and passwords, as they are transmitted in clear text as part of the In App Purchase process.

Easy fix - set up a brand new free iTunes Account and use that one instead for in-app "purchasing". No one will be then able to obtain your real information.
 
I'm all for jailbreaking and customizing your device to make it your own, but when it comes to stealing from developers, that's where you have to draw the line.
 
Uh...

Wait, they didn't already have this?? I normally hate piracy, but I like it if people steal FarmCoinz or whatever for those stupid games that want you to pay real money for fake points.

----------



Do news sites encourage murder when they report murders?

No, but they don't publish step by step instructions on how to get away with murdering people.
 
I don't support this, but I hate in-app purchasing, it's a good for developers to nickel and dime users. I paid for the app right? Give me a full version.
 
You don't know what you're talking about.

Firstly, the system used for In-App Purchases is provided by Apple (note the fact that you can view the most common in-app purchases for an app directly from the app's page on the app store. Additionally, in-app purchases factor into an app's ranking on the top grossing chart.)

Secondly, Apple charges developers 30% for any in-app purchases, as well.

Thirdly, Apple forbids developers from including links in their app that take users to pages outside the app that allow additional content. (That's why, for example, you can't sign up for a subscription to Netflix directly from Netflix's app.)




SOURCE: http://gigaom.com/apple/how-much-did-you-spend-on-apps-this-year/

In what world is $4 the full price for a full game? Last time I checked, full games cost at least $20 if you want to buy it in a retail store. Fact of the matter is, most users don't pay a "high price" for a "full game".

To supplement that small income (and it is small. I could easily make more money at McDonald's rather than working as an independent developer. I do it because I love it. Also because I just got hired to do it for a lot more than I was making when I did it alone) developers offer In-App purchases. A few extra colors in Draw Something are by no means an essential feature. You can play the game without them. Asking for a measly... what is it, $2 for a pack of 5 colors... seems perfectly reasonable to me.

Personally, I'm planning to sell a game guide for my next game for $3, for a $7 game. I think it's perfectly reasonable... physical game guides generally cost $20 for a $50 game.

If I buy a game..I expect the apps not to be selling me in-app crap. Secondly, regardless how much the app cost..it's still money.
 
Why? Because you like the idea of what's happening here?

It's good in that it's revealed a weakness in Apple's system.
It's bad because it creates a false sense of entitlement for users.

Realistically, which do you think there will be more of as a result of this article being published, developers getting rid of in-app purchases or consumers stealing in-app content?
 