Hacker exposes iOS in-app purchase flaw, circumvents the system with own server
Share:
The hack works on all iOS devices running versions from iOS 3.0 to iOS 6.0. While some will be tempted to say that the developer broke Apple’s system, truth is that he simply wrote an alternative store and defends his point by saying that this will only help developers and Apple tighten up their security.
Simply put, to bypass Apple’s servers, Borodin built his own server. In-app purchases are then directed to that server, which in turn delivers a purchase receipt to the device without actually charging users real money. To make this possible, Borodin himself studied hundreds of receipts and spend a few hundred dollars, but finally the system worked.
Going deeper into the technicalities, this method requires a CA certificate and profile for connection with iTunes, and it requires that a user’s Internet connection goes through a Domain Name Server system, set up to intercept requests. With this, you simply need to press the purchase button and the transaction goes through Borodin’s server.
While this unfolds, Apple has quickly issued a warning its investigating the issue:
“The security of the App Store is incredibly important to us and the developer community,” Apple rep Natalie Harrison said for The Loop. “We take reports of fraudulent activity very seriously and we are investigating.”
source: i-ekb via TNW, 9to5Mac
Share:
Android 4.1 Jelly Bean keyboard ported to Ice Cream Sandwich 
Windows Phone 8 might support mass storage mode, Zune sync begone 
-
Parting images and wrap-up from the last day of Google I/O
-
PhoneArena's John Velasco talks about the geek life
-
Up close demo of Epson Moverio glasses and YouTube functionality
-
Android talks and does Braille
-
Samsung officials confirm 5.9-inch Note III will come at IFA
-
Images and summary from day 2 of Google I/O
9 Comments
1. B3BLW29 posted on 16 Jul 2012, 03:09 11 0
We all know what apple's going to do with the poor guy, but seriously they should award him for finding this flaw and hire his services.
5. haseebzahid posted on 16 Jul 2012, 04:23 3 0
what a noob why he gave that to apple who dont even bother what he has done for them just for good will
2. BattleBrat posted on 16 Jul 2012, 03:14 12 0
"In Soviet Russia, you don't buy app, app buys you!"
Sorry, couldn't resist.
I hope they don't send the apple gustapo (SP) after this guy.
4. wendygarett (limited) 2 days ago posted on 16 Jul 2012, 04:22 12 2
If this world doesnt have android...
I rather pick RIM over iPhone :)
6. haseebzahid posted on 16 Jul 2012, 04:25 11 2
and if nothing is there but apple i would still pickup the BRICK instead of apple
7. theBankRobber posted on 16 Jul 2012, 06:59 0 0
I think Apple might want to play nice with this guy. The secret is out and other devs or hackers could use this to find more flaws and do more damage then just in app purchases.
8. bustervic posted on 16 Jul 2012, 11:02 0 0
So they will chase this guy down but they won't stop companies from making free games aimed at kids with in-app purchases if $20, $50 or $99. Crooks. I hope more people use this workaround.
9. taco50 (banned) posted on 16 Jul 2012, 11:46 0 1
Everyone has in app purchases now, not just Apple. If you can't stop your kids from buying games then that's a parenting issue.
