x PhoneArena is looking for new authors! To view all available positions, click here.
  • Home
  • News
  • Hacker exposes iOS in-app purchase flaw, circumvents the system with own server

Hacker exposes iOS in-app purchase flaw, circumvents the system with own server

Posted: , by Victor H.

Tags:

Hacker exposes iOS in-app purchase flaw, circumvents the system with own server
One of the most profitable monetization models recently, in-app purchases, is attracting not only the biggest developers on iOS, but also the attention of a Russian hacker Alexey Borodin who found an easy way to circumvent the system and purchase stuff inside apps without actually paying.

The hack works on all iOS devices running versions from iOS 3.0 to iOS 6.0. While some will be tempted to say that the developer broke Apple’s system, truth is that he simply wrote an alternative store and defends his point by saying that this will only help developers and Apple tighten up their security.

Simply put, to bypass Apple’s servers, Borodin built his own server. In-app purchases are then directed to that server, which in turn delivers a purchase receipt to the device without actually charging users real money. To make this possible, Borodin himself studied hundreds of receipts and spend a few hundred dollars, but finally the system worked.

Going deeper into the technicalities, this method requires a CA certificate and profile for connection with iTunes, and it requires that a user’s Internet connection goes through a Domain Name Server system, set up to intercept requests. With this, you simply need to press the purchase button and the transaction goes through Borodin’s server.

While this unfolds, Apple has quickly issued a warning its investigating the issue:

“The security of the App Store is incredibly important to us and the developer community,” Apple rep Natalie Harrison said for The Loop. “We take reports of fraudulent activity very seriously and we are investigating.”

source: i-ekb via TNW, 9to5Mac

9 Comments
  • Options
    Close




posted on 16 Jul 2012, 03:09 11

1. B3BLW29 (Posts: 237; Member since: 02 Mar 2012)


We all know what apple's going to do with the poor guy, but seriously they should award him for finding this flaw and hire his services.

posted on 16 Jul 2012, 04:23 3

5. haseebzahid (Posts: 1812; Member since: 22 Feb 2012)


what a noob why he gave that to apple who dont even bother what he has done for them just for good will

posted on 16 Jul 2012, 03:14 12

2. BattleBrat (Posts: 1057; Member since: 26 Oct 2011)


"In Soviet Russia, you don't buy app, app buys you!"
Sorry, couldn't resist.
I hope they don't send the apple gustapo (SP) after this guy.

posted on 16 Jul 2012, 03:22 5

3. SonyFTW2020 (Posts: 305; Member since: 03 May 2012)


ROFLMAOO!

posted on 16 Jul 2012, 04:22 12

4. wendygarett (unregistered)


If this world doesnt have android...
I rather pick RIM over iPhone :)

posted on 16 Jul 2012, 04:25 11

6. haseebzahid (Posts: 1812; Member since: 22 Feb 2012)


and if nothing is there but apple i would still pickup the BRICK instead of apple

posted on 16 Jul 2012, 06:59

7. theBankRobber (Posts: 645; Member since: 22 Sep 2011)


I think Apple might want to play nice with this guy. The secret is out and other devs or hackers could use this to find more flaws and do more damage then just in app purchases.

posted on 16 Jul 2012, 11:02

8. bustervic (Posts: 22; Member since: 13 Feb 2012)


So they will chase this guy down but they won't stop companies from making free games aimed at kids with in-app purchases if $20, $50 or $99. Crooks. I hope more people use this workaround.

posted on 16 Jul 2012, 11:46

9. taco50 (banned) (Posts: 5506; Member since: 08 Oct 2009)


Everyone has in app purchases now, not just Apple. If you can't stop your kids from buying games then that's a parenting issue.

Want to comment? Please login or register.

Latest stories