Hacker exposes iOS in-app purchase flaw, circumvents the system with own server

Hacker exposes iOS in-app purchase flaw, circumvents the system with own server
One of the most profitable monetization models recently, in-app purchases, is attracting not only the biggest developers on iOS, but also the attention of a Russian hacker Alexey Borodin who found an easy way to circumvent the system and purchase stuff inside apps without actually paying.

The hack works on all iOS devices running versions from iOS 3.0 to iOS 6.0. While some will be tempted to say that the developer broke Apple’s system, truth is that he simply wrote an alternative store and defends his point by saying that this will only help developers and Apple tighten up their security.

Simply put, to bypass Apple’s servers, Borodin built his own server. In-app purchases are then directed to that server, which in turn delivers a purchase receipt to the device without actually charging users real money. To make this possible, Borodin himself studied hundreds of receipts and spend a few hundred dollars, but finally the system worked.

Going deeper into the technicalities, this method requires a CA certificate and profile for connection with iTunes, and it requires that a user’s Internet connection goes through a Domain Name Server system, set up to intercept requests. With this, you simply need to press the purchase button and the transaction goes through Borodin’s server.

While this unfolds, Apple has quickly issued a warning its investigating the issue:

source: i-ekb via TNW, 9to5Mac



1. B3BLW29

Posts: 238; Member since: Mar 02, 2012

We all know what apple's going to do with the poor guy, but seriously they should award him for finding this flaw and hire his services.

5. haseebzahid

Posts: 1853; Member since: Feb 22, 2012

what a noob why he gave that to apple who dont even bother what he has done for them just for good will

2. BattleBrat

Posts: 1476; Member since: Oct 26, 2011

"In Soviet Russia, you don't buy app, app buys you!" Sorry, couldn't resist. I hope they don't send the apple gustapo (SP) after this guy.

3. SonyFTW2020

Posts: 311; Member since: May 03, 2012


4. wendygarett unregistered

If this world doesnt have android... I rather pick RIM over iPhone :)

6. haseebzahid

Posts: 1853; Member since: Feb 22, 2012

and if nothing is there but apple i would still pickup the BRICK instead of apple

7. theBankRobber

Posts: 682; Member since: Sep 22, 2011

I think Apple might want to play nice with this guy. The secret is out and other devs or hackers could use this to find more flaws and do more damage then just in app purchases.

8. bustervic

Posts: 26; Member since: Feb 13, 2012

So they will chase this guy down but they won't stop companies from making free games aimed at kids with in-app purchases if $20, $50 or $99. Crooks. I hope more people use this workaround.

9. taco50

Posts: 5506; Member since: Oct 08, 2009

Everyone has in app purchases now, not just Apple. If you can't stop your kids from buying games then that's a parenting issue.

Latest Stories

This copy is for your personal, non-commercial use only. You can order presentation-ready copies for distribution to your colleagues, clients or customers at https://www.parsintl.com/phonearena or use the Reprints & Permissions tool that appears at the bottom of each web page. Visit https://www.parsintl.com/ for samples and additional information.