Apple to address in-app purchase hack in iOS 6, offers temporary fix

A Russian developer nicknamed ZonD80 has devised a way to bypass Apple’s iOS In-App Purchase program and get the content for free. Alexey Borodin’s hack has become very popular worldwide; apparently over 30,000 requests have already been served, and the number is climbing very fast. Apple tried to fight the hack by banning the IP address of Borodin’s server, but he moved his servers offshore and updated his method so that it circumvents the new blockades Apple set up.

After several tries, Apple has confirmed that it has a workaround and said it is investigating the issue. The Cupertino-based technology giant has finally outlined a proper, though temporary, fix; the issue will be permanently fixed in iOS 6, which will completely block this kind of hack.

iOS 5.1 and earlier versions of the proprietary operating system are vulnerable to the hack because validation of in-app purchase receipts is done by connecting to the App Store server directly from the iOS device. That direct connection to Apple’s remote server can be hijacked easily by modifying the DNS table so that all these requests are redirected to a server controlled by the hacker. With the hacker’s own certificate authority installed on the user’s device, the hacker can then issue SSL certificates that identify his server as the App Store server. When the device sends a request to the App Store server to check whether a receipt is valid, the request is redirected to the hacker’s server, which responds that the receipt is indeed valid, thus authorizing the whole purchase and making in-app purchases free.

According to Apple, iOS 6 will address this vulnerability, and an app that follows best practices is unlikely to be affected by this hack. Since last week, Apple has been including unique identifiers in the validation receipts for in-app purchases. Apple says that if an app performs validation by connecting to the developer’s own server to double-check the receipt, and uses appropriate cryptographic techniques to do so, the app won’t be affected by Borodin’s attack.

For apps that are already in the App Store and not using the “best practices”, there’s unfortunately no way to protect them. The store receipt method fails because Borodin’s workaround requires only a single donated receipt, which is then recycled to authenticate any number of purchase requests. His own verification server, designed to emulate the Apple App Store, authenticates the requests using that one receipt.
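The recycled donated receipt described above, and the unique identifiers Apple now puts in receipts, are what bookkeeping on the developer's own server can check. The following is an added example, not Apple's or this article's code: it assumes the server has already verified the receipt with Apple over its own connection, and the `RedemptionLedger` class and the field names (`bundle_id`, `product_id`, `transaction_id`, `unique_identifier`) are hypothetical.

```python
# Added example: redemption checks on the developer's own server.
# Field names below are assumptions for this sketch, not a documented schema.

class ReceiptRejected(Exception):
    """The receipt must not unlock content."""


class RedemptionLedger:
    """Remembers which transactions have already been redeemed."""

    def __init__(self, bundle_id):
        self.bundle_id = bundle_id
        self._redeemed = set()  # transaction ids already honoured

    def redeem(self, receipt, requested_product, device_id):
        """Grant the purchase once, or raise ReceiptRejected."""
        # The receipt must have been issued for this app ...
        if receipt.get("bundle_id") != self.bundle_id:
            raise ReceiptRejected("receipt issued for a different app")
        # ... and for the product the client is asking to unlock.
        if receipt.get("product_id") != requested_product:
            raise ReceiptRejected("receipt is for a different product")
        # The unique identifier ties the receipt to the purchasing device.
        if receipt.get("unique_identifier") != device_id:
            raise ReceiptRejected("receipt is bound to another device")
        # A recycled ("donated") receipt shows up as a repeated transaction.
        txn = receipt.get("transaction_id")
        if not txn or txn in self._redeemed:
            raise ReceiptRejected("transaction missing or already redeemed")
        self._redeemed.add(txn)
        return True


# Constructed sample data, not a real receipt.
SAMPLE_RECEIPT = {
    "bundle_id": "com.example.game",
    "product_id": "coins_100",
    "transaction_id": "TXN-0001",
    "unique_identifier": "DEVICE-A",
}

if __name__ == "__main__":
    ledger = RedemptionLedger("com.example.game")
    print(ledger.redeem(SAMPLE_RECEIPT, "coins_100", "DEVICE-A"))
    try:
        ledger.redeem(SAMPLE_RECEIPT, "coins_100", "DEVICE-A")
    except ReceiptRejected as exc:
        print("rejected:", exc)
```

In production the set of redeemed transactions would live in durable storage shared by all server instances, so a replay cannot succeed against a freshly started process.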

Apparently, Apple transmits its customers’ Apple IDs and passwords in clear text, as it never thought a situation like this would ever happen. Borodin’s hack transmits the following details to his server:

- restriction level of app
- id of app
- id of version
- guid of your iDevice
- quantity of in-app purchase
- offer name of in-app purchase
- language you are using
- identifier of application
- version of application

Since the credentials are transferred in clear text, anyone can easily capture them using a man-in-the-middle technique. If you still haven’t tried the hack, below are the steps it involves:

  1. Install two certificates: CA and in-appstore.com.
  2. Connect via Wi-Fi network and change the DNS to 62.76.189.117.
  3. Press the Like button and enter your Apple ID & password.

It is advised that iPhone, iPad and iPod touch owners avoid using the hack now and in the future due to privacy and legal concerns that surround the hack.