A news broke on 9to5Mac 24 hours ago that a Russian hacker, Alexey V. Borodin, has managed to build an in-app purchase hack that allows iOS users to trick the app developer's servers into believing that they are communicating with the App Store when verifying the in-app purchases. This allows users to acquire items for free, causing losses for the developers.
Following are some facts that I think are worth sharing with you, our readers, and the people you care about:
The hack works by installing a bogus certificate on your iOS device, another certificate for In-AppStore.com, and changing the DNS settings.
Because you have certified the hack, it will have access to the UUID of your device, your Apple ID and unencrypted password. Here's an excerpt of what Borodin told Macworld over instant messages:
“I can see the Apple ID and password (for accounts that try the hack)," Borodin told Macworld. “But not the credit card information.” Borodin said that he was “shocked” that passwords were passed in plain text and not encrypted.
Borodin started to work on the hack because he disliked how CSR Racing, a new iOS racing game, used a freemium model to entice players to spend extra money within the game. Now that the hack has been spoiled and abused by other people, he is no longer in control of the In-AppStore service. This is what he told The Next Web:
He also says that he is no longer in control of the In-Appstore site, and will be deleting any information that he has about the site from his computer. The site is now in the hands of an unnamed third party, as Borodin says he does “not want to be in jail =).”
One of the first attempts that Apple has made was shutting down the initial DNS server used to serve these requests, but apparently the people who are now running this service has managed to setup new DNS servers. We're still waiting to see what Apple's next move is. As Apple told The Loop:
“The security of the App Store is incredibly important to us and the developer community,” Apple representative Natalie Harrison, told The Loop. “We take reports of fraudulent activity very seriously and we are investigating.”
The main reason why I think a lot of people need to understand this and avoid it entirely is that even when Apple has solved this problem on their side and all developers have taken precautionary actions toward this, iOS devices that have installed these certificates will be prone to further exploit by whoever is currently running the In-AppStore website. Marco Tabini told MacWorld that this might require a new iOS update to fix this problem completely.
Fixing the exploit won’t be too difficult for Apple, but Tabini says, “I can’t think of an easy way to solve this problem without an iOS update.”
Finally, if you're an iOS developer using in-app purchases in any of your apps, you might want to take precautionary steps, starting with reading the section on Verifying Store Receipts again.