Russian Hacker Makes In-App Purchase Free On iPhone, iPad

A Russian hacker is running a service that exploits a weakness in Apple’s e-commerce systems to get free upgrades and extras within apps on iPhones and iPads, without jailbreaking the devices.

In-app purchases (IAPs) are a lucrative market, as free-to-download games such as CSR Racing encourage users to spend money buying credits, upgrades and extra levels within the game. Hacker Alexey Borodin’s “In-Appstore.com” servers trick Apple’s App Store into authorising purchases that haven’t been paid for, using a “man-in-the-middle” spoof that exploits a fundamental weakness in the IAP validation mechanism.

In-app purchase for free

“It’s my hobby,” Borodin (also known as ZonD80) explained to MacWorld. “And it’s a challenge to CSR Racing.” The hacker said he was angry that the racing game’s developers were “taking money from me every single breath.”

The hack works because apps validate in-app purchases through a mechanism which is easy to get around. When a user buys anything within an app, the App Store processes the payment, and sends a receipt. The app then checks the validity of that receipt with Apple’s servers, before unlocking the new functionality.

Unfortunately, the response sent by the Apple servers is generic and easy to mimic, so Borodin can “validate” in-app purchases by sending that response from a bogus server. Users just need to change their DNS settings so all IAP validation requests go to that server, and don’t have to jailbreak their iDevice.

The service has been intermittently available, due to overloading, and Borodin has requested and received donations (he asked for $50) to keep the server running. His procedure does not work if app developers use an alternative method, validating in-app purchase receipts from their own servers, instead of within the app. The app then has to connect to the app developers’ servers, which can be trusted to check with those of Apple.

Although the app developers’ servers would be harder to spoof, Borodin claims he will be able to do this in future. “The future is to cache developers’ server responses.”

Security experts are critical of Apple for using a flawed model, pointing out that the company should be using a shared secret to validate communications with its servers and eliminate the possibility of simple man-in-the-middle attacks.
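The two designs the article contrasts, the app trusting a generic reply from whichever host it reaches as “Apple”, versus validation on a developer-operated server whose verdict is authenticated with a shared secret, can be modelled in a few dozen lines. The following is an added example for this page, not code from Apple, from the game developers mentioned or from In-Appstore.com; the JSON field names, the hypothetical `DeveloperServer` class, the simulated Apple validator and the sample receipts are all constructed here, and Apple’s real validation protocol is not reproduced, only the trust relationship is.

```python
"""Weak versus hardened in-app-purchase validation (constructed illustration).

Assumptions: field names, receipts, the DeveloperServer class and the
simulated Apple check are invented for this example; none of it is Apple's
protocol or any real app's code.
"""
import base64
import hashlib
import hmac
import json
import secrets

SHARED_SECRET = b"example-shared-secret-do-not-ship"  # constructed placeholder

# Constructed "store of truth": the only receipt Apple would actually accept.
GENUINE_RECEIPTS = {
    base64.b64encode(b"txn-1001:credits_100").decode(): ("1001", "credits_100"),
}


def simulated_apple_validate(receipt_b64: str) -> dict:
    """Stand-in for a server-to-server receipt check with Apple (constructed)."""
    if receipt_b64 in GENUINE_RECEIPTS:
        txn, product = GENUINE_RECEIPTS[receipt_b64]
        return {"status": 0, "transaction_id": txn, "product_id": product}
    return {"status": 21003}  # constructed non-zero status meaning "receipt not valid"


# --- Weak pattern the article describes --------------------------------------
def weak_app_unlock(validation_response: dict) -> bool:
    """The app talks to 'Apple' (whatever host DNS resolved) and unlocks on a
    generic success body. Nothing binds the reply to this purchase or this app."""
    return validation_response.get("status") == 0


# A generic success body of the kind any server in the path can return (constructed).
SPOOFED_RESPONSE = {"status": 0}


# --- Hardened pattern: developer server plus authenticated verdict -----------
class DeveloperServer:
    """Hypothetical developer-operated validator. It holds the shared secret and
    checks with Apple server-to-server; the app only ever sees its signed verdict."""

    def __init__(self, secret: bytes, apple_validator=simulated_apple_validate):
        self.secret = secret
        self.apple_validator = apple_validator
        self.seen_transactions = set()

    def validate(self, receipt_b64: str, nonce: str) -> dict:
        result = self.apple_validator(receipt_b64)
        txn = result.get("transaction_id")
        ok = result.get("status") == 0 and txn not in self.seen_transactions
        if ok:
            self.seen_transactions.add(txn)  # never grant the same receipt twice
        body = json.dumps(
            {"ok": ok, "product_id": result.get("product_id"), "nonce": nonce},
            sort_keys=True,
        )
        mac = hmac.new(self.secret, body.encode(), hashlib.sha256).hexdigest()
        return {"body": body, "mac": mac}


def hardened_app_unlock(response: dict, secret: bytes, expected_product: str, nonce: str) -> bool:
    """App side: accept only a verdict authenticated with the shared secret and
    bound to this request's nonce and to the product actually being unlocked."""
    body = response.get("body", "")
    expected_mac = hmac.new(secret, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected_mac, response.get("mac", "")):
        return False  # unauthenticated reply: a spoofing server cannot produce the MAC
    verdict = json.loads(body)
    return (
        verdict.get("ok") is True
        and verdict.get("product_id") == expected_product
        and verdict.get("nonce") == nonce
    )


def demo() -> dict:
    """Runs both designs against a genuine receipt, a forged one, a replay and a spoofed reply."""
    server = DeveloperServer(SHARED_SECRET)
    genuine = next(iter(GENUINE_RECEIPTS))
    forged = base64.b64encode(b"txn-9999:credits_100").decode()  # constructed, not genuine

    nonce = secrets.token_hex(8)
    legit = server.validate(genuine, nonce)
    replay_nonce = secrets.token_hex(8)
    replayed = server.validate(genuine, replay_nonce)  # same receipt presented again
    forged_resp = server.validate(forged, nonce)
    spoofed = {  # a "success" body without knowledge of the secret
        "body": json.dumps({"ok": True, "product_id": "credits_100", "nonce": nonce}, sort_keys=True),
        "mac": "00" * 32,
    }
    return {
        "weak_accepts_spoof": weak_app_unlock(SPOOFED_RESPONSE),
        "hardened_accepts_genuine": hardened_app_unlock(legit, SHARED_SECRET, "credits_100", nonce),
        "hardened_rejects_spoof": not hardened_app_unlock(spoofed, SHARED_SECRET, "credits_100", nonce),
        "hardened_rejects_forged_receipt": not hardened_app_unlock(forged_resp, SHARED_SECRET, "credits_100", nonce),
        "hardened_rejects_replay": not hardened_app_unlock(replayed, SHARED_SECRET, "credits_100", replay_nonce),
        "hardened_rejects_wrong_product": not hardened_app_unlock(legit, SHARED_SECRET, "level_pack_2", nonce),
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

The point the example makes is that redirecting DNS defeats the weak design because the app’s decision rests on an unauthenticated, generic reply. In the hardened design the decision is taken on a server the developer controls, and the reply the app receives is bound to the nonce, the product and the secret, so a generic success body, a replayed verdict or a verdict for a different product is rejected. One caveat a practitioner would add: a secret embedded in the app binary can be recovered from the binary, so the shared secret raises the bar for a casual man-in-the-middle but the durable protection is the server-side check itself, which is why the article notes that Borodin’s service fails against developers who validate from their own servers.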

“This is a pretty big blow to Apple,” said Paul Ducklin on Sophos’ Naked Security blog, “especially at a time when it is facing criticism for some of the stuff it lets into the App Store in the first place.” Earlier this month, malware was found in Apple’s App Store for the first time, and last year, Apple’s reputation for high security was damaged by the appearance of the Flashback Trojan.

Apple issued the following response to TechWeekEurope: “The security of the App Store is incredibly important to us and the developer community. We take reports of fraudulent activity very seriously, and we are investigating.”


Peter Judge

Peter Judge has been involved with tech B2B publishing in the UK for many years, working at Ziff-Davis, ZDNet, IDG and Reed. His main interests are networking security, mobility and cloud.
