Russian Hacker Makes In-App Purchase Free On iPhone, iPad

A Russian hacker is running a service that exploits a weakness in Apple’s e-commerce systems to get free upgrades and extras within apps on iPhones and iPads, without jailbreaking the devices.

In-app purchases (IAPs) are a lucrative market, as free-to-download games such as CSR Racing encourage users to spend money on credits, upgrades and extra levels within the game. Hacker Alexey Borodin’s “In-Appstore.com” servers trick Apple’s App Store into authorising purchases that haven’t been paid for, using a “man-in-the-middle” spoof that exploits a fundamental weakness in the IAP validation mechanism.

In-app purchase for free

“It’s my hobby,” Borodin (also known as ZonD80) explained to MacWorld. “And it’s a challenge to CSR Racing.” The hacker said he was angry that the racing game’s developers were “taking money from me every single breath.”

The hack works because apps validate in-app purchases through a mechanism which is easy to get around. When a user buys anything within an app, the App Store processes the payment, and sends a receipt. The app then checks the validity of that receipt with Apple’s servers, before unlocking the new functionality.

Unfortunately, the validation response sent by Apple’s servers is generic and easy to mimic, so Borodin can “validate” in-app purchases by sending the same response from a bogus server. Users only need to change their device’s DNS settings so that IAP validation requests go to that server; they don’t have to jailbreak their iDevice.

The service has been intermittently available, due to overloading, and Borodin has requested and received donations (he asked for $50) to keep the server running. His procedure does not work if app developers use an alternative method, validating in-app purchase receipts from their own servers, instead of within the app. The app then has to connect to the app developers’ servers, which can be trusted to check with those of Apple.

Although the app developers’ servers would be harder to spoof, Borodin claims he will be able to do this in future. “The future is to cache developers’ server responses.”

Security experts are critical of Apple for using a flawed model, pointing out that the company should be using a shared secret to validate communications with its servers and eliminate the possibility of simple man-in-the-middle attacks.
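To make the flaw described above concrete, here is an added illustration (not code from the article, Borodin or Apple, and not Apple’s real receipt format or API) of an app-side check that trusts any generic “valid” reply, next to the shared-secret check the experts call for. The secret, product identifier and receipt identifier are constructed sample values.

```python
import hashlib
import hmac
import json

# Constructed sample values for this illustration; not Apple's real
# receipt format, endpoints or keys.
SHARED_SECRET = b"example-shared-secret-held-by-app-and-validator"
PRODUCT_ID = "com.example.racing.credits_1000"


def weak_verify(response_body: str, expected_product: str) -> bool:
    """Model of the flawed check: trust any server that answers 'status 0'.

    Nothing in the reply depends on a secret a bogus server lacks, so a
    DNS redirect to a server that echoes a generic 'valid' reply passes.
    """
    data = json.loads(response_body)
    return data.get("status") == 0 and data.get("product_id") == expected_product


def _mac(payload: dict, secret: bytes) -> str:
    # Canonical JSON so both sides authenticate exactly the same bytes.
    canonical = json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(secret, canonical, hashlib.sha256).hexdigest()


def make_signed_response(receipt_id: str, product_id: str, secret: bytes) -> str:
    """What a validator that actually holds the shared secret would return."""
    payload = {"status": 0, "receipt_id": receipt_id, "product_id": product_id}
    payload["mac"] = _mac(payload, secret)
    return json.dumps(payload)


def strong_verify(response_body: str, expected_receipt_id: str,
                  expected_product: str, secret: bytes) -> bool:
    """Hardened check: require a MAC keyed with the shared secret, bound to
    the exact receipt and product the app asked about."""
    data = json.loads(response_body)
    presented = data.pop("mac", None)
    if not isinstance(presented, str) or data.get("status") != 0:
        return False
    if data.get("receipt_id") != expected_receipt_id:
        return False
    if data.get("product_id") != expected_product:
        return False
    return hmac.compare_digest(presented, _mac(data, secret))


# A generic 'valid' reply a server without the secret could send back,
# simply echoing the identifiers the app submitted (constructed sample).
SPOOFED_REPLY = json.dumps({"status": 0, "receipt_id": "rcpt-0001",
                            "product_id": PRODUCT_ID})
```

A secret embedded in the app binary can still be extracted from the device, which is why the developer-server validation mentioned in this article moves the check off the device altogether.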

“This is a pretty big blow to Apple,” said Paul Ducklin on Sophos’ Naked Security blog, “especially at a time when it is facing criticism for some of the stuff it lets into the App Store in the first place.” Earlier this month, malware was found in Apple’s App Store for the first time, and last year, Apple’s reputation for high security was damaged by the appearance of the Flashback Trojan.

Apple issued the following response to TechWeekEurope: “The security of the App Store is incredibly important to us and the developer community. We take reports of fraudulent activity very seriously, and we are investigating.”


Peter Judge

Peter Judge has been involved with tech B2B publishing in the UK for many years, working at Ziff-Davis, ZDNet, IDG and Reed. His main interests are networking security, mobility and cloud
