Russian Hacker Makes In-App Purchase Free On iPhone, iPad

A Russian hacker is running a service that exploits a weakness in Apple’s e-commerce systems to get free upgrades and extras within apps on iPhones and iPads, without jailbreaking the devices.

In-app purchases (IAPs) are a lucrative market, as free-to-download games such as CSR Racing encourage users to spend money buying credits, upgrades and extra levels within the game. Hacker Alexey Borodin’s “In-Appstore.com” servers trick Apple’s App Store into authorising purchases that haven’t been paid for, using a “man-in-the-middle” spoof that exploits a fundamental weakness in the IAP validation mechanism.

In-app purchase for free

“It’s my hobby,” Borodin (also known as ZonD80) explained to MacWorld. “And it’s a challenge to CSR Racing.” The hacker said he was angry that the racing game’s developers were “taking money from me every single breath.”

The hack works because apps validate in-app purchases through a mechanism which is easy to get around. When a user buys anything within an app, the App Store processes the payment, and sends a receipt. The app then checks the validity of that receipt with Apple’s servers, before unlocking the new functionality.

Unfortunately, the validation response sent by Apple’s servers is generic and easy to mimic, so Borodin can “validate” in-app purchases by sending that response from a bogus server. Users just need to change their DNS settings so all IAP validation requests go to that server, and don’t have to jailbreak their iDevice.

The service has been intermittently available, due to overloading, and Borodin has requested and received donations (he asked for $50) to keep the server running. His procedure does not work if app developers use an alternative method, validating in-app purchase receipts from their own servers, instead of within the app. The app then has to connect to the app developers’ servers, which can be trusted to check with those of Apple.

Although the app developers’ servers would be harder to spoof, Borodin claims he will be able to do this in future. “The future is to cache developers’ server responses.”

Security experts are critical of Apple for using a flawed model, pointing out that the company should be using a shared secret to validate communications with its servers and eliminate the possibility of simple man-in-the-middle attacks.
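The two checks contrasted in the article, as an added illustration that is not part of the original report and not Apple’s real protocol: a weak check that believes any server answering “status 0”, beside a hardened check in which the reply is bound to the specific purchase and authenticated with a shared secret. All field names, values and the secret are constructed placeholders.

```python
import hashlib
import hmac
import json

# Constructed values: placeholders, not real Apple fields, receipts or secrets.
SHARED_SECRET = b"developer-server-only-secret"
PURCHASE = {"bundle_id": "com.example.racer", "product_id": "gold_pack_1000",
            "transaction_id": "txn-0001"}
SPOOFED_REPLY = {"status": 0}  # the generic "approved" answer a bogus server can return


def weak_verify(reply: dict) -> bool:
    """The flawed check from the article: trust any server that answers 'status 0'.

    Nothing binds the answer to the purchase or proves who sent it, so pointing
    DNS at a server that always says 0 is enough to pass."""
    return reply.get("status") == 0


def _mac(body: dict) -> str:
    """HMAC over a canonical encoding of the reply body, keyed with the shared secret."""
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(SHARED_SECRET, canonical, hashlib.sha256).hexdigest()


def trusted_reply(purchase: dict) -> dict:
    """Models a trusted validation server: the answer echoes the purchase it approved
    and carries a MAC, so it is neither generic nor forgeable without the secret."""
    body = {"status": 0, **purchase}
    return {**body, "mac": _mac(body)}


def strong_verify(reply: dict, purchase: dict) -> bool:
    """Hardened check: authenticate the reply, then confirm it approves *this* purchase.

    The secret must live where the attacker cannot read it (the developer's own
    server, as the article suggests), so this check belongs server-side, not in the app."""
    body = {k: v for k, v in reply.items() if k != "mac"}
    if not hmac.compare_digest(reply.get("mac", ""), _mac(body)):
        return False  # forged or unauthenticated reply
    if body.get("status") != 0:
        return False
    # A genuine reply for some other transaction must not unlock this one.
    return all(body.get(k) == purchase[k]
               for k in ("bundle_id", "product_id", "transaction_id"))


if __name__ == "__main__":
    print("weak check accepts spoof:  ", weak_verify(SPOOFED_REPLY))               # True
    print("strong check accepts spoof:", strong_verify(SPOOFED_REPLY, PURCHASE))   # False
    print("strong check accepts real: ", strong_verify(trusted_reply(PURCHASE), PURCHASE))  # True
```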

“This is a pretty big blow to Apple,” said Paul Ducklin on Sophos’ Naked Security blog, “especially at a time when it is facing criticism for some of the stuff it lets into the App Store in the first place.” Earlier this month, malware was found in Apple’s App Store for the first time, and last year, Apple’s reputation for high security was damaged by the appearance of the Flashback Trojan.

Apple issued the following response to TechWeekEurope: “The security of the App Store is incredibly important to us and the developer community. We take reports of fraudulent activity very seriously, and we are investigating.”


Peter Judge

Peter Judge has been involved with tech B2B publishing in the UK for many years, working at Ziff-Davis, ZDNet, IDG and Reed. His main interests are networking security, mobility and cloud
