Earlier this month, Russian developer ZonD80 (Alexey Borodin) released a hack that exploited a loophole to deliver in-app purchases for free. Not long afterward, Apple tried, somewhat unsuccessfully, to block his hack attempts, but we knew it was just a matter of time before Apple got that problem solved (with their own fist of fury).
The solution implemented by Apple involves a more sophisticated receipt that incorporates a unique identifier (which many speculate is based on a proprietary system using UDID data, though the specifics are not yet known).
In a blog post on Monday, Borodin discussed the latest work done by Apple to eliminate the loophole he was exploiting:
“By examining Apple’s latest statement about in-app purchases in iOS 6, I can say that currently the game is over. Currently we have no way to bypass the updated APIs. It’s good news for everyone: we have updated security in iOS, and developers have their air-money.
But the service will still remain operational until iOS 6 comes out.”
Borodin was also quoted as saying, “It’s all over… for now.” It can’t have come as a surprise that Apple worked on this problem quickly until it was solved completely, and he should expect that they will be watching him rather carefully going forward.
Apple is encouraging developers to implement the new validation system and has issued the following statement:
“A vulnerability has been discovered in iOS 5.1 and earlier related to validating in-app purchase receipts by connecting to the App Store server directly from an iOS device. An attacker can alter the DNS table to redirect these requests to a server controlled by the attacker. Using a certificate authority controlled by the attacker and installed on the device by the user, the attacker can issue an SSL certificate that fraudulently identifies the attacker’s server as an App Store server. When this fraudulent server is asked to validate an invalid receipt, it responds as if the receipt were valid.”
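The weakness Apple describes is that the old check trusted a yes/no answer from whichever host DNS (plus a user-installed CA) pointed it at. The added example below is not Apple's code and does not use Apple's receipt format; it models the defender's side of the fix the article describes: the receipt carries a device identifier and is verified against a pinned key, so a forged answer from a fraudulent server and a receipt replayed from another device are both rejected. The field names, keys and the HMAC used in place of Apple's signature are constructed assumptions.

```python
import hmac
import hashlib
import json
from typing import Tuple

# Constructed sample keys (assumption): STORE_KEY stands in for the App Store's
# signing key that a validator pins; ATTACKER_KEY belongs to the fraudulent server.
STORE_KEY = b"constructed-app-store-signing-key"
ATTACKER_KEY = b"constructed-attacker-server-key"


def sign_receipt(fields: dict, key: bytes) -> dict:
    """Issue a receipt: serialise the fields and attach a MAC over them.
    (HMAC is a stand-in for Apple's real receipt signature; the field names are made up.)"""
    body = json.dumps(fields, sort_keys=True)
    sig = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return {"payload": body, "sig": sig}


def verify_receipt(receipt: dict, device_id: str, product_id: str) -> Tuple[bool, str]:
    """Validate locally against the pinned key instead of trusting a server's yes/no reply.
    Returns (accepted, reason)."""
    body = receipt["payload"].encode()
    expected = hmac.new(STORE_KEY, body, hashlib.sha256).hexdigest()
    # A receipt produced by the attacker's server fails here, whatever its server "said".
    if not hmac.compare_digest(expected, receipt["sig"]):
        return False, "signature does not verify under the pinned App Store key"
    fields = json.loads(body)
    # The unique identifier binds the receipt to one device, so copying a real
    # receipt from another device does not unlock the purchase.
    if fields.get("device_id") != device_id:
        return False, "receipt is bound to a different device"
    if fields.get("product_id") != product_id:
        return False, "receipt is for a different product"
    return True, "ok"


def demo() -> dict:
    """Constructed scenarios: genuine receipt, replayed receipt, forged receipt."""
    genuine = sign_receipt({"device_id": "device-A", "product_id": "coins.100"}, STORE_KEY)
    forged = sign_receipt({"device_id": "device-B", "product_id": "coins.100"}, ATTACKER_KEY)
    return {
        "genuine_on_A": verify_receipt(genuine, "device-A", "coins.100"),
        "replayed_on_B": verify_receipt(genuine, "device-B", "coins.100"),
        "forged_on_B": verify_receipt(forged, "device-B", "coins.100"),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```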