Apple is taking steps to stop users gaining free in-app purchases through an online hack.
Apple have reportedly taken steps to prevent the use of a free in-app purchase hack. The hack, published by Russian hacker Alexy V. Borodin, shows app users how to work around in-app purchases and get the extra content for free.
Apple have confirmed that they are investigating the hack and have already taken steps to minimize the number of people who can use it. They also told developers that the loophole would be closed completely in iOS 6, making the hack void.
For now, they have reportedly responded to the hack by adding a new field to capture users’ unique device identifier (UDID) to track in-app purchases through the Apple Store. This can help identify which devices are using the hack to get free content. Apps aren’t normally supposed to collect this information, so the move has sparked debate over whether Apple are rolling out broader security measures involving UDIDs, or whether this is a one-time event.
While this method doesn’t stop users from utilizing the hack, it does identify the individuals doing so. It’s thought that this might act as a deterrent and reduce the number of people exploiting the loophole. Apple have also blocked the servers that were originally used for the bypass.
Borodin originally built the hack after becoming frustrated with the CSR Racing app, which is free to download but requires payment to unlock a number of features and options. Speaking to Macworld, Borodin said: “I set this up due to hungry and lazy developers … I was very angry to see that CSR Racing developer taking money from me every single breath.”
How the Hack Works
The hack works by spoofing the code receipts that Apple provides for in-app purchases. These receipts help developers validate purchases, and release the extra content. With the hack, users install fake certificates on their device and use a special DNS server that pretends to be the App Store. This tricks the app into thinking its communicating with the app store, and that the receipts are produced by Apple. Borodin revealed that every in-app purchase receipt is generic and doesn’t contain any identifiable data, so they are easy to fake. Apple suggests that developers set up their own servers for receipt validation, which in this instance could protect them from the hack, but many do not have the time or the resources to do so.
Publicity around the hack has raised questions over whether Apple is doing enough to protect developers. Many developers use a business model that involves low initial download costs, and relies on in-app purchases from loyal customers to generate revenue. If users can by-pass the purchase, but still get the benefits, this can cost developers large amounts of income. On the flip side, Borodin isn’t the first – or last – app user to become frustrated with how some developers exploit in-app purchases, leading customers to believe they are getting a free download, then charging them for even basic functions and content.
So what would Borodin do when his hack becomes obsolete? “The future is to cache developers’ server responses,” he revealed, indicating that even apps that use their own servers to validate in-app purchases instead of the App Store, could be find themselves at risk of being hacked.