Slashdot Mirror


Russian Hacker Sidesteps Apple iOS In-App Purchases

An anonymous reader tips news that a Russian developer has posted a video showing how in-app purchases for some iOS software can be acquired without payment. The hack doesn't require the device to be jailbroken, and can be accomplished even by users who aren't technically proficient. The method involves three steps: "The installation of CA certificate, the installation of in-appstore.com certificate, and the changing of DNS record in Wi-Fi settings. After the quick process, users are presented with the message pictured above when installing in-app purchases, opposed to Apple’s usual purchase confirmation dialog." 9to5mac notes that this doesn't affect all apps, since some of them make use of Apple's method for validating receipts.
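
As an added example (not code from the article, the developer or Apple), the sketch below contrasts an app that believes the purchase response it receives on the device with a backend that re-checks the receipt with the store over its own connection, the kind of receipt validation the summary says protects some apps. `FakeStore`, the field names, the status values and the bundle and product ids are constructed stand-ins, not Apple's API.

```python
import base64
import json


def naive_unlock(purchase_response):
    """'Before': the app believes whatever the purchase endpoint answered.

    With a user-installed CA and a changed DNS server, that answer can come
    from any host, so this check proves nothing about payment.
    """
    return purchase_response.get("state") == "purchased"


def encode_receipt(bundle_id, product_id, transaction_id):
    """Build a constructed receipt blob (hypothetical format)."""
    record = {"bundle_id": bundle_id, "product_id": product_id,
              "transaction_id": transaction_id}
    return base64.b64encode(json.dumps(record, sort_keys=True).encode()).decode()


class FakeStore:
    """Constructed stand-in for the store's receipt-verification service."""

    def __init__(self):
        self._issued = {}

    def issue(self, bundle_id, product_id, transaction_id):
        blob = encode_receipt(bundle_id, product_id, transaction_id)
        self._issued[blob] = json.loads(base64.b64decode(blob))
        return blob

    def verify(self, receipt_b64):
        record = self._issued.get(receipt_b64)
        if record is None:
            return {"status": 1}          # assumed: non-zero means invalid
        return {"status": 0, "receipt": dict(record)}


class EntitlementServer:
    """'After': the developer's backend decides, not the device."""

    def __init__(self, verify, bundle_id, products):
        self._verify = verify             # server-to-store call, outside the
        self._bundle_id = bundle_id       # device's CA store and DNS settings
        self._products = set(products)
        self._redeemed = set()
        self.grants = []

    def redeem(self, user, receipt_b64):
        try:
            reply = self._verify(receipt_b64)
        except OSError:
            # Store unreachable: grant nothing, but let the client retry so a
            # paying user is not left billed and uncredited.
            return "retry: store unreachable, keep receipt"
        if reply.get("status") != 0:
            return "rejected: receipt not issued by store"
        receipt = reply.get("receipt", {})
        if receipt.get("bundle_id") != self._bundle_id:
            return "rejected: receipt is for another app"
        if receipt.get("product_id") not in self._products:
            return "rejected: unknown product"
        txn = receipt.get("transaction_id")
        if not txn or txn in self._redeemed:
            return "rejected: transaction already redeemed"
        self._redeemed.add(txn)
        self.grants.append((user, receipt["product_id"]))
        return "granted"


def run_demo():
    store = FakeStore()
    server = EntitlementServer(store.verify, "com.example.towers", {"coins_100"})
    real = store.issue("com.example.towers", "coins_100", "txn-0001")
    other_app = store.issue("com.example.other", "coins_100", "txn-0002")
    # Well-formed blob that the store never issued (what a spoofed host returns).
    forged = encode_receipt("com.example.towers", "coins_100", "txn-9999")

    def store_down(_receipt):
        raise ConnectionError("store unreachable")

    flaky = EntitlementServer(store_down, "com.example.towers", {"coins_100"})
    return {
        "naive_spoofed": naive_unlock({"state": "purchased"}),
        "forged": server.redeem("alice", forged),
        "other_app": server.redeem("alice", other_app),
        "real": server.redeem("alice", real),
        "replay": server.redeem("bob", real),
        "outage": flaky.redeem("alice", real),
        "grants": list(server.grants),
        "outage_grants": list(flaky.grants),
    }


if __name__ == "__main__":
    for name, outcome in run_demo().items():
        print(f"{name}: {outcome}")
```

The entitlement is recorded on the server only after the store confirms the receipt, so a response forged on the device's side of the connection never reaches the grant step.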

142 comments

  1. Thanks Slashdot! by CajunArson · · Score: 5, Informative

    Before even the first 50 apple flame posts are up for this story, the loophole will be closed. The first rule of the free app hack is that YOU DO NOT TALK ABOUT THE FREE APP HACK.

    --
    AntiFA: An abbreviation for Anti First Amendment.
    1. Re:Thanks Slashdot! by chinton · · Score: 5, Insightful
      I thought the first rule would have been "if you don't want to pay for something it doesn't give you the right to take it".

      I've got a hack for getting free jewelry. It involves a crowbar and the brittleness of the glass they use to make those display cases.

    2. Re:Thanks Slashdot! by i kan reed · · Score: 2, Insightful

      Where the "something" in this case are the states of Boolean variables. Not illegal.

    3. Re:Thanks Slashdot! by CajunArson · · Score: 1, Informative

      Since apparently the 10 remaining people on Slashdot now all have Aspergers, you should note that my first post was meant to be sarcastic and facetious.

      To any Apple Security Service (A.S.S.) personnel, I would like to note that I do not own an i/Phone/Pad/whatever and therefore have no interest in stealing your precious apps. Oh wait.. I just realized that not owning an iWhatever makes me an even bigger criminal than that Russian dude! Time to flee the country (again)!

      --
      AntiFA: An abbreviation for Anti First Amendment.
    4. Re:Thanks Slashdot! by Black LED · · Score: 2, Insightful

      I think this is different. The data for the in-app purchases already exists on your device. You have every right to manipulate the data on your device, computer, whatever in any way that you want. So long as you aren't then redistributing that data, there is no problem.

    5. Re:Thanks Slashdot! by Sarten-X · · Score: 4, Interesting

      Exactly... It's not like anybody had to put effort into making those variables do anything, or draw the pictures that appear when the variable holds a particular value, or work out and balance the mechanics of a game that the variables influence. These variables are just information in a storage system, so therefore must be completely detached from any value or human effort whatsoever.

      Similarly, the energy that grew my lunch came from the sun, which gives energy away for free, so it's perfectly legal and right for me to dine-and-dash, right?

      --
      You do not have a moral or legal right to do absolutely anything you want.
    6. Re:Thanks Slashdot! by Dog-Cow · · Score: 1

      That is not true for all such purchases. In fact, I'd wager that a significant minority, if not out-right majority, involve downloading something.

    7. Re:Thanks Slashdot! by Serious Callers Only · · Score: 1

      Where the "something" in this case are the states of Boolean variables.

      Is that the same sort of boolean as the states of Legal/Illegal, or some other rarefied form with which we are not familiar?

    8. Re:Thanks Slashdot! by Anonymous Coward · · Score: 0

      He didn't take it. He asked them to give it to him, they did.

    9. Re:Thanks Slashdot! by Anonymous Coward · · Score: 1

      > It's not like anybody had to put effort into making those variables do anything,

      So what?

      > These variables are just information in a storage system, so therefore must be completely detached from any value or human effort whatsoever.

      I pay for the storage system. Everything else is without imbued value, correct (human effort is a weasel phrase to corrupt the point; effort does not equate to value). Someone is upset when they don't get credit, which is different than having valued assets removed from their possession. I have no moral responsibility to give credit, so I don't feel guilt. I also don't feel hungry after I eat. It's the common human condition. Welcome to the world.

    10. Re:Thanks Slashdot! by nitio · · Score: 5, Insightful

      Not true. YMMV but consider that most likely what you bought is a license to run the software (not the software itself) therefore the software in question - and the data - are still owned by the company that sold you the license. Copyright and all that shit

      Capcom goes a long way to this with DLC characters in their fighting game that are bundled with the disc but you have to pay to have that data already present unlocked. As sad as it is, it's not illegal for them to do that, neither is it legal for you to hack and make it available just because you have the data in a device you own.

      You know what the best alternative is? Pay the extra or don't pay from the beginning. Simple as that.

      --
      http://stoploudness.org/
    11. Re:Thanks Slashdot! by Quila · · Score: 4, Informative

      It was closed before the hack. App developers just didn't bother to implement receipt authorization that's built into the store, allowing their apps to be tricked.

      The question is why Apple didn't make authorization mandatory. But if they did then there'd be bitching about that too.

    12. Re:Thanks Slashdot! by Sarten-X · · Score: 2

      The effort spent to create the software can no longer be sold to someone else, either.

      Instead, the author has worked out a plan for the pricing structure necessary to be fairly (in his or her mind) compensated for the time and effort, and making unlicensed copies is effectively removing a unit of income from that plan. The author could rebuild the plan to accommodate the lost payment, but now has to account for a smaller market, as well. Sure, the author can copy it fifteen billion times, but likewise a jeweler can spend his life making fifteen billion pieces to hand out to every cheap bastard who wants one.

      --
      You do not have a moral or legal right to do absolutely anything you want.
    13. Re:Thanks Slashdot! by Antipater · · Score: 1

      (human effort is a weasel phrase to corrupt the point; effort does not equate to value)

      Thanks so much. I haven't gotten a laugh like that since someone told me that Mormons attacked the US on 9/11. Tell me, how does it feel to live in a world where you never pay the labor cost associated with something?

      --
      Everything is better with chainsaws.
    14. Re:Thanks Slashdot! by Anonymous Coward · · Score: 0

      "I thought the first rule would have been "if you don't want to pay for something it doesn't give you the right to take it"."

      Except if it's an MPAA movie or an RIAA-affiliated music label. Then it's okay.

      #slashdotlogic

    15. Re:Thanks Slashdot! by Sarten-X · · Score: 4, Insightful

      ...effort does not equate to value). Someone is upset when they don't get credit, which is different than having valued assets removed from their possession.

      So tell me, when you were born into this world, what valued assets did you have of your own? Not your family's, mind you, but your own? Apart from things you've put forth effort to produce, or put forth effort to earn the money to pay others to produce, what do you now possess that is of value?

      Everything of value in this world is valued because of the human effort it took to produce it. Metals must be pulled from the Earth, ores must be smelted, and products must be assembled. Information must be conceived, clarified, and codified.

      I have no moral responsibility to give credit, so I don't feel guilt.

      I understand this to mean "I value physical effort infinitely more than mental effort". If I hold the exact opposite definition, you wouldn't mind being my slave, would you? I promise you'll only be doing worthless physical labor...

      --
      You do not have a moral or legal right to do absolutely anything you want.
    16. Re:Thanks Slashdot! by fredprado · · Score: 2

      I don't agree with everything the GP said, but he is right on the excerpt you decided to quote. Effort does not equate to value. You can run in circles loaded with rocks all day long and you will be producing very little value, for example.

    17. Re:Thanks Slashdot! by nedlohs · · Score: 0

      making unlicensed copies is effectively removing a unit of income from that plan.

      If the person who got a copy free was going to buy it in the first place, and if them getting it doesn't result in someone else purchasing it who wouldn't have otherwise, then sure it is a lost sale. That doesn't change that it can be sold to other people though, so it can still be sold to someone else.

      Sure, the author can copy it fifteen billion times, but likewise a jeweler can spend his life making fifteen billion pieces to hand out to every cheap bastard who wants one.

      I'm pretty sure that typing:
      n=1
      while true
      do
              cp it it.$n
              n=`expr $n + 1`
      done

      doesn't take an entire life. Sure it'd waste disk space and be rather stupid to do, but I just did it for free (though I didn't try it so there's probably an error)...

    18. Re:Thanks Slashdot! by Anonymous Coward · · Score: 1

      I'm not buying that. If a text file comes with a license that says "do not modify this text" and you add "hello" to the top of the file, so long as you aren't distributing your modified version, there isn't a thing that the licensor can do to you.

      This is my device, this is my computer. I can change any data that I want on it. No license can deprive me of my freedom to do so.

    19. Re:Thanks Slashdot! by Anonymous Coward · · Score: 0

      >bought is a license

      A license I did not sign is not binding. I bought and paid for the physical copy and not some weird-ass other shit, copyright is very clear on that. The amount of newspeak in your post is worrying (although you heard that probably from one of those untrue commercials).

      Of course they can put whatever junk they want on the disc, however I can do whatever I want to it, including using it as a frisbee or decoding the data on it since I own the thing.

    20. Re:Thanks Slashdot! by Anonymous Coward · · Score: 0

      And physical products are "just" the states and arrangements of atoms. Does this make it ok to steal physical products as well?

    21. Re:Thanks Slashdot! by Anonymous Coward · · Score: 0

      But if you were running around in circles loaded with rocks all day because I asked you to, would you do it for free? Whether software being sold is complete garbage or useful and well-made is irrelevant to the fact that if you want that software, it should be exchanged in an agreement with the author (and if said author wants to distribute the software for free, great, such is his prerogative).

    22. Re:Thanks Slashdot! by i kan reed · · Score: 1

      Of course I do. Software is an organized large collection of data arranged in a novel way. On the other side: you can't copyright "true". Setting one bit on data you already possess is not copyright infringement. You're crazy.

    23. Re:Thanks Slashdot! by spire3661 · · Score: 1

      The problem is labor cost is often disconnected to the actual cost of the product. Should I pay for Max Payne 3 knowing the entire studio was just let go. Should I pay for Kingdoms of Amalur knowing the entire studio is dead and the owners ran off with the money? Paying for these products simply makes the money go down a hole.

      --
      Good-bye
    24. Re:Thanks Slashdot! by ganjadude · · Score: 1

      what is with the low UIDs coming out of the woodwork to troll lately?

      --
      have you seen my sig? there are many others like it but none that are the same
    25. Re:Thanks Slashdot! by legont · · Score: 2

      This is exactly why I personally try to avoid any paid software and such like a plague and use free source. It's not because I mind paying - I actually want to pay people for their work - but because I feel that if I bought something, it is unconditionally mine to do whatever I want with it. Yes, the law is currently different; yes we shall try to change it. Meantime, I just don't buy that kind of products unless absolutely unavoidable. For example, I'd love to have iPad - it's great - but I will not buy it ever.

    26. Re:Thanks Slashdot! by Bigbutt · · Score: 1

      Slashdot's user database was hacked and all the passwords are on one of the hacker sites. So it's not who you think it is.

      [John]

      --
      Shit better not happen!
    27. Re:Thanks Slashdot! by Sarten-X · · Score: 1

      Unless someone values you running in circles with rocks enough to expend their own effort in some other way (like earning money with which to pay you). Maybe you're supposed to be testing the durability of flooring under heavy load, but I digress.

      Exerting effort does not inherently require that someone else value it, but all value is derived (either directly or indirectly) from the exertion of effort. However, as a society we have generally held that all effort is valued when it benefits someone else. The exception to this rule is slavery, where a person's effort benefits someone else, but the person exerting the effort does not have the freedom to choose the value of their work.

      --
      You do not have a moral or legal right to do absolutely anything you want.
    28. Re:Thanks Slashdot! by Anonymous Coward · · Score: 0

      I love this line "If the person who got a copy free was going to buy it in the first place". You aren't going to live forever in the first place, so what difference is it if someone kills you today? I mean can it really be called murder? I mean you were going to die anyway! What's the big diff?

    29. Re:Thanks Slashdot! by scot4875 · · Score: 1

      I understand this to mean "I value physical effort infinitely more than mental effort". If I hold the exact opposite definition, you wouldn't mind being my slave, would you? I promise you'll only be doing worthless physical labor...

      I'm a programmer. I can only speak for myself, but value physical and mental effort roughly equally.

      However, what in-app purchases I see on the app store disgust me. I'll use a recent example of a game I downloaded: it was a decent enough tower defense game -- one that I'd have paid a couple bucks for to compensate the developers. However, there is no paid version; the only method of compensation available is via in-app purchases, where you can buy virtual money to pay for upgrades. The lowest level purchase costs $2.99 and gets you enough money to pay for 1/2 of a level of an upgrade. There are literally hundreds of levels of upgrades. The highest level purchase is $29.99 and gets you enough for about 6 full levels.

      Fuck that. That is absolutely insulting. To spend $30 and not be able to unlock pretty much everything is ridiculous -- and the game doesn't have nearly enough content to make it worthwhile to keep playing to try to max out the upgrades and see how high a score you can get; it "ends" with barely 20% of the stuff being unlocked. If there were simply a $3-$5 buy option, I'd have paid for it and wished the developers well; when they try to milk $30 purchases out of people by using a scoring system that requires a bunch of repetitive play just to have an option to even *get* the highest score, they can starve for all I care. If I'd cared enough, I'd have just written a trainer to go in and add as much cash as I wanted and then published it to the Play store as a special screw-you to the developers.

      If your game requires upgrades to do well, you'd better damn well make sure that the upgrades happen as you work through the game. Games that reset to the beginning after every play have no business going with this model. I didn't have to play through Super Mario Brothers 1000 times just to unlock all the options to get a chance to get a high score, and the fact that people somehow think this is an acceptable way for a scoring system to work now (shit like Temple Run) is just sad to me.

      --Jeremy

      --
      Jesus was a liberal
    30. Re:Thanks Slashdot! by XxtraLarGe · · Score: 1

      The first rule of the free app hack is that YOU DO NOT TALK ABOUT THE FREE APP HACK.

      I thought the first rule would have been "if you don't want to pay for something it doesn't give you the right to take it".

      It was a joke, I think you missed the reference.

      --
      Taking guns away from the 99% gives the 1% 100% of the power.
    31. Re:Thanks Slashdot! by sl4shd0rk · · Score: 1

      "if you don't want to pay for something it doesn't give you the right to take it"

      Like private data on someone's mobile device?

      --
      Join the Slashcott! Feb 10 thru Feb 17!
    32. Re:Thanks Slashdot! by Sarten-X · · Score: 1

      If the person who got a copy free was going to buy it in the first place, and if them getting it doesn't result in someone else purchasing it who wouldn't have otherwise, then sure it is a lost sale.

      That's not their decision to make, though. The author, being the one who exerted the effort, chooses the value of his work. A buyer can either accept the valuation and receive the results of the effort, reject the deal, or suggest a different value that the buyer may agree to.

      At no point, however, is it fair for the buyer to unilaterally decide to have the results of the effort without paying in return. That infringes the producer's freedom to choose the value for his work. A geologist being told that the expedition to a tropical island to find a new oil field was really a vacation, so he won't be paid, is unfair in the same manner. The person doing the work is denied the ability to bargain.

      Sure it'd waste disk space and be rather stupid to do, but I just did it for free

      If you value your effort that little, that's your right. Personally, as an author of a few FOSS programs, I like that, but you do not have the right to force that valuation on someone else.

      --
      You do not have a moral or legal right to do absolutely anything you want.
    33. Re:Thanks Slashdot! by Bert64 · · Score: 1

      For metals pulled from the earth and smelted, and products which are assembled a high level of effort must be expended for each and every product...

      For any form of digital media, effort may well have gone into creating the initial version, but all subsequent copies were produced trivially... So by extension, only the original has any value and all the copies have little or no value.

      Or you could argue that the value of the media should be split equally amongst each produced copy...

      To declare that trivially produced copies hold value would in effect be to declare that the work has infinite value, since infinite additional copies can trivially be produced for no additional effort.

      --
      http://spamdecoy.net - free throwaway anonymous email - avoid spam!
    34. Re:Thanks Slashdot! by tlhIngan · · Score: 1

      It was closed before the hack. App developers just didn't bother to implement receipt authorization that's built into the store, allowing their apps to be tricked.

      The question is why Apple didn't make authorization mandatory. But if they did then there'd be bitching about that too.

      Because authorization means it's a one-off purchase - once you bought something, it's marked in your account as purchased (otherwise Apple can't produce the receipt). Which means if you attempt to buy it again, Apple basically doesn't charge you (the receipt says you already bought it).

      For stuff like DLC, it makes sense - you won't lose the item you bought if you delete and reinstall the app later.

      For stuff that's a purchase for something repeatedly, you can't check receipts (e.g., smurfberries, where you can pay $99 multiple times).

      Plus, apps sometimes like to be able to give stuff for free, which they can implement any which way to check as Apple won't have a receipt (so it's a lose-it scenario if you uninstall and reinstall and the app doesn't back that information up).

    35. Re:Thanks Slashdot! by Ken_g6 · · Score: 1

      Interesting logic. You don't pay for downloaded media or software, either?

      Actually, I don't think I ever have. I only get Free (as in speech) software, free (as in beer) software, Free media, and free media (as in YouTube or what I get with my TV tuner card.)

      But, then, I don't have any Apple devices.

      --
      (T>t && O(n)--) == sqrt(666)
    36. Re:Thanks Slashdot! by Dishevel · · Score: 1

      I did not ask the developer to develop. So the case you provided does not equate with software.
      Not saying right or wrong. Just stating that the GP and GGGP are correct in that.
      Personally I do not like software copyright. I think the current implementation of the laws are at best stupid.
      I think we could have a much bigger effect by just ignoring their shit product though.
      As long as we are "Stealing" it these people have a leg to stand on with the people that count. (Lawmakers)
      If we decided looking at the entire product that it is as presented "shit" and just left it sitting there developers and studios would get the hint and produce content we want.

      --
      Why is it so hard to only have politicians for a few years, then have them go away?
    37. Re:Thanks Slashdot! by Sarten-X · · Score: 1

      Or you could argue that the value of the media should be split equally amongst each produced copy...

      This is exactly what I'm arguing for, but recognizing that the number of sales is generally unknown at the time the pricing is set, and almost definitely unknown at the time the initial effort is put forth.

      I doubt it's possible for Duke Nukem Forever to ever sell enough copies to make up for the amount of effort that went into making (and remaking, and redesigning, and remaking) it. Of course, 15 years ago, that seemed entirely likely, and maybe even with a hefty profit because consumers would (in total) value the game more than the total agreed value of the programmers' effort making it.

      To declare that trivially produced copies hold value would in effect be to declare that the work has infinite value

      I can declare that with anything, easily copied or not. I keep a rock on my back porch. It's unique, and I exerted effort to find and recover it. I value that effort at $1,000,000, because I can. Of course, nobody else will value it that high, so nobody will purchase it from me. Similarly, I can produce an infinite number of copies of my software, but eventually I will run out of people who will buy the copies, because they value it less than I do. Eventually, the valuation of each copy (as decided by the buyers) approaches zero, establishing an upper limit on society's valuation of my software.

      Of course, that upper limit may be many times higher than what I paid someone else for the education, equipment, marketing, and distribution of those copies, so I could make a significant profit. For producing something that society values that highly, I see nothing wrong with that.

      --
      You do not have a moral or legal right to do absolutely anything you want.
    38. Re:Thanks Slashdot! by Sarten-X · · Score: 1

      I'm a programmer too. I can only speak for myself as well, but fuck everything about that pricing.

      It's pretty obvious that the authors are grossly overvaluing their work. This still doesn't give potential customers the right to force them to accept a different valuation, though. The options are to pay the high price, don't use the upgrades, or try to communicate with the authors to negotiate a more reasonable deal.

      --
      You do not have a moral or legal right to do absolutely anything you want.
    39. Re:Thanks Slashdot! by Sarten-X · · Score: 1

      I have no idea what you're trying to say, so I will assume you are practicing a typing lesson. Given the word choice, I'll also assume it's based on some post-modern poetry.

      I estimate a speed of about 30 words per minute. Keep trying, you're doing great!

      --
      You do not have a moral or legal right to do absolutely anything you want.
    40. Re:Thanks Slashdot! by Dahamma · · Score: 1

      It's like that, but where the jewelry store knows you did it and has your email, home address, and credit card number on file.

    41. Re:Thanks Slashdot! by santax · · Score: 1

      But... if apple is closing this gate to their content providers money, how will they rip them off, besides the 30% idiotic cut? This is not a flaw, something this simple yet non-obvious, is implemented.

    42. Re:Thanks Slashdot! by Sparton · · Score: 1

      The question is why Apple didn't make authorization mandatory. But if they did then there'd be bitching about that too.

      Because authorization means it's a one-off purchase - once you bought something, it's marked in your account as purchased (otherwise Apple can't produce the receipt).

      This is not true. A receipt is generated either way, regardless of whether the purchase item allows multiple purchases (such as buying currency) or one-off (such as unlocking a feature).

      The reason a lot of developers probably don't do this is because it makes the transaction take longer. The entire process, when done bullet proof, takes about 15 steps that primarily involve two servers (your company's and Apple's) talking to each other. That introduces a lot of wait time for the transaction to complete... and especially with older devices/crappy wifi, each second means there's a greater chance that the device will lose connection. Depending on where in the process that loss of connection is, that means the user could be billed, but the game doesn't know they should be credited. And that, of course, means really pissed off (paying) customers, including people that may just avoid your entire company's library of current and future games, on the assumption that you're a scammer.

      Bullet proof is great, but many users may not know or want to go through the effort of logging a support ticket. Depending on the company/app, it may not be obvious how to do so. The end result, so long as the free riders aren't too numerous, is actually better for everyone involved (either due to ease of use, getting desired result, or not taking a hit to reputation).

    43. Re:Thanks Slashdot! by fredprado · · Score: 1

      Sure, if you received a commission request you are entitled to receive compensation on delivery or in whatever way you specified in contract with the other part. On the other hand, no, you do not have any "moral right" to have exclusive rights over any intellectual concept or work just because you created it. What you have is just a legal right conceded by society to you. This right exists for less than 500 years of the 30K+ years of human civilization, and it can be argued that before that most of humankind's important intellectual production was done.

    44. Re:Thanks Slashdot! by nedlohs · · Score: 1

      The two cases aren't similar at all. In one you lose something, in the other you don't.

    45. Re:Thanks Slashdot! by nedlohs · · Score: 1

      That's not their decision to make, though. The author, being the one who exerted the effort, chooses the value of his work. A buyer can either accept the valuation and receive the results of the effort, reject the deal, or suggest a different value that the buyer may agree to.

      Sure, and I didn't say otherwise.

      but you do not have the right to force that valuation on someone else.

      Which I didn't try to do, so I'm not sure what the point is?

    46. Re:Thanks Slashdot! by cdrguru · · Score: 1

      If the person who got a copy free was going to buy it in the first place, and if them getting it doesn't result in someone else purchasing it who wouldn't have otherwise, then sure it is a lost sale. That doesn't change that it can be sold to other people though, so it can still be sold to someone else.

      Did you know that there is a substantial number of people who engage in piracy are also "evangelical" about it? By this I mean that they tell all their friends about the great stuff they got for free and make sure their friends know how to get it for free. Some of these people even go so far as believing that if they can destroy the revenue model for software, music, movies, books, whatever that it will somehow just be free for everyone. Therefore, there is the strong desire to make stuff available to the widest audience possible and make sure that anyone that knows how to use BitTorrent and Google will be able to get it for free just like they did.

      End result of this process is once someone acquires a copy of said item it will be redistributed. It was a very old belief that in the mid-1980s every game for Apple computers sold exactly two copies - one on the East coast and one on the West. It was then uploaded to BBS systems and that is where everyone else, including reviewers, got their copy. Very few titles were produced around 1986 for Apple because of this.

      Today I don't really see the need for that second copy to be sold. Distribution is much more efficient these days.

      In no way does one person pirating something affect other sales. Unless they tell all their friends about it and pass around free copies. Which maybe 50% of the folks pirating stuff do.

    47. Re:Thanks Slashdot! by Anonymous Coward · · Score: 0

      I thought the first rule would have been "if you don't want to pay for something it doesn't give you the right to take it".

      I've got a hack for getting free jewelry. It involves a crowbar and the brittleness of the glass they use to make those display cases.

      Don't forget to leave behind a perfect copy of all the jewelry you take with your awesome hack.

    48. Re:Thanks Slashdot! by Anonymous Coward · · Score: 0

      There is vastly more valuable stuff that is not the result of human effort. Water, O2, those minerals people pulled from the Earth... The value is already there to be worth the effort to the human. The human effort, at best, simply expanded on the innate value.

      Perhaps we should live in a world where we are forced to tithe the descendants of Throkk, the caveman who invented fire, every time we strike a match? Reductio ad absurdum works both ways.

    49. Re:Thanks Slashdot! by Anonymous Coward · · Score: 0

      > So tell me, when you were born into this world, what valued assets did you have of your own? Not your family's, mind you, but your own?

      Irrelevant.

      > Apart from things you've put forth effort to produce

      You completely missed the point when you glossed over this part of your half-thought.
      What you produce does not equate to value. So you'll need to rethink what you're saying or abandon the discussion that's outside of your interest.

      > what do you now possess that is of value?

      Physical possessions that I or others decide have value (there's no absolute value). Possession is a social contract. These are related points, only as a basis for my understandings and beliefs.

      There's no value embued in possessions themselves. The characteristics of the possessions are of no value. - This includes the details on a specific item (for example, the dimples on a golfball or the bits on disk). That's the assertion. If I copy the details/likeness there is pressure to reimburse "copyright holders", a legal concept (social contract) as if something was lost (opportunity for credit). I recognize it as social pressure born of social contracts which I do not abide by. There is no moral obligation unless I choose to participate (you must agree to not take our product/ideas outside of the company and we will pay you for effort - I agree and respect the moral obligation even years after employment as it's literally impossible to not "take" ideas...I do what I can to protect their interests). Being told I am agreeing to unknown parties when agreeing to another is just another sham by retailers and lawmakers to create moral obligation where there is none.

      > I understand this to mean "I value physical effort infinitely more than mental effort"

      You do not understand. The rest of your post is based on your fantasy you created for your own amusement.

    50. Re:Thanks Slashdot! by Bucky24 · · Score: 1

      I think the difference is that this is an iPhone (or iPad, whatever). Apple has made it quite clear that they consider the device still belonging to them (regardless if this is legal or not).

      --
      All the world's a CPU, and all the men and women merely AI agents
    51. Re:Thanks Slashdot! by Anonymous Coward · · Score: 0

      well the consumer should have a say, after all, the only thing protecting the author is society's consent through copyright. we really need to have a moratorium on this, i think.

    52. Re:Thanks Slashdot! by Anonymous Coward · · Score: 0

      Yes, because when I Copy That Floppy it's exactly as severe as murder.

    53. Re:Thanks Slashdot! by nedlohs · · Score: 1

      So what? It doesn't mean a given person copying a given piece of software removed a unit of income from the software producer. They may have, they may not have, they may have removed more than one, they have added some. It's the blanket statement I had an issue with.

      It was a very old believe that in the mid-1980s every game for Apple computers sold exactly two copies - one on the East coast and one on the West. It was then uploaded to BBS systems and that is where everyone else, including reviewers, got their copy

      A bullshit belief so why bother repeating it? I was not on the East or the West coast in the 1980s and I bought more than one game for the Apple II. So clearly it is false. Prince of Persia and Karateka were both released for Apple machines in the 1980s and sold significantly more than 2 copies each.

      Very few titles were produced around 1986 for Apple because of this

      Define "very few". 1986 doesn't seem like a bad year judging by: http://www.retrocpu.com/apple-ii/games/
      Sure the Mac Plus came out in 86 which started the decline of the Apple II, but where is your evidence for a drop in games?

    54. Re:Thanks Slashdot! by AmiMoJo · · Score: 1

      Capcom goes a long way to this with DLC characters in their fighting game that are bundled with the disc but you have to pay to have that data already present unlocked. As sad as it is, it's not illegal for them to do that neither is legal for you to hack and make it available just because you have the data in a device you own.

      As citizens and consumers we should not stand for it. Such DLC breaks the traditional system of sales in two very important ways. Firstly you have no choice but to buy from Capcom. There is no market, no-one else can make compatible DLC, you pay what Capcom demands or nothing. Secondly you can't sell what you own. You can sell the game disc but the DLC is tied to your account and then becomes worthless, and you can't pass it on to someone else.

      We have laws governing commerce to prevent abuse. It sounds like we need some new ones.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    55. Re:Thanks Slashdot! by NSN+A392-99-964-5927 · · Score: 1

      Where the "something" in this case are the states of Boolean variables. Not illegal.

      And Algebra..... just watch out for the Bra in Algebra

      --
      All cows eat grass!
    56. Re:Thanks Slashdot! by Anonymous Coward · · Score: 0

      In Soviet Russia.......

    57. Re:Thanks Slashdot! by Sarten-X · · Score: 1

      Water, O2, those minerals people pulled from the Earth... The value is already there to be worth the effort to the human.

      So you pay for every breath you take and every molecule of water you absorb? No? Perhaps it isn't so inherently valuable in the ubiquitous form.

      The value is ascribed to the substance when someone wants it enough to exert effort to make it available, by separating the oxygen from other gasses, or laying pipes to carry the water. If someone is in a situation that requires more effort to get the water or oxygen (say, for instance, being in a polluted city or on a space station), they will value the substance higher, and someone who values their own effort highly can make a profit selling the ubiquitous substance.

      Perhaps we should live in a world where we are forced to tithe the descendents of Throkk, the caveman who invented fire, every time we strike a match?

      Sounds good. We'll divide the value of his effort equally among every person who's ever used his invention, and arrive at an infinitesimal amount, which I consider covered when someone says, "Gee, it sure is nice humans have conquered fire". Thanks, Throkk.

      --
      You do not have a moral or legal right to do absolutely anything you want.
    58. Re:Thanks Slashdot! by Sarten-X · · Score: 1

      Holy Ad Hominem, Batman! If your paragraphs were just a bit shorter, or you used just a little bold text, I'd expect the post to be signed "APK"...

      Irrelevant.

      On the contrary. At birth (and by extension, your ancestors' births), you have exactly nothing of value. Since all trade consists of getting something you value for something someone else values, you must start with something valuable. Somewhere through your life, you (or your charitable benefactor) had to do something to create the initial value, which could then be sold.

      You can either create this value by producing something directly (expending effort in its production) or by facilitating trade between others (thereby expending effort in the transport, marketing, and management of the intermediate goods). In the latter case, you are producing an intangible trade route, which has some value in itself created by the effort you expended to found it.

      What you produce does not equate to value.

      Then what's the motivation to produce it? Sure, there's lots of things to be made that other people don't hold as valuable, but the producer does. The exact quantity of value does not have to be perfectly in agreement by all parties - indeed, little trade would ever occur if this were the case.

      Physical possessions that I or others decide have value (there's no absolute value). Possession is a social contract.

      Okay. The contract is simple enough: You respect my valuation of what I have, and I'll respect your valuation of what you have, and neither of us will diminish that value.

      There's no value [i]mbued in possessions themselves. The characteristics of the possessions are of no value. - This includes the details on a specific item (for example, the dimples on a golfball or the bits on disk). That's the assertion.

      No, that's begging the question. As an aside, the arrangement of dimples on a golf ball is a fascinating branch of study in aerodynamics, and finding the perfect arrangement that maximizes range (or stabilizes flight, or any other particular desired effect that may or may not adhere to official rules) is something that many golfers would find very valuable, but it will take an enormous amount of effort by mathematicians and physicists to develop.

      Now, if I produce a certain piece of knowledge, such as the perfect dimple arrangement, it is as the result of my own investment of effort. Am I under a moral obligation to give away the fruits of my mental labor to the world, for little or no return? If so, then why is that different from a physical effort, whose fruits almost never lose value? When a physical product is acquired without the producer agreeing to the contract, it's clearly labeled as theft. Why is mental work devalued?

      If I copy the details/likeness there is pressure to reimburse "copyright holders", a legal concept (social contract) as if something was lost (opportunity for credit).

      I agree so far...

      I recognize it as social pressure born of social contracts which I do not abide by.

      ...And now we're into the unfair part.

      There is no moral obligation unless I choose to participate...

      By accepting the producer's work, you are agreeing to participate. Then you are throwing his half of the contract out the window by rejecting his terms, but still keeping the product, effectively stealing a portion of the producer's effort. You do have the option to absolve yourself of any moral obligation by not dealing with the producer at all, but that means you don't get to benefit from his work.

      Being told I am agreeing to unknown parties when agreeing to another is just another sham by retailers and lawmakers to create moral obligation where there is none.

      It's a

      --
      You do not have a moral or legal right to do absolutely anything you want.
    59. Re:Thanks Slashdot! by psiclops · · Score: 1

      You aren't going to live forever in the first place, so what difference is it if someone kills you today? I mean can it really be called murder? I mean you were going to die anyway! Whats the big diff?

      if someone kills me today, and i would have lived another 3 years had they not killed me. then i have been deprived of three years life.

      your example would be more analogous* to the argument "Well if i pay for the software, the author is just going to spend the money anyway. so in the end, he will not end up with the money"

      no one is making that argument.

      *would still be a bad analogy but it's about as close as i could get to something in the same realm.

      --
      i spent five minutes thinking and all i got was this crappy sig
    60. Re:Thanks Slashdot! by climb_no_fear · · Score: 1

      Thank you for perfectly describing last week's work.

  2. I'm gonna buy by Culture20 · · Score: 5, Funny

    a wheelbarrow of smurfberries!

    1. Re:I'm gonna buy by Anonymous Coward · · Score: 0

      zynga poker chips, then sell them on ebay and get real $$

    2. Re:I'm gonna buy by Anonymous Coward · · Score: 0

      I've been saving up for the iAmRich expansion packs. Woo-hoo!

  3. Pay the price by Sponge+Bath · · Score: 4, Insightful

    It might be better to buy the software instead of leaving a trail of your theft with the Apple store.

    1. Re:Pay the price by tlhIngan · · Score: 4, Informative

      It might be better to buy the software instead of leaving a trail of your theft with the Apple store.

      It depends on the app. Apps have two choices with regards to in-app purchases. They can go through the official Apple Store receipt mechanism, or choose not to. Usually purchases for stuff that "expire" don't (because the receipt method prevents a user from buying it again, so your $99 smurfberry pack can only be bought once), while stuff that may need to be reloaded does (e.g., DLC, so if you reinstall your app, you can redownload your previous in-app purchases because the app verifies with Apple what DLC you already own).

      It's possible to do a hybrid system where some DLC is offered using the former system (usually to offer it "free" instead of requiring payment) - I believe developers host the additional content so if they wanted to give it for free, they tell the app they can get access to it. Of course, without an Apple receipt for it, if the developer removes the access, you've lost it. It's how the Atari thing let people get all games, but it goes away on next install (Atari updated the game's flags to say you own all the games, but if the app checks against Apple, it says you own none which is the case on reinstall).

      The former could be acquired "for free" by using a jailbroken device with IAPCracker installed. The ones that check don't because they do confirmations with Apple to ensure it really was purchased.

    2. Re:Pay the price by coinreturn · · Score: 1

      -1, pulled this statement directly out of your ass.

    3. Re:Pay the price by Anonymous Coward · · Score: 0

      In some universe, in some place and time, this might make sense. In this universe, this is complete nonsense.

      What in hell are you talking about?

      Who had such poor financial tracking that Apple became one of the richest companies in the world?

      Are you saying the sale of millions of products, from computers, to phones, to tablets has nothing to do with their making a significant profit?

      Whoosh. Your comment went completely over my head....

    4. Re:Pay the price by jellomizer · · Score: 1

      Yes it did. I was supposed to be sarcastic.
      But I guess with a lot of the Anti-Capitalist Everything point of view that is popular, I guess you would think I was being serious.

      The point is if you are going to get free stuff from the Apple store... Apple is going to cramp down fast and hard, as you are directly taking money away from them.

      --
      If something is so important that you feel the need to post it on the internet... It probably isn't that important.
    5. Re:Pay the price by Iniamyen · · Score: 1

      The sarcasm is strong with this one

    6. Re:Pay the price by Anonymous Coward · · Score: 0

      Maybe it's just because I'm not directly coding IAP, but I'm fairly certain getting a receipt has nothing to do with the type of IAP. IAP items can be marked as one of multiple different types, including consumable (such as Smurfberry packages) or non-consumable (such as unlocking a feature).

      I believe all of the documentation for iTunes Connect is not publicly available, but anyone who checks up on that should be able to see that whether or not a receipt is generated has nothing to do with the type.

  4. Russia must be one hell of a land... by bogaboga · · Score: 0

    I say this because in this vast country, major breakthroughs in the tech world have a hand in Russia. I would label Russia as fertile waters to fish for good, competent hacker talent.

    1. Re:Russia must be one hell of a land... by Anonymous Coward · · Score: 0

      Idle hands are the devil's play things.

  5. Re:Take it down! by Anonymous Coward · · Score: 0

    ROFL

    Yes because anything that may interfere with the reality distortion device should never be on public display.

    Meanwhile, suck it, Apple lover.

  6. scruples by v1 · · Score: 2

    Tricking an app store into giving you free game boosters is one thing, but then soliciting donations to upgrade the system is surprisingly brazen. A bit like the difference between pirating movies to watch, and selling pirated movies on the corner.

    --
    I work for the Department of Redundancy Department.
  7. Does it really leave evidence of stealing IAP ? by lymang · · Score: 2

    So apparently you could do this already if your iDevice was jailbroken? I wonder if that method leaves any kind of evidence or not. Does this method (i.e. using this Russian workaround with certificates and whatnot) leave a trail of any kind? I mean, why would people do this if it did leave a trail? I've got to imagine it doesn't leave very much evidence. Or are people really just that greedy?

    --
    Meh.
  8. More apps should validate receipts by bytestorm · · Score: 1

    Hasn't receipt validation been around about as long as in-app iOS purchases? You'd think more people would do it since there is money involved and it isn't particularly complicated.

    1. Re:More apps should validate receipts by Anonymous Coward · · Score: 0

      yes and people still use strcpy().

      When you're paying 20c an hr to some Indian outsourced dev firm to create your apps nobody observes secure programming practices .... gollly!

    2. Re:More apps should validate receipts by alen · · Score: 1

      you must have not met the developers i've met over the years

      I have to change 10 lines of code? oh no, my fingers are going to fall off. i'll just leave it like this

    3. Re:More apps should validate receipts by billcopc · · Score: 5, Interesting

      Disclaimer: app developer here.

      It's been around for a while, yes, but it does require a bit more coding, and since a staggering number of these shady freemium apps are written by copy-paste coders, they've probably been using the non-verified method, because to their eyes it does what they want.

      They might fix it if this workaround becomes too mainstream, but even then, an updated binary would be required in most cases. The cat is out of the bag. Anything going over the network can now be spoofed. Even the verification could be spoofed if so desired. I hope all the Zyngas of the world had their fun while it lasted.

      --
      -Billco, Fnarg.com
    4. Re:More apps should validate receipts by characterZer0 · · Score: 2

      you must have not met the managers i've met over the years

      I have to dedicate 10 minutes of a human resource? oh no, my bonus-driving stats are going to fall off. i'll just leave it like this

      --
      Go green: turn off your refrigerator.
    5. Re:More apps should validate receipts by Anonymous Coward · · Score: 0

      I really hope this shows the dev community how Apple and their AppStore containment process holds no real security value and exposes them for the frauds they are. The fact that this can be easily mitigated only exposes the blatant lack of reliability and lack of sophistication of Apple as a brand.

    6. Re:More apps should validate receipts by broken_chaos · · Score: 1

      Even the verification could be spoofed if so desired.

      Only if you either jailbreak the device or they're (stupidly) not using some sort of public key signing to verify authenticity.
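
The distinction drawn in the comment above, as an added example that is not part of the thread and not Apple's StoreKit code: a client that believes any "purchased" reply it receives over TLS, next to one that verifies a receipt signature against a public key compiled into the app. The receipt format, field names and function names are hypothetical, and Ed25519 from Node's `crypto` module stands in for whatever signature scheme a real store uses.

```javascript
const crypto = require('node:crypto');

// Constructed keys for the demo. STORE_KEYS stands in for the store's signing key;
// only its public half would be compiled into a real app. INTERCEPTOR_KEYS belongs
// to whoever answers once the user has trusted an extra CA and changed DNS.
const STORE_KEYS = crypto.generateKeyPairSync('ed25519');
const INTERCEPTOR_KEYS = crypto.generateKeyPairSync('ed25519');

// Store side (hypothetical format): sign the exact bytes of the JSON payload.
function issueReceipt(privateKey, fields) {
  const payload = Buffer.from(JSON.stringify(fields), 'utf8');
  return {
    payload: payload.toString('base64'),
    signature: crypto.sign(null, payload, privateKey).toString('base64'),
  };
}

// Weak check: believes any reply that arrived over a TLS session the device accepted.
// The device trust store is user-editable, so this proves nothing about the sender.
function unlockNaive(response) {
  return Boolean(response) && response.status === 'purchased';
}

// Hardened check: the signature is verified against a key pinned in the app, so the
// result does not depend on which CAs the device trusts or which DNS server it uses.
function verifyReceipt(receipt, expected, pinnedPublicKey, seenTransactions) {
  const fail = (reason) => ({ ok: false, reason });
  if (!receipt || typeof receipt.payload !== 'string' ||
      typeof receipt.signature !== 'string') return fail('malformed');

  const payload = Buffer.from(receipt.payload, 'base64');
  let signed = false;
  try {
    signed = crypto.verify(null, payload, pinnedPublicKey,
                           Buffer.from(receipt.signature, 'base64'));
  } catch (err) {
    signed = false; // unusable signature bytes count as a failed check
  }
  if (!signed) return fail('bad-signature');

  // Parse only after the bytes are authenticated.
  let fields;
  try {
    fields = JSON.parse(payload.toString('utf8'));
  } catch (err) {
    return fail('malformed');
  }
  if (fields === null || typeof fields !== 'object' ||
      typeof fields.transactionId !== 'string') return fail('malformed');

  // A valid signature is not enough: bind the receipt to this app, product and device.
  if (fields.bundleId !== expected.bundleId) return fail('wrong-app');
  if (fields.productId !== expected.productId) return fail('wrong-product');
  if (fields.deviceId !== expected.deviceId) return fail('wrong-device');

  // Consumables: each transaction may be redeemed once.
  if (seenTransactions.has(fields.transactionId)) return fail('replayed');
  seenTransactions.add(fields.transactionId);
  return { ok: true, reason: 'ok', quantity: fields.quantity };
}

// Runs the checks over constructed sample receipts and returns the outcomes.
function runDemo() {
  const expected = { bundleId: 'com.example.game', productId: 'berries.100', deviceId: 'device-A' };
  const purchase = { ...expected, transactionId: 'txn-0001', quantity: 1 };
  const seen = new Set();

  const genuine = issueReceipt(STORE_KEYS.privateKey, purchase);
  // Well-formed receipt, but signed by a key the app does not pin.
  const forged = issueReceipt(INTERCEPTOR_KEYS.privateKey,
                              { ...purchase, transactionId: 'txn-9999' });
  // Genuine signature reused over an edited payload.
  const tampered = {
    payload: Buffer.from(JSON.stringify({ ...purchase, quantity: 100 })).toString('base64'),
    signature: genuine.signature,
  };
  // Genuinely signed, but issued for another device.
  const otherDevice = issueReceipt(STORE_KEYS.privateKey,
                                   { ...purchase, deviceId: 'device-B', transactionId: 'txn-0002' });

  const check = (r) => verifyReceipt(r, expected, STORE_KEYS.publicKey, seen);
  return {
    naiveAcceptsForgery: unlockNaive({ status: 'purchased' }),
    forged: check(forged),
    tampered: check(tampered),
    otherDevice: check(otherDevice),
    genuine: check(genuine),
    replayed: check(genuine), // same receipt presented a second time
  };
}

console.log(runDemo());
```
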

    7. Re:More apps should validate receipts by Anonymous Coward · · Score: 0

      Call me when 100 copies of an app get posted to the market by people who took someone else's app, changed the name, and uploaded it as their own.

    8. Re:More apps should validate receipts by Anonymous Coward · · Score: 0

      Receipt validation is rather trivial to implement, actually:
      https://developer.apple.com/library/ios/#documentation/NetworkingInternet/Conceptual/StoreKitGuide/VerifyingStoreReceipts/VerifyingStoreReceipts.html#//apple_ref/doc/uid/TP40008267-CH104-SW1

    9. Re:More apps should validate receipts by 93+Escort+Wagon · · Score: 1

      The fact that this can be easily mitigated only exposes the blatant lack of reliability and lack of sophistication of Apple as a brand.

      Did you not bother to read anything at all? Apple already provides a method for developers to verify the validity of in-app purchases - but some developers choose to not use it because it's easier not to.

      This is a classic "lazy developer" problem, not an Apple problem.

      --
      #DeleteChrome
    10. Re:More apps should validate receipts by Eightbitgnosis · · Score: 1

      I don't know about how the app store looks to you, but most all I see are 100's of copies of the same app.

  9. Re:Take it down! by billcopc · · Score: 0, Troll

    Eat a dick, AC.

    What I'm saying is, if it's a slow news day, then let's not stoop to advertising black-hat services. I know the quality of posts on here has gone to shit, but this takes the cake. The shit-cake.

    --
    -Billco, Fnarg.com
  10. You are liable for purchases made this way... by bhlowe · · Score: 1, Insightful

    I hope that Apple bills each user who tries this... It would not be that hard to show that the purchase was made and after a little sorting out, the credits will go to the developer.. I'm not sure what happens if you run up expenses on your account that you can't afford, but my guess is that your service may be interrupted... Most of us have day jobs where we toil away for a corporation or government. Some of us toil away on software projects so we can escape that grind. It isn't easy making a living selling software... Show a little decency and respect to the developers... The marginal cost of delivery has nothing to do with the morality of getting something that you're not entitled to have.

    1. Re:You are liable for purchases made this way... by psiclops · · Score: 1

      you are not liable for such purchases as you never entered into an agreement to purchase them.
      Apple can't bill you for them. Apple can't bill you for anything, because you don't have a billing account with Apple.
      They could suspend your Apple account; however, if they do that anyone whose account is suspended might as well just jailbreak their device.

      They can not do anything to your actual phone service as they are not a party to your agreement with your carrier.

      --
      i spent five minutes thinking and all i got was this crappy sig
  11. Details? by dgatwood · · Score: 1

    I'm not 100% clear on what this hack does. Are they:

    • Tricking an app into providing a bogus receipt to broken third-party servers that fail to properly validate store receipts, and thus provide content without a valid purchase,
    • Taking an existing pirated copy of an in-app purchase blob and tricking the app into thinking that it was provided by the store, or
    • Tricking an app into thinking that a receipt is valid by changing certificate trust policies, thus causing them to activate a feature that was built into the app to begin with?

    Or some combination of the above?

    --

    Check out my sci-fi/humor trilogy at PatriotsBooks.

    1. Re:Details? by falcon5768 · · Score: 1

      The first one. Basically it only affects developers who don't use Apple's in-app purchase receipt checking APIs. Anyone who coded properly is not affected which is probably why he chose to show it working on shitty facebook-like games and not anything from a decent developer.

      --

      "Slashdot, where telling the truth is overrated but lying is insightful."

  12. Now you know. Now don't do it. by jellomizer · · Score: 0

    Also I wouldn't publish or use his findings. Because if you are caught you are in trouble.
    There is getting pirated material from another site (The Site owner takes some (usually the bulk) responsibility for the failure) is one thing. Actually trying to get the data straight from Apple Store, is stealing. If caught you are going to be responsible. Being that this is costing Apple Money, you will bet if they are nice they will charge you for the Apps you downloaded, if not they will fine you a much higher amount for stealing from them. If they are really going to be bastards about it they just may send the police to knock on your door. Just pay the freaking couple of bucks for the app. It isn't worth the risk of getting caught.

    --
    If something is so important that you feel the need to post it on the internet... It probably isn't that important.
  13. Not the first to do it by Anonymous Coward · · Score: 1

    There is already a much more polished version of this where you just install a single app from a Cydia repo that does essentially the same thing. It's been out for months.

    1. Re:Not the first to do it by falcon5768 · · Score: 4, Informative

      It's not that he was the first that shocked anyone, it's that he pulled it off WITHOUT jailbreaking the phone using DNS redirects and user-installed certs

      --

      "Slashdot, where telling the truth is overrated but lying is insightful."

    2. Re:Not the first to do it by Deorus · · Score: 1

      It's not that he was the first that shocked anyone, it's that he pulled it off WITHOUT jailbreaking the phone using DNS redirects and user-installed certs

      Yes, he exploited common vulnerabilities on random apps. How innovative! It's almost like mass-exploiting Wordpress and claiming that the OS running it is not secure.

    3. Re:Not the first to do it by Anonymous Coward · · Score: 0

      Oh my mistake, I didn't see that it didn't need to be jailbroken.

    4. Re:Not the first to do it by Anonymous Coward · · Score: 0

      You are being pretty disingenuous with that comment. It's a nice little Macgyver style hack. Toothpick, potato, iphone.

  14. Article is misleading by falcon5768 · · Score: 4, Informative

    He didn't sidestep anything, he took advantage of bad developers who don't use Apple's in-app receipt checking APIs.

    --

    "Slashdot, where telling the truth is overrated but lying is insightful."

    1. Re:Article is misleading by Anonymous Coward · · Score: 0

      Right because it's so wildly unique that bad developers are the cause of a security violation, no wait, it isn't, that's how ALL security violations exist. Moron.

  15. Cheat codes come to modern games by GameboyRMH · · Score: 3, Insightful

    Before cheat codes made the games more fun for lousy players, but today they make them more fun for poor players!

    --
    "When information is power, privacy is freedom" - Jah-Wren Ryel
  16. /. Decline. by Feyshtey · · Score: 0

    Has /. actually stooped so low as to post hacker how-to's? Really? When will it open the game cheats section, and the "used software" trade service...

    --
    "But we have to pass the bill so that you can find out what is in it,..." - Nancy Pelosi
    1. Re:/. Decline. by psiclops · · Score: 1

      this is a news site.
      it's news.

      this is a site aimed towards somewhat technologically knowledgeable people.
      it gave a somewhat technological account of what the hack is.

      i don't understand your issue.

      --
      i spent five minutes thinking and all i got was this crappy sig
  17. Before giving your AppleID pass to a russian guy.. by Anonymous Coward · · Score: 0

    ..you should think what are u doing.

  18. Credentials? by Paran · · Score: 1

    I'm unsure what exactly gets sent with an in-app purchase, but I'd assume it has something to do with your App Store account. Can anyone tell me why I keep getting multiple errors when trust( "RussianHacker"); is called?

    1. Re:Credentials? by CowTipperGore · · Score: 1

      According to TFA, this is the data sent to the Russian servers when you use it to make a "purchase":

      -restriction level of app
      -id of app
      -id of version
      -guid of your idevice
      -quantity of in-app purchase
      -offer name of in-app purchase
      -language you are using
      -identifier of application
      -version of application
      -your locale

  19. Lazy Developers using a default MKStoreKit by Anonymous Coward · · Score: 0

    http://developer.apple.com/library/ios/#documentation/NetworkingInternet/Conceptual/StoreKitGuide/VerifyingStoreReceipts/VerifyingStoreReceipts.html

    Most devs with this issue basically never set up a server to store receipts for the transaction, which makes it impossible to restore purchases if you upgrade your phone, restore from a backup without the purchases, or verify that the transaction actually occurred if you, say, got a phone call in the middle of the transaction, lost internet connectivity, had a lossy 3g connection which lost vital packets of information, or the app just crashed. In all of those cases you would be out the money, and the developers wouldn't do anything in response. Contacting Apple might result in a credit for the amount of the iAP purchase, or it might not.

    Receipt validation is good for everyone. Hopefully this will FINALLY encourage Lazy developers to stop using the default setting for MKStoreKit and actually set up iAP purchases properly.

  20. re: Crime names by pyzondar · · Score: 1

    It might be better to buy the software instead of leaving a trail of your theft with the Apple store.

    The crime of forging receipts is called Uttering. I would be fine with fraud as well, but calling it theft is just retarded.

  21. Re:Take it down! by MickyTheIdiot · · Score: 2

    No no no.. it's a PRO Apple Store topic. This just means now all developers will have to use the new validation method. It's exactly what Apple wants....

  22. Liar by SmallFurryCreature · · Score: 3, Informative

    You must be one of those kiddies who shit their pants at the thought of violating a EULA or live in corporate USA. But for normal people in the free world, you are free to do anything to any bit on your computer.

    EULAs cannot take away fundamental rights and I have the right to remix, video/music and data anyway I want. FOR MYSELF! As long as I do not redistribute copyright material YOU FUCKING MORON, copyright laws are not applicable.

    And this guy is NOT distributing copyrighted material that does not belong to him, he is merely distributing the tool to allow others to modify theirs. So unless you were stupid enough to elect politicians who voted for the DMCA and other such bought laws, there is NOTHING illegal about any of this.

    If you had a brain and did not just suck corporate dick you would know that the modding scene does this kind of thing routinely AND with encouragement. Create a new map using copyrighted resources? Go right ahead. As long as you only distribute the new map, not the textures and other resources from the game (which shouldn't be needed because the person downloading the map already has them from his own game).

    Oh and it has been proven by the court that software licenses do not work as your diseased mind thinks they do. You can sell on software. When I buy software, I am free to modify it in any way I want. Good luck trying to enforce anything else in the free world. It would actually be rather nice if it was the other way around. Then software companies would also have to accept 100% liability for anything their software does on MY hardware. After all, it is THEIR property right?

    Take Bill Gates dick out of your mouth long enough to get some fresh air and see if you can get that peanut in your head to think some independent thoughts.

    --

    MMO Quests are like orgasms:

    You may solo them, I prefer them in a group.

    1. Re:Liar by Anonymous Coward · · Score: 0

      I have not seen a more disillusioned rant than this in a very long time.

    2. Re:Liar by nitio · · Score: 3, Interesting

      Hm, no I don't live in corporate USA though I'm trying to figure out which part of the free world you live. Care to share? Just curious. I live in Brazil so I'm not sure if you deem it as free or not. Not that I care that much.

      I think I had made myself clear when I said "Copyright and all that shit" suggesting I don't agree with copyright legislation the way it is pretty much everywhere and the "YMMV" sort of implies that my point of software license isn't true all the time. I'm sorry if I haven't shouted or something to bring my point out.

      Regarding company liability- as it is with anything legal it's always not 100% true or false but you can think about the Sony Rootkit CDs which, well, made them liable for the software it installed doing unexpected things in people's hardware. You don't need to agree with me neither counter it, I'm simply suggesting that as one example where the route can be taken the other way around.

      Now, to best part of your arguments, which is name calling. Might I suggest you avoid that? It doesn't add anything to anybody or the discussion. Sure you had your point - which is valid, I agree, though there are specifics. I don't think most companies that allow mods to happen are happy if people start making money out of it OR take their money because of it.
      But when you name call, your argument is lost because you found someone who disagrees with you

      But hey, at least you imply iyou have independent thoughts!


      PS: Bill's dick wasn't that good.

      --
      http://stoploudness.org/
  23. Man in the Middle... by Anonymous Coward · · Score: 5, Interesting

    In other news... Russian Hackers clear a lot of bank accounts...

    Let me get this straight:
    You install a new certificate and point your DNS setting to a foreign server under the control of someone you should not trust.
    In other words: Any communication afterwards can be intercepted and even SSL encrypted sessions will look fine.
    Why spend a lot of work for some malware when good old STUPID provides the same setup for your man-in-the-middle attack?

    Most users who do this (farmville players...) will not change this back and also use their iPad for stuff like online banking.

    1. Re:Man in the Middle... by Bob+the+Super+Hamste · · Score: 1

      My kingdom for mod points today. Mod this AC up.

      --
      Time to offend someone
    2. Re:Man in the Middle... by Anonymous Coward · · Score: 0

      +1.
      Mod up.

    3. Re:Man in the Middle... by Kadagan+AU · · Score: 1

      While you're right not to trust this, the website says his DNS server does NOT allow you to connect out to any other sites. It only allows in-app purchases, and you must restore the configuration to use your old DNS server before you can do anything else. I'm not sure what dangers there are from the certificates that he has you install however.

      --
      This space for rent, inquire within.
  24. This completely compromises device security by Anonymous Coward · · Score: 1

    Uh, let me get this straight. The method posted involves installing a SomeGuy's (TM) trusted root certificate and using SomeGuy's (TM) DNS resolver?

    This is an incredible security risk, since it completely and utterly subverts any SSL/TLS communication from that device.

    If you need an example - what's to stop SomeGuy (TM) from signing a certificate for https://www.your-bank.example.com/, copying the bank website to a server under his (or her) control, and having the DNS resolver point to the IP for his (or her) server instead of your actual bank?

    Frankly, anyone who is misguided enough to do this deserves what's coming...

    1. Re:This completely compromises device security by Anonymous Coward · · Score: 0

      They are aiming at the same people who use Installous then whine when some app comes with a payload of more than just the original .ipa file.

      Same people who piss the hell out of the legit jailbreakers and the people part of the Cydia ecosystem.

      So, if they get hung up by someone asking them to install a root cert and such in order to get more smurfberries without paying, nobody really is going to shed a tear.

    2. Re:This completely compromises device security by Anonymous Coward · · Score: 0

      ah This ^^^^^^ or if you can't follow that here
      http://apple.slashdot.org/comments.pl?sid=2977741&cid=40643915

      idiot

  25. but then after that... by slashmydots · · Score: 1

    Apple pretty much ties your DNA sequence and entire family history back to the 1st century to your MAC address and Apple store account and the files themselves are still coming from their servers so I don't think it'd take real long for anyone doing this to get arrested.

  26. On The "Russian Hacker Sidesteps Apple iOS In-App" by Anonymous Coward · · Score: 0

    I would be cautious on this. It smells like a "honey-pot" kind of situation. Apple is known for tracking its users' purchases, usage, etc. They may be looking for those who would actually commit this - a new bait and switch or snatch and grab. I recommend researching this further and seeing what the Russian Hacker's process was and following up with them on it.

  27. Shocking I Tell You! by rabtech · · Score: 1

    Oh so if I install this random Root Certificate Authority on my machine, thus granting some random hackers the ability to perform MITM attacks against all my SSL sessions, they can perform a MITM attack on in-app purchase transactions?

    Shocking, simply shocking.

    FYI: this exists so enterprise customers can install their root CA certs so their internal certificates will be considered valid.

    At its core, this is the same problem we have with SSL in general. CAs are a single point of failure and one rogue certificate or one hacked CA breaks the entire chain of trust.

    --
    Natural != (nontoxic || beneficial)
  28. install a Russian provided CA? by Anonymous Coward · · Score: 0

    what could possibly be the risk with that!

  29. since some of them make use of Apple's method for by mapkinase · · Score: 1

    >since some of them make use of Apple's method for validating receipts.

    And now I know who is the employer of that Russian developer

    --
    I do not believe in karma. "Funny"=-6. Do good and forbid evil. Yours, Oft-Offtopic Flamebaiting Troll.
  30. Apple's receipt verification is broken too by Y2K+is+bogus · · Score: 4, Interesting

    I just reviewed the documentation for the receipt verification, and that process is broken too.

    To summarize, you forward an opaque token to the appstore and verify success using a simple clear text status flag. This is fundamentally broken because the client doesn't authenticate the source of either piece of data. The original hack in this article is based on a Man In the Middle attack; their receipt verification system is vulnerable to exactly the same type of attack.

    The lack of cryptographic hashing and authentication on the client side is a complete failure of Apple's API design. The first step should be message signing and authentication to ensure the server is who the server says they are. Apple is relying on SSL certificates for this role, which I feel is inadequate. The SSL Certificate Authority system has been broken for a long time and reliance upon them to assure authenticity is a Bad Idea(tm).

    The concept of centralized CAs is good in theory, but recent events have proven that CAs are easily corrupted by economic, political, and technical means.

    1. Re:Apple's receipt verification is broken too by Anonymous Coward · · Score: 0

      CA PKI was designed to be weak. The rationale behind CA-signed certs was that it negated the need to distribute public keys of all certs; this would be valid if we were not using it on the most effective system for distributing information, i.e. the internet.

      Think I'm wrong? Ever wonder why client PKI never took off?

    2. Re:Apple's receipt verification is broken too by assassinator42 · · Score: 1

      The receipt data is first supposed to be sent to the developer's server. The server then verifies it with the app store. It's up to the developer to make sure communication with their own server is secure.
      Still not a very good system IMO. What does Apple use for securing actual app purchases from their store? I'm assuming they have something in place to prevent using a MITM attack to install your own apps?

  31. Re:Take it down! by Anonymous Coward · · Score: 0

    This is moronic to have posted on /. and should be immediately taken down.

    Wow, I couldn't have described your post any better! Great job!

  32. HA! I was wrong by 93+Escort+Wagon · · Score: 2

    As more information has come out, it has become apparent my statement immediately above is erroneous. If the workaround server has access to a valid receipt from someone - anyone - it can circumvent even in-app purchase verifications for that app even if it is using Apple's system.

    So while there may be a "lazy developer" component - it's not the whole story.

    --
    #DeleteChrome
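
The server-side check assassinator42 describes above, extended to refuse the reused receipt that 93 Escort Wagon describes, as an added example that is not part of the thread or Apple's code. It assumes the purchased balance is kept on the developer's server, that the server has already fetched the store's JSON reply over its own connection (where a CA installed on the handset has no effect), and that the field names `status`, `receipt`, `bid`, `product_id` and `transaction_id` match the legacy receipt format; `ReceiptLedger` and the sample values are hypothetical.

```python
import json

# Constructed sample of the JSON the store's verification endpoint returns to
# the developer's server. Field names are assumed from the legacy receipt
# format; they are not given in the thread.
SAMPLE = json.dumps({"status": 0, "receipt": {
    "bid": "com.example.game",
    "product_id": "com.example.game.berries_100",
    "transaction_id": "1000000000000001"}})


class ReceiptLedger:
    """Grants each store transaction at most once (in-memory for the demo)."""

    def __init__(self, bundle_id, catalog):
        self.bundle_id = bundle_id
        self.catalog = set(catalog)
        self.redeemed = {}  # transaction_id -> account that consumed it

    def redeem(self, account, requested_product, response_text):
        """Return (granted, reason) for one purchase claim from a client."""
        try:
            body = json.loads(response_text)
        except ValueError:
            return False, "malformed response"
        if not isinstance(body, dict):
            return False, "malformed response"
        status = body.get("status")
        if type(status) is not int or status != 0:
            return False, "store rejected receipt"
        receipt = body.get("receipt")
        if not isinstance(receipt, dict):
            return False, "no receipt in response"
        # A genuine receipt from a different app or item must not unlock this one.
        if receipt.get("bid") != self.bundle_id:
            return False, "receipt is for another app"
        product = receipt.get("product_id")
        if product != requested_product or product not in self.catalog:
            return False, "receipt is for another product"
        txn = receipt.get("transaction_id")
        if not isinstance(txn, str) or not txn:
            return False, "missing transaction id"
        # A valid receipt captured once and replayed (by anyone) is refused.
        if txn in self.redeemed:
            return False, "transaction already redeemed"
        self.redeemed[txn] = account
        return True, "granted"
```
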
  33. I believe this is how it works by Anonymous Coward · · Score: 1

    So, to verify the receipt: http://developer.apple.com/library/ios/#documentation/NetworkingInternet/Conceptual/StoreKitGuide/VerifyingStoreReceipts/VerifyingStoreReceipts.html
    1) you send a receipt to https://buy.itunes.apple.com/blah blah (note the https so ssl is used here)
    2) buy.itunes.apple.com sends the app back the message whether the receipt is valid or not (I believe it's pure JSON over SSL)

    This is, I believe, how the hack works:
    1) you change the DNS so that buy.itunes.apple.com points to your server
    2) Since it's https the domain is checked against CA, our fake buy.itunes.apple.com won't pass CA check. So, install custom CA. I believe this is where Apple made a mistake: instead of checking buy.itunes.apple.com against only the built-in CAs, it checked this domain against user-installed certificates as well.
    3) have the fake server (which now will pass CA check) send you the right message (which I believe is just pure JSON).
    4) have a boat load of smurfberry delivered

    So, if my speculation is true, then this hack will work with any app, even if the app is trying to verify the receipt with iTunes.

  34. Awww, people not paying for smurf berries..... by Eightbitgnosis · · Score: 1

    in your games that are all rip offs of games that existed on Newgrounds.com for at least 15 years? Gee, why wouldn't they want to pay for that?

  35. Re:Take it down! by psiclops · · Score: 1

    then let's not stoop to advertising black-hat services.

    Yes, instead we should bury our heads in the sand and pretend it doesn't exist. People who know about the exploit can then continue to use it. App developers can remain blissfully unaware that people are getting their in-app purchases for free.

    Let's never show news that anything is ever wrong with the world. Perhaps we could build some sort of filter for the internet that blocked everything we didn't want the public to hear.

    It is also debatable as to whether this is a black-hat method in the first place:
      - You're not actually tricking the server into thinking you have paid for the item so that it sends it to you.
      - You are unlocking functionality that already exists within the app that the developer has already either sold to you or given to you for free.

    --
    i spent five minutes thinking and all i got was this crappy sig