Russian Hacker Sidesteps Apple iOS In-App Purchases

An anonymous reader tips news that a Russian developer has posted a video showing how in-app purchases for some iOS software can be acquired without payment. The hack does't require the device to be jailbroken, and can be accomplished even by users who aren't technically proficient. The method involves three steps: "The installation of CA certificate, the installation of in-appstore.com certificate, and the changing of DNS record in Wi-Fi settings. After the quick process, users are presented with the message pictured above when installing in-app purchases, opposed to Apple’s usual purchase confirmation dialog." 9to5mac notes that this doesn't affect all apps, since some of them make use of Apple's method for validating receipts.

Thanks Slashdot!

[CajunArson]

Before even the first 50 apple flame posts are up for this story, the loophole will be closed. The first rule of the free app hack is that YOU DO NOT TALK ABOUT THE FREE APP HACK.

Re:Thanks Slashdot!

[Quila]

It was closed before the hack. App developers just didn't bother to implement receipt authorization that's built into the store, allowing their apps to be tricked.

The question is why Apple didn't make authorization mandatory. But if they did then there'd be bitching about that too.

Re:Pay the price

[tlhIngan]

It might be better to buy the software instead of leaving a trail of your theft with the Apple store.

It depends on the app. Apps have two choices with regards to in-app purchases. They can go through the official Apple Store receipt mechanism, or choose not to. Usually purchases for stuff that "expire" don't (because the receipt method prevents a user from buying it again, so your $99 smurfberry pack can only be bought once), while stuff that may need to be reloaded does (e.g., DLC, so if you reinstall your app, you can redownload your previous in-app purchases because the app verifies with Apple what DLC you already own).

It's possible to do a hybrid system were some DLC is offered using the former system (usually to offer it "free" instead of requiring payment) - I believe developers host the additional content so if they wanted to give it for free, they tell the app they can get access to it. Of course, without an Apple receipt for it, if the developer removes the access, you've lost it. It's how the Atari thing let people get all games, but it goes away on next install (Atari updated the game's flags to say you own all the games, but if the app checks against Apple, it says you own none which is the case on reinstall).

The former could be acquired "for free" by using a jailbroken device with IAPCracker installed. The ones that check don't because they do confirmations with Apple to ensure it really was purchased.

Article is missleading

[falcon5768]

He didnt sidestep anything, he took advantage of bad developers who don't use Apples in-app receipt checking APIs.

Re:Not the first to do it

[falcon5768]

Its not that he was the first that shocked anyone, its that he pulled it off WITHOUT jailbreaking the phone using DNS redirects and user-installed certs