Slashdot Mirror

← Back to Stories (view on slashdot.org)

Russian Hacker Sidesteps Apple iOS In-App Purchases

Posted by Soulskill on from the price-is-right dept.

An anonymous reader tips news that a Russian developer has posted a video showing how in-app purchases for some iOS software can be acquired without payment. The hack does't require the device to be jailbroken, and can be accomplished even by users who aren't technically proficient. The method involves three steps: "The installation of CA certificate, the installation of in-appstore.com certificate, and the changing of DNS record in Wi-Fi settings. After the quick process, users are presented with the message pictured above when installing in-app purchases, opposed to Apple’s usual purchase confirmation dialog." 9to5mac notes that this doesn't affect all apps, since some of them make use of Apple's method for validating receipts.

27 of 142 comments (clear)

  1. Thanks Slashdot! by CajunArson · · Score: 5, Informative

    Before even the first 50 apple flame posts are up for this story, the loophole will be closed. The first rule of the free app hack is that YOU DO NOT TALK ABOUT THE FREE APP HACK.

    --
    AntiFA: An abbreviation for Anti First Amendment.
    1. Re:Thanks Slashdot! by chinton · · Score: 5, Insightful
      I thought the first rule would have been "if you don't want to pay for something it doesn't give you the right to take it".

      I've got a hack for getting free jewelry. It involves a crowbar and the brittleness of the glass they use to make those display cases.

    2. Re:Thanks Slashdot! by i+kan+reed · · Score: 2, Insightful

      Where the "something" in this case are the states of Boolean variables. Not illegal.

    3. Re:Thanks Slashdot! by Black+LED · · Score: 2, Insightful

      I think this is different. The data for the in-app purchases already exists on your device. You have every right to manipulate the data on your device, computer, whatever in any way that you want. So long as you aren't then redistributing that data, there is no problem.

    4. Re:Thanks Slashdot! by Sarten-X · · Score: 4, Interesting

      Exactly... It's not like anybody had to put effort into making those variables do anything, or draw the pictures that appear when the variable holds a particular value, or work out and balance the mechanics of a game that the variables influence. These variables are just information in a storage system, so therefore must be completely detached from any value or human effort whatsoever.

      Similarly, the energy that grew my lunch came from the sun, which gives energy away for free, so it's perfectly legal and right for me to dine-and-dash, right?

      --
      You do not have a moral or legal right to do absolutely anything you want.
    5. Re:Thanks Slashdot! by nitio · · Score: 5, Insightful

      Not true. YMMV but consider that most likely what you bought is a license to run the software (not the software itself) therefore the software in question - and the data - are still owned by the company that sold you the license. Copyright and all that shit

      Capcom goes a long way to this with DLC characters in their fighting game that are bundled with the disc but you have to pay to have that data already present unlocked. As sad as it is, it's not illegal for them to do that neither is legal for you to hack and make it available just because you have the data in a device you own.

      You know what the best alternative is? Pay the extra or don't pay from the beginning. Simple as that.

      --
      http://stoploudness.org/
    6. Re:Thanks Slashdot! by Quila · · Score: 4, Informative

      It was closed before the hack. App developers just didn't bother to implement receipt authorization that's built into the store, allowing their apps to be tricked.

      The question is why Apple didn't make authorization mandatory. But if they did then there'd be bitching about that too.

    7. Re:Thanks Slashdot! by Sarten-X · · Score: 2

      The effort spent to create the software can no longer be sold to someone else, either.

      Instead, the author has worked out a plan for the pricing structure necessary to be fairly (in his or her mind) compensated for the time and effort, and making unlicensed copies is effectively removing a unit of income from that plan. The author could rebuild the plan to accommodate the lost payment, but now has to account for a smaller market, as well. Sure, the author can copy it fifteen billion times, but likewise a jeweler can spend his life making fifteen billion pieces to hand out to every cheap bastard who wants one.

      --
      You do not have a moral or legal right to do absolutely anything you want.
    8. Re:Thanks Slashdot! by Sarten-X · · Score: 4, Insightful

      ...effort does not equate to value). Someone is upset when they don't get credit, which is different than having valued assets removed from their possession.

      So tell me, when you were born into this world, what valued assets did you have of your own? Not your family's, mind you, but your own? Apart from things you've put forth effort to produce, or put forth effort to earn the money to pay others to produce, what do you now possess that is of value?

      Everything of value in this world is valued because of the human effort it took to produce it. Metals must be pulled from the Earth, ores must be smelted, and products must be assembled. Information must be conceived, clarified, and codified.

      I have no moral responsibility to give credit, so I don't feel guilt.

      I understand this to mean "I value physical effort infinitely more than mental effort". If I hold the exact opposite definition, you wouldn't mind mind being my slave, would you? I promise you'll only be doing worthless physical labor...

      --
      You do not have a moral or legal right to do absolutely anything you want.
    9. Re:Thanks Slashdot! by fredprado · · Score: 2

      I don't agree with everything the GP said, but he is right on the excerpt you decided to quote. Effort does not equate to value. You can run in circles loaded with rocks all day long and you will be producing very little value, for example.

    10. Re:Thanks Slashdot! by legont · · Score: 2

      This is exactly why I personally try to avoid any paid software and such like a plague and use free source. It's not because I mind paying - I actually want to pay people for their work - but because I feel that if I bought something, it is unconditionally mine to do whatever I want with it. Yes, the law is currently different; yes we shell try to change it. Meantime, I just don't buy that kind of products unless absolutely unavoidable. For example, I'd love to have iPad - it's great - but I will not buy it ever.

  2. I'm gonna buy by Culture20 · · Score: 5, Funny

    a wheelbarrow of smurfberries!

  3. Pay the price by Sponge+Bath · · Score: 4, Insightful

    It might be better to buy the software instead of leaving a trail of your theft with the Apple store.

    1. Re:Pay the price by tlhIngan · · Score: 4, Informative

      It might be better to buy the software instead of leaving a trail of your theft with the Apple store.

      It depends on the app. Apps have two choices with regards to in-app purchases. They can go through the official Apple Store receipt mechanism, or choose not to. Usually purchases for stuff that "expire" don't (because the receipt method prevents a user from buying it again, so your $99 smurfberry pack can only be bought once), while stuff that may need to be reloaded does (e.g., DLC, so if you reinstall your app, you can redownload your previous in-app purchases because the app verifies with Apple what DLC you already own).

      It's possible to do a hybrid system were some DLC is offered using the former system (usually to offer it "free" instead of requiring payment) - I believe developers host the additional content so if they wanted to give it for free, they tell the app they can get access to it. Of course, without an Apple receipt for it, if the developer removes the access, you've lost it. It's how the Atari thing let people get all games, but it goes away on next install (Atari updated the game's flags to say you own all the games, but if the app checks against Apple, it says you own none which is the case on reinstall).

      The former could be acquired "for free" by using a jailbroken device with IAPCracker installed. The ones that check don't because they do confirmations with Apple to ensure it really was purchased.

  4. scruples by v1 · · Score: 2

    Tricking an app store into giving you free game boosters is one thing, but then soliciting donations to upgrade the system is surprisingly brazen. A bit like the difference between pirating movies to watch, and selling pirated movies on the corner.

    --
    I work for the Department of Redundancy Department.
  5. Does it really leave evidence of stealing IAP ? by lymang · · Score: 2

    So apparently you could do this already if your iDevice was jailbroken? I wonder if that method leaves any kind of evidence or not. Does this method (i.e. using this russian workaround with certificates and whatnot) leave a trail or any kind? I mean, why would people do this if it did leave a trail? I've got to imagine it doesn't leave very much evidence. Or are people really just that greedy?

    --
    Meh.
  6. Re:More apps should validate receipts by billcopc · · Score: 5, Interesting

    Disclaimer: app developer here.

    It's been around for a while, yes, but it does require a bit more coding, and since a staggering number of these shady freemium apps are written by copy-paste coders, they've probably been using the non-verified method, because to their eyes it does what they want.

    They might fix it if this workaround becomes too mainstream, but even then, an updated binary would be required in most cases. The cat is out of the bag. Anything going over the network can now be spoofed. Even the verification could be spoofed if so desired. I hope all the Zyngas of the world had their fun while it lasted.

    --
    -Billco, Fnarg.com
  7. Re:More apps should validate receipts by characterZer0 · · Score: 2

    you must have not met the managers i've met over the years

    I have to dedicate 10 minutes of a human resource? oh no, my bonus-driving stats are going to fall off. i'll just leave it like this

    --
    Go green: turn off your refrigerator.
  8. Article is missleading by falcon5768 · · Score: 4, Informative

    He didnt sidestep anything, he took advantage of bad developers who don't use Apples in-app receipt checking APIs.

    --

    "Slashdot, where telling the truth is overrated but lying is insightful."

  9. Cheat codes come to modern games by GameboyRMH · · Score: 3, Insightful

    Before cheat codes made the games more fun for lowsy players, but today they make them more fun for poor players!

    --
    "When information is power, privacy is freedom" - Jah-Wren Ryel
  10. Re:Not the first to do it by falcon5768 · · Score: 4, Informative

    Its not that he was the first that shocked anyone, its that he pulled it off WITHOUT jailbreaking the phone using DNS redirects and user-installed certs

    --

    "Slashdot, where telling the truth is overrated but lying is insightful."

  11. Re:Take it down! by MickyTheIdiot · · Score: 2

    No no no.. it's a PRO Apple Store topic. This just means now all developers will have to use the new validation method. It's exactly what Apple wants....

  12. Liar by SmallFurryCreature · · Score: 3, Informative

    You must be one of those kiddies who shit their pants at the thought of violating a EULA or live in corporate USA. But for normal people in the free world, you are free to do anything to any bit on your computer.

    EULA's cannot take away fundemental rights and I have the right to remix, video/music and data anyway I want. FOR MYSELF! As long as I do not redistribute copyright material YOU FUCKING MORON, copyright laws are not applicable.

    And this guy is NOT distributing copyrighted material that does not belong to him, he is merely distributing the tool to allow others to modify theirs. So unless you were stupid enough to elect politicians who voted for the DMCA and other such bought laws, there is NOTHING illegal about any of this.

    If you had a brain and did not just suck corporate dick you would know that the modding scene does this kind of thing routinely AND with encouragement. Create a new map using copyrighted resources? Go right ahead. As long as you only distribute the new map, not the textures and other resources from the game (which shouldn't be needed because the person downloading the map already has them from his own game).

    Oh and it has been proven by the court that software licenses do not work as your diseased mind think it does. You can sell on software. When I buy software, I am free to modify it in any way I want. Good luck trying to enforce anything else in the free world. It would actually be rather nice if it was the other way around. Then software companies would also have to accept 100% liability for anything their software does on MY hardware. After all, it is THEIR property right?

    Take Bill Gates dick out of your mouth long enough to get some fresh air and see if you can get that peanut in your head to think some independent thoughts.

    --

    MMO Quests are like orgasms:

    You may solo them, I prefer them in a group.

    1. Re:Liar by nitio · · Score: 3, Interesting

      Hm, no I don't live in corporate USA though I'm trying to figure out which part of the free world you live. Care to share? Just curious. I live in Brazil so I'm not sure if you deem it as free or not. Not that I care that much.

      I think I had made myself clear when I said "Copyright and all that shit" suggesting I don't agree with copyright legislation they way it is pretty much everywhere and the "YMMV" sort of implies that my point of software license isn't true all the time. I'm sorry if I haven't shouted or something to bring my point out

      Regarding company liability- as it is with anything legal it's always not 100% true or false but you can think about the Sony Rootkit CDs which, well, made them liable for the software it installed doing unexpected things in people's hardware. You don't need to agree with me neither counter it, I'm simply suggesting that as one example where the route can be taken the other way around.

      Now, to best part of your arguments, which is name calling. Might I suggest you avoid that? It doesn't add anything to anybody or the discussion. Sure you had your point - which is valid, I agree, though there are specifics. I don't think most companies that allow mods to happen are happy if people start making money out of it OR take their money because of it.
      But when you name call, your argument is lost because you found someone who disagrees with you

      But hey, at least you imply iyou have independent thoughts!


      PS: Bill's dick wasn't that good.

      --
      http://stoploudness.org/
  13. Man in the Middle... by Anonymous Coward · · Score: 5, Interesting

    In other news... Russian Hackers clear a lot of bank accounts...

    Let me get this straight:
    You install a new certificate and point your DNS setting to a foreign server under the control of someone you should not trust.
    In other words: Any communication afterwards can be intercepted and even SSL encrypted sessions will look fine.
    Why spent a lot of work for some malware when good old STUPID provides the same setup for your man-in-the-middle attack.

    Most users who do this (farmville players...) will not change this back and also use their iPad for stuff like online banking.

  14. Apple's receipt verification is broken too by Y2K+is+bogus · · Score: 4, Interesting

    I just reviewed the documentation for the receipt verification, and that process is broken too.

    To summarize, you forward an opaque token to the appstore and verfiy success using a simple clear text status flag. This is fundamentally broken because the client doesn't authenticate the source of either piece of data. The original hack in this article is based on a Man In the Middle attack, their receipt verification system is vulnerable to exactly the same type of attack.

    The lack of cryptographic hashing and authentication on the client side is a complete failure of Apple's API design. The first step should be message signing and authentication to ensure the server is who the server says they are. Apple is relying on SSL certificates for this role, which I feel is inadequate. The SSL Certificate Authority system has been broken for a long time and reliance upon them to assure authenticity is a Bad Idea(tm).

    The concept of centralized CAs is good in theory, but recent events have proven that CAs are easily corrupted by economic, political, and technical means.

  15. HA! I was wrong by 93+Escort+Wagon · · Score: 2

    As more information has come out, it has become apparent my statement immediately above is erroneous. If the workaround server has access to a valid receipt from someone - anyone - it can circumvent even in-app purchase verifications for that app even if it is using Apple's system.

    So while there may be a "lazy developer" component - it's not the whole story.

    --
    #DeleteChrome