Slashdot Mirror


Russian Hacker Sidesteps Apple iOS In-App Purchases

An anonymous reader tips news that a Russian developer has posted a video showing how in-app purchases for some iOS software can be acquired without payment. The hack doesn't require the device to be jailbroken, and can be accomplished even by users who aren't technically proficient. The method involves three steps: "The installation of CA certificate, the installation of in-appstore.com certificate, and the changing of DNS record in Wi-Fi settings. After the quick process, users are presented with the message pictured above when installing in-app purchases, as opposed to Apple's usual purchase confirmation dialog." 9to5mac notes that this doesn't affect all apps, since some of them make use of Apple's method for validating receipts.

14 of 142 comments

  1. Thanks Slashdot! by CajunArson · · Score: 5, Informative

    Before even the first 50 apple flame posts are up for this story, the loophole will be closed. The first rule of the free app hack is that YOU DO NOT TALK ABOUT THE FREE APP HACK.

    --
    AntiFA: An abbreviation for Anti First Amendment.
    1. Re:Thanks Slashdot! by chinton · · Score: 5, Insightful
      I thought the first rule would have been "if you don't want to pay for something it doesn't give you the right to take it".

      I've got a hack for getting free jewelry. It involves a crowbar and the brittleness of the glass they use to make those display cases.

    2. Re:Thanks Slashdot! by Sarten-X · · Score: 4, Interesting

      Exactly... It's not like anybody had to put effort into making those variables do anything, or draw the pictures that appear when the variable holds a particular value, or work out and balance the mechanics of a game that the variables influence. These variables are just information in a storage system, so therefore must be completely detached from any value or human effort whatsoever.

      Similarly, the energy that grew my lunch came from the sun, which gives energy away for free, so it's perfectly legal and right for me to dine-and-dash, right?

      --
      You do not have a moral or legal right to do absolutely anything you want.
    3. Re:Thanks Slashdot! by nitio · · Score: 5, Insightful

      Not true. YMMV but consider that most likely what you bought is a license to run the software (not the software itself) therefore the software in question - and the data - are still owned by the company that sold you the license. Copyright and all that shit

      Capcom goes a long way to this with DLC characters in their fighting game that are bundled with the disc but you have to pay to have that data already present unlocked. As sad as it is, it's not illegal for them to do that, nor is it legal for you to hack and make it available just because you have the data in a device you own.

      You know what the best alternative is? Pay the extra or don't pay from the beginning. Simple as that.

      --
      http://stoploudness.org/
    4. Re:Thanks Slashdot! by Quila · · Score: 4, Informative

      It was closed before the hack. App developers just didn't bother to implement receipt authorization that's built into the store, allowing their apps to be tricked.

      The question is why Apple didn't make authorization mandatory. But if they did then there'd be bitching about that too.

    5. Re:Thanks Slashdot! by Sarten-X · · Score: 4, Insightful

      ...effort does not equate to value). Someone is upset when they don't get credit, which is different than having valued assets removed from their possession.

      So tell me, when you were born into this world, what valued assets did you have of your own? Not your family's, mind you, but your own? Apart from things you've put forth effort to produce, or put forth effort to earn the money to pay others to produce, what do you now possess that is of value?

      Everything of value in this world is valued because of the human effort it took to produce it. Metals must be pulled from the Earth, ores must be smelted, and products must be assembled. Information must be conceived, clarified, and codified.

      I have no moral responsibility to give credit, so I don't feel guilt.

      I understand this to mean "I value physical effort infinitely more than mental effort". If I hold the exact opposite definition, you wouldn't mind being my slave, would you? I promise you'll only be doing worthless physical labor...

      --
      You do not have a moral or legal right to do absolutely anything you want.
  2. I'm gonna buy by Culture20 · · Score: 5, Funny

    a wheelbarrow of smurfberries!

  3. Pay the price by Sponge+Bath · · Score: 4, Insightful

    It might be better to buy the software instead of leaving a trail of your theft with the Apple store.

    1. Re:Pay the price by tlhIngan · · Score: 4, Informative

      It might be better to buy the software instead of leaving a trail of your theft with the Apple store.

      It depends on the app. Apps have two choices with regards to in-app purchases. They can go through the official Apple Store receipt mechanism, or choose not to. Usually purchases for stuff that "expire" don't (because the receipt method prevents a user from buying it again, so your $99 smurfberry pack can only be bought once), while stuff that may need to be reloaded does (e.g., DLC, so if you reinstall your app, you can redownload your previous in-app purchases because the app verifies with Apple what DLC you already own).

      It's possible to do a hybrid system where some DLC is offered using the former system (usually to offer it "free" instead of requiring payment) - I believe developers host the additional content so if they wanted to give it for free, they tell the app they can get access to it. Of course, without an Apple receipt for it, if the developer removes the access, you've lost it. It's how the Atari thing let people get all games, but it goes away on next install (Atari updated the game's flags to say you own all the games, but if the app checks against Apple, it says you own none, which is the case on reinstall).

      The former could be acquired "for free" by using a jailbroken device with IAPCracker installed. The ones that check don't because they do confirmations with Apple to ensure it really was purchased.

  4. Re:More apps should validate receipts by billcopc · · Score: 5, Interesting

    Disclaimer: app developer here.

    It's been around for a while, yes, but it does require a bit more coding, and since a staggering number of these shady freemium apps are written by copy-paste coders, they've probably been using the non-verified method, because to their eyes it does what they want.

    They might fix it if this workaround becomes too mainstream, but even then, an updated binary would be required in most cases. The cat is out of the bag. Anything going over the network can now be spoofed. Even the verification could be spoofed if so desired. I hope all the Zyngas of the world had their fun while it lasted.

    --
    -Billco, Fnarg.com
  5. Article is misleading by falcon5768 · · Score: 4, Informative

    He didn't sidestep anything, he took advantage of bad developers who don't use Apple's in-app receipt checking APIs.

    --

    "Slashdot, where telling the truth is overrated but lying is insightful."

  6. Re:Not the first to do it by falcon5768 · · Score: 4, Informative

    It's not that he was the first that shocked anyone, it's that he pulled it off WITHOUT jailbreaking the phone, using DNS redirects and user-installed certs.

    --

    "Slashdot, where telling the truth is overrated but lying is insightful."

  7. Man in the Middle... by Anonymous Coward · · Score: 5, Interesting

    In other news... Russian Hackers clear a lot of bank accounts...

    Let me get this straight:
    You install a new certificate and point your DNS setting to a foreign server under the control of someone you should not trust.
    In other words: Any communication afterwards can be intercepted and even SSL encrypted sessions will look fine.
    Why spend a lot of work on some malware when good old STUPID provides the same setup for your man-in-the-middle attack?

    Most users who do this (farmville players...) will not change this back and also use their iPad for stuff like online banking.

  8. Apple's receipt verification is broken too by Y2K+is+bogus · · Score: 4, Interesting

    I just reviewed the documentation for the receipt verification, and that process is broken too.

    To summarize, you forward an opaque token to the appstore and verify success using a simple clear text status flag. This is fundamentally broken because the client doesn't authenticate the source of either piece of data. The original hack in this article is based on a Man In the Middle attack; their receipt verification system is vulnerable to exactly the same type of attack.

    The lack of cryptographic hashing and authentication on the client side is a complete failure of Apple's API design. The first step should be message signing and authentication to ensure the server is who the server says they are. Apple is relying on SSL certificates for this role, which I feel is inadequate. The SSL Certificate Authority system has been broken for a long time and reliance upon them to assure authenticity is a Bad Idea(tm).

    The concept of centralized CAs is good in theory, but recent events have proven that CAs are easily corrupted by economic, political, and technical means.
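The failure mode the comment describes (a client that trusts a clear-text status flag from whatever host answered) next to the signed, receipt-bound verdict it argues for, as a constructed Python example that is not Apple's API or any app's real code. HMAC with a demo key stands in for the public-key signature a real deployment would verify against a pinned public key; the receipt token, the key and the response format are all assumptions made for the example.

```python
import hashlib
import hmac
import json

# Constructed example, not Apple's API or any shipping app's code.
# HMAC stands in for a public-key signature so this runs on the standard
# library alone; a real client would verify against a pinned public key
# and never hold a signing secret. The receipt token is opaque to the app.
STORE_SIGNING_KEY = b"constructed-demo-key"  # assumption: held by the store only


def store_verify(receipt: bytes, signing_key: bytes = STORE_SIGNING_KEY) -> bytes:
    """What a signing store would return: a verdict bound to the receipt hash."""
    body = {"status": 0, "receipt_sha256": hashlib.sha256(receipt).hexdigest()}
    payload = json.dumps(body, sort_keys=True).encode()
    sig = hmac.new(signing_key, payload, hashlib.sha256).hexdigest()
    return json.dumps({"payload": payload.decode(), "sig": sig}).encode()


def naive_is_purchased(response: bytes) -> bool:
    """The pattern the comment criticises: trust a clear-text status flag
    without checking who produced it (a DNS-redirected host will do)."""
    return json.loads(response).get("status") == 0


def hardened_is_purchased(receipt: bytes, response: bytes,
                          verify_key: bytes = STORE_SIGNING_KEY) -> bool:
    """Accept a verdict only if (1) its signature verifies under the pinned
    key and (2) it is bound to the receipt this client actually sent."""
    try:
        outer = json.loads(response)
        payload = outer["payload"].encode()
        expected = hmac.new(verify_key, payload, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, outer["sig"]):
            return False  # unauthenticated source: signature does not verify
        body = json.loads(payload)
        if body.get("receipt_sha256") != hashlib.sha256(receipt).hexdigest():
            return False  # a genuine verdict replayed for a different receipt
        return body.get("status") == 0
    except (KeyError, ValueError, TypeError, AttributeError):
        return False
```

The naive check returns True for a bare `{"status": 0}` from any host, which is the whole problem; the hardened check rejects it, and also rejects a real verdict replayed against a different receipt.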