Video taken down due to a copyright claim from Apple.
We received some disturbing tips today that a Russian developer has published a method of obtaining in-app purchases from iOS apps for free. First noticed by Russian blog i-ekb.ru, the “in-app proxy” method does not require a jailbreak, can be completed by novices in three steps using just an iOS device, and allows users to install in-app content for free. The hack also works on all devices running iOS 3.0 to 6.0. We confirmed the method works (at least temporarily), and the published instructions are starting to get attention, so we decided to publish this story as a warning to the Apple developer community.
The hack appears to come from Russian developer ZonD80, who posted the above video demonstration. ZonD80 also appears to run a website called In-AppStore.com, where donations are being accepted to support the development of the project and help keep servers up and running. The developer explained the three steps of the hack: installing a CA certificate, installing the in-appstore.com certificate, and changing the DNS record in Wi-Fi settings. After the quick process, users are presented with the message pictured above when installing in-app purchases, as opposed to Apple’s usual purchase confirmation dialog. The fact that this hack is being used to steal in-app purchase content is perhaps just as troubling as the developer’s terms of service. Below is a list of data processed through the developer’s servers as part of the process (but again, we are imploring readers not to try this):
- restriction level of app
- id of app
- id of version
- guid of your idevice
- quantity of in-app purchase
- offer name of in-app purchase
- language you are using
- identifier of application
- version of application
The method does not work with 100 percent of apps: some users report it failing for certain in-app purchases in specific regions. This is of course not something we approve of. Despite warnings from the developer himself to please “not pirate AppStore apps,” he continued to assist users of the hack who reported it not working with certain apps. Hopefully Apple and the developer community can shut this guy down before too much content is illegally downloaded.
Update: Commenters noted that Apple does provide a method for developers to validate receipts for in-app purchases. This is likely why the hack described above does not work with some apps and is something all devs implementing IAP should be taking advantage of.
Update 2: TNW spoke with Alexey V. Borodin, the developer of the hack, who claimed apps using Apple’s method of validating receipts mentioned above are not safe. According to Borodin, only developers using their own servers to verify in-app purchases are able to dodge the hack.
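For developers, a sketch of the server-side verification the updates refer to, added here as an example and not taken from Apple, Borodin or any app named in this story: the developer's own server forwards the receipt to Apple over its own TLS and DNS configuration, then checks that the reply matches the purchase being claimed. The bundle id, product id and `fake_apple` stub are hypothetical; the `bid`, `product_id` and `transaction_id` field names are assumed from Apple's legacy per-transaction receipt format.

```python
import json
import urllib.request

# Hypothetical values for this sketch: the app's bundle id and product catalogue.
EXPECTED_BUNDLE_ID = "com.example.game"
KNOWN_PRODUCTS = {"com.example.game.coins100"}
# Apple's legacy receipt endpoint. The server calls it directly, so the DNS
# settings and CA certificates installed on the device play no part.
APPLE_VERIFY_URL = "https://buy.itunes.apple.com/verifyReceipt"


def post_to_apple(receipt_b64):
    """Production transport: POST the base64 receipt to Apple from the server."""
    body = json.dumps({"receipt-data": receipt_b64}).encode()
    req = urllib.request.Request(APPLE_VERIFY_URL, data=body,
                                 headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


def validate_purchase(receipt_b64, claimed_product, seen_transactions,
                      verify=post_to_apple):
    """Return (ok, reason). The server unlocks content only when ok is True."""
    reply = verify(receipt_b64)
    if reply.get("status") != 0:
        return False, "apple rejected receipt"
    receipt = reply.get("receipt", {})
    if receipt.get("bid") != EXPECTED_BUNDLE_ID:
        return False, "receipt issued for another app"
    product = receipt.get("product_id")
    if product not in KNOWN_PRODUCTS or product != claimed_product:
        return False, "product mismatch"
    txn = receipt.get("transaction_id")
    if not txn or txn in seen_transactions:
        return False, "transaction replayed or missing"
    seen_transactions.add(txn)  # each transaction id is honoured once
    return True, "ok"


def fake_apple(reply):
    """Constructed stand-in for Apple's reply so the example runs offline."""
    return lambda _receipt: reply


if __name__ == "__main__":
    seen = set()
    good = fake_apple({"status": 0, "receipt": {
        "bid": "com.example.game", "product_id": "com.example.game.coins100",
        "transaction_id": "1000000000000001"}})  # constructed sample reply
    print(validate_purchase("cmVjZWlwdA==", "com.example.game.coins100", seen, good))
    print(validate_purchase("cmVjZWlwdA==", "com.example.game.coins100", seen, good))
```

The second call is refused because the transaction id has already been redeemed, which is the check that stops one genuine receipt from being submitted repeatedly.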
“The security of the App Store is incredibly important to us and the developer community,” Apple representative Natalie Harrison told The Loop. “We take reports of fraudulent activity very seriously and we are investigating.”