There isn’t a system designed that can’t be hacked. The latest digital outlet to be cracked open and scooped out is Apple’s In App Purchases (IAP) system. An enterprising Russian programmer has apparently devised a way to “spoof” the microtransactions.
The method isn’t particularly simple: it requires the installation of faked certificates on your iDevice and some DNS trickery. Even so, it has proved very popular among dishonest AppStore customers since it went out to the wider public on Friday. The server that handles the DNS is apparently failing due to the demand placed on it.
The man behind the hack told MacWorld that he made it because he was tired of having to pay for things in games. CSR Racing, a free-to-download game that utilises IAP to generate revenue, annoyed him by “taking money from [him] every single breath.” So he decided it was okay to steal from it. His method exploits the fact that IAP receipts contain no specific user data, which makes them easier to spoof, and he’s happy enough for it to be used by anyone else who decides they shouldn’t really have to pay for the things they want either.
I’m not a fan of IAP by any stretch of the imagination. I’d love it if developers and Apple worked to find a new way of monetizing AppStore content that was more transparent and up front. But the notion that we should be able to steal content if we don’t want to pay for it isn’t one I’m comfortable with either. Hopefully this exploit gets plugged quickly, before developers lose too much income or it puts off potential developers from the platform.
Kris Lipscombe
This was always going to happen though, the security around validating IAP appears to have been designed by a two year old.
gideon1451
Didn’t Sony just announce an in app purchasing system to their PSSuite SDK?
Nickboss1
It’s called PS Mobile now.
Nickboss1
Russia seems to have a lot of piracy issues.
sick__puppy
From reading MacRumors, this exploit also gives your username and password in plain text to the hacker who developed the exploit, so use at your own risk!
Workshed
It does indeed! These unscrupulous people are very likely to be storing the username and password of every single person that uses their hack – that’s your iTunes account which ya know, has your credit card information attached to it!!
Anyone that is stupid enough to use this hack to get a few £ worth of content for free is likely to be in for a much more expensive surprise.
sick__puppy
http://www.macrumors.com/2012/07/13/hacker-releases-tools-for-bypassing-apples-in-app-purchase-mechanism/
Porcupine_I
“The man behind the hack told MacWorld that he made it because he was tired of having to pay for things in games.”
At least he is honest about it.
Nickboss1
lol… I’m tired of taxes.
Smallville2106
Tickled me when I read that line.
fs
Stealing is wrong – Apple know that better than anyone, or at least they should, they have practically been doing that for years.
Nickboss1
I agree with you about Apple but it’s the game developers that will suffer due to this.
YOURMUMANDME
I’d pay £3.99 for a t-shirt with his name on it….
Motalla
And I thought Apple users did not have any of these kinds of issues! The whole point of using Apple products according to some of its advocates, living near me, is that it does not have viruses, malware, “no need for virus scanners and firewalls.”
According to them, the huge Apple userbase is somehow not an interesting target … Hmm, maybe I should warn my mum.
sick__puppy
Well it’s secure as long as you don’t engage in dodgy hacks to steal stuff and send your password to a hacker in Russia!
Workshed
This doesn’t disprove what your nearby advocates are saying, it just proves that the weakest link in security is the user.
wirralsman
As a software developer, I strongly disapprove.
colmshan1990
Ah, damn it.
I knew we’d gone too long without a ‘hacker’ story.
Assholes never go away.
Forrest_01
Nope, wherever you turn, there’s always an asshole right behind you!