Russian Hacker Sidesteps Apple iOS In-App Purchases
An anonymous reader tips news that a Russian developer has posted a video showing how in-app purchases for some iOS software can be acquired without payment. The hack doesn't require the device to be jailbroken, and can be accomplished even by users who aren't technically proficient. The method involves three steps: "The installation of a CA certificate, the installation of the in-appstore.com certificate, and the changing of the DNS record in Wi-Fi settings. After the quick process, users are presented with the message pictured above when installing in-app purchases, as opposed to Apple's usual purchase confirmation dialog." 9to5mac notes that this doesn't affect all apps, since some of them make use of Apple's method for validating receipts.
Thanks Slashdot! (Score:5, Informative)
Before even the first 50 apple flame posts are up for this story, the loophole will be closed. The first rule of the free app hack is that YOU DO NOT TALK ABOUT THE FREE APP HACK.
Re:Thanks Slashdot! (Score:5, Insightful)
I've got a hack for getting free jewelry. It involves a crowbar and the brittleness of the glass they use to make those display cases.
Re: (Score:2, Insightful)
Where the "something" in this case are the states of Boolean variables. Not illegal.
Re:Thanks Slashdot! (Score:5, Interesting)
Exactly... It's not like anybody had to put effort into making those variables do anything, or draw the pictures that appear when the variable holds a particular value, or work out and balance the mechanics of a game that the variables influence. These variables are just information in a storage system, so therefore must be completely detached from any value or human effort whatsoever.
Similarly, the energy that grew my lunch came from the sun, which gives energy away for free, so it's perfectly legal and right for me to dine-and-dash, right?
Re: (Score:1)
> It's not like anybody had to put effort into making those variables do anything,
So what?
> These variables are just information in a storage system, so therefore must be completely detached from any value or human effort whatsoever.
I pay for the storage system. Everything else is without imbued value, correct (human effort is a weasel phrase to corrupt the point; effort does not equate to value). Someone is upset when they don't get credit, which is different than having valued assets removed from th
Re: (Score:2)
(human effort is a weasel phrase to corrupt the point; effort does not equate to value)
Thanks so much. I haven't gotten a laugh like that since someone told me that Mormons attacked the US on 9/11. Tell me, how does it feel to live in a world where you never pay the labor cost associated with something?
Re: (Score:2)
Unless someone values you running in circles with rocks enough to expend their own effort in some other way (like earning money with which to pay you). Maybe you're supposed to be testing the durability of flooring under heavy load, but I digress.
Exerting effort does not inherently require that someone else value it, but all value is derived (either directly or indirectly) from the exertion of effort. However, as a society we have generally held that all effort is valued when it benefits someone else. The e
Re: (Score:2)
I did not ask the developer to develop. So the case you provided does not equate with software.
Not saying right or wrong. Just stating that the GP and GGGP are correct in that.
Personally I do not like software copyright. I think the current implementation of the laws is at best stupid.
I think we could have a much bigger effect by just ignoring their shit product, though.
As long as we are "stealing" it, these people have a leg to stand on with the people that count (lawmakers).
If we decided looking at the ent
Re:Thanks Slashdot! (Score:5, Insightful)
...effort does not equate to value). Someone is upset when they don't get credit, which is different than having valued assets removed from their possession.
So tell me, when you were born into this world, what valued assets did you have of your own? Not your family's, mind you, but your own? Apart from things you've put forth effort to produce, or put forth effort to earn the money to pay others to produce, what do you now possess that is of value?
Everything of value in this world is valued because of the human effort it took to produce it. Metals must be pulled from the Earth, ores must be smelted, and products must be assembled. Information must be conceived, clarified, and codified.
I have no moral responsibility to give credit, so I don't feel guilt.
I understand this to mean "I value physical effort infinitely more than mental effort". If I hold the exact opposite definition, you wouldn't mind being my slave, would you? I promise you'll only be doing worthless physical labor...
Re: (Score:1)
I understand this to mean "I value physical effort infinitely more than mental effort". If I hold the exact opposite definition, you wouldn't mind being my slave, would you? I promise you'll only be doing worthless physical labor...
I'm a programmer. I can only speak for myself, but value physical and mental effort roughly equally.
However, what in-app purchases I see on the app store disgust me. I'll use a recent example of a game I downloaded: it was a decent enough tower defense game -- one that I'd have paid a couple bucks for to compensate the developers. However, there is no paid version; the only method of compensation available is via in-app purchases, where you can buy virtual money to pay for upgrades. The lowest level pur
Re: (Score:2)
I'm a programmer too. I can only speak for myself as well, but fuck everything about that pricing.
It's pretty obvious that the authors are grossly overvaluing their work. This still doesn't give potential customers the right to force them to accept a different valuation, though. The options are to pay the high price, don't use the upgrades, or try to communicate with the authors to negotiate a more reasonable deal.
Re: (Score:2)
For metals pulled from the earth and smelted, and products which are assembled, a high level of effort must be expended for each and every product...
For any form of digital media, effort may well have gone into creating the initial version, but all subsequent copies were produced trivially... So by extension, only the original has any value and all the copies have little or no value.
Or you could argue that the value of the media should be split equally amongst each produced copy...
To declare that trivially p
Re: (Score:2)
Or you could argue that the value of the media should be split equally amongst each produced copy...
This is exactly what I'm arguing for, but recognizing that the number of sales is generally unknown at the time the pricing is set, and almost definitely unknown at the time the initial effort is put forth.
I doubt it's possible for Duke Nukem Forever to ever sell enough copies to make up for the amount of effort that went into making (and remaking, and redesigning, and remaking) it. Of course, 15 years ago, that seemed entirely likely, and maybe even with a hefty profit because consumers would (in total) va
Re: (Score:2)
Water, O2, those minerals people pulled from the Earth... The value is already there to be worth the effort to the human.
So you pay for every breath you take and every molecule of water you absorb? No? Perhaps it isn't so inherently valuable in the ubiquitous form.
The value is ascribed to the substance when someone wants it enough to exert effort to make it available, by separating the oxygen from other gasses, or laying pipes to carry the water. If someone is in a situation that requires more effort to get the water or oxygen (say, for instance, being in a polluted city or on a space station), they will value the substance h
Re: (Score:2)
Holy Ad Hominem, Batman! If your paragraphs were just a bit shorter, or you used just a little bold text, I'd expect the post to be signed "APK"...
Irrelevant.
On the contrary. At birth (and by extension, your ancestors' births), you have exactly nothing of value. Since all trade consists of getting something you value for something someone else values, you must start with something valuable. Somewhere through your life, you (or your charitable benefactor) had to do something to create the initial value, which could the
Re: (Score:2)
I have no idea what you're trying to say, so I will assume you are practicing a typing lesson. Given the word choice, I'll also assume it's based on some post-modern poetry.
I estimate a speed of about 30 words per minute. Keep trying, you're doing great!
Re: (Score:2)
Where the "something" in this case are the states of Boolean variables.
Is that the same sort of boolean as the states of Legal/Illegal, or some other rarefied form with which we are not familiar?
Re: (Score:1)
Where the "something" in this case are the states of Boolean variables. Not illegal.
And Algebra..... just watch out for the Bra in Algebra
Re: (Score:2)
That is not true for all such purchases. In fact, I'd wager that a significant minority, if not out-right majority, involve downloading something.
Re:Thanks Slashdot! (Score:5, Insightful)
Capcom goes a long way to this with DLC characters in their fighting game that are bundled with the disc, but you have to pay to have that data, already present, unlocked. As sad as it is, it's not illegal for them to do that, nor is it legal for you to hack and make it available just because you have the data in a device you own.
You know what the best alternative is? Pay the extra or don't pay from the beginning. Simple as that.
Liar (Score:3, Informative)
You must be one of those kiddies who shit their pants at the thought of violating a EULA or live in corporate USA. But for normal people in the free world, you are free to do anything to any bit on your computer.
EULAs cannot take away fundamental rights and I have the right to remix video/music and data any way I want. FOR MYSELF! As long as I do not redistribute copyrighted material, YOU FUCKING MORON, copyright laws are not applicable.
And this guy is NOT distributing copyrighted material that does not belon
Re: (Score:3, Interesting)
I think I had made myself clear when I said "Copyright and all that shit", suggesting I don't agree with copyright legislation the way it is pretty much everywhere, and the "YMMV" sort of implies that my point about software licenses isn't true all the time. I'm sorry if I haven't shoute
Re: (Score:1)
This is my device, this is my computer. I can change any data that I want on it. No license can deprive me of my freedom to do so.
Re: (Score:2)
Capcom goes a long way to this with DLC characters in their fighting game that are bundled with the disc, but you have to pay to have that data, already present, unlocked. As sad as it is, it's not illegal for them to do that, nor is it legal for you to hack and make it available just because you have the data in a device you own.
As citizens and consumers we should not stand for it. Such DLC breaks the traditional system of sales in two very important ways. Firstly you have no choice but to buy from Capcom. There is no market, no-one else can make compatible DLC, you pay what Capcom demands or nothing. Secondly you can't sell what you own. You can sell the game disc but the DLC is tied to your account and then becomes worthless, and you can't pass it on to someone else.
We have laws governing commerce to prevent abuse. It sounds like
Re: (Score:2)
Of course I do. Software is an organized large collection of data arranged in a novel way. On the other side: you can't copyright "true". Setting one bit on data you already possess is not copyright infringement. You're crazy.
Re: (Score:1)
Interesting logic. You don't pay for downloaded media or software, either?
Actually, I don't think I ever have. I only get Free (as in speech) software, free (as in beer) software, Free media, and free media (as in YouTube or what I get with my TV tuner card.)
But, then, I don't have any Apple devices.
Re: (Score:1, Informative)
Since apparently the 10 remaining people on Slashdot now all have Asperger's, you should note that my first post was meant to be sarcastic and facetious.
To any Apple Security Service (A.S.S.) personnel, I would like to note that I do not own an i/Phone/Pad/whatever and therefore have no interest in stealing your precious apps. Oh wait.. I just realized that not owning an iWhatever makes me an even bigger criminal than that Russian dude! Time to flee the country (again)!
Re: (Score:2)
Slashdot's user database was hacked and all the passwords are on one of the hacker sites. So it's not who you think it is.
[John]
Re: (Score:2)
The first rule of the free app hack is that YOU DO NOT TALK ABOUT THE FREE APP HACK.
I thought the first rule would have been "if you don't want to pay for something it doesn't give you the right to take it".
It was a joke, I think you missed the reference [imdb.com].
Re: (Score:2)
"if you don't want to pay for something it doesn't give you the right to take it"
Like private data on someone's mobile device?
Re: (Score:2)
It's like that, but where the jewelry store knows you did it and has your email, home address, and credit card number on file.
Re: (Score:3)
The effort spent to create the software can no longer be sold to someone else, either.
Instead, the author has worked out a plan for the pricing structure necessary to be fairly (in his or her mind) compensated for the time and effort, and making unlicensed copies is effectively removing a unit of income from that plan. The author could rebuild the plan to accommodate the lost payment, but now has to account for a smaller market, as well. Sure, the author can copy it fifteen billion times, but likewise a jew
Re: (Score:1)
If the person who got a copy free was going to buy it in the first place, and if them getting it doesn't result in someone else purchasing it who wouldn't have otherwise, then sure it is a lost sale. That doesn't change that it can be sold to other people though, so it can still be sold to someone else.
Re: (Score:2)
If the person who got a copy free was going to buy it in the first place, and if them getting it doesn't result in someone else purchasing it who wouldn't have otherwise, then sure it is a lost sale.
That's not their decision to make, though. The author, being the one who exerted the effort, chooses the value of his work. A buyer can either accept the valuation and receive the results of the effort, reject the deal, or suggest a different value that the buyer may agree to.
At no point, however, is it fair for the buyer to unilaterally decide to have the results of the effort without paying in return. That infringes the producer's freedom to choose the value for his work. A geologist being told that the e
Re: (Score:2)
Sure, and I didn't say otherwise.
Which I didn't try to do, so I'm not sure what the point is?
Re: (Score:2)
If the person who got a copy free was going to buy it in the first place, and if them getting it doesn't result in someone else purchasing it who wouldn't have otherwise, then sure it is a lost sale. That doesn't change that it can be sold to other people though, so it can still be sold to someone else.
Did you know that a substantial number of people who engage in piracy are also "evangelical" about it? By this I mean that they tell all their friends about the great stuff they got for free and make sure their friends know how to get it for free. Some of these people even go so far as believing that if they can destroy the revenue model for software, music, movies, books, whatever, it will somehow just be free for everyone. Therefore, there is the strong desire to make stuff available to th
Re: (Score:2)
So what? It doesn't mean a given person copying a given piece of software removed a unit of income from the software producer. They may have, they may not have, they may have removed more than one, they have added some. It's the blanket statement I had an issue with.
Re: (Score:2)
The two cases aren't similar at all. In one you lose something, in the other you don't.
Re: (Score:2)
You aren't going to live forever in the first place, so what difference is it if someone kills you today? I mean can it really be called murder? I mean you were going to die anyway! What's the big diff?
If someone kills me today, and I would have lived another 3 years had they not killed me, then I have been deprived of three years of life.
Your example would be more analogous* to the argument "Well, if I pay for the software, the author is just going to spend the money anyway, so in the end he will not end up with the money."
No one is making that argument.
*It would still be a bad analogy, but it's about as close as I could get to something in the same realm.
Now you know. Now don't do it. (Score:1)
Also I wouldn't publish or use his findings. Because if you are caught you are in trouble.
Getting pirated material from another site (the site owner takes some, usually the bulk, of the responsibility for the failure) is one thing. Actually trying to get the data straight from the App Store is stealing. If caught, you are going to be responsible. Given that this is costing Apple money, you can bet that if they are nice they will charge you for the apps you downloaded; if not, they will fine you a much higher
Re:Thanks Slashdot! (Score:5, Informative)
It was closed before the hack. App developers just didn't bother to implement receipt authorization that's built into the store, allowing their apps to be tricked.
The question is why Apple didn't make authorization mandatory. But if they did then there'd be bitching about that too.
Re: (Score:2)
Because authorization means it's a one-off purchase - once you bought something, it's marked in your account as purchased (otherwise Apple can't produce the receipt). Which means if you attempt to buy it again, Apple basically doe
Re: (Score:2)
Because authorization means it's a one-off purchase - once you bought something, it's marked in your account as purchased (otherwise Apple can't produce the receipt).
This is not true. A receipt is generated either way, regardless of whether the purchase item allows multiple purchases (such as buying currency) or one-off (such as unlocking a feature).
The reason a lot of developers probably don't do this is because it makes the transaction take longer. The entire process, when done bulletproof, takes about 15 steps that primarily involve two servers (your company's and Apple's) talking to each other. That introduces a lot of wait time for the transaction to complete... a
Re: (Score:2)
then let's not stoop to advertising black-hat services.
Yes, instead we should bury our heads in the sand and pretend it doesn't exist. People who know about the exploit can then continue to use it. App developers can remain blissfully unaware that people are getting their in-app purchases for free.
Let's never show news that anything is ever wrong with the world. Perhaps we could build some sort of filter for the internet that blocked everything we didn't want the public to hear.
It is also debatable whether this is a black-hat method in the first place:
- Y
Re: (Score:3)
No no no.. it's a PRO Apple Store topic. This just means now all developers will have to use the new validation method. It's exactly what Apple wants....
I'm gonna buy (Score:5, Funny)
Pay the price (Score:5, Insightful)
Re:Pay the price (Score:5, Informative)
It depends on the app. Apps have two choices with regards to in-app purchases. They can go through the official Apple Store receipt mechanism, or choose not to. Usually purchases for stuff that "expire" don't (because the receipt method prevents a user from buying it again, so your $99 smurfberry pack can only be bought once), while stuff that may need to be reloaded does (e.g., DLC, so if you reinstall your app, you can redownload your previous in-app purchases because the app verifies with Apple what DLC you already own).
It's possible to do a hybrid system where some DLC is offered using the former system (usually to offer it "free" instead of requiring payment) - I believe developers host the additional content so if they wanted to give it for free, they tell the app they can get access to it. Of course, without an Apple receipt for it, if the developer removes the access, you've lost it. It's how the Atari thing let people get all games, but it goes away on next install (Atari updated the game's flags to say you own all the games, but if the app checks against Apple, it says you own none, which is the case on reinstall).
The former could be acquired "for free" by using a jailbroken device with IAPCracker installed. The ones that check don't because they do confirmations with Apple to ensure it really was purchased.
Re: (Score:2)
Yes it did. I was supposed to be sarcastic.
But I guess with a lot of the Anti-Capitalist Everything point of view that is popular, I guess you would think I was being serious.
The point is, if you are going to get free stuff from the Apple store... Apple is going to crack down fast and hard, as you are directly taking money away from them.
re: Crime names (Score:1)
It might be better to buy the software instead of leaving a trail of your theft with the Apple store.
The crime of forging receipts is called uttering. I would be fine with fraud as well, but calling it theft is just retarded.
Russia must be one hell of a land... (Score:1)
I say this because in this vast country, major breakthroughs in the tech world have a hand in Russia. I would label Russia as fertile waters to fish for good, competent hacker talent.
scruples (Score:3)
Tricking an app store into giving you free game boosters is one thing, but then soliciting donations to upgrade the system is surprisingly brazen. A bit like the difference between pirating movies to watch, and selling pirated movies on the corner.
Does it really leave evidence of stealing IAP ? (Score:2)
So apparently you could do this already if your iDevice was jailbroken? I wonder if that method leaves any kind of evidence or not. Does this method (i.e. using this russian workaround with certificates and whatnot) leave a trail or any kind? I mean, why would people do this if it did leave a trail? I've got to imagine it doesn't leave very much evidence. Or are people really just that greedy?
More apps should validate receipts (Score:2)
Re: (Score:2)
You must not have met the developers I've met over the years.
I have to change 10 lines of code? Oh no, my fingers are going to fall off. I'll just leave it like this.
Re: (Score:3)
You must not have met the managers I've met over the years.
I have to dedicate 10 minutes of a human resource? Oh no, my bonus-driving stats are going to fall off. I'll just leave it like this.
Re:More apps should validate receipts (Score:5, Interesting)
Disclaimer: app developer here.
It's been around for a while, yes, but it does require a bit more coding, and since a staggering number of these shady freemium apps are written by copy-paste coders, they've probably been using the non-verified method, because to their eyes it does what they want.
They might fix it if this workaround becomes too mainstream, but even then, an updated binary would be required in most cases. The cat is out of the bag. Anything going over the network can now be spoofed. Even the verification could be spoofed if so desired. I hope all the Zyngas of the world had their fun while it lasted.
Re: (Score:2)
Only if you either jailbreak the device or they're (stupidly) not using some sort of public key signing to verify authenticity.
Re: (Score:2)
The fact that this can be easily mitigated only exposes the blatant lack of reliability and lack of sophistication of Apple as a brand.
Did you not bother to read anything at all? Apple already provides a method for developers to verify the validity of in-app purchases - but some developers choose to not use it because it's easier not to.
This is a classic "lazy developer" problem, not an Apple problem.
HA! I was wrong (Score:3)
As more information has come out, it has become apparent my statement immediately above is erroneous. If the workaround server has access to a valid receipt from someone - anyone - it can circumvent even in-app purchase verifications for that app even if it is using Apple's system.
So while there may be a "lazy developer" component - it's not the whole story.
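The check the "Pay the price" reply and the "HA! I was wrong" correction above are circling is what the developer's own server does with a receipt once the store has said it is valid. The following is an added example (mine, not code from the page, from Apple or from any poster): a small server-side redemption ledger that honours a receipt only for the exact app and product being unlocked and records the transaction id, so a valid receipt lifted from one buyer cannot be replayed to every client the bypass server talks to. The store replies are constructed sample data; the JSON field names (status, receipt.bid, receipt.product_id, receipt.transaction_id), the bundle id, the product ids and the 21002 status code are assumptions for the example, not taken from the page.

```python
# Constructed sample verifyReceipt-style replies (assumed field names; not from the article).
GENUINE_REPLY = {
    "status": 0,
    "receipt": {
        "bid": "com.example.game",                   # assumed bundle id
        "product_id": "com.example.game.coins100",   # assumed product id
        "transaction_id": "1000000012345678",        # assumed transaction id
    },
}
OTHER_APP_REPLY = {
    "status": 0,
    "receipt": {
        "bid": "com.example.otherapp",
        "product_id": "com.example.game.coins100",
        "transaction_id": "1000000087654321",
    },
}
FAILED_REPLY = {"status": 21002}  # assumed "bad receipt" status code


class Rejected(Exception):
    """Raised when a receipt must not unlock anything."""


class RedemptionLedger:
    """Server-side state: which store transactions have already been turned into grants."""

    def __init__(self, bundle_id, catalogue):
        self.bundle_id = bundle_id
        self.catalogue = catalogue   # product_id -> what the purchase grants
        self.redeemed = {}           # transaction_id -> account that consumed it

    def redeem(self, account, requested_product, reply):
        # 1. The store must have said the receipt is genuine.
        if reply.get("status") != 0:
            raise Rejected(f"store returned status {reply.get('status')}")
        receipt = reply.get("receipt") or {}
        # 2. It must be a receipt for *this* app, not one bought in any app.
        if receipt.get("bid") != self.bundle_id:
            raise Rejected("receipt belongs to a different app")
        # 3. It must be for the product the client is trying to unlock.
        if requested_product not in self.catalogue:
            raise Rejected(f"unknown product {requested_product}")
        if receipt.get("product_id") != requested_product:
            raise Rejected("receipt is for a different product than the one being unlocked")
        # 4. Each store transaction pays for exactly one grant; a replayed receipt is refused.
        tx = receipt.get("transaction_id")
        if not tx:
            raise Rejected("receipt carries no transaction id")
        if tx in self.redeemed:
            raise Rejected(f"transaction {tx} already redeemed by {self.redeemed[tx]}")
        self.redeemed[tx] = account
        return self.catalogue[requested_product]


def run_scenarios():
    """Returns (label, outcome) pairs; outcome is the grant or the rejection reason."""
    ledger = RedemptionLedger("com.example.game", {"com.example.game.coins100": 100})
    cases = [
        ("buyer redeems own receipt", "alice", "com.example.game.coins100", GENUINE_REPLY),
        ("replay of that receipt via the bypass server", "mallory", "com.example.game.coins100", GENUINE_REPLY),
        ("receipt presented for a product it never bought", "alice", "com.example.game.coins1000", GENUINE_REPLY),
        ("receipt from another app", "alice", "com.example.game.coins100", OTHER_APP_REPLY),
        ("store said the receipt is bad", "alice", "com.example.game.coins100", FAILED_REPLY),
    ]
    results = []
    for label, account, product, reply in cases:
        try:
            results.append((label, ledger.redeem(account, product, reply)))
        except Rejected as why:
            results.append((label, f"rejected: {why}"))
    return results


if __name__ == "__main__":
    for label, outcome in run_scenarios():
        print(f"{label}: {outcome}")
```

With this in place a genuine receipt captured by the bypass server still unlocks the product once, for whoever presents it first, but not for every client that replays it, which bounds the loss to one grant per real purchase. Whether the status reply itself can be trusted is the separate question of where the verification call is made from and over what trust store.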
You are liable for purchases made this way... (Score:2, Insightful)
Re: (Score:2)
you are not liable for such purchases as you never entered into an agreement to purchase them.
Apple can't bill you for them. Apple can't bill you for anything, because you don't have a billing account with Apple.
They could suspend your Apple account; however, if they do that, anyone whose account is suspended might as well just jailbreak their device.
They cannot do anything to your actual phone service as they are not a party to your agreement with your carrier.
Details? (Score:2)
I'm not 100% clear on what this hack does. Are they:
Not the first to do it (Score:1)
There is already a much more polished version of this where you just install a single app from a Cydia repo that does essentially the same thing. It's been out for months.
Re: (Score:2)
Yes, he exploited common vulnerabilities on random apps. How innovative! It's almost like mass-exploiting Wordpress and claiming that the OS running it is not secure.
Cheat codes come to modern games (Score:4, Insightful)
Before, cheat codes made the games more fun for lousy players, but today they make them more fun for poor players!
/. Decline. (Score:1)
Re: (Score:2)
This is a news site.
It's news.
This is a site aimed towards somewhat technologically knowledgeable people.
It gave a somewhat technological account of what the hack is.
I don't understand your issue.
Credentials? (Score:1)
Re: (Score:2)
According to TFA, this is the data sent to the Russian servers when you use it to make a "purchase":
-restriction level of app
-id of app
-id of version
-guid of your idevice
-quantity of in-app purchase
-offer name of in-app purchase
-language you are using
-identifier of application
-version of application
-your locale
Man in the Middle... (Score:5, Interesting)
In other news... Russian Hackers clear a lot of bank accounts...
Let me get this straight:
You install a new certificate and point your DNS setting to a foreign server under the control of someone you should not trust.
In other words: Any communication afterwards can be intercepted and even SSL encrypted sessions will look fine.
Why spend a lot of work on some malware when good old STUPID provides the same setup for your man-in-the-middle attack?
Most users who do this (farmville players...) will not change this back and also use their iPad for stuff like online banking.
This completely compromises device security (Score:1)
Uh, let me get this straight. The method posted involves installing SomeGuy's (TM) trusted root certificate and using SomeGuy's (TM) DNS resolver?
This is an incredible security risk, since it completely and utterly subverts any SSL/TLS communication from that device.
If you need an example - what's to stop SomeGuy (TM) from signing a certificate for https://www.your-bank.example.com/, copying the bank website to a server under his (or her) control, and having the DNS resolver point to the IP for his (or her) server
but then after that... (Score:2)
Shocking I Tell You! (Score:2)
Oh so if I install this random Root Certificate Authority on my machine, thus granting some random hackers the ability to perform MITM attacks against all my SSL sessions, they can perform a MITM attack on in-app purchase transactions?
Shocking, simply shocking.
FYI: this exists so enterprise customers can install their root CA certs so their internal certificates will be considered valid.
At its core, this is the same problem we have with SSL in general. CAs are a single point of failure and one rogue certifi
since some of them make use of Apple's method for (Score:2)
>since some of them make use of Apple's method for validating receipts.
And now I know who is the employer of that Russian developer
Apple's receipt verification is broken too (Score:5, Interesting)
I just reviewed the documentation for the receipt verification, and that process is broken too.
To summarize, you forward an opaque token to the App Store and verify success using a simple clear-text status flag. This is fundamentally broken because the client doesn't authenticate the source of either piece of data. The original hack in this article is based on a Man-in-the-Middle attack, and their receipt verification system is vulnerable to exactly the same type of attack.
The lack of cryptographic hashing and authentication on the client side is a complete failure of Apple's API design. The first step should be message signing and authentication to ensure the server is who the server says they are. Apple is relying on SSL certificates for this role, which I feel is inadequate. The SSL Certificate Authority system has been broken for a long time and reliance upon them to assure authenticity is a Bad Idea(tm).
The concept of centralized CAs is good in theory, but recent events have proven that CAs are easily corrupted by economic, political, and technical means.
Re: (Score:2)
The receipt data is first supposed to be sent to the developer's server. The server then verifies it with the app store. It's up to the developer to make sure communication with their own server is secure.
Still not a very good system IMO. What does Apple use for securing actual app purchases from their store? I'm assuming they have something in place to prevent using a MITM attack to install your own apps?
I believe this is how it works (Score:1)
So, to verify the receipt: http://developer.apple.com/library/ios/#documentation/NetworkingInternet/Conceptual/StoreKitGuide/VerifyingStoreReceipts/VerifyingStoreReceipts.html
1) you send a receipt to https://buy.itunes.apple.com/blah blah (note the https so ssl is used here)
2) buy.itunes.apple.com sends the app back a message saying whether the receipt is valid or not (I believe it's pure JSON over SSL)
This is, i believe, how the hack works:
1) you change the dns so that buy.itunes.apple.com points to yo
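Putting the summary's three steps, the man-in-the-middle posts above and the "I believe this is how it works" walkthrough together: once the device trusts the attacker's root CA and resolves the store hostname to the attacker's address, whoever answers the app's verifyReceipt call decides what "valid" means. The following is an added example (mine, not code from the page, from Apple or from the in-appstore.com author) that simulates that on loopback: one HTTP server that accepts only a genuine receipt, one that answers status 0 to anything, and a dictionary standing in for the device's DNS. The hostname lookup, the receipt tokens, the product id and the 21002 status code are constructed for the example; plain HTTP is used because, with a user-installed root CA, the TLS layer no longer distinguishes the two servers, which is the whole point of the first two steps.

```python
import json
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.request import Request, ProxyHandler, build_opener

# Constructed sample data (not from the article): the only receipt the "store"
# recognises. Any other token is treated as forged.
GENUINE_RECEIPTS = {
    "receipt-abc123": {
        "product_id": "com.example.game.coins100",   # assumed product id
        "transaction_id": "1000000012345678",
    },
}


class StoreHandler(BaseHTTPRequestHandler):
    """Stand-in for the real verifyReceipt endpoint: status 0 only for genuine receipts."""

    def do_POST(self):
        body = json.loads(self.rfile.read(int(self.headers["Content-Length"])))
        token = body.get("receipt-data", "")
        if token in GENUINE_RECEIPTS:
            self._reply({"status": 0, "receipt": GENUINE_RECEIPTS[token]})
        else:
            self._reply({"status": 21002})  # assumed "bad receipt" status code

    def _reply(self, obj):
        data = json.dumps(obj).encode()
        self.send_response(200)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

    def log_message(self, *args):
        pass  # keep the demo quiet


class HijackHandler(StoreHandler):
    """What the bypass server does once DNS points the store hostname at it: say yes to everything."""

    def do_POST(self):
        self.rfile.read(int(self.headers["Content-Length"]))  # ignore whatever was sent
        self._reply({"status": 0, "receipt": {"product_id": "anything-you-asked-for"}})


def start_server(handler):
    """Serve on an ephemeral loopback port in a daemon thread; returns (host, port)."""
    srv = HTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv.server_address


def post_receipt(resolver, token):
    """One verifyReceipt round trip; `resolver` plays the role of the caller's DNS."""
    host, port = resolver["buy.itunes.apple.com"]
    req = Request(
        f"http://{host}:{port}/verifyReceipt",
        data=json.dumps({"receipt-data": token}).encode(),
        headers={"Content-Type": "application/json"},
    )
    with build_opener(ProxyHandler({})).open(req, timeout=5) as resp:  # no system proxy
        return json.load(resp)


def app_unlocks_itself(device_resolver, token):
    """The pattern the thread criticises: the app calls the store directly and trusts a bare status flag."""
    return post_receipt(device_resolver, token).get("status") == 0


def backend_unlocks(backend_resolver, token, expected_product):
    """The developer's server verifies with its own DNS/trust store and checks the receipt contents."""
    reply = post_receipt(backend_resolver, token)
    receipt = reply.get("receipt") or {}
    return reply.get("status") == 0 and receipt.get("product_id") == expected_product


def demo():
    real_store = start_server(StoreHandler)
    bypass = start_server(HijackHandler)
    honest_dns = {"buy.itunes.apple.com": real_store}   # the developer's server
    hijacked_dns = {"buy.itunes.apple.com": bypass}     # the user's iPad after the three steps
    forged = "receipt-forged-000"
    return {
        "app_direct_honest_dns": app_unlocks_itself(honest_dns, forged),
        "app_direct_hijacked_dns": app_unlocks_itself(hijacked_dns, forged),
        "backend_forged": backend_unlocks(honest_dns, forged, "com.example.game.coins100"),
        "backend_genuine": backend_unlocks(honest_dns, "receipt-abc123", "com.example.game.coins100"),
    }


if __name__ == "__main__":
    for name, unlocked in demo().items():
        print(f"{name}: {'UNLOCKED' if unlocked else 'denied'}")
```

Moving the call to the developer's backend helps because the backend resolves and trusts the store through its own DNS and CA store, which the three-step procedure never touched. It is not a complete fix on its own: the same user can point the backend's hostname at the bypass server too, so the app-to-backend leg needs authentication that does not rest on the device's CA store (pinning the developer's own certificate or key, as the public-key signing comment earlier in the thread suggests), and a valid receipt replayed from another buyer still needs the transaction-level checks on the server.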
Awww, people not paying for smurf berries..... (Score:2)