Russian Hacker Sidesteps Apple iOS In-App Purchases

An anonymous reader tips news that a Russian developer has posted a video showing how in-app purchases for some iOS software can be acquired without payment. The hack does't require the device to be jailbroken, and can be accomplished even by users who aren't technically proficient. The method involves three steps: "The installation of CA certificate, the installation of in-appstore.com certificate, and the changing of DNS record in Wi-Fi settings. After the quick process, users are presented with the message pictured above when installing in-app purchases, opposed to Apple’s usual purchase confirmation dialog." 9to5mac notes that this doesn't affect all apps, since some of them make use of Apple's method for validating receipts.

Re:Thanks Slashdot!

[Sarten-X]

Exactly... It's not like anybody had to put effort into making those variables do anything, or draw the pictures that appear when the variable holds a particular value, or work out and balance the mechanics of a game that the variables influence. These variables are just information in a storage system, so therefore must be completely detached from any value or human effort whatsoever.

Similarly, the energy that grew my lunch came from the sun, which gives energy away for free, so it's perfectly legal and right for me to dine-and-dash, right?

Re:More apps should validate receipts

[billcopc]

Disclaimer: app developer here.

It's been around for a while, yes, but it does require a bit more coding, and since a staggering number of these shady freemium apps are written by copy-paste coders, they've probably been using the non-verified method, because to their eyes it does what they want.

They might fix it if this workaround becomes too mainstream, but even then, an updated binary would be required in most cases. The cat is out of the bag. Anything going over the network can now be spoofed. Even the verification could be spoofed if so desired. I hope all the Zyngas of the world had their fun while it lasted.

Man in the Middle...

[Anonymous Coward]

In other news... Russian Hackers clear a lot of bank accounts...

Let me get this straight:
You install a new certificate and point your DNS setting to a foreign server under the control of someone you should not trust.
In other words: Any communication afterwards can be intercepted and even SSL encrypted sessions will look fine.
Why spent a lot of work for some malware when good old STUPID provides the same setup for your man-in-the-middle attack.

Most users who do this (farmville players...) will not change this back and also use their iPad for stuff like online banking.

Re:Liar

[nitio]

Hm, no I don't live in corporate USA though I'm trying to figure out which part of the free world you live. Care to share? Just curious. I live in Brazil so I'm not sure if you deem it as free or not. Not that I care that much.

I think I had made myself clear when I said "Copyright and all that shit" suggesting I don't agree with copyright legislation they way it is pretty much everywhere and the "YMMV" sort of implies that my point of software license isn't true all the time. I'm sorry if I haven't shouted or something to bring my point out

Regarding company liability- as it is with anything legal it's always not 100% true or false but you can think about the Sony Rootkit CDs which, well, made them liable for the software it installed doing unexpected things in people's hardware. You don't need to agree with me neither counter it, I'm simply suggesting that as one example where the route can be taken the other way around.

Now, to best part of your arguments, which is name calling. Might I suggest you avoid that? It doesn't add anything to anybody or the discussion. Sure you had your point - which is valid, I agree, though there are specifics. I don't think most companies that allow mods to happen are happy if people start making money out of it OR take their money because of it.
But when you name call, your argument is lost because you found someone who disagrees with you

But hey, at least you imply iyou have independent thoughts!


PS: Bill's dick wasn't that good.

Apple's receipt verification is broken too

[Y2K is bogus]

I just reviewed the documentation for the receipt verification, and that process is broken too.

To summarize, you forward an opaque token to the appstore and verfiy success using a simple clear text status flag. This is fundamentally broken because the client doesn't authenticate the source of either piece of data. The original hack in this article is based on a Man In the Middle attack, their receipt verification system is vulnerable to exactly the same type of attack.

The lack of cryptographic hashing and authentication on the client side is a complete failure of Apple's API design. The first step should be message signing and authentication to ensure the server is who the server says they are. Apple is relying on SSL certificates for this role, which I feel is inadequate. The SSL Certificate Authority system has been broken for a long time and reliance upon them to assure authenticity is a Bad Idea(tm).

The concept of centralized CAs is good in theory, but recent events have proven that CAs are easily corrupted by economic, political, and technical means.