
Russian Hacker Sidesteps Apple iOS In-App Purchases

Posted by Soulskill
from the price-is-right dept.
An anonymous reader tips news that a Russian developer has posted a video showing how in-app purchases for some iOS software can be acquired without payment. The hack doesn't require the device to be jailbroken, and can be accomplished even by users who aren't technically proficient. The method involves three steps: "The installation of CA certificate, the installation of in-appstore.com certificate, and the changing of DNS record in Wi-Fi settings. After the quick process, users are presented with the message pictured above when installing in-app purchases, opposed to Apple’s usual purchase confirmation dialog." 9to5mac notes that this doesn't affect all apps, since some of them make use of Apple's method for validating receipts.

  • Thanks Slashdot! (Score:5, Informative)

    by CajunArson (465943) on Friday July 13, 2012 @12:29PM (#40639973) Journal

    Before even the first 50 apple flame posts are up for this story, the loophole will be closed. The first rule of the free app hack is that YOU DO NOT TALK ABOUT THE FREE APP HACK.

    • by chinton (151403) <chinton001-slashdot.gmail@com> on Friday July 13, 2012 @12:34PM (#40640015) Journal
      I thought the first rule would have been "if you don't want to pay for something it doesn't give you the right to take it".

      I've got a hack for getting free jewelry. It involves a crowbar and the brittleness of the glass they use to make those display cases.

      • Re: (Score:2, Insightful)

        by i kan reed (749298)

        Where the "something" in this case are the states of Boolean variables. Not illegal.

        • Re:Thanks Slashdot! (Score:5, Interesting)

          by Sarten-X (1102295) on Friday July 13, 2012 @12:43PM (#40640105) Homepage

          Exactly... It's not like anybody had to put effort into making those variables do anything, or draw the pictures that appear when the variable holds a particular value, or work out and balance the mechanics of a game that the variables influence. These variables are just information in a storage system, so therefore must be completely detached from any value or human effort whatsoever.

          Similarly, the energy that grew my lunch came from the sun, which gives energy away for free, so it's perfectly legal and right for me to dine-and-dash, right?

          • by Anonymous Coward

            > It's not like anybody had to put effort into making those variables do anything,

            So what?

            > These variables are just information in a storage system, so therefore must be completely detached from any value or human effort whatsoever.

I pay for the storage system. Everything else is without imbued value, correct (human effort is a weasel phrase to corrupt the point; effort does not equate to value). Someone is upset when they don't get credit, which is different than having valued assets removed from th

            • (human effort is a weasel phrase to corrupt the point; effort does not equate to value)

Thanks so much. I haven't gotten a laugh like that since someone told me that Mormons attacked the US on 9/11. Tell me, how does it feel to live in a world where you never pay the labor cost associated with something?

              • I don't agree with everything the GP said, but he is right on the excerpt you decided to quote. Effort does not equate to value. You can run in circles loaded with rocks all day long and you will be producing very little value, for example.
                • by Sarten-X (1102295)

                  Unless someone values you running in circles with rocks enough to expend their own effort in some other way (like earning money with which to pay you). Maybe you're supposed to be testing the durability of flooring under heavy load, but I digress.

                  Exerting effort does not inherently require that someone else value it, but all value is derived (either directly or indirectly) from the exertion of effort. However, as a society we have generally held that all effort is valued when it benefits someone else. The e

The problem is that labor cost is often disconnected from the actual cost of the product. Should I pay for Max Payne 3 knowing the entire studio was just let go? Should I pay for Kingdoms of Amalur knowing the entire studio is dead and the owners ran off with the money? Paying for these products simply makes the money go down a hole.
            • by Sarten-X (1102295) on Friday July 13, 2012 @01:16PM (#40640467) Homepage

              ...effort does not equate to value). Someone is upset when they don't get credit, which is different than having valued assets removed from their possession.

              So tell me, when you were born into this world, what valued assets did you have of your own? Not your family's, mind you, but your own? Apart from things you've put forth effort to produce, or put forth effort to earn the money to pay others to produce, what do you now possess that is of value?

              Everything of value in this world is valued because of the human effort it took to produce it. Metals must be pulled from the Earth, ores must be smelted, and products must be assembled. Information must be conceived, clarified, and codified.

              I have no moral responsibility to give credit, so I don't feel guilt.

I understand this to mean "I value physical effort infinitely more than mental effort". If I hold the exact opposite definition, you wouldn't mind being my slave, would you? I promise you'll only be doing worthless physical labor...

              • by scot4875 (542869)

I understand this to mean "I value physical effort infinitely more than mental effort". If I hold the exact opposite definition, you wouldn't mind being my slave, would you? I promise you'll only be doing worthless physical labor...

                I'm a programmer. I can only speak for myself, but value physical and mental effort roughly equally.

However, the in-app purchases I see on the app store disgust me. I'll use a recent example of a game I downloaded: it was a decent enough tower defense game -- one that I'd have paid a couple bucks for to compensate the developers. However, there is no paid version; the only method of compensation available is via in-app purchases, where you can buy virtual money to pay for upgrades. The lowest level pur

                • by Sarten-X (1102295)

                  I'm a programmer too. I can only speak for myself as well, but fuck everything about that pricing.

                  It's pretty obvious that the authors are grossly overvaluing their work. This still doesn't give potential customers the right to force them to accept a different valuation, though. The options are to pay the high price, don't use the upgrades, or try to communicate with the authors to negotiate a more reasonable deal.

              • by Bert64 (520050)

                For metals pulled from the earth and smelted, and products which are assembled a high level of effort must be expended for each and every product...

                For any form of digital media, effort may well have gone into creating the initial version, but all subsequent copies were produced trivially... So by extension, only the original has any value and all the copies have little or no value.

                Or you could argue that the value of the media should be split equally amongst each produced copy...

                To declare that trivially p

                • by Sarten-X (1102295)

                  Or you could argue that the value of the media should be split equally amongst each produced copy...

                  This is exactly what I'm arguing for, but recognizing that the number of sales is generally unknown at the time the pricing is set, and almost definitely unknown at the time the initial effort is put forth.

                  I doubt it's possible for Duke Nukem Forever to ever sell enough copies to make up for the amount of effort that went into making (and remaking, and redesigning, and remaking) it. Of course, 15 years ago, that seemed entirely likely, and maybe even with a hefty profit because consumers would (in total) va

        • Where the "something" in this case are the states of Boolean variables.

          Is that the same sort of boolean as the states of Legal/Illegal, or some other rarefied form with which we are not familiar?

        • Where the "something" in this case are the states of Boolean variables. Not illegal.

          And Algebra..... just watch out for the Bra in Algebra

      • Re: (Score:1, Informative)

        by CajunArson (465943)

        Since apparently the 10 remaining people on Slashdot now all have Aspergers, you should note that my first post was meant to be sarcastic and facetious.

        To any Apple Security Service (A.S.S.) personnel, I would like to note that I do not own an i/Phone/Pad/whatever and therefore have no interest in stealing your precious apps. Oh wait.. I just realized that not owning an iWhatever makes me an even bigger criminal than that Russian dude! Time to flee the country (again)!

      • The first rule of the free app hack is that YOU DO NOT TALK ABOUT THE FREE APP HACK.

        I thought the first rule would have been "if you don't want to pay for something it doesn't give you the right to take it".

        It was a joke, I think you missed the reference [imdb.com].

      • by sl4shd0rk (755837)

        "if you don't want to pay for something it doesn't give you the right to take it"

        Like private data on someone's mobile device?

      • by Dahamma (304068)

        It's like that, but where the jewelry store knows you did it and has your email, home address, and credit card number on file.

    • Also I wouldn't publish or use his findings. Because if you are caught you are in trouble.
Getting pirated material from another site (the site owner takes some, usually the bulk, of the responsibility for the failure) is one thing. Actually trying to get the data straight from the Apple Store is stealing. If caught, you are going to be responsible. Being that this is costing Apple money, you can bet that if they are nice they will charge you for the apps you downloaded; if not, they will fine you a much higher

    • Re:Thanks Slashdot! (Score:5, Informative)

      by Quila (201335) on Friday July 13, 2012 @01:00PM (#40640271)

      It was closed before the hack. App developers just didn't bother to implement receipt authorization that's built into the store, allowing their apps to be tricked.

      The question is why Apple didn't make authorization mandatory. But if they did then there'd be bitching about that too.

      • by tlhIngan (30335)

        It was closed before the hack. App developers just didn't bother to implement receipt authorization that's built into the store, allowing their apps to be tricked.

        The question is why Apple didn't make authorization mandatory. But if they did then there'd be bitching about that too.

        Because authorization means it's a one-off purchase - once you bought something, it's marked in your account as purchased (otherwise Apple can't produce the receipt). Which means if you attempt to buy it again, Apple basically doe

        • by Sparton (1358159)

          The question is why Apple didn't make authorization mandatory. But if they did then there'd be bitching about that too.

          Because authorization means it's a one-off purchase - once you bought something, it's marked in your account as purchased (otherwise Apple can't produce the receipt).

          This is not true. A receipt is generated either way, regardless of whether the purchase item allows multiple purchases (such as buying currency) or one-off (such as unlocking a feature).

          The reason a lot of developers probably don't do this is because it makes the transaction take longer. The entire process, when done bullet proof, takes about 15 steps that primarily involve two servers (your company's and Apple's) talking to each other. That introduces a lot of wait time for the transaction to complete... a

    • by santax (1541065)
But... if Apple is closing this gate to their content providers' money, how will they rip them off, besides the idiotic 30% cut? This is not a flaw; something this simple yet non-obvious is implemented.
  • by Culture20 (968837) on Friday July 13, 2012 @12:36PM (#40640027)
    a wheelbarrow of smurfberries!
  • Pay the price (Score:5, Insightful)

    by Sponge Bath (413667) on Friday July 13, 2012 @12:38PM (#40640051)
    It might be better to buy the software instead of leaving a trail of your theft with the Apple store.
    • Re:Pay the price (Score:5, Informative)

by tlhIngan (30335) on Friday July 13, 2012 @12:50PM (#40640157)

      It might be better to buy the software instead of leaving a trail of your theft with the Apple store.

      It depends on the app. Apps have two choices with regards to in-app purchases. They can go through the official Apple Store receipt mechanism, or choose not to. Usually purchases for stuff that "expire" don't (because the receipt method prevents a user from buying it again, so your $99 smurfberry pack can only be bought once), while stuff that may need to be reloaded does (e.g., DLC, so if you reinstall your app, you can redownload your previous in-app purchases because the app verifies with Apple what DLC you already own).

It's possible to do a hybrid system where some DLC is offered using the former system (usually to offer it "free" instead of requiring payment) - I believe developers host the additional content so if they wanted to give it for free, they tell the app they can get access to it. Of course, without an Apple receipt for it, if the developer removes the access, you've lost it. It's how the Atari thing let people get all games, but it goes away on next install (Atari updated the game's flags to say you own all the games, but if the app checks against Apple, it says you own none, which is the case on reinstall).

      The former could be acquired "for free" by using a jailbroken device with IAPCracker installed. The ones that check don't because they do confirmations with Apple to ensure it really was purchased.

    • It might be better to buy the software instead of leaving a trail of your theft with the Apple store.

The crime of forging receipts is called Uttering. I would be fine with fraud as well, but calling it theft is just retarded.

I say this because in this vast country, major breakthroughs in the tech world have a hand in Russia. I would label Russia as fertile waters to fish for good, competent hacker talent.

  • by v1 (525388) on Friday July 13, 2012 @12:44PM (#40640115) Homepage Journal

    Tricking an app store into giving you free game boosters is one thing, but then soliciting donations to upgrade the system is surprisingly brazen. A bit like the difference between pirating movies to watch, and selling pirated movies on the corner.

So apparently you could do this already if your iDevice was jailbroken? I wonder if that method leaves any kind of evidence or not. Does this method (i.e. using this Russian workaround with certificates and whatnot) leave a trail of any kind? I mean, why would people do this if it did leave a trail? I've got to imagine it doesn't leave very much evidence. Or are people really just that greedy?

  • Hasn't receipt validation been around about as long as in-app iOS purchases? You'd think more people would do it since there is money involved and it isn't particularly complicated.
    • by alen (225700)

      you must have not met the developers i've met over the years

      I have to change 10 lines of code? oh no, my fingers are going to fall off. i'll just leave it like this

      • you must have not met the managers i've met over the years

        I have to dedicate 10 minutes of a human resource? oh no, my bonus-driving stats are going to fall off. i'll just leave it like this

    • by billcopc (196330) <vrillco@yahoo.com> on Friday July 13, 2012 @12:57PM (#40640245) Homepage

      Disclaimer: app developer here.

      It's been around for a while, yes, but it does require a bit more coding, and since a staggering number of these shady freemium apps are written by copy-paste coders, they've probably been using the non-verified method, because to their eyes it does what they want.

      They might fix it if this workaround becomes too mainstream, but even then, an updated binary would be required in most cases. The cat is out of the bag. Anything going over the network can now be spoofed. Even the verification could be spoofed if so desired. I hope all the Zyngas of the world had their fun while it lasted.

      • Even the verification could be spoofed if so desired.

        Only if you either jailbreak the device or they're (stupidly) not using some sort of public key signing to verify authenticity.

  • I hope that Apple bills each user who tries this... It would not be that hard to show that the purchase was made and after a little sorting out, the credits will go to the developer.. I'm not sure what happens if you run up expenses on your account that you can't afford, but my guess is that your service may be interrupted... Most of us have day jobs where we toil away for a corporation or government. Some of us toil away on software projects so we can escape that grind. It isn't easy making a living selli
    • by psiclops (1011105)

      you are not liable for such purchases as you never entered into an agreement to purchase them.
      Apple can't bill you for them. Apple can't bill you for anything, because you don't have a billing account with Apple.
They could suspend your Apple account; however, if they do that, anyone whose account is suspended might as well just jailbreak their device.

      They can not do anything to your actual phone service as they are not a party to your agreement with your carrier.

  • I'm not 100% clear on what this hack does. Are they:

    • Tricking an app into providing a bogus receipt to broken third-party servers that fail to properly validate store receipts, and thus provide content without a valid purchase,
    • Taking an existing pirated copy of an in-app purchase blob and tricking the app into thinking that it was provided by the store, or
    • Tricking an app into thinking that a receipt is valid by changing certificate trust policies, thus causing them to activate a feature that was built int
The first one. Basically it only affects developers who don't use Apple's in-app purchase receipt checking APIs. Anyone who coded properly is not affected, which is probably why he chose to show it working on shitty Facebook-like games and not anything from a decent developer.
  • by Anonymous Coward

    There is already a much more polished version of this where you just install a single app from a Cydia repo that does essentially the same thing. It's been out for months.

  • by falcon5768 (629591) <Falcon5768@@@comcast...net> on Friday July 13, 2012 @01:02PM (#40640299) Journal
He didn't sidestep anything, he took advantage of bad developers who don't use Apple's in-app receipt checking APIs.
  • by GameboyRMH (1153867) <gameboyrmhNO@SPAMgmail.com> on Friday July 13, 2012 @01:03PM (#40640309) Journal

Before, cheat codes made the games more fun for lousy players, but today they make them more fun for poor players!

Has /. actually stooped so low as to post hacker how-to's? Really? When will it open the game cheats section, and the "used software" trade service...
    • by psiclops (1011105)

      this is a news site.
      it's news.

      this is a site aimed towards somewhat technologically knowledgeable people.
it gave a somewhat technological account of what the hack is.

      i don't understand your issue.

  • I'm unsure what exactly gets sent with an in-app purchase, but I'd assume it has something to do with your App Store account. Can anyone tell me why I keep getting multiple errors when trust( "RussianHacker"); is called?
    • According to TFA, this is the data sent to the Russian servers when you use it to make a "purchase":

      -restriction level of app
      -id of app
      -id of version
      -guid of your idevice
      -quantity of in-app purchase
      -offer name of in-app purchase
      -language you are using
      -identifier of application
      -version of application
      -your locale

  • Man in the Middle... (Score:5, Interesting)

    by Anonymous Coward on Friday July 13, 2012 @01:33PM (#40640627)

    In other news... Russian Hackers clear a lot of bank accounts...

    Let me get this straight:
    You install a new certificate and point your DNS setting to a foreign server under the control of someone you should not trust.
    In other words: Any communication afterwards can be intercepted and even SSL encrypted sessions will look fine.
Why spend a lot of work on some malware when good old STUPID provides the same setup for your man-in-the-middle attack?

    Most users who do this (farmville players...) will not change this back and also use their iPad for stuff like online banking.

    • My kingdom for mod points today. Mod this AC up.
    • While you're right not to trust this, the website says his DNS server does NOT allow you to connect out to any other sites. It only allows in-app purchases, and you must restore the configuration to use your old DNS server before you can do anything else. I'm not sure what dangers there are from the certificates that he has you install however.
Uh, let me get this straight. The method posted involves installing SomeGuy's (TM) trusted root certificate and using SomeGuy's (TM) DNS resolver?

    This is an incredible security risk, since it completely and utterly subverts any SSL/TLS communication from that device.

If you need an example - what's to stop SomeGuy (TM) from signing a certificate for https://www.your-bank.example.com/, copying the bank website to a server under his (or her) control, and having the DNS resolver point to the IP for his (or her) server?

  • Apple pretty much ties your DNA sequence and entire family history back to the 1st century to your MAC address and Apple store account and the files themselves are still coming from their servers so I don't think it'd take real long for anyone doing this to get arrested.
  • Oh so if I install this random Root Certificate Authority on my machine, thus granting some random hackers the ability to perform MITM attacks against all my SSL sessions, they can perform a MITM attack on in-app purchase transactions?

    Shocking, simply shocking.

    FYI: this exists so enterprise customers can install their root CA certs so their internal certificates will be considered valid.

    At its core, this is the same problem we have with SSL in general. CAs are a single point of failure and one rogue certifi

  • >since some of them make use of Apple's method for validating receipts.

    And now I know who is the employer of that Russian developer

  • by Y2K is bogus (7647) on Friday July 13, 2012 @03:47PM (#40642311)

    I just reviewed the documentation for the receipt verification, and that process is broken too.

To summarize, you forward an opaque token to the appstore and verify success using a simple clear text status flag. This is fundamentally broken because the client doesn't authenticate the source of either piece of data. The original hack in this article is based on a Man In the Middle attack; their receipt verification system is vulnerable to exactly the same type of attack.

    The lack of cryptographic hashing and authentication on the client side is a complete failure of Apple's API design. The first step should be message signing and authentication to ensure the server is who the server says they are. Apple is relying on SSL certificates for this role, which I feel is inadequate. The SSL Certificate Authority system has been broken for a long time and reliance upon them to assure authenticity is a Bad Idea(tm).

    The concept of centralized CAs is good in theory, but recent events have proven that CAs are easily corrupted by economic, political, and technical means.

    • The receipt data is first supposed to be sent to the developer's server. The server then verifies it with the app store. It's up to the developer to make sure communication with their own server is secure.
      Still not a very good system IMO. What does Apple use for securing actual app purchases from their store? I'm assuming they have something in place to prevent using a MITM attack to install your own apps?

  • by Anonymous Coward

    So, to verify the receipt: http://developer.apple.com/library/ios/#documentation/NetworkingInternet/Conceptual/StoreKitGuide/VerifyingStoreReceipts/VerifyingStoreReceipts.html
    1) you send a receipt to https://buy.itunes.apple.com/blah blah (note the https so ssl is used here)
2) buy.itunes.apple.com sends the app back the message whether the receipt is valid or not (I believe it's pure JSON over SSL)

    This is, i believe, how the hack works:
    1) you change the dns so that buy.itunes.apple.com points to yo
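The two comments above (Y2K is bogus and the anonymous walkthrough of the verifyReceipt flow) both come down to the same defensive point: the verification reply must be obtained from the developer's own server, whose trust roots a user cannot alter, and it must be checked for more than the bare status flag. The following is an added example, not code from the article, Apple or any of the posters; the JSON field names (`status`, `receipt`, `product_id`, `transaction_id`, `bid`) are assumptions taken from the documented reply format, and the sample replies are constructed.

```python
"""Server-side validation of an App Store verifyReceipt reply.

Added example for this thread. The sample replies are constructed to
mirror the documented verifyReceipt JSON (numeric "status" plus a
"receipt" dictionary); the field names are assumptions from that
documentation, not values taken from the discussion.
"""
import json

# Constructed sample: a genuine reply for the product we are unlocking.
GENUINE_REPLY = json.dumps({
    "status": 0,
    "receipt": {
        "product_id": "com.example.game.berries_100",
        "transaction_id": "1000000012345678",
        "bid": "com.example.game",
        "quantity": "1",
    },
})

# Constructed sample: a reply from a spoofed buy.itunes.apple.com that
# only sets the clear-text status flag the thread complains about.
SPOOFED_REPLY = json.dumps({"status": 0})

# Constructed sample: a genuine reply, but for a different app's product
# (a real receipt replayed against the wrong app).
WRONG_APP_REPLY = json.dumps({
    "status": 0,
    "receipt": {
        "product_id": "com.other.app.unlock",
        "transaction_id": "1000000099999999",
        "bid": "com.other.app",
        "quantity": "1",
    },
})


class ReceiptRejected(Exception):
    """Raised when a verification reply must not unlock anything."""


def validate_verify_reply(body, expected_bundle_id, expected_product_id,
                          seen_transaction_ids):
    """Check a verifyReceipt reply on the developer's server.

    `body` is the raw JSON text received from the App Store. Returns the
    accepted transaction id and records it in `seen_transaction_ids`, a
    set the server must persist, so one receipt cannot be redeemed twice.
    Anything short of a full match raises ReceiptRejected.
    """
    try:
        reply = json.loads(body)
    except ValueError as exc:
        raise ReceiptRejected("reply is not JSON") from exc
    if not isinstance(reply, dict):
        raise ReceiptRejected("reply is not a JSON object")
    # The status flag alone proves nothing: a spoofed server can send 0.
    if reply.get("status") != 0:
        raise ReceiptRejected("status flag is not 0")
    receipt = reply.get("receipt")
    if not isinstance(receipt, dict):
        raise ReceiptRejected("status 0 but no receipt body")
    # Bind the receipt to this app and this product, not just "some sale".
    if receipt.get("bid") != expected_bundle_id:
        raise ReceiptRejected("receipt belongs to another app")
    if receipt.get("product_id") != expected_product_id:
        raise ReceiptRejected("receipt is for a different product")
    txn = receipt.get("transaction_id")
    if not isinstance(txn, str) or not txn:
        raise ReceiptRejected("receipt has no transaction id")
    if txn in seen_transaction_ids:
        raise ReceiptRejected("transaction already redeemed")
    seen_transaction_ids.add(txn)
    return txn


def classify(body, seen=None):
    """Return 'accepted' or 'rejected: <reason>' for one reply."""
    seen = set() if seen is None else seen
    try:
        validate_verify_reply(body, "com.example.game",
                              "com.example.game.berries_100", seen)
        return "accepted"
    except ReceiptRejected as exc:
        return "rejected: " + str(exc)


if __name__ == "__main__":
    redeemed = set()
    for label, reply in (("genuine", GENUINE_REPLY), ("replay", GENUINE_REPLY),
                         ("spoofed", SPOOFED_REPLY), ("wrong app", WRONG_APP_REPLY)):
        print(label, "->", classify(reply, redeemed))
```

The replay set is what turns a one-off unlock into something that cannot be bought once and redeemed on every reinstall; persist it with the user account rather than in memory.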

  • in your games that are all rip offs of games that existed on Newgrounds.com for at least 15 years? Gee, why wouldn't they want to pay for that?
