First iOS, Now Mac OS X In-App Purchases Hacked

Posted by timothy
from the next-up-7-11-purchases dept.
An anonymous reader writes "Last week Russian developer Alexey Borodin hacked Apple's In-App Purchase program for all devices running iOS 3.0 or later, allowing iPhone, iPad, and iPod touch users to circumvent the payment process and essentially steal in-app content. Apple [Friday] announced a temporary fix and that it would patch the holes with the release of iOS 6. While Cupertino was distracted, Borodin came in and pulled off the same scheme on the Mac."

  • by mwvdlee (775178) on Saturday July 21, 2012 @11:26AM (#40723675) Homepage

    allowing iPhone, iPad, and iPod touch users to circumvent the payment process and essentially steal in-app content

    You mean the users (well... only one user) can actually copy and delete it from the application vendors' hardware? Wow, that is bad!

    • by tlhIngan (30335)

      allowing iPhone, iPad, and iPod touch users to circumvent the payment process and essentially steal in-app content

      Incorrect. Developers who check with Apple for receipts can't be affected by this (because there are shared secrets) and Apple provides a mechanism for verification.

      Developers who don't check, though, are vulnerable to this. And always have - jailbroken users know about IAPCracker which does the exact same thing - faking in-app purchases. (IAPCracker also doesn't pop up a dialog, so you can chec

    • by nobodie (1555367)

      not news,
      I have a student from Vietnam who has jailbroken his iPhone and added an app that lets him download any app for free and run them without any charge. Half the class has iPhones and he is hooking them all up, it'll be all over campus in days when the fall kids arrive.

  • by Anonymous Coward

    I've read some comments on the pages in the links and they seem to say this is not Apple's fault but the dev's fault for not using the "3 lines of code" to verify in-app purchases. What I want to ask is why this is not the default behavior in iOS.

    • I've read some comments on the pages in the links and they seem to say this is not Apple's fault but the dev's fault for not using the "3 lines of code" to verify in-app purchases. What I want to ask is why this is not the default behavior in iOS.

      You mean it's the developers' fault for making the assumption that their customers are honest.

  • Yeah, they've been distracted...by the upcoming release of Mountain Lion in the next few weeks. Anyone willing to bet that this issue is fixed in Mountain Lion just as it's been promised to be fixed in iOS 6?

  • Meh (Score:4, Informative)

    by Anonymous Coward on Saturday July 21, 2012 @11:42AM (#40723751)

    Apple has recommended all along that you verify receipts to make sure they're not fake. Some apps don't, and can be hacked. How surprising.

    • This circumvents on-device verification, and some remote-server verification depending on implementation.
  • by seansobes (1691592)
    Who pays for software anyway?
  • Patched (Score:4, Informative)

    by mr100percent (57156) on Saturday July 21, 2012 @12:37PM (#40724123) Homepage Journal

    Apple already explained to developers [macnn.com] how to close the hole, with in-App receipts. Also, it's closed in iOS 6.
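
The receipt checking that the comments above refer to, sketched as the checks a developer's own server can apply before unlocking content. This is an added example, not code from the article, the commenters or Apple; the response shape (`status`, `receipt.bid`, `product_id`, `transaction_id`) is an assumption modelled on Apple's legacy verifyReceipt JSON reply, and the bundle id, product id and sample responses are constructed.

```python
# Added example: server-side acceptance checks on a receipt-verification reply.
# Field names are an assumption modelled on Apple's legacy verifyReceipt JSON;
# the identifiers below are hypothetical.

EXPECTED_BUNDLE_ID = "com.example.game"           # hypothetical app identifier
PRODUCT_CATALOG = {"com.example.game.coins100"}   # hypothetical products we sell


class ReceiptRejected(Exception):
    """Raised when a purchase must not be honoured."""


def accept_purchase(response, claimed_product, redeemed_ids):
    """Return the transaction id to fulfil, or raise ReceiptRejected.

    `response` is the parsed JSON our own server received from the store's
    verification endpoint (never a verdict relayed by the client device).
    `redeemed_ids` is the set of transaction ids already fulfilled.
    """
    if response.get("status") != 0:
        raise ReceiptRejected("store did not vouch for this receipt")
    receipt = response.get("receipt") or {}
    # A genuine receipt for some other app or item must not unlock ours.
    if receipt.get("bid") != EXPECTED_BUNDLE_ID:
        raise ReceiptRejected("receipt belongs to a different app")
    product = receipt.get("product_id")
    if product not in PRODUCT_CATALOG or product != claimed_product:
        raise ReceiptRejected("receipt is not for the requested product")
    txn = receipt.get("transaction_id")
    if not txn:
        raise ReceiptRejected("receipt has no transaction id")
    # A genuine receipt that is replayed must pay out only once.
    if txn in redeemed_ids:
        raise ReceiptRejected("transaction already redeemed")
    redeemed_ids.add(txn)
    return txn


def check(response, claimed_product, redeemed_ids):
    """Convenience wrapper: 'ok' or the rejection reason as a string."""
    try:
        accept_purchase(response, claimed_product, redeemed_ids)
        return "ok"
    except ReceiptRejected as exc:
        return str(exc)
```

In production the redeemed-transaction set would live in a database with a uniqueness constraint, so that two concurrent replays cannot both pass.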

  • by Powercntrl (458442) on Saturday July 21, 2012 @01:22PM (#40724449)

    With a few rare exceptions, most games with in-app purchases are designed so that your progress in the game is directly proportional to how much you're willing to spend. In several games, no amount of patience or skill will allow you to progress. And in some games, progress itself is an illusion, with no obvious indication that your "missions" are being randomly generated and there is no way to ever "beat" the game.

    It's extremely shady on Apple's part to allow developers to label apps that require in-app purchases as "free". The way I see it, this is karma.

    I'm all for developers getting paid for their work. If they really want to nickel and dime you for every bell and whistle in the app or make you insert a coin each time you lose a life, that's their prerogative - but Apple needs to make it a lot clearer what you're downloading, since in-app-purchases mean "free" no longer means what it used to.

    • It's extremely shady on Apple's part to allow developers to label apps that require in-app purchases as "free". The way I see it, this is karma.

      I see it as extremely shady by you not to mention that for every free app with IAP they are mentioned with the price. If you don't want to pay for them, don't download apps that have them. It's that easy. Unless you hate Apple.

    • No Quarter? (Score:4, Insightful)

      by theurge14 (820596) on Saturday July 21, 2012 @04:28PM (#40725405)

      Quit your whining, kid! Back in my day we kept pumping more quarters into the machine no matter how many times the game cheated us and we liked it!

    • by Tom (822)

      It's extremely shady on Apple's part to allow developers to label apps that require in-app purchases as "free". The way I see it, this is karma.

      This. It is high time the App Store is split into 3 categories, with one for really free stuff. If you ask me, I'd even want 4, with one for really, really free stuff as in: No ads, either.

      At least let me, the customer, truthfully know what your business model is. I don't mind paying for software and regularly do. But I dislike the dishonesty in the pseudo-free sector.

    • by bhiestand (157373)

      The ones that really piss me off are the gambling games. They have (for now) found a way to bypass gambling regulations, charging for chips and whatnot, while failing to actually reward the winners.

      Can somebody tell me what makes these legal?

  • by Nihn (1863500)
    What 1 man builds another can destroy. Always.
  • The real news is of course it took him so long to defeat the exact same system in a more open OS.
  • A lot of these in-app purchases have an entirely client-side effect, such as changing how much in-game money you have. As usual, if you control the hardware, you can do whatever you want.

    If you have a jailbroken iDevice, you can make a program to change any client-side variable of a game by just calling task_for_pid and vm_write. No need to mess with the purchase receipt system at all.

  • The "World's most advanced mobile operating system"
