Tuesday, August 28, 2012

Free purchases in Apple Store

A Russian hacker has figured out how to bypass Apple's in-app purchasing


Russian hacker Alexey Borodin has caused Apple a lot of headaches by reverse-engineering the App Store protocol and publishing instructions on how to forge receipts for In-App purchases within applications.

That is, to "buy for free" content within any application, such as new levels, bonuses, and so on. Borodin himself compares In-App purchases to "cheating" and "selling air", because money is in fact charged to unlock content that is already present on the phone.

The method is universal and works with virtually any application: you only need to carry out a MITM-style attack on your own phone by adding two fake CA certificates (first, second) and setting a fake DNS server, which supposedly caches responses from Apple's server confirming your purchases.


To confirm the purchase, the fake DNS server gives the device a false receipt of a standard form.

Apple, the maker of the iPhone and iPad and the owner of the App Store for these devices, will have to seriously revise the protocol that protects purchase confirmation within applications.

This became necessary after Borodin published a way of obtaining paid software updates for free from the Apple App Store. The In-App Purchase system allows application developers to make money on additional purchases that the user makes inside the application: for example, new virtual items for games or new issues of magazines, newspapers and comic books in the respective applications. Borodin discovered a vulnerability in the encryption protocol that is used to confirm payment in the system, and created a simple way to "cheat" it.

Borodin tricked the billing system of the Apple App Store application catalog and learned to make in-app purchases for free: buying extra levels and other content in mobile applications.

The instructions are published on the developer's official blog, In-Appstore.com, and duplicated in Russian on the site iguides. Any owner of an iOS device can use them.

To make purchases within applications for free, you need to take two steps: install two certificates (the author provides links) and enter the DNS server address in the Wi-Fi connection settings.

The method does not require hacking the device or installing any applications, does not change application code, and works on iOS from version 3.0 through the 6.0 beta. It works by directing the purchasing application to a fake server instead of Apple's official server. The purchase is made against the spoofed server; the application "thinks" that a certain amount has been deducted from the user's account and grants access to the content. In fact, no amount is deducted.
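An added example, not from the original post or from Apple: because the bypass relies on the app accepting whatever receipt the spoofed server returns to the phone, a developer can make the unlock decision on their own server instead. The code assumes a hypothetical verification result format (`status`, `bundle_id`, `product_id` and `transaction_id` are illustrative names) and uses constructed sample data.

```python
from dataclasses import dataclass, field

@dataclass
class ReceiptGate:
    """Decides on the developer's server whether to unlock a purchase."""
    bundle_id: str
    redeemed: set = field(default_factory=set)

    def check(self, result: dict, requested_product: str):
        # `result` is the verification answer fetched by the developer's own
        # server, so DNS and CA settings on the phone cannot influence it.
        # All field names here are assumptions made for this example.
        if result.get("status") != 0:
            return False, "verification failed"
        receipt = result.get("receipt") or {}
        if receipt.get("bundle_id") != self.bundle_id:
            return False, "receipt belongs to another app"
        if receipt.get("product_id") != requested_product:
            return False, "receipt is for a different product"
        txn = receipt.get("transaction_id")
        if not txn:
            return False, "missing transaction id"
        if txn in self.redeemed:
            return False, "transaction already redeemed"
        self.redeemed.add(txn)
        return True, "ok"

# Constructed sample data, not real receipts.
GENUINE = {"status": 0, "receipt": {"bundle_id": "com.example.game",
           "product_id": "level_pack_2", "transaction_id": "T-1001"}}
STOCK = {"status": 0, "receipt": {"bundle_id": "com.example.sample",
         "product_id": "sample_item", "transaction_id": "T-0001"}}
REJECTED = {"status": 1}

def demo():
    gate = ReceiptGate(bundle_id="com.example.game")
    return [
        gate.check(GENUINE, "level_pack_2"),   # first redemption
        gate.check(GENUINE, "level_pack_2"),   # replay of the same receipt
        gate.check(STOCK, "level_pack_2"),     # one-size-fits-all receipt
        gate.check(REJECTED, "level_pack_2"),  # verifier said no
    ]

if __name__ == "__main__":
    for ok, reason in demo():
        print(ok, reason)
```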

This method is not safe for the user, because all the personal information needed for a normal transaction is sent to the server. The author warns about this himself. He also says that he does not steal money from cards and does not store the information provided. However, there is no way to verify this.

Borodin has since said that the updated API completely closes the loophole he found. Users can still use it, however, as long as developers have not implemented the new API in their applications. In iOS 6 the loophole is expected to be closed from the start.

Borodin is currently exploiting a similar hole in Mac OS X. According to the publication, it was used more than 8 million times last week. A fix is expected in Mountain Lion, which will be released a few days ago.

Apple has updated the API (application programming interface) that is used for settlements between owners of iOS devices and application developers when in-app purchases are made, according to The Next Web.
