Nerds On Site

Stealing is Dangerous – why Apple in-app purchases should not be stolen

\"\"\"\"The Apple AppStore offers thousands of free apps. Many developers offer in-app purchases for extra functions. The system isn\’t perfect because if you make an in-app purchase on one device, it is not transferrable to another.
This is what thieves many of us use as a justification for bypassing the in-app purchase technology altogether, and stealing it instead.
However, two wrongs don\’t make a right. Don\’t steal.
The latest such facility (to steal from Apple and Developers) comes from a Russian hacker who uses a technique to redirect your device to his servers instead of Apple\’s servers. It requires you to install two certificates and change your DNS settings while on your WiFi network.
If on moral and character grounds you\’re not convinced to avoid this, here are some more reasons:

  • By installing his certificates, you are breaking the security of your device
  • As long as you are using his DNS server(s) you are sending all your DNS lookup traffic through his servers
  • Each iPhone/iPod/iPad has a unique serial number which you are sending to someone you likely don't know
  • We don't know what other code runs on his server once you connect to it. He's facilitating this hack for free, for you to also steal something. What else would or could he do?

Apple has provided developers with a method to validate purchases, but not everyone has implemented that check in their apps. Furthermore, we're certain Apple will implement additional changes to make these kinds of attacks and workarounds more difficult or impossible.
Even though there is a free third-party IAP validation service called beeblex, which closes some security holes in the validation process, it is easily bypassed by workarounds as well. As a developer I wouldn't waste time by implementing that over Apple's documented methods.
I'm sure none of this will appeal to the hackers' mindset, but for the rest of us: Don't lie, Don't cheat, Don't steal. Even when nobody is watching.
If you ask my kids what the definition of character is, they will tell you this:
Character is what you do when nobody is watching.
Update: Yesterday Apple published a new document, In-App Purchase Receipt Validation on iOS. Below is an excerpt:

A vulnerability has been discovered in iOS 5.1 and earlier related to validating in-app purchase receipts by connecting to the App Store server directly from an iOS device. An attacker can alter the DNS table to redirect these requests to a server controlled by the attacker. Using a certificate authority controlled by the attacker and installed on the device by the user, the attacker can issue a SSL certificate that fraudulently identifies the attacker’s server as an App Store server. When this fraudulent server is asked to validate an invalid receipt, it responds as if the receipt were valid.
iOS 6 will address this vulnerability. If your app follows the best practices described below then it is not affected by this attack.
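As an added example that is not part of the original post or of Apple's document: the spoofed server described above answers "valid" to anything it is handed, so an app that only trusts a status of 0 is fooled. The check below is meant to run on the developer's own server after it forwards the receipt to the App Store, where the device's DNS settings and installed certificates have no influence on where the validation request goes; it accepts a response only if the receipt names this app, this product, and a transaction not seen before. The field names (status, receipt.bid, receipt.product_id, receipt.transaction_id) are assumed to follow the old-style verifyReceipt response, and both responses and all identifiers are constructed sample values.

```python
import json

# Constructed sample: a genuine-looking App Store answer for a purchase of
# this app's own product (field names assumed to follow the old-style response).
GENUINE_RESPONSE = json.dumps({
    "status": 0,
    "receipt": {
        "bid": "com.example.myapp",
        "product_id": "com.example.myapp.pro_unlock",
        "transaction_id": "1000000012345678",
        "quantity": "1",
    },
})

# Constructed sample: the kind of canned "valid" answer a spoofed App Store
# server returns for any receipt. status is 0, but the receipt was issued for
# a different app and a different product.
SPOOFED_RESPONSE = json.dumps({
    "status": 0,
    "receipt": {
        "bid": "com.someoneelse.otherapp",
        "product_id": "com.someoneelse.otherapp.coins",
        "transaction_id": "1000000000000001",
        "quantity": "1",
    },
})


def naive_is_valid(response_text):
    """The check the attack defeats: trust any response whose status is 0."""
    return json.loads(response_text).get("status") == 0


def hardened_is_valid(response_text, expected_bundle_id, expected_product_id, seen_transaction_ids):
    """Accept only a receipt for this app, this product, and a transaction not yet redeemed."""
    data = json.loads(response_text)
    if data.get("status") != 0:
        return False
    receipt = data.get("receipt") or {}
    if receipt.get("bid") != expected_bundle_id:
        return False  # receipt was issued for some other app
    if receipt.get("product_id") != expected_product_id:
        return False  # receipt is for a different product than the one being unlocked
    txn = receipt.get("transaction_id")
    if not txn or txn in seen_transaction_ids:
        return False  # missing id, or the same receipt being replayed
    seen_transaction_ids.add(txn)  # remember redeemed transactions (persist this in production)
    return True
```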
