Free In-App Purchase Hack Causing Headaches For Apple
redOrbit Staff & Wire Reports – Your Universe Online
Apple is investigating reports that a Russian hacker has discovered and published a way to illegally obtain no-cost in-app purchases on iPad, iPhone, and iPod Touch mobile devices, various media outlets have reported.
On Friday, news broke that a Russian developer by the name of Alexey Borodin had discovered a way to hack the iOS in-app purchase program, allowing customers to bypass the payment process and more or less steal additional content for their video games, productivity software, and other programs, according to ZDNet’s Emil Protalinski.
Borodin’s exploit essentially uses receipts to emulate the App Store’s verification server, allowing phony purchases to go through because the server treats the communication attempt as an official one, Protalinski said.
He allegedly can pull off the hack with just a single receipt because nothing in the confirmation process links a purchase directly to a single device or customer account, meaning that one purchased receipt can be used multiple times. Borodin said he has spent several hundred dollars on in-app purchases to test the process.
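The missing link described above, between a receipt and the account that paid for it, is the check a developer's own backend can enforce. The following is an added example, not code from Apple, Borodin, or the original article: the receipt format, the shared HMAC key, and all names are constructed for illustration and do not reflect the App Store's actual receipt structure.

```python
import hashlib
import hmac
import json

# Hypothetical signing key shared by store and developer backend (constructed;
# a real design would normally use an asymmetric signature instead).
STORE_KEY = b"constructed-demo-key"


def issue_receipt(transaction_id, product_id, account_id):
    """Store side: sign a receipt that names the purchasing account."""
    payload = json.dumps(
        {"transaction_id": transaction_id, "product_id": product_id,
         "account_id": account_id},
        sort_keys=True,
    ).encode()
    tag = hmac.new(STORE_KEY, payload, hashlib.sha256).hexdigest()
    return {"payload": payload.decode(), "sig": tag}


class ReceiptVerifier:
    """Developer backend: honour a consumable purchase once, for its buyer only."""

    def __init__(self, key):
        self._key = key
        self._redeemed = set()  # transaction ids already honoured

    def redeem(self, receipt, requesting_account):
        payload = receipt["payload"].encode()
        expected = hmac.new(self._key, payload, hashlib.sha256).hexdigest()
        # Constant-time comparison; a forged or edited receipt fails here.
        if not hmac.compare_digest(expected, receipt["sig"]):
            return "rejected: bad signature"
        fields = json.loads(payload)
        # Binding check: the receipt must name the account asking for content.
        if fields["account_id"] != requesting_account:
            return "rejected: receipt belongs to another account"
        # Replay check: one grant per transaction id.
        if fields["transaction_id"] in self._redeemed:
            return "rejected: receipt already redeemed"
        self._redeemed.add(fields["transaction_id"])
        return "granted: " + fields["product_id"]


def demo():
    verifier = ReceiptVerifier(STORE_KEY)
    receipt = issue_receipt("txn-0001", "coins.pack.100", "alice")
    return [verifier.redeem(receipt, "alice"),    # legitimate first use
            verifier.redeem(receipt, "alice"),    # same receipt replayed
            verifier.redeem(receipt, "mallory")]  # same receipt, other account
```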
Apple spokeswoman Natalie Harrison has confirmed that the company is looking into the matter, telling both CNET and the Los Angeles Times, “The security of the App Store is incredibly important to us, and the developer community… We take reports of fraudulent activity very seriously and we are investigating.”
According to Salvador Rodriguez of the Times, this is the third “embarrassing episode” for Apple’s mobile software sales service this month. First, a malware program believed to be the first ever to find its way to the App Store was discovered by a security firm. That program sent spam text messages to user contacts, Rodriguez said.
The other was a July 4 problem that saw many recently updated apps suddenly crashing, resulting in negative feedback for developers. The problem has been solved and the negative feedback issue corrected.
Friday’s issues could be far more serious. As CNET reporter Josh Lowensohn said, “Affected developers, as well as Apple, face a loss of profits if the exploit remains in use from would-be spenders. Developers get 70 percent of the revenue from purchases made inside their apps, while Apple gets the other 30 percent.”