A Russian hacker has successfully figured out a method to obtain in-app purchases from iOS apps for free.
The “in-app proxy” method is simple, doesn’t require a jailbreak, and allows users to install in-app content for free. The hack works on all iOS devices 3.0-6.0. We do not condone the stealing of content in any form, and this story, like the 9to5Mac piece, is being written to alert the developer community. The hack is already gaining massive amounts of traction, and hopefully a fix is released soon.
The three-step process involves installing a CA certificate, installing an in-appstore.com certificate, and changing the DNS record.hacker. Once the user completes the process they are met with the message pictured above instead of Apple’s purchase confirmation.
A great deal of information is also processed through the developers servers as part of the process including:
- Restriction level of app
- ID of app
- ID of version
- GUID of your idevice
- Quantity of in-app purchase
- Offer name of in-app purchase
- Language you are using
- Identifier of application
- Version of application
- Your locale
We do not recommend anyone use this process, and we will not provide information on the specifics of the hack. Developers, Apple, fix this. Now.