On Friday, Apple issued a note to developers outlining a fix for an in-app purchasing exploit that allowed paid content to be downloaded for free. Alongside this note, Apple also announced that the loophole will be plugged when iOS 6 is released this fall.
According to CNET, Apple recommended that apps that feature in-app purchases follow a set of guidelines that includes confirming orders with the company’s new receipt system. The receipt validation protocol, which Apple unveiled on Wednesday, attaches a “unique identifier” to in-app purchase receipts. The tactic effectively prevents the recently discovered workaround, which validated purchases by routing them to a specialized DNS server and spoofing digital receipts. Before this discovery, Apple sent generic receipts containing no unique user data.
Apple spokesman Tom Neumayr said the following: “Apple recommends that developers follow best practices at developer.apple.com to help ensure they are not vulnerable to fraudulent In-App purchases. This will also be addressed with iOS 6.” Friday’s document includes instructions on how to set up and use Apple’s new validation system as well as how to validate transactions that have already gone through. The document stated the following:
A vulnerability has been discovered in iOS 5.1 and earlier related to validating in-app purchase receipts by connecting to the App Store server directly from an iOS device. An attacker can alter the DNS table to redirect these requests to a server controlled by the attacker. Using a certificate authority controlled by the attacker and installed on the device by the user, the attacker can issue an SSL certificate that fraudulently identifies the attacker’s server as an App Store server. When this fraudulent server is asked to validate an invalid receipt, it responds as if the receipt were valid.
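As an added example (not from Apple's document or the original article), here is a sketch of the checks a developer's own backend could apply to a receipt validation response, so that the decision is not made on a device whose DNS table and trusted certificates the user controls. The `ReceiptChecker` class, the field names and the sample values are assumptions for illustration, and the response is assumed to have been fetched by the backend itself.

```python
from dataclasses import dataclass, field

# Constructed sample responses; field names are assumptions, not Apple's schema.
GOOD = {"status": 0, "receipt": {
    "unique_identifier": "device-A", "bundle_id": "com.example.game",
    "product_id": "coins_100", "transaction_id": "txn-1001"}}
# A "generic" receipt of the older kind: valid-looking, but bound to no device.
GENERIC = {"status": 0, "receipt": {
    "bundle_id": "com.example.game",
    "product_id": "coins_100", "transaction_id": "txn-1002"}}


@dataclass
class ReceiptChecker:
    bundle_id: str                      # the app this backend serves
    products: frozenset                 # product ids the app actually sells
    seen_transactions: set = field(default_factory=set)

    def check(self, response: dict, device_id: str, product_id: str) -> tuple:
        """Return (ok, reason) for one parsed validation response."""
        if response.get("status") != 0:
            return False, "validation service rejected receipt"
        receipt = response.get("receipt") or {}
        # Without a device binding the same receipt can be reused anywhere.
        uid = receipt.get("unique_identifier")
        if not uid:
            return False, "receipt has no unique identifier"
        if uid != device_id:
            return False, "receipt issued to a different device"
        if receipt.get("bundle_id") != self.bundle_id:
            return False, "receipt is for another app"
        if product_id not in self.products or receipt.get("product_id") != product_id:
            return False, "product mismatch"
        txn = receipt.get("transaction_id")
        if not txn or txn in self.seen_transactions:
            return False, "missing or replayed transaction"
        self.seen_transactions.add(txn)  # unlock content only once per transaction
        return True, "ok"


if __name__ == "__main__":
    checker = ReceiptChecker("com.example.game", frozenset({"coins_100"}))
    print(checker.check(GOOD, "device-A", "coins_100"))     # accepted
    print(checker.check(GOOD, "device-A", "coins_100"))     # replay rejected
    print(checker.check(GENERIC, "device-A", "coins_100"))  # unbound receipt rejected
```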