Apple's New APIs Prevent In-App Hack

Published on 07-23-2012 04:11 PM

Alexey Borodin, the Russian hacker responsible for discovering a system that circumvents in-app purchases recently confirmed that Apple’s newly-instituted receipt validation system is in fact effective. In a new blog post titled “It’s all over… for now” on his website, Borodin said that there is no way to bypass the new APIs Apple rolled out late last week as a quick fix for the revenue-stealing exploit which was made public earlier.

The exploit, which validated fraudulent purchases by routing them through a specialized DNS server that spoofed digital receipts. was discovered first for the iOS platform and more recently for Mac apps. Apple responded by blocking the IP addresses associated with Borodin’s workaround and attempted to shut down the DNS servers hosting the receipt validations.

Apple announced a temporary solution to developers allowing them to plug the hole days later and announced that a permanent fix would be present in the upcoming iOS 6 mobile operating system. Borodin posted the following on his blog:

Hello everyone.

By examining last apple's statement about in-app purchases in iOS 6, I can say, that currently game is over. Currently we have no way to bypass updated APIs. It's a good news for everyone, we have updated security in iOS, developers have their air-money.
But, service will still remain operational until iOS 6 comes out.

The another thing is for in-appstore for OS X. We still waiting for apple's reaction and we have some cards in the hand. It's good that OS X is open.

Apple’s solution leverages receipts which carry a “unique identifier” to validate in-app purchases. The previous system just generated generic receipts with no specific user data attached, therefore allowing for easy spoofed validations. As of right now, it isn’t clear what type of unique identifier is being used, although some are speculating that it could be a proprietary system based on UDID data.

It isn’t much of a surprise to see such a big issue being responded to so quickly. Especially given the sheer number of those affected by a loss in revenue due to the exploit. That being said, many do wonder if this will turn to another cat-and-mouse game, although this is definitely one Apple will stay on top of with utmost importance.

Source: Alexey Borodin (blog)

_{This article was originally published in forum thread:
Apple's New APIs Prevent In-App Hack
started by
Akshay Masand} _{View original post}

Categories:

28 Comments

Mrteacup - 07-23-2012, 04:23 PM

Vodka bears!
- Reply

Artist701 - 07-23-2012, 04:48 PM

Mod edit: comment removed
- Reply

romeoz - 07-23-2012, 05:14 PM

mod edit, comment removed.
- Reply

dopeyrat - 07-23-2012, 05:37 PM

Originally Posted by romeoz

it not like this is new news....

Read the forum Rules.
- Reply

xXR3H@NXx. - 07-23-2012, 06:33 PM

Good thing this is over.

Mod edit: Unnecessary comment removed.
- Reply

mustard05 - 07-23-2012, 08:14 PM

HAHA, I feel like I should make a comment that should be edited or modified by the admin. I mean, every other comment has been edited. LOL
- Reply

Agent929 - 07-23-2012, 08:18 PM

Originally Posted by mustard05

HAHA, I feel like I should make a comment that should be edited or modified by the admin. I mean, every other comment has been edited. LOL

Wow way to ruin the article with all the edits lol
- Reply

mustard05 - 07-23-2012, 08:20 PM

Originally Posted by Agent929

Wow way to ruin the article with all the edits lol

Just goes to show you, they(admin) can say whatever they like, but us little people will be edited or modified. Haha
- Reply

Agent929 - 07-23-2012, 08:29 PM

Originally Posted by mustard05

Just goes to show you, they(admin) can say whatever they like, but us little people will be edited or modified. Haha

So true lol
- Reply

xXR3H@NXx. - 07-23-2012, 08:54 PM

I said good thing it's over but there is a way to get free iaps
- Reply

mustard05 - 07-23-2012, 08:58 PM

Originally Posted by xXR3H@NXx.

I said good thing it's over but there is a way to get free iaps

That's it? Seriously?
- Reply

romeoz - 07-23-2012, 09:00 PM

I just said this is nothing new....
- Reply

MXCO - 07-23-2012, 09:07 PM

Originally Posted by romeoz

I just said this is nothing new.........this site is starting to become a joke...

+1
- Reply

mustard05 - 07-23-2012, 09:09 PM

Originally Posted by romeoz

I just said this is nothing new.........this site is starting to become a joke...

I had a post removed earlier this evening on a different post by the Mods. Oh well…. Just laugh and move on. They obviously are having issues.
- Reply

Hogs4Life - 07-23-2012, 09:58 PM

Got what I wanted days ago, so did millions. Suck on that Apple!
- Reply

mustard05 - 07-23-2012, 10:07 PM

Originally Posted by Hogs4Life

Got what I wanted days ago, so did millions. Suck on that Apple!

Why are u here then?? Seriously.
- Reply

bigray - 07-24-2012, 01:30 AM

Originally Posted by mustard05

Why are u here then?? Seriously.

We are here to get the latest news. I actually didn't know about the inapp purchase hack until I saw it on here and then google found it for me
- Reply

kyphur - 07-24-2012, 05:14 AM

Quick question for anyone who actually used the Russian Hack:

Is a few free in app purchases really worth the risk allowing a hacker access to your iDevice? Seriously once shutdown those "purchases" won't stick as they're not recorded in Apple's system.
- Reply

xXR3H@NXx. - 07-24-2012, 07:04 AM

Originally Posted by mustard05

That's it? Seriously?

Yup and its safe but not all games work but most games and it's a cydia tweak. You wanna know?
- Reply

H4CK3R - 07-24-2012, 07:28 AM

Originally Posted by xXR3H@NXx.

Yup and its safe but not all games work but most games and it's a cydia tweak. You wanna know?

You aren't allowed to share this stuff on here. Read the rules....

Good luck getting an infraction if you do lol.
- Reply

Apple

iPhone

iPad

iOS

Jailbreak

Cydia