By Emil Protalinski for Zero Day
News broke today that Russian developer Alexey Borodin has hacked Apple’s In-App Purchase program for iOS, allowing iPhone, iPad, and iPod touch users to circumvent the payment process and essentially steal in-app content. Apple has confirmed it is now investigating the issue.
“The security of the App Store is incredibly important to us and the developer community,” an Apple spokesperson told The Loop. “We take reports of fraudulent activity very seriously and we are investigating.”
That’s not all. It turns out that my suggestion to use store receipts (How to protect your app from the Apple iOS in-app purchase hack) was wrong. Borodin told The Next Web that all his service needs is a single donated receipt, which it can then use to authenticate anyone’s purchase requests. Borodin has spent several hundred dollars on in-app purchases testing and generating receipts.
His circumvention technique thus relies on more than just installing certificates (for a fake in-app purchase server and a custom DNS server) to allow “purchases” to go through. Since he is essentially emulating the receipt verification server on the Apple App Store, the app treats Borodin’s server as an official communication.
The problem lies in how Apple authenticates a purchase. There is nothing that ties the purchase directly to a customer or device, meaning a single purchased receipt can be used again and again. In short, this hack means in-app purchase requests are being re-routed as well as approved.
Last but certainly not least, Borodin says Cupertino is transmitting its customers’ Apple IDs and passwords in clear text, although he notes he can’t see credit card information. The following information is transferred from your device to the Borodin’s server: app restriction level, app id, version id, device guid, in-app purchase quantity, in-app purchase offer name, app identifier, app version, your language, and your locale. The Terms of Service have this rather reassuring message (typos left intact):
We newer collect your password or any of your personal and accesible data, such as appleID, temporary auth key and other .
Borodin told Macworld he was “shocked” that passwords were passed in plain text and not encrypted. Apple of course presumed its iOS software would only be talking to the official in-app purchase server with a valid security certificate. That’s a very poor assumption to make, as Borodin’s hack has clearly shown.