iOS In-App Purchases Hacked On Non-Jailbroken Phones


In-app purchases have been a boon for app developers, creating the potential for lucrative new income streams. They also help foster ongoing app development, encouraging devs to keep offering new content in order to keep users purchasing. All that is now threatened, thanks to the discovery of an effective attack on Apple’s purchase authentication mechanism.

Unlike many iOS hacks, this one doesn’t require a jailbroken handset: the only modifications needed are to normal, user-configurable system options. First, a couple of custom certificates are installed on the phone, and then its DNS settings are changed. The combined effect is to put a hacker-controlled server in place of Apple’s, one that is set up to approve any in-app purchase without taking a dime from you.

Some apps use additional authentication to verify in-app purchases and as a result aren’t vulnerable to this attack, but a troubling number are. In light of this, we imagine the rest will be scrambling to add such protections, which stands to be quite the headache for developers.
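The “additional authentication” that keeps an app out of this attack’s reach is receipt validation done on the developer’s own server, since a device whose DNS and trust store the user controls cannot be trusted to decide which “Apple” it talked to. The following is an added example written for this page, not code from the article or from any app it discusses. It shows the server-side checks that go beyond a bare “status 0” answer: the receipt must belong to this app’s bundle, must contain the product the client claims to have bought, and its transaction ID must not have been credited before. The JSON field names (`status`, `receipt`, `bundle_id`, `in_app`, `product_id`, `transaction_id`) are modeled on Apple’s verifyReceipt response and should be treated as an assumption; the sample responses, bundle ID and product IDs are constructed.

```python
import json
from typing import Set, Tuple

# Constructed sample: the JSON a receipt-verification call returns for a real
# purchase. Field names are modeled on Apple's verifyReceipt response (assumption).
SAMPLE_GENUINE = json.dumps({
    "status": 0,
    "receipt": {
        "bundle_id": "com.example.myapp",
        "in_app": [
            {"product_id": "com.example.myapp.coins100",
             "transaction_id": "1000000012345678"},
        ],
    },
})

# Constructed sample: a response that says "status 0" but describes a purchase
# made in a different app. A validator that stops at the status code accepts it.
SAMPLE_WRONG_APP = json.dumps({
    "status": 0,
    "receipt": {
        "bundle_id": "com.other.app",
        "in_app": [
            {"product_id": "com.example.myapp.coins100",
             "transaction_id": "1000000099999999"},
        ],
    },
})

# Constructed values for the hypothetical app doing the validation.
EXPECTED_BUNDLE_ID = "com.example.myapp"
KNOWN_PRODUCTS = {"com.example.myapp.coins100", "com.example.myapp.remove_ads"}


class ReceiptRejected(Exception):
    """Raised when a verification response fails any server-side check."""


def validate_purchase(response_json: str, claimed_product: str,
                      seen_transactions: Set[str]) -> str:
    """Check a verification response on the server and credit one purchase.

    Returns the transaction ID that was credited and records it in
    `seen_transactions` (the caller's persistent store of credited IDs).
    Raises ReceiptRejected if any check fails, so nothing is credited.
    """
    if claimed_product not in KNOWN_PRODUCTS:
        raise ReceiptRejected(f"unknown product {claimed_product!r}")

    try:
        data = json.loads(response_json)
    except ValueError as exc:
        raise ReceiptRejected(f"malformed response: {exc}")

    # Check 1: the verification service itself must report success.
    if data.get("status") != 0:
        raise ReceiptRejected(f"verification status {data.get('status')!r}")

    receipt = data.get("receipt")
    if not isinstance(receipt, dict):
        raise ReceiptRejected("response carries no receipt")

    # Check 2: a valid receipt for some *other* app proves nothing about ours.
    if receipt.get("bundle_id") != EXPECTED_BUNDLE_ID:
        raise ReceiptRejected(f"receipt belongs to {receipt.get('bundle_id')!r}")

    purchases = receipt.get("in_app")
    if not isinstance(purchases, list):
        raise ReceiptRejected("receipt lists no purchases")

    # Check 3 and 4: the claimed product must appear in the receipt, and its
    # transaction ID must be one we have never credited (blocks replay of a
    # single real receipt to unlock the same content again and again).
    for entry in purchases:
        if not isinstance(entry, dict) or entry.get("product_id") != claimed_product:
            continue
        transaction_id = entry.get("transaction_id")
        if not isinstance(transaction_id, str) or not transaction_id:
            raise ReceiptRejected("purchase entry lacks a transaction ID")
        if transaction_id in seen_transactions:
            continue  # already credited; keep looking for a fresh one
        seen_transactions.add(transaction_id)
        return transaction_id

    raise ReceiptRejected(f"no uncredited purchase of {claimed_product!r} in receipt")


def purchase_verdict(response_json: str, claimed_product: str,
                     seen_transactions: Set[str]) -> Tuple[bool, str]:
    """Convenience wrapper: (accepted, transaction ID or rejection reason)."""
    try:
        return True, validate_purchase(response_json, claimed_product, seen_transactions)
    except ReceiptRejected as exc:
        return False, str(exc)


if __name__ == "__main__":
    credited: Set[str] = set()
    product = "com.example.myapp.coins100"
    print(purchase_verdict(SAMPLE_GENUINE, product, credited))    # accepted
    print(purchase_verdict(SAMPLE_GENUINE, product, credited))    # replay rejected
    print(purchase_verdict(SAMPLE_WRONG_APP, product, credited))  # wrong app rejected
```

The decisive design point is where this runs: the app sends the raw receipt to the developer’s server, and that server performs the verification and these checks, so a phone with a swapped certificate and DNS entry only ever talks to a server it cannot impersonate.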

Besides all of this being a huge legal no-no, the hacker-run server that validates these transactions gets to learn a whole bunch of information about your phone when you connect to it, just as Apple normally would. We’ve got a feeling these guys are a bit less trustworthy than Apple, though, so you’re probably best off steering clear.

This may all be mostly a moot point already, as Apple has reportedly contacted the server’s host and is working to get it offline. Still, if the relevant code gets released, there’s nothing stopping individuals from running their own similar servers.

Source: i-ekb (Google Translate)
Via: 9to5Mac


About The Author
Stephen Schenck
Stephen has been writing about electronics since 2008, which only serves to frustrate him that he waited so long to combine his love of gadgets and his degree in writing. In his spare time, he collects console and arcade game hardware, is a motorcycle enthusiast, and enjoys trapping blue crabs. Stephen's first mobile device was a 624 MHz Dell Axim X30, which he's convinced is still a viable platform. Stephen longs for a market where phones are sold independently of service, and bandwidth is cheap and plentiful; he's not holding his breath. In the meantime, he devours smartphone news and tries to sort out the juicy bits.