In-app purchases have been a boon for app developers, creating the potential for lucrative new income streams. They also help foster ongoing app development, encouraging devs to keep offering new content in order to keep users purchasing. All that is now threatened, thanks to the discovery of an effective attack on Apple’s purchase authentication mechanism.
Unlike many iOS hacks, this one doesn’t require a jailbroken handset: the only modifications needed are to normal, user-configurable system options. First, the phone needs a couple of custom encryption certificates installed, and then you’ll need to make some DNS modifications. Together, these changes put a hacker-controlled server in place of Apple’s computers, and that server is set up to authenticate any in-app purchase without taking a dime from you.
Some apps use additional authentication to verify in-app purchases, and as a result aren’t vulnerable to this attack, but a troubling number are. In light of this, we imagine that developers of the vulnerable apps will be scrambling to add such protections, but this stands to be quite the headache for them.
Besides this all being a huge legal no-no, the hacker-run server that validates these transactions gets to learn a whole bunch of info about your phone when you connect to it, the same info Apple would normally see. We’ve got a feeling these guys are a bit less trustworthy than Apple, though, so you’re probably best off staying clear.
This may all be mostly a moot point already, as Apple has reportedly contacted the server’s host and is working to get it offline. Still, if the relevant code gets released, there’s nothing stopping individuals from running their own similar servers.