In-app purchases have been a boon for app developers, creating the potential for lucrative new income streams. They also help foster ongoing app development, encouraging devs to keep offering new content in order to keep users purchasing. All that is now threatened, thanks to the discovery of an effective attack on Apple’s purchase authentication mechanism.

Unlike many iOS hacks, this one doesn’t require a jailbroken handset, as the only modifications needed to take advantage of this attack are to normal, user-configurable system options. First, the phone needs a couple of custom encryption certificates installed, and then you’ll need to make some DNS modifications. The net effect of these changes is to put a hacker-controlled server in place of Apple’s computers, one that is set up to authenticate any in-app purchases without taking a dime from you.

Some apps use additional authentication to verify in-app purchases, and as a result aren’t vulnerable to this attack, but a troubling number are. In light of this, we imagine that the rest will be scrambling to add such protections, but this stands to be quite the headache for developers.
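
One shape the "additional authentication" mentioned above can take, shown as an added example rather than code from this article or from any particular app: the developer's own server re-checks each receipt with the store before delivering content, so the answer no longer depends on the phone's DNS or certificate settings. All names, receipt values and the dictionary standing in for the store are constructed assumptions.

```python
# Added example: constructed data and hypothetical names throughout.
from dataclasses import dataclass, field

APP_BUNDLE = "com.example.game"          # constructed bundle id
CATALOG = {"coins_100", "level_pack_1"}  # constructed product ids

# Stand-in for the genuine store's records, queried only by the backend.
GENUINE_STORE = {
    "rcpt-A1": {"bundle": APP_BUNDLE, "product": "coins_100", "txn": "T1001"},
}

def genuine_store_verify(receipt: str) -> dict:
    """What the real store answers when the backend asks it directly."""
    rec = GENUINE_STORE.get(receipt)
    return {"valid": rec is not None, **(rec or {})}

def substitute_server_verify(receipt: str) -> dict:
    """What the device hears once its DNS and trusted certificates are
    changed: every purchase is reported as valid."""
    return {"valid": True}

def device_only_check(receipt: str, verify=substitute_server_verify) -> bool:
    """Vulnerable pattern: unlock content on the device's own network answer."""
    return verify(receipt)["valid"]

@dataclass
class Backend:
    """Hardened pattern: the developer's server re-verifies before delivering."""
    verify: callable = genuine_store_verify
    seen_txns: set = field(default_factory=set)

    def redeem(self, receipt: str, product: str) -> str:
        answer = self.verify(receipt)
        if not answer.get("valid"):
            return "rejected: store does not know this receipt"
        if answer.get("bundle") != APP_BUNDLE:
            return "rejected: receipt is for another app"
        if answer.get("product") != product or product not in CATALOG:
            return "rejected: product mismatch"
        if answer["txn"] in self.seen_txns:
            return "rejected: transaction already redeemed"
        self.seen_txns.add(answer["txn"])
        return "delivered"
```

The backend also refuses a bare "valid" answer that carries no matching bundle, product and transaction id, and it refuses a genuine receipt presented a second time.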

Besides this all being a huge legal no-no, the hacker-run server that validates these transactions gets to learn a whole bunch of info about your phone when you connect to it, just like Apple would normally see. We’ve got a feeling these guys are a bit less trustworthy than Apple, though, so you’re probably best off staying clear.

This may all be mostly a moot point already, as Apple has reportedly contacted the server’s host and is working to get it offline. Still, if the relevant code gets released, there’s nothing stopping individuals from running their own similar servers.

Source: i-ekb (Google Translate)
Via: 9to5Mac
