Earlier today a method came to light that allows Apple device users to âpurchaseâ any kind of in-app content for free. The content can be obtained without âhackingâ the device and cannot be prevented by developers using Appleâs recommendedÂ receiptÂ signing procedures, as has been widely suggested. Updated with statement from Apple below.
The method for stealing this content was discovered by hacker Alexey V. Borodin, who has created an online service called In-Appstore.com to facilitate it.
The method was first reported onÂ Russian blog I-ekb.ru, and subsequently on 9to5Mac. Weâve now spoken directly to Borodin about the method and can supply more information about how it works, what the causes are and some possible solutions.
As of earlier today, some 30,000+ in-app purchases have been made through Borodinâs service, which he says gathers no personal information from its users, though those using the hack do transmit their Apple ID and password to the service when using it. That alone should deter any potential users.
How itâs done
Itâs important to note that this is technically not a hacking of the software on a userâs device, nor is it altering any code in the apps themselves. It is simply a method for bypassing Appleâs authentication servers for in-app purchases, directing the requests to Borodinâs service, which then delivers aÂ receiptÂ back to the device that fools the app into thinking that it has âpurchasedâ the content. This is commonly referred to as a man-in-the-middle attack.
All Borodinâs service needs is a single donatedÂ receipt, which it can then use to authenticate anyoneâs purchase requests. Many of thoseÂ receiptsÂ have been donated by Borodin himself, who has spent several hundred dollars on in-app purchases testing and generatingÂ receipts.
The exploit requires that a CA certificateÂ and a profile needed toÂ establishÂ a connection with iTunesÂ be installed on the device, a simple procedure that can be done right from an iPhone or iPad. It also requires that a user routes the internet traffic of the device through a Domain Name System server that Borodin set up to act as an intercept for the purchase requests made from the device.
Once these steps have been taken, the user simply taps on the âpurchaseâ button in an app and the server intercepts the request and furnishes it with aÂ receiptÂ for the purchase.
Apple currently provides a method for developers to verify their App StoreÂ receiptsÂ with its own servers, leading some to believe that this method could prevent a bypass like Borodinâs from working. We have confirmed with him that this is not the case. Because the bypass emulates theÂ receiptÂ verification server on the App Store, the app treats it as an official communication, period.
These purloined in-app purchases cannot be restored using an appâs ârestore purchasesâ dialog, but they can be re-downloaded by using the service again and are included in full-device backups.
If a developer was to use their own servers to verify in-app-purchases using Appleâs recommended method, it would currently be safe from the bypass, but only because the In-Appstore service is not caching the traffic to those sites. Borodin says that it would be simple for it to begin doing so.
Note that this vulnerability isÂ similar to the one that was noted could affect Mac App Store apps on its launch last year, but this one cannot be prevented by simply validating App StoreÂ receipts.
At the core of what makes this method work is the fact that Apple only includes generic information in itsÂ receiptÂ framework. This means that the item being purchased, the app, and a few other identifying bits are in the receipt, but nothing that ties the purchase directly to a customer or device. This makes it easy to capture a single purchased receipt and pass it off as a new one on each request.
Apple must act, but developers can prevent
According to Borodin, one fix for this vulnerability would be for Apple to alter its API for in-app purchases (IAP) to offer a more unique kind ofÂ receiptÂ for purchases, which would raise privacy issues.
Another possible fix, however, would be for Apple to update the API used for IAP to add a way for developers to ensure, without a doubt, that the verification call mentioned above is talking directly to Apple.
âThe fact is, this would be easy for Apple to solve by providing a method for developers to validate IAP receipts using whatâs called a âshared secret,â that is, a piece of information known to both Apple and the developer that is not exchanged as part of the validation process,â says developer Marco Tabini. âCoupled with another technique called âsalting,â in which each communication is digitally signed in a time-sensitive way, this would make it much harder for someone to subvert the IAP process using a man-in-the-middle attack.â
So a combination of two-way encrypted communication between theÂ receiptÂ server and the app, as well as a more stringent protocol provided by Apple, is needed to completely solve the issue. If every developer used a securely encrypted receipt validation method like the one described above, Borodinâs method would never have worked. Unfortunately, many use only the standard method which authenticates with Appleâs servers only, not their ownâ¦and not securely.
We asked Borodin if he would be willing to share his findings with Apple, and he agreed, so we put him in touch with the company. He also says that he is no longer in control of the In-Appstore site, and will be deleting any information that he has about the site from his computer. The site is now in the hands of an unnamed third party, as Borodin says he does ânot want to be in jail =).â
âI work alone. There was an idea. An angry idea due to CSR racing. Now the idea is reality,â says Borodin of his motivations for hacking the in-app purchase model of the popular arcade game. This idea led to the method used by In-Appstore to spoof those services.
Borodin has a PayPal button up on the site. So far, he hasÂ receivedÂ $6.78 in donations.
We have reached out to Apple for comment on this story.
Update: Apple has issued a statement about the issue to The Loop:
âThe security of the App Store is incredibly important to us and the developer community,â Apple representative Natalie Harrison, told The Loop. âWe take reports of fraudulent activity very seriously and we are investigating.â