Apple has begun taking steps to limit the impact of a flaw in its iOS in-app purchasing mechanism that allows iDevice owners to download free in-game content, but despite its initial efforts, the service remains operational.
Over the weekend, Apple began blocking the IP address of the server used by Russian hacker Alexey V. Borodin to authenticate purchases.
It followed this up with a takedown request against the original server, which took the third-party authentication down with it, and issued a copyright claim on the overview video Borodin used to document the circumvention method. PayPal also got involved, placing a block on the original donation account for violating its terms of service.
Apple initiated its response after Borodin published a method that allowed iDevice users running iOS 3.0+ to ‘purchase’ any kind of in-app content for free. The content could be obtained without “hacking” the device, and the method could not be prevented by developers using Apple’s recommended receipt-signing procedures.
The method for stealing this content was discovered by Borodin, who created an online service called In-Appstore.com to facilitate it. When we spoke with him, he explained that the service had already processed more than 30,000 individual in-app payment requests.
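The point in the paragraphs above that matters to developers is that a device-side receipt check can be satisfied by whatever server the device ends up talking to. The example below is added here and is not code from the article, from Borodin’s service or from Apple; it shows the defensive side only: what a developer’s own back end can verify before granting content, on the assumption that the verification request is made server-to-server with the store and that the response has the hypothetical JSON shape constructed below (the bundle and product identifiers, the verifier hostname and the sample responses are all placeholders).

```python
import json

# Constructed values that the developer's own server knows out of band.
EXPECTED_BUNDLE_ID = "com.example.game"            # hypothetical app identifier
KNOWN_PRODUCTS = {"com.example.game.coins100",     # hypothetical product identifiers
                  "com.example.game.coins1000"}
EXPECTED_VERIFIER_HOST = "verify.store.example"    # placeholder for the store's verification host
EXPECTED_ENVIRONMENT = "Production"

# Constructed verification responses in an assumed JSON shape (not a documented store format).
GENUINE_RESPONSE = json.dumps({
    "status": 0,
    "environment": "Production",
    "receipt": {"bundle_id": "com.example.game",
                "product_id": "com.example.game.coins100",
                "transaction_id": "100000012345678"},
})
# A receipt that looks "valid" but was issued for a different app: a generic
# approval of this kind must not unlock content in ours.
FOREIGN_RESPONSE = json.dumps({
    "status": 0,
    "environment": "Production",
    "receipt": {"bundle_id": "com.other.app",
                "product_id": "com.example.game.coins1000",
                "transaction_id": "100000099999999"},
})


def validate_purchase(response_json, responder_host, seen_transactions,
                      environment=EXPECTED_ENVIRONMENT):
    """Return (True, product_id) if content should be granted, else (False, reason).

    seen_transactions is the server's persistent set of already-redeemed
    transaction ids; it is updated in place when a purchase is accepted.
    """
    # Check 1: the exchange was between our server and the store's own host.
    # A device that was pointed at a substitute server never gets a say here.
    if responder_host != EXPECTED_VERIFIER_HOST:
        return False, f"response from unexpected host {responder_host!r}"

    try:
        data = json.loads(response_json)
    except json.JSONDecodeError:
        return False, "response is not valid JSON"

    if data.get("status") != 0:
        return False, f"store reported status {data.get('status')!r}"
    if data.get("environment") != environment:
        return False, f"receipt environment {data.get('environment')!r} is not {environment!r}"

    receipt = data.get("receipt") or {}

    # Check 2: the receipt must be for this app and for a product this app sells.
    if receipt.get("bundle_id") != EXPECTED_BUNDLE_ID:
        return False, (f"receipt bundle_id {receipt.get('bundle_id')!r} "
                       f"does not match {EXPECTED_BUNDLE_ID!r}")
    product_id = receipt.get("product_id")
    if product_id not in KNOWN_PRODUCTS:
        return False, f"unknown product_id {product_id!r}"

    # Check 3: each transaction id may be redeemed exactly once, so a captured
    # genuine receipt cannot be replayed for more content.
    txn = receipt.get("transaction_id")
    if not txn:
        return False, "receipt has no transaction id"
    if txn in seen_transactions:
        return False, f"transaction {txn} already redeemed (replay)"

    seen_transactions.add(txn)
    return True, product_id


if __name__ == "__main__":
    redeemed = set()
    print(validate_purchase(GENUINE_RESPONSE, EXPECTED_VERIFIER_HOST, redeemed))
    print(validate_purchase(GENUINE_RESPONSE, EXPECTED_VERIFIER_HOST, redeemed))  # replay
    print(validate_purchase(FOREIGN_RESPONSE, EXPECTED_VERIFIER_HOST, redeemed))  # wrong app
    print(validate_purchase(GENUINE_RESPONSE, "in-appstore.example", redeemed))   # wrong host
```

The design choice is that none of the three checks depends on the device: the host check, the bundle and product match, and the one-time transaction ledger all live on the developer’s server, which is the only place a receipt can be trusted once the device’s own network path is in question.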
Apple also spoke out on the issue, sharing the following statement with The Loop:
“The security of the App Store is incredibly important to us and the developer community,” Apple representative Natalie Harrison said. “We take reports of fraudulent activity very seriously and we are investigating.”
After Apple blocked the original ‘attack’ route, Borodin sidestepped the authentication issue by migrating the service to a new server. Apple was able to pressure the host of the original server — which was located in Russia — into dropping Borodin’s service, but according to the Russian hacker, the new server is hosted in an offshore country in an attempt to evade Apple’s legal requests.
Borodin tells us that the new service has been updated and cuts out Apple’s servers, “improving” the protocol to include its own authorisation and transaction processes. The new method “can and will not reach the App Store anymore, so the proxy (or caching) feature has been disabled.”
The signing process has also been adapted to ensure that users cannot use Borodin’s service without first signing out of their iTunes account. The reason for this? “They [the users] need to sign out so they don’t scream to the Internet that I am stealing their credentials.”
In simple terms, it should mean that device details are not stored on the server. However, given the very nature of the service and the fact that its servers are located in an ‘offshore’ country, we can’t stress enough the real privacy and security implications of using such a service, quite apart from the moral and legal ones.
Borodin remains unrepentant, calling on Apple to either adapt its APIs or place new blocks on its service. What looked to be an Apple security issue has evolved into a game of cat and mouse, where Borodin appears to be staying true to his word and evading the methods Apple employs to restrict usage of his signing service.
Borodin also notes that Apple has not contacted him over the issue.
Evading blocks, moving the server to an offshore country (which wasn’t shared with us) and taking payments via a private PayPal account, Borodin’s service remains operational – for now. The service already has a keen following, affecting developer revenues and in-game features, but users are treading a thin line.
Borodin says that he isn’t logging devices, but nobody is able to call him on that. The service carries a significant amount of risk, requiring you to trust the word of someone who makes it his job to circumvent Apple’s payment processes.
You shouldn’t need us to tell you that is a bad idea. But if you do — we really suggest you don’t do this.