Following the recent drama over free downloads of in-app purchases, Apple is now emailing developers who have apps in the App Store about in-app purchase receipt validation. The email links to a document on Apple’s developer website that explains the receipt validation bug and how attackers can obtain paid content for free using a certificate authority they control. Here’s an excerpt from Apple’s document for developers:
A vulnerability has been discovered in iOS 5.1 and earlier related to validating in-app purchase receipts by connecting to the App Store server directly from an iOS device. An attacker can alter the DNS table to redirect these requests to a server controlled by the attacker. Using a certificate authority controlled by the attacker and installed on the device by the user, the attacker can issue an SSL certificate that fraudulently identifies the attacker’s server as an App Store server. When this fraudulent server is asked to validate an invalid receipt, it responds as if the receipt were valid.
Apple has also said that it will fully fix this vulnerability, which is letting hackers download in-app purchases for free, in iOS 6, due for release in the fall. If you are an iOS developer whose app is suffering from this in-app purchase fraud, you can read more about the issue on Apple’s site here. [9to5Mac]
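To make the excerpt concrete, here is an added model (not Apple’s code, and not the method Apple’s document prescribes) of the two trust decisions involved. Certificates are reduced to small records, the “device trust store” is a set of CA records, and the hostname and public-key bytes are constructed stand-ins. The legacy check trusts any chain that ends at an installed CA, so a user-installed attacker CA plus a DNS redirect is enough for a forged “valid” answer to be accepted; a public-key pin, a mitigation assumed here rather than taken from the page, rejects the same certificate because the attacker CA cannot mint a certificate for the genuine server’s key.

```python
"""Model of the iOS 5.1 direct-to-store receipt check and a pinned variant.
Added illustration only; certificates, hostnames and keys are constructed."""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Iterable, List


@dataclass(frozen=True)
class Cert:
    subject: str        # hostname or CA name the certificate identifies
    issuer: str         # subject of the CA that signed it
    spki: bytes         # SubjectPublicKeyInfo bytes (stand-in values below)
    is_ca: bool = False


def spki_sha256(cert: Cert) -> str:
    """Hex SHA-256 of the public key, the usual basis for a pin."""
    return hashlib.sha256(cert.spki).hexdigest()


def chain_is_trusted(leaf: Cert, intermediates: Iterable[Cert],
                     trust_store: Iterable[Cert]) -> bool:
    """Walk issuer links until a CA in the device trust store is reached.
    Signature verification is elided; the point is which anchors count."""
    anchors = {c.subject for c in trust_store}
    by_subject = {c.subject: c for c in intermediates}
    cur = leaf
    for _ in range(8):                      # bound the walk; real chains are short
        if cur.issuer in anchors:
            return True
        nxt = by_subject.get(cur.issuer)
        if nxt is None or not nxt.is_ca:
            return False
        cur = nxt
    return False


def accept_verdict_legacy(leaf: Cert, intermediates: List[Cert],
                          trust_store: List[Cert], host: str,
                          server_says_valid: bool) -> bool:
    """Pre-iOS-6 style: believe the server if the name matches and the chain
    reaches *any* installed CA. DNS redirection makes the name match; a
    user-installed attacker CA makes the chain check pass."""
    if leaf.subject != host:
        return False
    if not chain_is_trusted(leaf, intermediates, trust_store):
        return False
    return server_says_valid


def accept_verdict_pinned(leaf: Cert, intermediates: List[Cert],
                          trust_store: List[Cert], host: str,
                          server_says_valid: bool,
                          pinned_spki: List[str]) -> bool:
    """Same checks, plus the leaf's public key must match a pin the app
    shipped with. Constant-time compare avoids leaking pin bytes by timing."""
    if not accept_verdict_legacy(leaf, intermediates, trust_store, host,
                                 server_says_valid):
        return False
    h = spki_sha256(leaf)
    return any(hmac.compare_digest(h, p) for p in pinned_spki)


# --- constructed scenario (placeholder names, not real Apple identifiers) ---
STORE_HOST = "receipt-validation.example"

genuine_root = Cert("Example Root CA", "Example Root CA", b"root-key", is_ca=True)
genuine_leaf = Cert(STORE_HOST, "Example Root CA", b"genuine-store-key")

# The user was persuaded to install this CA, so the device now trusts it.
attacker_ca = Cert("Attacker CA", "Attacker CA", b"attacker-ca-key", is_ca=True)
# Issued for the store's name; reachable because DNS now points at the attacker.
spoofed_leaf = Cert(STORE_HOST, "Attacker CA", b"attacker-server-key")

device_trust_store = [genuine_root, attacker_ca]
PINS = [spki_sha256(genuine_leaf)]        # baked into the app at build time


def run_scenario() -> dict:
    """Return each check's verdict for a forged receipt the server calls valid."""
    return {
        # genuine server, genuinely valid receipt: both checks accept
        "legacy_genuine": accept_verdict_legacy(
            genuine_leaf, [], device_trust_store, STORE_HOST, True),
        "pinned_genuine": accept_verdict_pinned(
            genuine_leaf, [], device_trust_store, STORE_HOST, True, PINS),
        # attacker server answering "valid" for an invalid receipt
        "legacy_spoofed": accept_verdict_legacy(
            spoofed_leaf, [], device_trust_store, STORE_HOST, True),
        "pinned_spoofed": accept_verdict_pinned(
            spoofed_leaf, [], device_trust_store, STORE_HOST, True, PINS),
    }


if __name__ == "__main__":
    for name, verdict in run_scenario().items():
        print(f"{name:16s} accepted={verdict}")
```

Running it shows `legacy_spoofed` accepted and `pinned_spoofed` rejected: the trust store is the weak link the excerpt describes, and a pin removes the installed CA from the decision entirely. The model leaves out signature checks and receipt contents on purpose; it isolates the question of which anchors the device is willing to believe.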