Apple attempts to take down in-app purchase hack

On Friday, we broke the news on some worrying tips we received about an “in-app proxy” hack that allowed even novice users to illegally install paid in-app purchase content for free. In updates to our original story, we noted the hack’s developer, Alexey V. Borodin, said in an interview that Apple’s method of validating receipts for developers would not protect apps from the hack. Apple followed up with a statement that claimed it is investigating the issue. Today, we get an update from The Next Web that further claims Apple began taking action over the weekend:

Over the weekend, Apple began blocking the IP address of the server used by Russian hacker Alexey V. Borodin to authenticate purchases.

It followed this up with a takedown request on the original server, taking down third-party authentication with it, also issuing a copyright claim on the overview video Borodin used to document the circumvention method. PayPal also got involved, placing a block on the original donation account for violating its terms of service

Unfortunately, the service is reportedly still operational with Borodin apparently moving the server to a location outside of Russia. He told The Next Web that the new service has been “updated and cuts out Apple’s servers, ‘improving’ the protocol to include its own authorisation and transaction processes. The new method ‘can and will not reach the App Store anymore, so the proxy (or caching) feature has been disabled'”

While Borodin also claimed he has changed the process to force users to sign out of their iTunes account (to ensure users he is not stealing personal/credit card data), there are more than a few reasons to still be concerned. Developer Alastair Houghton told us that he thinks Borodin’s method could be used “intercept traffic intended for any other secure website”:

Author Ad Placeholder
Will only appear on redesign env.

the method that Mr. Borodin is using to circumvent Apple’s receipt verification system would also, if he so wished, allow him to intercept traffic intended for any other secure website, including notably bank websites. Moreover, there would be no indication on a device configured to trust his certificate and use his DNS server that anything was wrong. If you want to end up with an empty bank account, following instructions of this kind that result in your DNS and certificate trust being under the control of an untrustworthy third party is a *really* good way to go about it.

Although Apple’s process of validating receipts would not necessarily protect developers, Houghton offered up a solution for devs while Apple works out a more permanent fix:

developers can use Apple’s verification server without being vulnerable to Borodin’s method simply by checking that the certificates being used by the Apple server are the ones that they expect.This is easy enough to do by examining the certificate fingerprints, and is probably being done in some of the applications that he says don’t work with his hack.

Borodin told TNW that Apple has not contacted him, but it is clear the company is aware of the issue and working on a solution. We, of course, highly recommend avoiding the service and anything connected to Borodin.

FTC: We use income earning auto affiliate links. More.

You’re reading 9to5Mac — experts who break news about Apple and its surrounding ecosystem, day after day. Be sure to check out our homepage for all the latest news, and follow 9to5Mac on Twitter, Facebook, and LinkedIn to stay in the loop. Don’t know where to start? Check out our exclusive stories, reviews, how-tos, and subscribe to our YouTube channel



Avatar for Jordan Kahn Jordan Kahn

Jordan writes about all things Apple as Senior Editor of 9to5Mac, & contributes to 9to5Google, 9to5Toys, & He also co-authors 9to5Mac’s Logic Pros series.