After Apple rolled out temporary fixes, and promised a permanent fix for the in-app purchase hack in iOS 6 earlier today, it looks like the same Russian hacker now offers a similar hack for in-app purchases in the Mac App Store. The Next Web has the full story…
[tweet https://twitter.com/alastairh/status/224836579707985920]
On Friday, we broke the news on some worrying tips we received about an “in-app proxy” hack that allowed even novice users to illegally install paid in-app purchase content for free. In updates to our original story, we noted the hack’s developer, Alexey V. Borodin, said in an interview that Apple’s method of validating receipts for developers would not protect apps from the hack. Apple followed up with a statement that claimed it is investigating the issue. Today, we get an update from The Next Web that further claims Apple began taking action over the weekend:
Over the weekend, Apple began blocking the IP address of the server used by Russian hacker Alexey V. Borodin to authenticate purchases.
It followed this up with a takedown request on the original server, taking down third-party authentication with it, also issuing a copyright claim on the overview video Borodin used to document the circumvention method. PayPal also got involved, placing a block on the original donation account for violating its terms of service
Unfortunately, the service is reportedly still operational with Borodin apparently moving the server to a location outside of Russia. He told The Next Web that the new service has been “updated and cuts out Apple’s servers, ‘improving’ the protocol to include its own authorisation and transaction processes. The new method ‘can and will not reach the App Store anymore, so the proxy (or caching) feature has been disabled'”
[tweet https://twitter.com/alastairh/status/224834890665967616]
While Borodin also claimed he has changed the process to force users to sign out of their iTunes account (to ensure users he is not stealing personal/credit card data), there are more than a few reasons to still be concerned. Developer Alastair Houghton told us that he thinks Borodin’s method could be used “intercept traffic intended for any other secure website”:
As noted by The Next Web, at least one developer has updated its Mac App Store app to include high-resolution “Retina graphics” for the new lineup of Retina display Macs that we revealed last month (here and here).
The Mac App Store app is Folderwatch. It was updated today with several new features, one of which is “Retina graphics.” We are not ready to speculate that the developers know something we do not, but Apple obviously allowed the update. It is likely we will begin to see Mac Apps updated with high-resolution artwork leading up to Apple’s introduction of Retina Macs at the Worldwide Developers Conference next week.
Some have pointed to the unusually high number of to-be-announced sessions on the WWDC schedule as proof of the introduction of a new app platform, but we noted that many of these sessions could relate to Retina Mac apps.
Hewlett-Packard engineers did dare pull unthinkable: They hacked iPad to install webOS only to find out Apple’s hardware runs their mobile operating system more than twice as fast compared to their own TouchPad hardware, a source “close to the subject” told The Next Web. The finding had devastating effects on the team’s morale:
The hardware reportedly stopped the team from innovating beyond certain points because it was slow and imposed constraints, which was highlighted when webOS was loaded on to Apple’s iPad device and found to run the platform significantly faster than the device for which it was originally developed.
It should be pointed out that webOS runs on Qualcomm ARM chips while iPad 2 runs on Samsung silicon. This little nugget is even more revealing:
With a focus on web technologies, webOS could be deployed in the iPad’s Mobile Safari browser as a web-app; this produced similar results, with it running many times faster in the browser than it did on the TouchPad.
In fact, the webOS team wanted HP’s TouchPad and Pre hardware “gone” even before the products hit the marketplace according to TNW. With a hardware refresh a year off and similar issues with the Pre phones, this could have contributed to the decision to shutter the webOS and perhaps license it out to other companies (with better hardware).
In a separate report, TNW details how the news was broken to the webOS group within HP.
Almost everyone at HP found out about the death of the TouchPad and Pre hardware as the public did, in the press release. Only the top executives knew anything about this decision and even senior staff as high as Ari Jaaksi, the Vice President of webOS software, didn’t know about the shuttering of hardware before it happened.
After the press release came out, there was a company wide meeting filled with a bunch of ‘corporate speak’, in which staff were told that they were going to be in limbo for 3-4 weeks.