In-App Purchase Hack To Be Patched in iOS 6
According to a report from 9to5Mac published late last week, Apple is looking to patch the In-App Purchase hack in iOS 6 and has emailed developers a set of best practices along with a temporary workaround. The workaround lets developers mitigate the issue until a proper fix ships in the update. The exploit was originally devised by a Russian hacker and allows users to illegally obtain in-app purchases for free.
This is a serious issue for developers, who are losing significant revenue, as in-app purchases can range anywhere from $0.99 to $99.99. The hack takes three steps and works from iOS 3 up to the current iOS 5. It also creates a major security problem: users who apply it to iOS devices holding personal information, such as email accounts, Facebook logins and credit card details, expose that data to theft through the hack itself.
Apple is now reportedly cracking down on the hack by giving developers best practices to apply in their apps so that they are not affected. In the same email, Apple also included a web document giving developers background on the hack and the steps to address it. Apple has confirmed that a fix is coming in iOS 6, to be released later this fall.
A vulnerability has been discovered in iOS 5.1 and earlier related to validating in-app purchase receipts by connecting to the App Store server directly from an iOS device. An attacker can alter the DNS table to redirect these requests to a server controlled by the attacker. Using a certificate authority controlled by the attacker and installed on the device by the user, the attacker can issue an SSL certificate that fraudulently identifies the attacker’s server as an App Store server. When this fraudulent server is asked to validate an invalid receipt, it responds as if the receipt were valid. iOS 6 will address this vulnerability. If your app follows the best practices described below, then it is not affected by this attack.
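The advisory above describes a validation server that simply answers "valid" to anything it is asked. The following is an added illustration, not Apple's code and not the best-practices document the advisory refers to: it shows the kind of consistency checks an app's own backend can apply to a validation response so that a bare "valid" answer is not enough on its own. The JSON field names (status, receipt, bid, product_id, transaction_id) are assumptions modelled on the legacy App Store receipt-validation response format, and every sample response is constructed for the example.

```python
"""
Added example (not Apple's code): defensive checks on a receipt-validation
response. Assumed field names: status, receipt.bid, receipt.product_id,
receipt.transaction_id. Sample responses are constructed.
"""
import json


class ReceiptRejected(Exception):
    """Raised when a validation response should not unlock content."""


def validate_receipt_response(response_json, expected_bundle_id,
                              expected_product_id, seen_transaction_ids):
    """Return the transaction id if the response is consistent with the
    purchase the app actually made; raise ReceiptRejected otherwise.

    Intended to run on a server the developer controls, since the advisory's
    attack works by redirecting validation requests made from the device.
    """
    data = json.loads(response_json)

    # 1. The store must report success (status 0 in the assumed format).
    if data.get("status") != 0:
        raise ReceiptRejected("store reported status %r" % data.get("status"))

    # 2. A forged server that only says "valid" usually cannot echo back a
    #    receipt that matches this app and this product; demand both.
    receipt = data.get("receipt")
    if not isinstance(receipt, dict):
        raise ReceiptRejected("no receipt body in response")
    if receipt.get("bid") != expected_bundle_id:
        raise ReceiptRejected("bundle id mismatch: %r" % receipt.get("bid"))
    if receipt.get("product_id") != expected_product_id:
        raise ReceiptRejected("product id mismatch: %r" % receipt.get("product_id"))

    # 3. A canned receipt replayed to many devices carries the same
    #    transaction id; refuse to redeem one twice.
    tx = receipt.get("transaction_id")
    if not tx:
        raise ReceiptRejected("missing transaction id")
    if tx in seen_transaction_ids:
        raise ReceiptRejected("transaction id %s already redeemed" % tx)
    seen_transaction_ids.add(tx)
    return tx


# Constructed sample responses (hypothetical bundle id and product id).
GENUINE = json.dumps({"status": 0, "receipt": {
    "bid": "com.example.game", "product_id": "com.example.game.coins100",
    "transaction_id": "1000000012345678"}})
BARE_VALID = json.dumps({"status": 0})
WRONG_APP = json.dumps({"status": 0, "receipt": {
    "bid": "com.other.app", "product_id": "com.other.app.item",
    "transaction_id": "1000000099999999"}})


def run_samples():
    """Feed each sample through the checks; return outcome per sample."""
    seen = set()
    outcomes = {}
    for name, body in [("genuine", GENUINE), ("bare_valid", BARE_VALID),
                       ("wrong_app", WRONG_APP), ("replay", GENUINE)]:
        try:
            outcomes[name] = validate_receipt_response(
                body, "com.example.game", "com.example.game.coins100", seen)
        except ReceiptRejected as exc:
            outcomes[name] = "rejected: %s" % exc
    return outcomes


if __name__ == "__main__":
    for name, outcome in run_samples().items():
        print("%-10s %s" % (name, outcome))
```

The first sample passes; the second and third are rejected because a "valid" status alone, or a receipt for a different app and product, does not match the purchase the app made; the fourth is rejected as a replay of an already-redeemed transaction id. None of this replaces the iOS 6 fix the advisory announces, but it removes the value of a server that answers "valid" unconditionally.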
This is an issue that Apple is taking seriously, as it not only affects the revenue stream of both the Cupertino company and its developer community, but also affects users who put the personal information on their devices at risk by installing the hack. Although Apple’s temporary fix will hold off the hack for some time, iOS 6 will ultimately close the issue for developers and patch it for users. iOS 6 is expected to be released in October, alongside new iPhone 5 and new iPad hardware.