
Apple offers developers a workaround for in-app purchasing exploit


In an unusual move, Apple is offering iOS application developers a workaround for the exploit that enables iOS users to make free in-app purchases. Apple says the exploit will be fixed in the forthcoming iOS 6.0, but in the meantime Apple is explicitly giving developers permission to tap into private Apple iOS APIs to verify certificates that purport to be from the App Store. Historically, Apple has summarily rejected iOS applications that rely on accessing any private API.

The exploit, which gained notoriety last week, was developed by Russian hacker Alexey Borodin, although there is really nothing stopping other motivated individuals from using the same approach. Borodin forged security certificates that claim to be from Apple, then set up his own DNS servers to answer as if they were Apple’s App Store. When applications tried to make in-app purchases, Borodin’s setup hijacked the verification step and handed back spoofed receipts, so the apps unlocked additional features or content that had never been paid for.

Apple’s workaround is not exactly painless for developers: they will have to update their existing iOS applications to validate store receipts themselves, but at least it is a fix that can be deployed now and protects in-app purchasing prior to iOS 6. There is a further catch: applications that have not saved their store receipts will have nothing to validate, and so cannot retroactively check purchases already made.

Apple has consistently recommended that developers using in-app purchases follow “best practices” and validate receipts using their own servers or services independent from the App Store to avoid these kinds of man-in-the-middle attacks. Of course, developers should also take care that their own validation process cannot be attacked in a similar manner: the same DNS redirection and forged certificate work just as well against a developer’s server if the app simply trusts whatever answers at that hostname.
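The receipt-validation principle described above, as an added example that is not code from the original article or from Apple: a simplified receipt model (an assumed JSON payload with an ECDSA signature, not Apple’s real receipt format) with a validator that holds a pinned store public key, the app’s own bundle identifier and a record of redeemed transactions. The names Payload, Receipt, Validator, Issue and Demo, the bundle identifiers and transaction IDs are all constructed for illustration. Because the attacker can redirect DNS and present a forged TLS certificate but cannot sign with the pinned key, the spoofed receipt fails on the signature check alone, and the bundle and replay checks cover the two cheaper tricks that survive a correct signature.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"errors"
	"fmt"
)

// Payload is the signed part of a simplified receipt. This is a stand-in
// (assumption) for a store receipt, not Apple's real receipt format.
type Payload struct {
	BundleID      string `json:"bundle_id"`
	ProductID     string `json:"product_id"`
	TransactionID string `json:"transaction_id"`
}

// Receipt carries the payload and an ASN.1 ECDSA signature over SHA-256 of
// the payload's JSON encoding (deterministic: struct field order is fixed).
type Receipt struct {
	Payload   Payload
	Signature []byte
}

// Validator is what the developer's own server knows independently of any
// network peer: the pinned store key, its own bundle ID, redeemed transactions.
type Validator struct {
	storeKey *ecdsa.PublicKey
	bundleID string
	redeemed map[string]bool
}

var (
	ErrBadSignature = errors.New("signature was not made by the pinned store key")
	ErrWrongBundle  = errors.New("receipt was issued for a different app")
	ErrReplay       = errors.New("transaction already redeemed")
)

func digest(p Payload) []byte {
	b, _ := json.Marshal(p) // cannot fail for a struct of plain strings
	h := sha256.Sum256(b)
	return h[:]
}

// Issue signs a payload. The real store and a spoofing server can both
// "issue" receipts; only the store's public key is pinned in the validator.
func Issue(priv *ecdsa.PrivateKey, p Payload) (Receipt, error) {
	sig, err := ecdsa.SignASN1(rand.Reader, priv, digest(p))
	if err != nil {
		return Receipt{}, err
	}
	return Receipt{Payload: p, Signature: sig}, nil
}

func NewValidator(storeKey *ecdsa.PublicKey, bundleID string) *Validator {
	return &Validator{storeKey: storeKey, bundleID: bundleID, redeemed: map[string]bool{}}
}

// Validate accepts a receipt only if it is signed by the pinned key, was issued
// for this app, and has not been redeemed before. The signature is checked
// first so that unauthenticated fields never drive the later decisions.
func (v *Validator) Validate(r Receipt) error {
	if !ecdsa.VerifyASN1(v.storeKey, digest(r.Payload), r.Signature) {
		return ErrBadSignature
	}
	if r.Payload.BundleID != v.bundleID {
		return ErrWrongBundle
	}
	if v.redeemed[r.Payload.TransactionID] {
		return ErrReplay
	}
	v.redeemed[r.Payload.TransactionID] = true
	return nil
}

// Demo plays out the scenarios from the article with constructed data and
// returns the validator's verdict for each one.
func Demo() (map[string]error, error) {
	store, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	attacker, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	v := NewValidator(&store.PublicKey, "com.example.game")
	out := map[string]error{}
	issue := func(k *ecdsa.PrivateKey, p Payload) Receipt {
		r, err := Issue(k, p)
		if err != nil {
			panic(err)
		}
		return r
	}
	genuine := issue(store, Payload{"com.example.game", "gems_100", "txn-1001"})
	out["genuine"] = v.Validate(genuine)
	// Spoofed receipt: hijacked DNS plus a forged TLS certificate let the
	// attacker answer as the store, but they cannot sign with the pinned key.
	out["spoofed"] = v.Validate(issue(attacker, Payload{"com.example.game", "gems_100", "txn-1002"}))
	// A genuine receipt lifted from a different app selling the same product name.
	out["wrong_bundle"] = v.Validate(issue(store, Payload{"com.example.other", "gems_100", "txn-1003"}))
	// Replay of the genuine receipt a second time.
	out["replay"] = v.Validate(genuine)
	return out, nil
}

func main() {
	out, err := Demo()
	if err != nil {
		panic(err)
	}
	for _, k := range []string{"genuine", "spoofed", "wrong_bundle", "replay"} {
		fmt.Printf("%-12s -> %v\n", k, out[k])
	}
}
```

The same reasoning applies to the channel between the app and the developer’s own validation server: if the app trusts any certificate the device accepts for that hostname, Borodin’s DNS-plus-forged-CA setup can stand in for it just as easily, so pin that server’s key (or sign its responses) rather than relying on the platform trust store alone.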

Geoff Duncan
Former Digital Trends Contributor