In an unusual move, Apple is offering iOS application developers a workaround for the exploit that enables iOS users to make free in-app purchases. Apple says the exploit will be fixed in the forthcoming iOS 6.0, but in the meantime Apple is explicitly giving developers permission to tap into private Apple iOS APIs to verify certificates that purport to be from the App Store. Historically, Apple has summarily rejected iOS applications that rely on accessing any private API.
The exploit, which gained notoriety last week, was developed by Russian hacker Alexey Borodin, although there is really nothing stopping other motivated individuals from using the same approach. Borodin forged security certificates that claimed to be from Apple, then set up his own DNS servers to respond as if they were Apple’s App Store. When applications tried to make in-app purchases, Borodin’s setup hijacked the process and provided spoofed receipts so the apps would unlock or give access to additional features or content.
Apple’s workaround is not exactly painless for developers — they will have to update their existing iOS applications to validate store receipts — but at least it’s a solution that can be deployed now and support in-app purchasing prior to iOS 6. There is a further limitation: if applications have not saved their store receipts, they will not be able to validate purchases.
Apple has consistently recommended that developers using in-app purchases follow “best practices” and validate receipts using their own servers or services independent of the App Store, to avoid these kinds of man-in-the-middle attacks. Of course, developers should also take care that their own validation process cannot be attacked in a similar manner.
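The server-side validation the previous paragraph recommends, as an added example that is not part of the original article and not Apple's code. It assumes the JSON shape of Apple's `verifyReceipt` service of that era (a `status` field that is 0 on success and a `receipt` object carrying `bid`, `product_id` and `transaction_id`); the bundle and product identifiers, the receipts and the `fake_store_verify` stand-in for the App Store are constructed so the example runs offline. The three checks after the store reply are what defeat the attack described above: a receipt from a different app is refused, an unknown product is refused, and a receipt that has already been redeemed is refused as a replay.

```python
import base64
import json
import urllib.request
from typing import Callable, Dict, Set, Tuple

# Apple's receipt verification endpoint of the iOS 5 era. The developer's own
# server resolves this host name itself, so a DNS server substituted on the
# device's network (the trick described in the article) cannot redirect the check.
APPLE_VERIFY_URL = "https://buy.itunes.apple.com/verifyReceipt"


def post_to_app_store(receipt_b64: str) -> dict:
    """Send a base64 receipt to the pinned endpoint and return the JSON reply.
    Not exercised in the offline demo below; used as the `verify` callable in production."""
    body = json.dumps({"receipt-data": receipt_b64}).encode()
    req = urllib.request.Request(
        APPLE_VERIFY_URL, data=body, headers={"Content-Type": "application/json"}
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


class ReceiptValidator:
    """Server-side checks a client-supplied receipt must pass before content is unlocked."""

    def __init__(self, verify: Callable[[str], dict], bundle_id: str, products: Set[str]):
        self._verify = verify            # post_to_app_store in production
        self._bundle_id = bundle_id      # the app this server serves
        self._products = products        # product ids this server is willing to unlock
        self._seen: Set[str] = set()     # redeemed transaction ids (a database in production)

    def validate(self, receipt_b64: str) -> Tuple[bool, str]:
        # Reject anything that is not even base64 before talking to the store.
        try:
            base64.b64decode(receipt_b64, validate=True)
        except (ValueError, TypeError):
            return False, "malformed receipt data"

        reply = self._verify(receipt_b64)
        if reply.get("status") != 0:
            return False, f"store did not authenticate receipt (status {reply.get('status')})"

        receipt = reply.get("receipt", {})
        # A genuine receipt that was bought for some other app must not unlock this one.
        if receipt.get("bid") != self._bundle_id:
            return False, "receipt belongs to another app"
        if receipt.get("product_id") not in self._products:
            return False, "unknown product"
        # One purchase unlocks once: a second presentation of the same receipt is a replay.
        tid = receipt.get("transaction_id")
        if not tid:
            return False, "receipt lacks transaction id"
        if tid in self._seen:
            return False, "transaction already redeemed (replay)"
        self._seen.add(tid)
        return True, "ok"


# Constructed stand-in for the App Store so the example runs offline.
GENUINE = base64.b64encode(b"genuine-receipt-1").decode()
FOREIGN = base64.b64encode(b"receipt-bought-for-another-app").decode()
FORGED = base64.b64encode(b"made-up-by-attacker").decode()

FAKE_STORE: Dict[str, dict] = {
    GENUINE: {"status": 0, "receipt": {"bid": "com.example.myapp",
                                        "product_id": "com.example.myapp.goldpack",
                                        "transaction_id": "1000000012345678"}},
    FOREIGN: {"status": 0, "receipt": {"bid": "com.example.otherapp",
                                        "product_id": "com.example.myapp.goldpack",
                                        "transaction_id": "1000000087654321"}},
}


def fake_store_verify(receipt_b64: str) -> dict:
    # 21003 is the verifyReceipt status for a receipt that could not be authenticated.
    return FAKE_STORE.get(receipt_b64, {"status": 21003})


def demo() -> Dict[str, Tuple[bool, str]]:
    v = ReceiptValidator(fake_store_verify, "com.example.myapp", {"com.example.myapp.goldpack"})
    results = {}
    results["genuine"] = v.validate(GENUINE)      # first use: accepted
    results["replay"] = v.validate(GENUINE)       # same receipt again: refused
    results["foreign"] = v.validate(FOREIGN)      # valid receipt, wrong app: refused
    results["forged"] = v.validate(FORGED)        # store never issued it: refused
    results["garbage"] = v.validate("not base64!!")
    return results


if __name__ == "__main__":
    for name, (ok, why) in demo().items():
        print(f"{name:8s} {'ACCEPT' if ok else 'REJECT'}  {why}")
```

The replay set is the check most easily forgotten: the receipts circulated in the attack described above were real ones, so they pass the store's own authentication and are only caught by the bundle-id comparison and by refusing to honour the same transaction twice.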