In an unusual move, Apple is offering iOS application developers a workaround for the exploit that enables iOS users to make free in-app purchases. Apple says the exploit will be fixed in the forthcoming iOS 6.0, but in the meantime Apple is explicitly giving developers permission to tap into private Apple iOS APIs to verify certificates that purport to be from the App Store. Historically, Apple has summarily rejected iOS applications that rely on accessing any private API.
The exploit, which gained notoriety last week, was developed by Russian hacker Alexey Borodin, although there’s really nothing stopping other motivated individuals from using the same approach. Borodin forged security certificates that claim to be from Apple, then set up his own DNS servers to respond as if they were Apple’s App Store. When applications tried to make in-app purchases, Borodin’s exploit essentially hijacked the process and provided spoofed receipts so the apps would unlock or access additional features or content.
Apple’s workaround is not exactly painless for developers — they will have to update their existing iOS applications to be able to validate store receipts — but at least it’s a solution that can be deployed now to support in-app purchasing prior to iOS 6. There is a further catch: applications that have not saved their store receipts will not be able to validate purchases.
Apple has consistently recommended that developers using in-app purchases follow “best practices” and validate receipts using their own servers or services, independent of the App Store, to avoid these kinds of man-in-the-middle attacks. Of course, developers should also take care that their own validation process cannot be attacked in a similar manner.
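The recommendation above comes down to a few server-side checks, which the following added example sketches in Go; it is not Apple's code or API, and the receipt format, key pair and bundle identifier are constructed stand-ins rather than Apple's real ones. The validator verifies each receipt's signature against a key pinned in code instead of trusting whichever server a DNS lookup returned, confirms the receipt was issued for this app, and refuses to redeem the same transaction twice, so a forged or captured receipt fails even when the network path is under an attacker's control.

```go
package main

import (
	"crypto/ed25519"
	"encoding/json"
	"fmt"
)

// Receipt is a constructed, simplified stand-in for a store receipt, not Apple's real format.
type Receipt struct {
	BundleID      string `json:"bundle_id"`
	TransactionID string `json:"transaction_id"`
}

// Validator is a developer's own receipt server: the store key is pinned in code, and redeemed IDs stop replays.
type Validator struct {
	storeKey ed25519.PublicKey
	bundleID string
	seen     map[string]bool
}

// Validate accepts a receipt only if it verifies under the pinned store key, names this app
// and carries a transaction ID not redeemed before; anything else is rejected with an error.
func (v *Validator) Validate(raw, sig []byte) error {
	if !ed25519.Verify(v.storeKey, raw, sig) {
		return fmt.Errorf("signature does not verify against the pinned store key")
	}
	var r Receipt
	if err := json.Unmarshal(raw, &r); err != nil {
		return fmt.Errorf("malformed receipt: %w", err)
	}
	if r.BundleID != v.bundleID {
		return fmt.Errorf("receipt was issued for a different app: %q", r.BundleID)
	}
	if r.TransactionID == "" || v.seen[r.TransactionID] {
		return fmt.Errorf("missing or already-redeemed transaction ID: %q", r.TransactionID)
	}
	v.seen[r.TransactionID] = true
	return nil
}

func main() {
	storePriv := ed25519.NewKeyFromSeed(make([]byte, 32))             // constructed demo key, not a real store key
	forgerPriv := ed25519.NewKeyFromSeed(append(make([]byte, 31), 1)) // a different constructed key, standing in for a forger
	v := &Validator{storeKey: storePriv.Public().(ed25519.PublicKey), bundleID: "com.example.app", seen: map[string]bool{}}
	raw, _ := json.Marshal(Receipt{BundleID: "com.example.app", TransactionID: "tx-1"})
	fmt.Println("genuine:", v.Validate(raw, ed25519.Sign(storePriv, raw)))  // <nil>
	fmt.Println("replay:", v.Validate(raw, ed25519.Sign(storePriv, raw)))   // error: already redeemed
	fmt.Println("forged:", v.Validate(raw, ed25519.Sign(forgerPriv, raw)))  // error: not the store key
}
```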