Apple takes steps to block iOS in-app purchase hack
Apple has enacted measures to block a hack that can allow users to obtain in-app purchases through the iOS App Store for free.
The IP addresses used by a Russian hacker for the exploit were blocked over the weekend, according to The Next Web. Apple also reportedly issued a takedown request against the servers used, and issued a copyright claim to remove the YouTube video that showed users how to utilize the exploit.
In addition, PayPal blocked hacker Alexey V. Borodin's account for violating its terms of service, preventing him from collecting donations.
The hack, which entails installing forged digital certificates onto an iOS device and connecting to a unique DNS server, was first publicized last week (http://www.appleinsider.com/articles/12/07/13/hack_allows_free_acces_to_in_app_ios_purchases.html). Apple quickly issued a statement to say it was investigating the matter, adding that the company takes "reports of fraudulent activity very seriously."
Prior to Apple's takedown efforts, Borodin claimed that his method had already been used to process more than 30,000 illegal in-app payment requests. However, the hack has not been completely quashed, as Borodin continues to find ways to keep the exploit alive.

Screenshot of Borodin's in-app purchasing workaround being used on CSR Racing. | ZonD80's YouTube channel
Apple's current methods to block the hack are likely a short-term fix. Developers believe a more permanent solution would be easy for Apple to create, though it would likely require a software update for iPhone and iPad users.
Apple first introduced in-app purchases with the release of iOS 3.0 in 2009. The feature was initially limited to paid applications, but was made available to free apps later that year. Apple takes a 30 percent cut of revenue generated from in-app purchases.
Comments
Quote:
Originally Posted by irnchriz
If Alexey is short of cash he can just sell all of the iTunes accounts of those using his hack.
His process now forces users to log out of their iTunes account. He doesn't want access to their details. Additionally his PayPal acc has been frozen so I guess he hasn't made a single bean.
Although he is enabling people to steal, personal gain (i.e. cash) doesn't seem to have been his primary motive (donations aside).
The guy will try to amass a little fortune before being on the run, lol, pesky Russians.
Quote:
Originally Posted by irnchriz
If Alexey is short of cash he can just sell all of the iTunes accounts of those using his hack.
Yep! The idiots who used his service will pay now as their iTunes account gets owned. No free lunch.
So is it Apple's fault for having the vulnerability, or other people's fault for trying to take advantage of it?
What an interesting topic for a philosophy class. "Is it ever the fault of any victim when someone with malice aforethought commits a crime against them?" One could argue not having bullet proof skin is responsible for so many murders!
Quote:
Originally Posted by digitalclips
What an interesting topic for a philosophy class. "Is it ever the fault of any victim when someone with malice aforethought commits a crime against them?" One could argue not having bullet proof skin is responsible for so many murders!
Or having so many loopholes in tax law is responsible for rampant tax evasion.
Not clear which side you are on here ...
Quote:
Originally Posted by auxio
Or having so many loopholes in tax law is responsible for rampant tax evasion.
"The legal right of an individual to decrease the amount of what would otherwise be his taxes or altogether avoid them, by means which the law permits, cannot be doubted." - U.S. Supreme Court
The loopholes encourage tax avoidance or mitigation. Evasion is illegal.
Quote:
Originally Posted by Sensi
The guy will try to amass a little fortune before being on the run, lol, pesky Russians.
If he wanted to steal money from itunes customers I doubt that he would have used his real name...
Assuming that Apple come up with a fix for the exploit, can they force an OTA upgrade? If not, then surely anyone taking advantage of free apps will decline any OTA updates for as long as possible? Additionally, is there any way that Apple can "undo" the process?
Quote:
Originally Posted by PowerMach
The loopholes encourage tax avoidance or mitigation.
Seemingly only for those that already pay the lowest rates
Quote:
Originally Posted by PowerMach
"The legal right of an individual to decrease the amount of what would otherwise be his taxes or altogether avoid them, by means which the law permits, cannot be doubted." - U.S. Supreme Court
The loopholes encourage tax avoidance or mitigation. Evasion is illegal.
So then, could using loopholes in Apple's in-app payment system be considered "payment avoidance or mitigation"?
Basically, I'm trying to show that people think it's ok to be creative in finding workarounds for taxation laws in their own self-interest (while others pay their fair share). Yet, the same reasoning, when applied to finding workarounds for payment systems (while others pay their fair share) is wrong. Both are wrong IMO.
Quote:
Originally Posted by auxio
So then, could using loopholes in Apple's in-app payment system be considered "payment avoidance or mitigation"?
Basically, I'm trying to show that people think it's ok to be creative in finding workarounds for taxation laws in their own self-interest (while others pay their fair share). Yet, the same reasoning, when applied to finding workarounds for payment systems (while others pay their fair share) is wrong. Both are wrong IMO.
It is legal to avoid tax...it is illegal to avoid a payment system and steal. And leave the "fair share" out of it, if that was true, EVERYONE would pay into the system, which, they don't (bottom 50% of taxpayers).
Quote:
Originally Posted by icoco3
It is legal to avoid tax...it is illegal to avoid a payment system and steal. And leave the "fair share" out of it, if that was true, EVERYONE would pay into the system, which, they don't (bottom 50% of taxpayers).
And investors who pay a far lower percentage on income than wage earners.
Quote:
Originally Posted by auxio
And investors who pay a far lower percentage on income than wage earners.
Nothing evil about profit...but they still pay more $$$, about 90%+ from top 50% and >10% from bottom 50% of overall taxes collected.
Quote:
Originally Posted by icoco3
Nothing evil about profit...but they still pay more $$$, about 90%+ from top 50% and >10% from bottom 50% of overall taxes collected.
I don't know about the USA but in most western countries the poorest people pay a higher percentage of their income in taxes. Although they occupy lower income rate bands they are disproportionally affected by sales taxes, given that they save little and spend most of their income.
Whilst I am not a fan of sales taxes they do have the advantage of forcing low income earners (who avoid income tax) to pay taxes. The caveat being that those people are unfairly able to consume more than their honest counterparts.
Quote:
Originally Posted by AppleInsider
The hack, which entails installing forged digital certificates onto an iOS device and connecting to a unique DNS server
Why does the term "Russian Roulette" seem very apt here?
Better to play by the rules & pay the few bucks, than to play with fire & install mysteryware from Russia...
http://www.in-appstore.com/
People there are basically divided in the same way as folks in this forum, with no one talking about the real problem or long-term solution. Everyone seems to be praising piracy or condemning it, or going off-topic on things like taxes.
This is really NAPSTER all over again. In the past, people stole music like mad because there was no popular legal means to get that music in a convenient, modern way like the iTunes Music Store. Now most people in developed countries buy their music (including myself) rather than stealing it. That's true not because NAPSTER's flame was extinguished but because Apple provided a convenient and reasonably priced solution.
But with app buying, you don't always know what you're getting until you pay, and then you don't get your money back if you don't like what you paid for. Hence this Russian Developer, on some level, is to be praised as much as they are to be condemned, not unlike NAPSTER was to be praised — not for encouraging theft, but for allowing people to Try Before We Buy, and to put pressure on the app industry (i.e., Apple) to change the status quo and give app buyers Trials and give developers App Upgrades in the app store.
We can howl and cry all we want about right and wrong, but these naughty guys often do more good than bad in the end, especially if we legitimate buyers of apps keep up the pressure on Apple to enact improvements to the app buying experience:
http://www.apple.com/feedback/iphone.html
or
http://www.apple.com/feedback/ipad.html
This is about in-app purchases, not the app itself. If you're to the point where you want to spend money inside the app, you're already past the point of deciding whether you want it.
What, do the pirates want trials on in-app purchases now?