Apple leverages 'unique identifier' to thwart in-app purchasing hack

Posted in General Discussion, edited January 2014
Developers reported on Wednesday that Apple is now attaching a unique identifier to in-app purchases in an attempt to stop a recently-discovered workaround which allowed the download of paid content for free.

Scattered tips sent to MacRumors from unnamed app developers claim the iPhone maker's latest step against the in-app purchasing workaround involves either a proprietary identification system or unique device identifier data (UDID), the unique number assigned to every wireless iDevice.

Developers have been seeing a new receipt field on in-app purchase invoices titled "unique_identifier", which appears to be a device's UDID. While the reports are consistent, it is unclear whether Apple is using actual UDID data or a new form of identification, as the company has instituted protocols against apps using the sensitive information.

The reported hack was first made public last Friday and involves sending forged digital certificates to a unique DNS server, which then sends back spoofed code receipts, effectively validating a "purchase" as legitimate. Russian hacker Alexey V. Borodin, who discovered the workaround, said Apple's purchasing process was easy to replicate because the digital receipts were generic and contained no unique user data.
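As an added illustration of the defensive point in the paragraphs above (example code written for this page, not Apple's code or any developer's), the following Python sketches server-side receipt validation that refuses a receipt unless it carries a per-device "unique_identifier" matching the device presenting it, and refuses to redeem the same transaction twice. Only the unique_identifier field name comes from the article; the response layout, the status-code convention and the other field names (bundle_id, product_id, transaction_id) are assumptions, and both receipts are constructed samples.

```python
"""Receipt validation with a device-binding check.

Added example, not code from the article or from Apple. A generic receipt
with no device binding can be replayed on any device; a receipt carrying a
per-device unique_identifier can be rejected when the presenting device
does not match. Field names other than unique_identifier are assumptions.
"""
import hmac
import json

# Constructed sample of a legitimate verification response (assumed layout).
GENUINE_DEVICE_ID = "a1b2c3d4e5f60718293a4b5c6d7e8f9012345678"  # constructed
GENUINE_RESPONSE = json.dumps({
    "status": 0,
    "receipt": {
        "bundle_id": "com.example.game",
        "product_id": "com.example.game.gold_pack",
        "transaction_id": "1000000123456789",
        "unique_identifier": GENUINE_DEVICE_ID,
    },
})

# Constructed sample of the generic kind of receipt the article describes:
# it reports success but is bound to no device.
SPOOFED_RESPONSE = json.dumps({
    "status": 0,
    "receipt": {
        "bundle_id": "com.example.game",
        "product_id": "com.example.game.gold_pack",
        "transaction_id": "0",
    },
})


class ReceiptRejected(Exception):
    """Raised with a short reason when a receipt fails a check."""


def validate_receipt(response_json, expected_bundle_id, expected_product_id,
                     expected_device_id, seen_transactions):
    """Return the receipt dict if every check passes, else raise ReceiptRejected.

    Checks, in order:
      1. the verifier reported success ("status" == 0, assumed convention);
      2. the receipt is for this app and for the product being unlocked;
      3. the receipt carries a unique_identifier that matches the device
         presenting it (constant-time compare);
      4. the transaction id has not been redeemed before (replay).
    """
    data = json.loads(response_json)
    if data.get("status") != 0:
        raise ReceiptRejected("verifier status %r" % data.get("status"))
    receipt = data.get("receipt") or {}
    if receipt.get("bundle_id") != expected_bundle_id:
        raise ReceiptRejected("bundle_id mismatch")
    if receipt.get("product_id") != expected_product_id:
        raise ReceiptRejected("product_id mismatch")
    device_id = receipt.get("unique_identifier")
    if not isinstance(device_id, str) or not device_id:
        raise ReceiptRejected("receipt is not bound to a device")
    if not hmac.compare_digest(device_id, expected_device_id):
        raise ReceiptRejected("receipt issued for a different device")
    txn = receipt.get("transaction_id")
    if not txn or txn in seen_transactions:
        raise ReceiptRejected("transaction already redeemed or missing")
    seen_transactions.add(txn)
    return receipt


def check(response_json, device_id, seen_transactions):
    """Return (accepted, reason) for the sample app's bundle and product."""
    try:
        validate_receipt(response_json, "com.example.game",
                         "com.example.game.gold_pack", device_id, seen_transactions)
        return True, "ok"
    except ReceiptRejected as exc:
        return False, str(exc)


def redeem_twice(response_json, device_id):
    """Present the same receipt twice; the second attempt is a replay."""
    seen = set()
    return [check(response_json, device_id, seen), check(response_json, device_id, seen)]


if __name__ == "__main__":
    print(check(GENUINE_RESPONSE, GENUINE_DEVICE_ID, set()))
    print(check(GENUINE_RESPONSE, "0" * 40, set()))
    print(check(SPOOFED_RESPONSE, GENUINE_DEVICE_ID, set()))
    print(redeem_twice(GENUINE_RESPONSE, GENUINE_DEVICE_ID))
```

The checks run on the developer's own server rather than on the device, since the workaround in the article works precisely by controlling where the device's receipt lookups are answered; a server that keeps its own record of redeemed transaction ids is also what makes the replay check meaningful.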

Wednesday's news comes on the heels of Apple's move to block access to IP addresses used by the Russian hacker, which itself was reportedly followed by a request to take down the servers involved in the sidestepping process.

UDID


UDID access has been a topic of debate recently as consumer advocacy groups and government bodies called for Apple to impose usage restrictions on the unique device data, which could be used nefariously. Mobile ad agencies rely on metrics calculated from reportedly anonymous UDID data to monetize advertisements and are pushing hard against the access blockage, claiming that it would hurt revenues.

Apple has taken steps to ensure developers no longer use UDID data and is reportedly denying App Store submissions that use the identifiers. Apps that used UDID information before the Apple crackdown, however, retain access to the data, and that can only change when an update is submitted.

While Apple has remained mum on the new system, it is unlikely the company would allow unrestricted access to the unique identifiers.

Comments

  • Reply 1 of 7


    I thought they told developers that they weren't allowed to have access to the UDID. If Apple is putting UDID's on in-app purchase receipts back to the developer, that kind of defeats the purpose. Perhaps the UDID on the receipt cannot be traced back to the user.

  • Reply 2 of 7
    solipsismx (member, 19,566 posts)
    I thought they told developers that they weren't allowed to have access to the UDID. If Apple is putting UDID's on in-app purchase receipts back to the developer, that kind of defeats the purpose. Perhaps the UDID on the receipt cannot be traced back to the user.

    I'd guess it's not the same or it wouldn't make sense. If it's not the same I do wonder if it's generated based on the UDID value and easily breakable so devs can then track by UDID without Apple even being aware. This is the sort of the thing Apple usually doesn't get right away so I wouldn't be surprised.
  • Reply 3 of 7
    charlituna (member, 7,217 posts)
    I thought they told developers that they weren't allowed to have access to the UDID. If Apple is putting UDID's on in-app purchase receipts back to the developer, that kind of defeats the purpose. Perhaps the UDID on the receipt cannot be traced back to the user.

    It's not likely the same. I believe Apple issues a randomly made id on subscriptions through the store already and they likely just extended that to all purchases. Or will if the developers wants to code for it.
  • Reply 4 of 7
    elroth (member, 1,201 posts)


    It looks like AI is keeping track of negative comments now:
    [image]

  • Reply 5 of 7
    katastroff (member, 103 posts)


    Although Apple doesn't allow any new apps to use the UDID, it's still there; and if Apple chooses to use it as part of a receipt/hash it's their choice. Even if the devs have a list of UDIDs, they would not be able to track that because they can't write it into their code.

  • Reply 6 of 7
    gatorguy (member, 24,176 posts)


    • 42.5 percent of apps do not encrypt users' personal data, even when accessed via public Wi-Fi.


    • 41.4 percent of apps were shown to track a user's location unbeknownst to them.


    • Almost one in five of the apps analyzed can access your entire Address Book, with some even sending your information to the cloud without notification.

    The report, even if embellished a bit (considering they sell an app that applies), would serve as evidence that a lot of devs aren't playing by the rules.


    http://news.cnet.com/8301-13579_3-57475865-37/bitdefenders-ios-privacy-app-yanked-from-the-app-store/

    BTW, I don't see any change in Apple's privacy policies regarding UDID yet. I've assumed it will be updated sometime around the release of iOS6, but perhaps not? As far as Apple is concerned currently the UDID is not considered personally-identifiable, and thus can be shared with whoever Apple's wishes for any reason, even combined with other "non-identifiable" data.
  • Reply 7 of 7
    solipsismx (member, 19,566 posts)
    gatorguy wrote: »
    • 42.5 percent of apps do not encrypt users' personal data, even when accessed via public Wi-Fi.

    • 41.4 percent of apps were shown to track a user's location unbeknownst to them.

    • Almost one in five of the apps analyzed can access your entire Address Book, with some even sending your information to the cloud without notification.

    The report, even if embellished a bit (considering they sell an app that applies), would serve as evidence that a lot of devs aren't playing by the rules.
    http://news.cnet.com/8301-13579_3-57475865-37/bitdefenders-ios-privacy-app-yanked-from-the-app-store/
    BTW, I don't see any change in Apple's privacy policies regarding UDID yet. I've assumed it will be updated sometime around the release of iOS6, but perhaps not? As far as Apple is concerned currently the UDID is not considered personally-identifiable, and thus can be shared with whoever Apple's wishes for any reason, even combined with other "non-identifiable" data.

    Those stats aren't good. While the iOS App Store is better than any other app store, I do expect Apple to create these rules and then enforce a method to reasonably prevent users from using potentially unsecured apps.