Hack allows free access to in-app iOS purchases [u] - Page 2

Quote:

Originally Posted by SolipsismX 


It shows a hole in in-app purchases, an issue with the process, but to say that in-app purchases are flawed in it's essential nature and being is just hyperbole. Do you say that Java or JavaScript or any other piece of software must be fundamentally flawed everytime a bug fix is issued thus proving there were bugs? Of course not.
.

I agree, that's why I said the Apple implementation is fundamentally flawed, not the concept of in-app purchases. I've written a lot of 'transaction-based' software with remote servers, and if you're only mean of verification is based on certificates, you should always use a white-list of certificates. I have not analysed this issue in detail, but it seems the process accepts certificates based an common names instead of thumbprints etc.

Quote:

Originally Posted by genovelle 

Theft is a crime. Period.   I'm sure you were saying pedophilia, but as moral values continue to degrade, our society will return to the days of pedophilia being legal like it was is Greece.  It was not until Christianity became the official religion there that the practice was stopped.  

Couple of years ago in the news there was other information about some 'god-people'. 

Don't put that religion did something good. Religion blinds. Are you blind?

Old news....

It's better that one Russian guy tells the world about this exploit than thousands of people in China use it secretly.

He's done the right thing and now Apple will fix it. It's a win for developers.

Quote:

Originally Posted by Tallest Skil 


Could get all ISPs to block all P2P.

A waste of time. 

1) ISP's block p2p

2) p2p changes protocol, to a possibly 100% encrypted format

3) p2p functions as normal

4) now ISP's can not do traffic shaping on p2p traffic

Quote:

Originally Posted by Marvin 


Simple really:
http://www.youtube.com/watch?feature=player_detailpage&v=xMk4cW9Zpj4#t=4794s
Make it more worthwhile to pay for it than to steal it. Unfortunately, not so simple to implement such a system in a digital era.
With digital content, there is such a disconnect between cause and effect that the gains from honesty are as unrecognisable as the damage done by dishonesty.
The content providers don't help matters by blocking content by region and providing it after long periods of time through exclusive/expensive distribution channels, by implementing restrictive DRM and by using measures to extort money from users via hidden charges.
People wouldn't steal movies quite so much if new movies went straight to Blu-Ray but the movie industry has managed to persuade people that a movie going direct to video/DVD/Blu-Ray means it's a failed movie when in fact, the distribution format means nothing about the quality. It's just that the movie industry knows that controlling the distribution means they can control the profits. Once it goes to retail, their control is gone.
The music industry has embaced DRM-free audio but no such luck with DRM-free video yet. I think this is due to music files being so small that it is hard to have a service where people can find what they want and get consistent quality so iTunes ends up being more worthwhile as it's 99c per song and you can find as much music as you like with quality control. If a movie is $10-15 and only comes on a DRM disc or download and you can't put it on a mobile device easily, paying for it is worse than stealing it.
I think the app issue is a minor one because the App Store works in a similar way to music. Lots of inexpensive content where it's harder to steal than pay for it. If the App Store content is worth paying for, people will generally pay for it. There certainly won't be a significant volume of the 300 million+ users who go out of their way to steal the content.

You raise good points.

Physical media needs to be a premium product.  People should want to own the official release, due to it being better in many respects to any digital copy.

And access to pay-for digital media needs to be available, at a price most normal folks consider reasonable, if they want to make it the preferred choice for the folks who prefer digital.

Paid-for needs to be better than free.  Libraries did not put book stores out of business, despite being free.  I don't see why torrents should put the publishers of entertainment out of business either.  They need to provide a proper value proposition, and people will accept it.  My guess is that as of now, they could be doing better.

People will pay for convenience.  They will also pay for something that they like better.  Look at bottled water.  People love it, despite the fact that a free alternative is often available.

Quote:

Originally Posted by Suddenly Newton 

Basically, the equivalent of "I'm mad this game costs so much, so I broke into the store and took it, and I'm going to show you how to do the same so I can teach these greedy developers a lesson."
Yeah, or you could simply not buy it. But hey, some people think they are entitled to steal.

Quote:

Originally Posted by Tallest Skil 


That's exactly the mindset.
"I can't afford it, so I'm entitled to download it for free. This can't be illegal."

Quote:

Originally Posted by charlituna 


And use your greed to steal your Apple ID and password so I can buy a ton of stuff and sell it on eBay. I'll get my cousins in America to help me by buying it to pickup in store with their name as okay to pick up for you. In and out before you know what hit you, you lazy greedy turd.

Are we missing the point?

This guy may be scum and have the worst of intentions.

But, I think the more important point is that guys like this serve a valuable role in keeping Apple on it's toes and in the long run making things safer for us all. I appreciate AI and others reporting this and allowing discussion on it. That way the user who may stumble upon this hack has some info about it. Knowing that the passwords are sent in clear text is important to know. Some idiots will ignore that and try the hack. But at least they are given the opportunity to be educated and do the smart thing and avoid this scumbag's hack.

Quote:

Originally Posted by charlituna 


What exactly is the loophole Apple needs to fix.
Allowing customers to change their DNS settings? Okay that's gone. No reason for folks needing to change them anyway right.
Allowing customers to side load security certificates? Gone, who needs that anyway right. From now on, you have to submit them to Apple who will thoroughly vet every one of them before putting them on an official server, etc.
Andso on. Since you are do smart tell us what is wrong and what they should do about it.
While we are at it, perhaps we should demand that Apple drops the whole IAP system, it's bunk anyway. And not just from games, from everything. Apple just does it to make more money and they are worth billions,the greedy bastards.

As I've already said in my previous response. When the api validates the in-app process with an apple server (which gets redirected using the custom dns) why does apple allow custom certificates instead of a whitelist of apple certificates...

It seems the only security is that it should be ssl (any certificate is valid) and that's not a good idea. You always have to take a man-in-the-middle attack using for instance dns spoofing into account.

Quote:

Originally Posted by GregInPrague 

In the current climate I don't know how you can.  If the society can't agree whether truth is relative or not how can you say what is right or wrong?  When elected officials are consistently getting away with obvious corruption why should a teenager feel guilty about downloading a few movies?  In my opinion piracy won't diminish until either A) Laws are put into place with real teeth (they've tried and there's been huge backlash across Europe in the last year) or B) There's a significant spiritual change in the region.

Seriously, why should the teenager feel bad if corruption exist everywhere in society ? Not only with elected officials, but also with companies. Big companies like Microsoft, IBM, Google and even Apple are basically places where moral values don't exist. Of course it's not illegal, they have the power of money to change laws. Even if it's illegal, so what? The penalties are pennies for them. Google copies Oracle, Oracle copies someone else, Apple copies someone else.

Why put someone for jail for piracy, but not for bigger crimes? Also, it's not only Europe. In the US and Canada, most people pirate too. Honestly, I never knew anyone who didn't do it and not only from poor people. Rich people pirate as much if not more. It would not surprise me if 90 % of people here used torrents. Who the hell can buy 10 000 songs for their ipods?

Hence, since the vast majority of the population doesn't see any changes at the top, why should they change. You see politician fighting for less laws for the rich (the market will take care of it) but for more laws for the others. Doesn't make sense.

If that doesn't change, well morality is relative, right?

What is this guy talking about???  I'm 2 races away from beating the entire CSR game and I haven't spent a dime...  This game isn't different than Dragonvale - you have to put time in it if you want to level up and such.  The biggest thing about CSR?  You have to wait until the agent shows up to sell you car for half price (which she does rather often).  If you do that it really shouldn't be a problem...

Quote:

Originally Posted by Marvin 
I think the app issue is a minor one because the App Store works in a similar way to music. Lots of inexpensive content where it's harder to steal than pay for it. If the App Store content is worth paying for, people will generally pay for it. There certainly won't be a significant volume of the 300 million+ users who go out of their way to steal the content.

If you make a game and put it on the app store for sale at the cheapest paid price (non-free) then you can expect 100x more users to play your game than buy it. i.e. for every 1 person that buys it you can expect 100 to pirate and play it (can be seen easily from server -side high scores etc).

Quote:

Originally Posted by GregInPrague 

"Who really wants to pass their user name and password to Russia? Please people, you're only asking for trouble if you use this hack."

Because they are Russians? You racist bastard, haha... Im quite sure you wouldn't want to pass a Swede like me your username and password either... The jailbreak solution seams to be far safer, although one would need to undergo the actual jailbreak, messy, makes it kinda not worth it...

Quote:

Originally Posted by Tallest Skil 


Could get all ISPs to block all P2P.

Hi2u Big Brother. Scary. :)

Quote:

Originally Posted by charlituna 


Let's put away the indignation and go review the context. I never said those that 'steal' via p2p should be put in jail. I said that would be the only way to completely stop it. Big difference.

 Sure, the threat of the death penalty in "civilized" countries such a Iran, China and the USA has made these enlightened states murder free...

Quote:

Originally Posted by genovelle 

Theft is a crime. Period.

Theft is rather a felony or a misdemeanor. Moreover piracy is a copyright infringement, no physical product is stolen here, this is more of a shortfall than a loss.

Quote:

Originally Posted by GregInPrague 


Probably so, but too late because AI was actually late to this party.
Who really wants to pass their user name and password to Russia? Please people, you're only asking for trouble if you use this hack.

 To be fair to the fellow he has now changed things to force users to log out of their account, thus mitigating the risk of anyone accusing him of stealing personal details.