Apple offers temporary fix for in-app purchase hack ahead of iOS 6 patch

in General Discussion edited January 2014
Apple on Friday issued a note to developers outlining a fix for an in-app purchasing exploit that allowed for the free download of for-pay content, and also announced that the loophole will be plugged when iOS 6 is released this fall.

In its support document for iOS app developers, reports CNET, Apple recommends that apps featuring in-app purchases follow a set of guidelines that includes confirming orders with the company's new receipt system.

The receipt validation protocol, which Apple unveiled on Wednesday, attaches a "unique identifier" to in-app purchase receipts. This tactic effectively thwarts the recently-discovered workaround that validated dubious "purchases" by routing them to a specialized DNS server and spoofing digital receipts. Previous to the discovery, Apple sent generic receipts containing no unique user data.

"We recommend developers follow best practices at to help ensure they are not vulnerable to fraudulent In-App purchases," said Apple spokesman Tom Neumayr. "This will also be addressed with iOS 6."

Friday's document includes instructions on how to setup and use Apple's new validation system as well as how to validate transactions that have already gone through.

Hack Fix

From the document:
A vulnerability has been discovered in iOS 5.1 and earlier related to validating in-app purchase receipts by connecting to the App Store server directly from an iOS device. An attacker can alter the DNS table to redirect these requests to a server controlled by the attacker. Using a certificate authority controlled by the attacker and installed on the device by the user, the attacker can issue a SSL certificate that fraudulently identifies the attacker?s server as an App Store server. When this fraudulent server is asked to validate an invalid receipt, it responds as if the receipt were valid.
As part of the damage control measures, Apple allowed apps to access certain non-public APIs pertaining to verification and security services.

Along with the support document Apple sent out an email to developers noting the exploit will be patched in iOS 6 when the mobile operating system is released alongside an expected next-generation iPhone sometime this fall.


  • Reply 1 of 3
    tallest skiltallest skil Posts: 43,399member

    I wonder if Apple will be able to retroactively charge everyone who scammed in this way.

  • Reply 2 of 3
    rmb0037rmb0037 Posts: 142member
    I wonder if Apple will be able to retroactively charge everyone who scammed in this way.
    I sure hope so. Given the fact that in-app purchases usually have to do with tiny add-ons (gold, extra "cash") in the game, these hacks may have been used several times by just one individual. multiply that by how many people actually gave into this theft, and you've got a serious problem.
  • Reply 3 of 3
    neiltc13neiltc13 Posts: 182member
    As usual with Apple - serious security flaw in their software gets left unpatched for weeks or even months.

    See DigiNotar fiasco for another example of Apple Taking a very long time to act while Google, Microsoft and Mozilla had patches within days.

    Also what happens to those devices not receiving iOS 6?
Sign In or Register to comment.