Hack allows free access to in-app iOS purchases [u]

Editor's note: AppleInsider does not condone illegal activity or EULA abuse and in no way endorses the activity described below. As such this article is presented purely for discussion.

According to a report by MacWorld, Russian coder Alexey V. Borodin is responsible for finding and taking advantage of the exploit which was subsequently posted to YouTube. As of this writing the video had accumulated over 2,000 views.

The process entails installing forged digital certificates onto an iOS device and connecting to a unique DNS server which the app believes to be Apple's official App Store. Borodin explains that the server then sends spoofed code receipts, normally issued by Apple, to the app which in turn validates the purchase. He goes on to say that the receipts were "easy to spoof" because they are generic and contain no specific user data.

While other hacks require a jailbroken iOS device able to run proprietary code, the newest iOS exploit simply takes advantage of what can be perceived as a hole in Apple's purchasing system.

Apparently Borodin created the bypass as a "challenge" to developers of CSR Racing, a so-called "freemium" app that costs nothing to download but offers exclusive in-app purchases to unlock special content.

“I set this up due to hungry and lazy developers, Borodin wrote in an instant message conversation with the publication. "I was very angry to see that CSR Racing developer taking money from me every single breath.”

Instapaper developer Marco Arment believes that the hack will only work for one-time in-app purchases while subscription-based buys should be unaffected.

“It probably won’t affect the auto-renewing subscriptions, since they rely on a lot of server-side processing to track, but it wouldn’t surprise me if it could affect any other [in-app purchase] type (including non-renewable ‘subscriptions’ like what Instapaper uses) if the apps don’t check with Apple’s verification servers from their own web services,” Arment writes.

Employing the hack not only affects developers' incomes but users could face negative implications as well and the fault may lie with Apple's purchasing system.

“I can see the Apple ID and password [of users who use the hack],” Borodin said. “But not the credit card information.” It appears that Apple's system passes both bits of sensitive information to the Apple Store server in unencrypted plain text.

The exploit is likely an easy fix for Apple, said developer Marco Tabini, though a patch woud likely involve a software update.

Borodin claims that he is not worried about any legal action from Apple and instead took a different spin on the situation: “I’m a happy user of iPhone 4S … I think they will hire me.”

Update: Apple caught wind of Borodin's successful App Store receipt validation scheme and has issued the following statement (via The Loop):

“The security of the App Store is incredibly important to us and the developer community, Natalie Harrison, told The Loop. “We take reports of fraudulent activity very seriously and we are investigating.”