 


Friday, July 20, 2012, 03:18 pm PT (06:18 pm ET)

Apple offers temporary fix for in-app purchase hack ahead of iOS 6 patch

Apple on Friday issued a note to developers outlining a fix for an in-app purchasing exploit that allowed for the free download of for-pay content, and also announced that the loophole will be plugged when iOS 6 is released this fall.

In its support document for iOS app developers, reports CNET, Apple recommends that apps featuring in-app purchases follow a set of guidelines that includes confirming orders with the company's new receipt system.

The receipt validation protocol, which Apple unveiled on Wednesday, attaches a "unique identifier" to in-app purchase receipts. This tactic effectively thwarts the recently discovered workaround that validated dubious "purchases" by routing them to a specialized DNS server and spoofing digital receipts. Prior to the discovery, Apple sent generic receipts containing no unique user data.

"We recommend developers follow best practices at developer.apple.com to help ensure they are not vulnerable to fraudulent In-App purchases," said Apple spokesman Tom Neumayr. "This will also be addressed with iOS 6."

Friday's document includes instructions on how to set up and use Apple's new validation system, as well as how to validate transactions that have already gone through.


From the document:
A vulnerability has been discovered in iOS 5.1 and earlier related to validating in-app purchase receipts by connecting to the App Store server directly from an iOS device. An attacker can alter the DNS table to redirect these requests to a server controlled by the attacker. Using a certificate authority controlled by the attacker and installed on the device by the user, the attacker can issue a SSL certificate that fraudulently identifies the attacker’s server as an App Store server. When this fraudulent server is asked to validate an invalid receipt, it responds as if the receipt were valid.

As part of the damage control measures, Apple allowed apps to access certain non-public APIs pertaining to verification and security services.

Along with the support document, Apple sent out an email to developers noting the exploit will be patched in iOS 6 when the mobile operating system is released alongside an expected next-generation iPhone sometime this fall.
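To illustrate why a receipt carrying a unique identifier is harder to spoof or reuse than the generic receipts described above, here is an added example that is not Apple's code or receipt format. The field names `unique_identifier` and `product_id`, the JSON layout, and the HMAC key standing in for the store's signature are all assumptions made for the sketch.

```python
import hashlib
import hmac
import json

# Assumption: an HMAC key stands in for the store's real receipt signature.
STORE_KEY = b"constructed-demo-key"


def _tag(payload: str, key: bytes) -> str:
    return hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()


def sign_receipt(fields: dict, key: bytes = STORE_KEY) -> dict:
    """Issue a receipt: canonical JSON payload plus its HMAC-SHA256 tag."""
    payload = json.dumps(fields, sort_keys=True, separators=(",", ":"))
    return {"payload": payload, "tag": _tag(payload, key)}


def verify_receipt(receipt: dict, device_id: str, product_id: str,
                   key: bytes = STORE_KEY) -> str:
    """Return "ok", or the reason the receipt is rejected."""
    payload = str(receipt.get("payload", ""))
    tag = str(receipt.get("tag", ""))
    # 1. Authenticity: a receipt minted by a look-alike server fails here.
    if not hmac.compare_digest(_tag(payload, key).encode(), tag.encode()):
        return "bad-signature"
    fields = json.loads(payload)
    # 2. Binding: a generic receipt names no device, so it proves nothing
    #    about who bought the item and can be handed to anyone.
    bound_to = fields.get("unique_identifier")
    if bound_to is None:
        return "no-identifier"
    if bound_to != device_id:
        return "wrong-device"
    # 3. Scope: the receipt must be for the item being unlocked.
    if fields.get("product_id") != product_id:
        return "wrong-product"
    return "ok"


if __name__ == "__main__":
    # Constructed sample receipts.
    bound = sign_receipt({"product_id": "coins.100", "unique_identifier": "DEVICE-A"})
    generic = sign_receipt({"product_id": "coins.100"})
    forged = sign_receipt({"product_id": "coins.100", "unique_identifier": "DEVICE-A"}, key=b"not-the-store")
    for name, r, dev in [("bound", bound, "DEVICE-A"), ("replayed", bound, "DEVICE-B"),
                         ("generic", generic, "DEVICE-A"), ("forged", forged, "DEVICE-A")]:
        print(name, verify_receipt(r, dev, "coins.100"))
```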