In-app hack creator admits defeat, says 'it's all over…for now'The Russian hacker responsible for discovering a system to sidestep paying for in-app purchases confirmed on Monday that Apple's newly-instituted receipt validation system is effective.
In a blog post on his website on Monday titled "It's all over for now," Alexey Borodin said there is no way to bypass the new APIs Apple rolled out late last week as a quick fix for the revenue-stealing exploit made public earlier in July, reports The Mac Observer.
Word of the exploit, which validated fraudulent purchases by routing them through a specialized DNS server which spoofed digital receipts, first came a little over a week ago. Apple responded by blocking the IP addresses associated with Borodin's workaround and attempting to shut down the DNS servers hosting the dubious receipt validations.
The iPhone maker announced a temporary solution to plug the hole days later and announced that a permanent fix would be present in the upcoming iOS 6 mobile operating system.
Screenshot of Borodin's iOS in-app purchase workaround in action.
From Borodin's Monday blog post:
By examining last apple's statement about in-app purchases in iOS 6, I can say, that currently game is over. Currently we have no way to bypass updated APIs. It's a good news for everyone, we have updated security in iOS, developers have their air-money.
But, service will still remain operational until iOS 6 comes out.
The another thing is for in-appstore for OS X. We still waiting for apple's reaction and we have some cards in the hand. It's good that OS X is open.
Apple's solution leverages receipts which carry a "unique identifier" to validate in-app purchases. The previous system merely generated generic receipts with no specific user data attached, thus allowing for easily spoofed validations. It remains unclear what type of unique identifier is being used, though some have speculated it could be a proprietary system based on UDID data.
An email regarding the security changes was issued last Friday which asked developers to take necessary precautions listed on a special support page. As part of the fix content makers were given access to two private Apple APIs for the express purpose of validating in-app purchases with Apple's new system.
Most recently, Borodin created a workaround for in-app purchasing in