Apple leverages 'unique identifier' to thwart in-app purchasing hack


Developers reported on Wednesday that Apple is now attaching a unique identifier to in-app purchases in an attempt to stop a recently discovered workaround that allowed the download of paid content for free.

Scattered tips sent to MacRumors from unnamed app developers claim the iPhone maker's latest step against the in-app purchasing workaround involves either a proprietary identification system or unique device identifier data (UDID), the unique number assigned to every wireless iDevice.

Developers have been seeing a new receipt field on in-app purchase invoices titled "unique_identifier", which appears to be a device's UDID. While the reports are consistent, it is unclear whether Apple is using actual UDID data or a new form of identification, as the company has instituted protocols against apps using the sensitive information.

The reported hack was first made public last Friday and involves sending forged digital certificates to a unique DNS server, which then sends back spoofed code receipts, effectively validating a "purchase" as legitimate. Russian hacker Alexey V. Borodin, who discovered the workaround, said Apple's purchasing process was easy to replicate as the digital receipts were generic and contained no unique user data.
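An added example, not from the article or from Apple, showing on the verifying side why a receipt that carries no device-specific data validates for anyone who presents it, while one carrying a `unique_identifier` can be tied to the requesting device. Only the `unique_identifier` field name comes from the reports; the HMAC key, `sign_receipt`, `verify`, the `product_id` field and all sample values are assumptions constructed for illustration.

```python
import hashlib
import hmac
import json

# Constructed stand-in for the store's signing key (assumption for this demo).
STORE_KEY = b"constructed-demo-key"


def _tag(fields: dict) -> str:
    """HMAC-SHA256 over the canonical JSON encoding of the receipt fields."""
    body = json.dumps(fields, sort_keys=True).encode()
    return hmac.new(STORE_KEY, body, hashlib.sha256).hexdigest()


def sign_receipt(fields: dict) -> dict:
    """Hypothetical issuer: returns the fields together with their tag."""
    return {"fields": dict(fields), "sig": _tag(fields)}


def verify(receipt: dict, device_id: str) -> str:
    """Hypothetical verifier: accept only a genuine receipt bound to device_id."""
    fields = receipt.get("fields", {})
    sig = str(receipt.get("sig", ""))
    if not hmac.compare_digest(_tag(fields).encode(), sig.encode()):
        return "reject: bad signature"
    bound_to = fields.get("unique_identifier")
    if bound_to is None:
        # A generic receipt is valid for everyone, so it can be replayed.
        return "reject: receipt not bound to a device"
    if not hmac.compare_digest(str(bound_to).encode(), device_id.encode()):
        return "reject: receipt issued to another device"
    return "accept"


# Constructed sample receipts.
GENERIC = sign_receipt({"product_id": "com.example.levelpack"})
BOUND = sign_receipt({"product_id": "com.example.levelpack",
                      "unique_identifier": "device-A-constructed"})

if __name__ == "__main__":
    print(verify(GENERIC, "device-B-constructed"))
    print(verify(BOUND, "device-A-constructed"))
    print(verify(BOUND, "device-B-constructed"))
```

Because the identifier sits inside the signed fields, editing it to match another device invalidates the signature rather than rebinding the receipt.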

Wednesday's news comes on the heels of Apple's move to block access to IP addresses used by the Russian hacker, which itself was reportedly followed by a request to take down the servers involved in the sidestepping process.

UDID access has been a topic of debate recently as consumer advocacy groups and government bodies called for Apple to impose usage restrictions on the unique device data, which could be used nefariously. Mobile ad agencies rely on metrics calculated from reportedly anonymous UDID data to monetize advertisements and are pushing hard against the access blockage on claims that it would hurt revenues.

Apple has taken steps to ensure developers no longer use UDID data and is reportedly denying App Store submissions that use the identifiers. Apps that used UDID information before the Apple crackdown, however, retain access to the data and can only be changed when an update is submitted.

While Apple has remained mum on the new system, it is unlikely the company would allow unrestricted access to the unique identifiers.