Hacker Releases Tools for Bypassing Apple's In App Purchase Mechanism [Updated]

As noted by 9to5Mac, a Russian hacker has developed a relatively simple method to allow users to bypass Apple's In App Purchase mechanism on many iOS apps, allowing users to obtain the content for free.

in app purchase hack confirm
Alternate In App Purchase confirmation button seen on hacked devices

The method, which does not require jailbreaking, involves installing a pair of certificates on the user's device and then using a custom DNS entry. Users can then perform in-app purchases as usual and automatically be redirected through the hacked system.


Aside from the obvious impact that the hack involves theft of content from developers, the method also poses risks to those using the hack, as some of their own information is transmitted to the hacker's servers during the purchasing process. For both of those reasons, users are strongly advised not to pursue the method.

The hacker has already been evicted from his original host and had reportedly moved to a new one, but the site is currently down. It is unclear whether it is down simply due to high traffic or if other steps are being taken to hinder his activities.

Developers can prevent the hack from working with their apps by implementing validation of In App Purchase receipts, something many developers have not included in their apps.

Update: The Next Web takes a closer look at the method developed by Alexey Borodin, which actually can not be prevented simply by employing receipt validation.

All Borodin’s service needs is a single donated receipt, which it can then use to authenticate anyone’s purchase requests. Many of those receipts have been donated by Borodin himself, who has spent several hundred dollars on in-app purchases testing and generating receipts. [...]

Because the bypass emulates the receipt verification server on the App Store, the app treats it as an official communication, period.

Addressing the issue will ultimately require changes by Apple, which could enhance the API used for In App Purchases to provide for uniquely signed receipts that could not be duplicated on a mass basis as with Borodin's service.

The Next Web also interviewed Borodin, who noted that he has turned over operation of the site to a third party in order to avoid trouble and will be deleting any information he obtained from running the operation. According to Borodin, over 30,000 in-app transactions were made through his service, and he netted just $6.78 in PayPal donations to help with his costs.

Update 2: Macworld also chatted with Borodin, who noted that he can indeed see users' App Store account names and passwords, as they are transmitted in clear text as part of the In App Purchase process.

“I can see the Apple ID and password,” for accounts that try the hack, Borodin told Macworld. “But not the credit card information.” Borodin said that he was “shocked” that passwords were passed in plain text and not encrypted.

According to [developer Marco] Tabini, though, “Apple presumes it’s talking to its own server with a valid security certificate.” But that was clearly a mistake—“This is entirely Apple’s fault,” Tabini added.

Update 3: Apple has issued a brief statement to The Loop acknowledging that it is aware of and investigating the issue.

“The security of the App Store is incredibly important to us and the developer community, Natalie Harrison, told The Loop. “We take reports of fraudulent activity very seriously and we are investigating.”

Popular Stories

new best buy blue

Best Buy's Memorial Day Sale Has Record Low Prices on iPads, MacBooks, and Much More

Friday May 24, 2024 7:12 am PDT by
Best Buy today kicked off its Memorial Day weekend sale, and it has some of the best prices we've tracked in weeks on iPads and MacBooks. Specifically, you'll find record low prices on the 5th generation iPad Air, iPad mini 6, M2 MacBook Air, and M3 MacBook Pro. Note: MacRumors is an affiliate partner with Best Buy. When you click a link and make a purchase, we may receive a small payment,...
macOS 15 Feature

macOS 15 System Settings to Get Design Overhaul

Thursday May 23, 2024 12:51 pm PDT by
With the macOS 15 update that is set to debut at WWDC in June, Apple plans to rearrange "menus and app UIs," according to a report from AppleInsider. The System Settings app, which was last updated with macOS Ventura, will get one of the biggest updates. With macOS Ventura, Apple renamed the System Preferences app to System Settings, introducing a design similar to the Settings app on the...
6chatgpt mac app

5 Reasons to Use OpenAI's ChatGPT App for Mac

Thursday May 23, 2024 6:07 am PDT by
On May 13, OpenAI during its Spring Update announced that it would be releasing a desktop ChatGPT app for the Mac in the "coming weeks," and said that ahead of a wider launch it had started rolling out the app to some ChatGPT Plus subscribers. Subscribe to the MacRumors YouTube channel for more videos. After testing the app for a few days, we thought it was worth sharing some reasons why...
iOS 17

Apple Sheds More Light on iOS 17.5 Bug That Resurfaced Deleted Photos

Friday May 24, 2024 2:36 am PDT by
Last week, some iPhone users reported that Apple's iOS 17.5 update had introduced a bug that caused old photos that were deleted to reappear in the Photos app. Apple quickly released an iOS 17.5.1 update to fix the issue, but for many users, its explanation of "database corruption" in the release notes was all too brief, and did little to allay concerns about the privacy of their data. Apple ...

Top Rated Comments

lannisters4life Avatar
155 months ago
Why would you report this on the front page? If it were in the forums it would have been closed instantly.
Score: 65 Votes (Like | Disagree)
troop231 Avatar
155 months ago
This button looks scary
Score: 63 Votes (Like | Disagree)
-Ryan- Avatar
155 months ago
Yeah free advertisement for hack sites
I agree. Macrumors ought to report this news as it is of relevance to both users of iOS and app developers, but effectively linking to the site on multiple ocassions is just wrong. The lack of sensitivity in this post is astounding.
Score: 34 Votes (Like | Disagree)
jordanhuxley Avatar
155 months ago
Many games have ridiculous in app purchases. Its ludicrous to charge tens of pounds/dollars for a few extra coins.
Score: 29 Votes (Like | Disagree)
johnparjr Avatar
155 months ago
Yeah free advertisement for hack sites
Score: 29 Votes (Like | Disagree)
HarryKeogh Avatar
155 months ago
Thank goodness! Paying a whole $0.99 for a quality app and supporting developers and not being a dirtbag crook was just killing me!
Score: 28 Votes (Like | Disagree)