Hacker Releases Tools for Bypassing Apple's In App Purchase Mechanism [Updated]

As noted by 9to5Mac, a Russian hacker has developed a relatively simple method to allow users to bypass Apple's In App Purchase mechanism on many iOS apps, allowing users to obtain the content for free.


Alternate In App Purchase confirmation button seen on hacked devices

The method, which does not require jailbreaking, involves installing a pair of certificates on the user's device and then using a custom DNS entry. Users can then perform in-app purchases as usual and automatically be redirected through the hacked system.


Aside from the obvious impact that the hack involves theft of content from developers, the method also poses risks to those using the hack, as some of their own information is transmitted to the hacker's servers during the purchasing process. For both of those reasons, users are strongly advised not to pursue the method.

The hacker has already been evicted from his original host and had reportedly moved to a new one, but the site is currently down. It is unclear whether it is down simply due to high traffic or if other steps are being taken to hinder his activities.

Developers can prevent the hack from working with their apps by implementing validation of In App Purchase receipts, something many developers have not included in their apps.

Update: The Next Web takes a closer look at the method developed by Alexey Borodin, which actually can not be prevented simply by employing receipt validation.

All Borodin’s service needs is a single donated receipt, which it can then use to authenticate anyone’s purchase requests. Many of those receipts have been donated by Borodin himself, who has spent several hundred dollars on in-app purchases testing and generating receipts. [...]

Because the bypass emulates the receipt verification server on the App Store, the app treats it as an official communication, period.

Addressing the issue will ultimately require changes by Apple, which could enhance the API used for In App Purchases to provide for uniquely signed receipts that could not be duplicated on a mass basis as with Borodin's service.

The Next Web also interviewed Borodin, who noted that he has turned over operation of the site to a third party in order to avoid trouble and will be deleting any information he obtained from running the operation. According to Borodin, over 30,000 in-app transactions were made through his service, and he netted just $6.78 in PayPal donations to help with his costs.

Update 2: Macworld also chatted with Borodin, who noted that he can indeed see users' App Store account names and passwords, as they are transmitted in clear text as part of the In App Purchase process.

“I can see the Apple ID and password,” for accounts that try the hack, Borodin told Macworld. “But not the credit card information.” Borodin said that he was “shocked” that passwords were passed in plain text and not encrypted.

According to [developer Marco] Tabini, though, “Apple presumes it’s talking to its own server with a valid security certificate.” But that was clearly a mistake—“This is entirely Apple’s fault,” Tabini added.

Update 3: Apple has issued a brief statement to The Loop acknowledging that it is aware of and investigating the issue.

“The security of the App Store is incredibly important to us and the developer community, Natalie Harrison, told The Loop. “We take reports of fraudulent activity very seriously and we are investigating.”

Top Rated Comments

(View all)
Avatar
103 months ago
Why would you report this on the front page? If it were in the forums it would have been closed instantly.
Score: 65 Votes (Like | Disagree)
Avatar
103 months ago
This button looks scary
Score: 63 Votes (Like | Disagree)
Avatar
103 months ago

Yeah free advertisement for hack sites

I agree. Macrumors ought to report this news as it is of relevance to both users of iOS and app developers, but effectively linking to the site on multiple ocassions is just wrong. The lack of sensitivity in this post is astounding.
Score: 34 Votes (Like | Disagree)
Avatar
103 months ago
Many games have ridiculous in app purchases. Its ludicrous to charge tens of pounds/dollars for a few extra coins.
Score: 29 Votes (Like | Disagree)
Avatar
103 months ago
Yeah free advertisement for hack sites
Score: 29 Votes (Like | Disagree)
Avatar
103 months ago
Thank goodness! Paying a whole $0.99 for a quality app and supporting developers and not being a dirtbag crook was just killing me!
Score: 28 Votes (Like | Disagree)

Top Stories

Leaker: Apple to Stick With Lightning Over USB-C for 'iPhone 12' Before Going Port-Less Next Year

Tuesday May 26, 2020 2:31 am PDT by
Apple will use a Lightning port instead of USB-C in the upcoming "iPhone 12," but it will be the last major series of Apple's flagship phones to do so, with models set to combine wireless charging and a port-less Smart Connector system for data transfer and syncing in the iPhone "13 series" next year. The above claim comes from occasional Apple leaker and Twitter user "Fudge" (@choco_bit),...

Apple Releases macOS Catalina 10.15.5 With Battery Health Management Features, Fix for Finder Freezing

Tuesday May 26, 2020 1:59 pm PDT by
Apple today released macOS Catalina 10.15.5, the fifth update to the macOS Catalina operating system that was released in October 2019. macOS Catalina 10.15.5 comes two months after the launch of macOS Catalina 10.15.4, which introduced Screen Time Communication Limits. macOS Catalina 10.15.5 is a free update that can be downloaded from the Mac App Store using the Update feature in the...

16-Inch MacBook Pro, iPad Pro, and iMac Pro With Mini-LED Displays Again Rumored to Launch in 2021

Tuesday May 26, 2020 5:30 am PDT by
Apple plans to release several higher-end devices with Mini-LED displays in 2021, including a new 12.9-inch iPad Pro in the first quarter, a new 16-inch MacBook Pro in the second quarter, and a new 27-inch iMac in the second half of the year, according to Jeff Pu, an analyst at Chinese research firm GF Securities. This timeframe lines up with one shared by analyst Ming-Chi Kuo, who recently...

Leaker Shares Details on 'iPhone 13' Camera

Wednesday May 27, 2020 4:27 pm PDT by
The next-generation iPhone 12 lineup coming in fall 2020 isn't out yet, but Fudge (@choco_bit), a leaker who sometimes shares information on upcoming Apple devices, today offered up details on what Apple has in store for the 2021 iPhone 13's camera setup. A simple design drawing depicts a device with a four camera array, which Fudge claims will have the following features: 64-megapixel...

Jailbreak Tool 'unc0ver' 5.0 Released With iOS 13.5 Compatibility

Sunday May 24, 2020 3:06 pm PDT by
The team behind the "unc0ver" jailbreaking tool for iOS has released version 5.0.0 of its software that claims to have the ability to jailbreak "every signed iOS version on every device" using a zero-day kernel vulnerability by Pwn20wnd, a renowned iOS hacker. The announcement comes just days after it was announced that the tool would soon launch. The unc0ver website highlights how the tool...

Apple Making It Harder to Avoid Nagging macOS Update Notifications

Thursday May 28, 2020 8:13 am PDT by
With the release of macOS Catalina 10.15.5 and related security updates for macOS Mojave and High Sierra earlier this week, Apple is making it more difficult for users to ignore available software updates and remain on their current operating system versions. Included in the release notes for macOS Catalina 10.15.5 is the following:- Major new releases of macOS are no longer hidden when...

HBO Max Now Available on Apple TV and iOS Devices

Wednesday May 27, 2020 2:42 am PDT by
HBO Max launched today, and is now available on Apple TV, iPhone, and iPad. WarnerMedia's new streaming service, which replaces HBO Now, combines HBO content with shows and films from Warner Bros and Turner TV. The service is available as a native app on the ‌Apple TV‌ HD and ‌Apple TV‌ 4K, but second and third-generation ‌Apple TV‌ owners will need to AirPlay HBO Max content...

First App Using Apple and Google's Exposure Notification API Launches in Switzerland

Tuesday May 26, 2020 3:02 pm PDT by
The first app that takes advantage of the Exposure Notification API developed by Apple and Google has launched in Switzerland, according to a report from the BBC. A team of app developers working on contact tracing app called SwissCovid have rolled out the app in a beta capacity for members of the Swiss army, hospital workers, and civil servants. After the app is tested and approved by MPs,...

Anker Launches $100 24K Gold-Plated USB-C to Lightning Cable

Wednesday May 27, 2020 12:47 pm PDT by
Anker, a brand normally known for its well-made, affordable accessories for Apple devices, has debuted a new $100 24K gold-plated USB-C to Lightning cable. According to Anker, the cable, which is in the PowerLine+ III family, features a "Special Edition Gold Design" that's "bold yet elegant" with the aforementioned gold-plated cable heads and matching braided gold and black cable. The...

Apple Reissuing Numerous iOS App Updates, Potentially Related to Recent 'This App is No Longer Shared' Bug

Sunday May 24, 2020 9:13 pm PDT by
Over the past few hours, a number of MacRumors readers have reported seeing dozens or even hundreds of pending app updates showing in the App Store on their iOS devices, including for many apps that were already recently updated by the users. In many cases, the dates listed on these new app updates extend back as far as ten days. Apple has not shared any information as to why updates for...