Apple's Beats brand in April unveiled the Powerbeats Pro, a redesigned wire-free version of its popular fitness-oriented Powerbeats earbuds.
Apple Now Including Unique Identifiers for In App Purchase Receipts to Combat Hack
Following last week's launch of a hack that allowed users to obtain In App Purchase content free of charge by routing their purchase requests through a server run by a Russian hacker, Apple began taking steps to thwart the method. The hacker has, however, continued to develop his method to skirt around Apple's roadblocks.
One of the suggestions for a method by which Apple could improve the security of In App Purchasing was to include a unique identifier in validation receipts, and we've received word that developers are now seeing something along those lines coming from receipts issued by Apple since late yesterday. The receipts carry a new field called "unique_identifer" that appears to include the Unique Device Identifier (UDID) for the device making the In App Purchase.
As one developer noted to us, apps are no longer supposed to be collecting the UDID and thus it is unclear whether Apple's use of the identifier for this purpose is simply a first step toward a broader implementation of unique receipt identifiers for increased security or if Apple is attempting to identify those users and devices who are sharing their receipts with the Russian hacker to allow the method to function.
[ 46 comments ]
Top Rated Comments
(View all)
88 months ago
Mulitple devices/replacement devices
How will this impact those of us that have an iPad and an iPhone? Will we be required to pay for the app 1 time, but the in-app stuff twice?? :confused::confused::confused:
How will this impact those of us that have an iPad and an iPhone? Will we be required to pay for the app 1 time, but the in-app stuff twice?? :confused::confused::confused:
88 months ago
Maybe a UK judge can require the hacker to include the text "this receipt is a copy of a legitimate and cool receipt" for the next 6 months on all receipts and on his website.
88 months ago
It's a shame that Apple even needs to do this. The world we live in today...
Yes. The world we live in today is almost unbearable. All these wars of opportunity complete with extrajudicial killings funded by casino capitalism. While a naive self-absorbed population frets endlessly about... pirated software? What a shame indeed.
88 months ago
As one developer noted to us, apps are no longer supposed to be collecting the UDID and thus it is unclear whether Apple's use of the identifier for this purpose is simply a first step toward a broader implementation of unique receipt identifiers for increased security or if Apple is attempting to identify those users and devices who are sharing their receipts with the Russian hacker to allow the method to function.
They might allow developers to use it to check if the purchase is valid. There's a huge difference between that and developers using it to track users and possibly logging these IDs on their own servers
88 months ago
I thought we won the cold war! But now Russia is crushing our corrupt capitalist country, just like they said they would!!! ;)
88 months ago
How will this impact those of us that have an iPad and an iPhone? Will we be required to pay for the app 1 time, but the in-app stuff twice?? :confused::confused::confused:
Not if they do it right. They can record the purchase with your account so a "restore purchases" event would trigger that your other devices get their own authorization to run the app. If done right it should create a serious hurdle for the hack.
I'd like to know if they have fixed the sending of the credentials in clear text. I am not sure if there was really a vulnerability here since the overall communication is encrypted according to the installed certificates on the device, but the hacker seemed surprised or disappointed that faking the certs gave him access to the credentials of any user exploiting his hack. I'm not sure if another layer of encryption would make sense here (i.e.: using a public key from Apple with Apple being the only holder of the private key -- then again, that public key would still have to be stored among the device certificates so I am not really seeing any additional layer of protection -- I am seeing that as being a good way to use the hack without exposing your credentials to the hacker's server).
88 months ago
That happened to me already - because the old system had sometimes setups where this wasn't tracked. In my opinion, in-App-purchases should be handled the same way App purchases are. Put it on the "purchased" list in the App store.
Agreed. I've never understood why this wasn't the case from day one.
88 months ago
The Next Web are reporting this is NOT the same as the UDID:
http://thenextweb.com/2012/07/18/apple-adds-uniqueidentifier-to-in-app-purchase-receipts-not-udid-may-be-related-to-recent-breach/
----------
If you can't run your validation server, check out these guys who seem to do it for free:
http://thenextweb.com/apple/2012/07/18/developers-beeblex-offers-super-secure-and-completely-free-in-app-purchase-validation-for-ios-apps/
The addition of the field was reported by Macrumors, but contrary to its article, it does not appear to contain a Unique Device Identifier (UDID), something that Apple has been instructing developers to move away from.
http://thenextweb.com/2012/07/18/apple-adds-uniqueidentifier-to-in-app-purchase-receipts-not-udid-may-be-related-to-recent-breach/
----------
As a developer, and one who is just starting to get into paid apps, I wish there were things Apple could implement to allow better control of piracy. I'm worried that my $50 app* would get pirated, or even my $0.99 ones. Setting up push servers is one thing (and expensive), but validation servers would be a pain as well.
* It's a medical database thing, thus sadly it's expensive, hopefully it'll have sales.
If you can't run your validation server, check out these guys who seem to do it for free:
http://thenextweb.com/apple/2012/07/18/developers-beeblex-offers-super-secure-and-completely-free-in-app-purchase-validation-for-ios-apps/
88 months ago
Yes. The world we live in today is almost unbearable. All these wars of opportunity complete with extrajudicial killings funded by casino capitalism. While a naive self-absorbed population frets endlessly about... pirated software? What a shame indeed.
There's a difference between fretting and having a conversation. :rolleyes:
[ Read All Comments ]
Last year, we shared a list of some of the best HomeKit products you can buy, which was quite popular with MacRumors readers, so we thought we'd follow it up.
In our 2019 HomeKit video,...
Amazon is discounting the 2019 AirPods with Charging Case to $139.99, down from $159.00. Apple just refreshed the AirPods last month with an updated H1 chip and "Hey Siri" support,...
As part of its ongoing effort to rebuild Apple Maps, Apple has added detailed terrain features to the U.S. states of Arizona and New Mexico as well as the southern portion of Nevada, including the...
Tik Tok, which was pulled from the App Store in India last week to comply with a government demand to block downloads over child safety concerns, is allowed to return to the App Store, reports...
Amazon is currently discounting the latest 13-inch MacBook Pro with Touch Bar to a new all-time-low price. Specifically, this is the 2.3 GHz Quad-Core Intel Core i5 model with 8GB RAM and a 512GB...
Over four years after debuting on Android, and following a significant redesign last year, Google Fit is now available on iOS.
The fitness tracking app can track workout sessions completed...
Following a flash sale on Easter, Best Buy has returned this week with a new 4-day sale that offers discounts on the MacBook Pro with Touch Bar, iPhone X, Beats products, iPhone cases, and more. The...
iPhone XR remained the best-selling iPhone model in the United States in the first quarter of 2019, as it was in the fourth quarter of 2018, according to a survey conducted by research firm CIRP and...
