In-App Purchase Vulnerability to Be Fixed in iOS 6; Apple Offers Best Practices to Developers
As noticed by 9to5Mac, Apple has offered developers a series of best practices to prevent the In-App Purchase vulnerability, as well as promising a full fix in iOS 6. The advisement was sent to developers in an email today.
![NewImage.png NewImage](https://images.macrumors.com/t/mbSkmSHadO9LLOfxYqbYtLZjmfc=/400x0/article-new/2012/07/NewImage18.png?lossy)
CNET was issued this statement by Apple:
"We recommend developers follow best practices at developer.apple.com to help ensure they are not vulnerable to fraudulent In-App purchases," Apple spokesperson Tom Neumayr told CNET. "This will also be addressed with iOS 6."
Apple issued this note to developers on the iOS Developer webpage, along with a series of suggestions to help verify that in-app purchases are legitimate:
A vulnerability has been discovered in iOS 5.1 and earlier related to validating in-app purchase receipts by connecting to the App Store server directly from an iOS device. An attacker can alter the DNS table to redirect these requests to a server controlled by the attacker. Using a certificate authority controlled by the attacker and installed on the device by the user, the attacker can issue a SSL certificate that fraudulently identifies the attacker’s server as an App Store server. When this fraudulent server is asked to validate an invalid receipt, it responds as if the receipt were valid.
News of the in-app purchase hack broke a week ago, and Apple has made several attempts to prevent users using the hack. It allows users to avoid paying for in-app purchases by using a third-party server as a "man-in-the-middle" attack. Apple now includes the UDID identifier in in-app purchase receipts in an attempt to increase the security of purchases.
Popular Stories
Following nearly two years of rumors about a fourth-generation iPhone SE, The Information today reported that Apple suppliers are finally planning to begin ramping up mass production of the device in October of this year. If accurate, that timeframe would mean that the next iPhone SE would not be announced alongside the iPhone 16 series in September, as expected. Instead, the report...
Key details about the overall specifications of the iPhone 17 lineup have been shared by the leaker known as "Ice Universe," clarifying several important aspects of next year's devices. Reports in recent months have converged in agreement that Apple will discontinue the "Plus" iPhone model in 2025 while introducing an all-new iPhone 17 "Slim" model as an even more high-end option sitting...
Apple supply chain analyst Ming-Chi Kuo today shared alleged specifications for a new ultra-thin iPhone 17 model rumored to launch next year. Kuo expects the device to be equipped with a 6.6-inch display with a current-size Dynamic Island, a standard A19 chip rather than an A19 Pro chip, a single rear camera, and an Apple-designed 5G chip. He also expects the device to have a...
Apple typically releases its new iPhone series around mid-September, which means we are about two months out from the launch of the iPhone 16. Like the iPhone 15 series, this year's lineup is expected to stick with four models – iPhone 16, iPhone 16 Plus, iPhone 16 Pro, and iPhone 16 Pro Max – although there are plenty of design differences and new features to take into account. To bring ...
Apple’s iCloud Private Relay service is down for some users, according to Apple’s System Status page. Apple says that the iCloud Private Relay service may be slow or unavailable. The outage started at 2:34 p.m. Eastern Time, but it does not appear to be affecting all iCloud users. Some impacted users are unable to browse the web without turning iCloud Private Relay off, while others are...