Hacker Exploits a Loophole to Score Free App Goodies
Jul 14, 2012 5:00 AM PT
A Russian hacker has worked out a way to make in-app purchases from iOS apps without paying.
The hacker, who goes by the handle "ZonD," has set up a website explaining the exploit and has urged Apple to contact him.
ZonD asks visitors to his site to donate money through PayPal and other means.
This "could seriously impact revenues" of app developers who offer in-app purchases if it becomes widely adopted, Chad Taylor, cofounder of Thrillcall, told MacNewsWorld. However, "the likelihood of that happening before Apple addresses it is low."
Addressing the problem "is beyond app developers' reach," Sam Abadir, appMobi's chief technology officer and chairman, told MacNewsWorld "This is inside the Apple e-commerce world." He also expects Apple to resolve the problem before it's around "long enough to cause any changes to any app developer's income."
Apple did not respond to our request for comment.
Enabling ZonD's so-called In-Appstore trick requires the user to install two security certificates and change the domain name system (DNS) record of the mobile device to WiFi settings.
In-Appstore works only when WiFi connections are used.
The certificate authority (CA) certificate must be installed first, followed by the In-Appstore.com, certificate in that order. The certificates won't have to be reinstalled the next time the user accesses the service.
The user then has to remove all data from the iDevice's DNS field and set the DNS server to this address: 126.96.36.199.
Next, the user goes to an app and "buys" items offered in it for free. If the default app store prompt asking whether the user wants to purchase the item comes up, the user has to get out and setup the In-Appstore service again.
Once the user has downloaded the item "purchased," the DNS record should be restored to its original setting.
Some of Your Data Now Belong to Us
In-Appstore retains certain data when used, including the restriction level of the app accessed, the app's ID, the app version ID, the mobile device's globally unique identifier (GUID), the number of in-app items downloaded, the offer name of the in-app purchase, the language used by the purchaser, the user's location, and the application's identifier and version.
ZonD reminds users that In-Appstore is usable only for legally purchased applications and claims his service is only offered as a demonstration.
Of Right and Wrong
ZonD is "definitely violating" Apple's terms of service, appMobi's Abadir said. Further, "you aren't allowed to muck around with certificates because they are definitely related to security and authentication." If a user violates iOS to obtain digital goods without paying for them, that would be considered theft, "although some countries have no concept of digital goods being stolen."
It's possible the digital cert could be spoofed because "all digital cert systems can be exploited given enough processing time and power," Abadir remarked.
"This is another gut check for end users," Thrillcall's Taylor stated. "Sure, it's easy to steal content, but is it the right thing to do?"
Apple apparently has not contacted app devs yet, appMobi's Abadir said. However, "it's unlikely that this exploit will be in existence long enough to cause any change to any app developer's income. Apple will plug it and we'll move on."
Apple should handle the problem itself, Thrillcall's Taylor contended. "For the sake of the community, my hope is that Apple can address this systematically without telling each developer with in-app purchases that the solution is simply to validate all receipts, because this would require new versions. [That] takes time and doesn't stop the issue for users who don't upgrade."
The flaw could point to a larger security hole in iOS that might be exploited, but it's unlikely, Abadir suggested. "Billions are being spent on the Apple App store, so it's the most appealing target for bad guys to try to exploit. It's probably surprising that there haven't been more hacks like this, and it's a credit to Apple."