Apple has responded to news of the App Store in-app purchases hack, claiming that it is investigating.
Apple told The Loop: “The security of the App Store is incredibly important to us and the developer community. We take reports of fraudulent activity very seriously and we are investigating.”
It turns out crime doesn’t pay anyway. The Russian developer, who published the method of obtaining free in-app purchases (IAP), netted just $6.78 in PayPal donations, despite the fact that over 30,000 in-app transactions were made using his hack.
The people who really lose out are Apple's developers. The best advice to developers is to use their own mechanism to validate IAP receipts.
The hack, which lets iOS users trick the App Store into giving them in-app purchases for free, went public at the end of last week, potentially costing app makers revenue and causing Apple a major headache.
Alexey V Borodin of Russia built the in-app purchase hack, which requires several steps - including installing bogus certificates on users' devices, and using a specially-crafted DNS server. Those ingredients combine to fool apps into believing that they're communicating with the App Store, when they're actually going to a web server that pretends to the App Store instead.
The exploit works in part by faking - or "spoofing" - the code receipts that Apple issues for in-app purchases which developers use for validation, with the iOS device configured to mistakenly believe that those receipts are coming directly from Apple.