Apple is investigating an in-app purchasing system that bypasses Apple's own processing system, allowing users to buy digital goods without paying for them.
At the end of last week, 9To5Mac reported that it had received "some disturbing tips" that a Russian developer published a method to make in-app purchases from iOS apps for free. The site claims the in-app proxy method allowed users to directly install the in-app content for free even without jail-breaking the device. The method seems to work on devices running iOS from 3.0 to 6.0.
Apple has now responded. "The security of the App Store is incredibly important to us and the developer community," Apple representative Natalie Harrison told The Loop. "We take reports of fraudulent activity very seriously and we are investigating."
According to reports, the hack seems to come from Russian developer Alexey V Borodin, who published a video that is no longer available on YouTube "due to a copyright claim by Apple". The method was first noticed on Russian blog I-ekb.ru and reported by 9To5Mac.
In the video, the developer explains the technique for hacking the in-app purchasing system, which involves three steps: installing the CA certificate, installing the in.appstore.com certificate, and then changing the DNS record in Wi-Fi settings.
According to The Next Web (TNW), Borodin claimed that more than 30,000 in-app purchases have been made via his service. "Affected developers as well as Apple face a loss in profits if the exploit remains in use from would-be spenders," explains CNET. "Developers get 70 percent of the revenue from purchases made inside their apps, while Apple gets the other 30 percent," it adds.
According to TNW, one solution for this could be for the tech giant to modify its API for in-app purchases. Another solution would be updating the API used for in-app purchases. "The fact is, this would be easy for Apple to solve by providing a method for developers to validate IAP receipts using what's called a 'shared secret,' that is, a piece of information known to both Apple and the developer that is not exchanged as part of the validation process," said developer Marco Tabini.
"Coupled with another technique called 'salting', in which each communication is digitally signed in a time-sensitive way, this would make it much harder for someone to subvert the IAP process using a man-in-the-middle attack," Tabini adds.
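
The shared-secret, time-sensitive validation Tabini describes can be sketched as follows. This is an added example, not code from the article and not Apple's API: it uses an HMAC-SHA256 over the verdict, a per-request nonce and a timestamp, and the function names, field names and 30-second window are assumptions.

```python
import hashlib
import hmac
import json
import secrets
import time

MAX_AGE_SECONDS = 30  # assumed freshness window for a signed verdict


def new_nonce() -> str:
    """Developer side: fresh random value sent with each validation request."""
    return secrets.token_hex(16)


def _mac(secret: bytes, body: bytes) -> bytes:
    return hmac.new(secret, body, hashlib.sha256).hexdigest().encode()


def sign_response(secret, receipt_id, status, nonce, now=None):
    """Validation service side: bind verdict, receipt, nonce and time under the secret."""
    payload = {"receipt_id": receipt_id, "status": status, "nonce": nonce,
               "ts": int(time.time() if now is None else now)}
    body = json.dumps(payload, sort_keys=True, separators=(",", ":"))
    return {"body": body, "mac": _mac(secret, body.encode()).decode()}


def verify_response(secret, response, receipt_id, nonce, now=None):
    """Developer side: return (accepted, reason). The secret itself never travels."""
    body = str(response.get("body", "")).encode()
    mac = str(response.get("mac", "")).encode()
    # Check the MAC before parsing; constant-time compare avoids a timing oracle.
    if not hmac.compare_digest(_mac(secret, body), mac):
        return False, "bad-mac"  # sender does not hold the shared secret
    payload = json.loads(body)
    now = time.time() if now is None else now
    if payload["receipt_id"] != receipt_id:
        return False, "wrong-receipt"
    if payload["nonce"] != nonce:
        return False, "wrong-nonce"  # verdict replayed from another request
    if abs(now - payload["ts"]) > MAX_AGE_SECONDS:
        return False, "stale"
    if payload["status"] != "valid":
        return False, "not-purchased"
    return True, "ok"


if __name__ == "__main__":
    secret = b"constructed-demo-secret"  # constructed sample value
    n = new_nonce()
    print(verify_response(secret, sign_response(secret, "r-1001", "valid", n), "r-1001", n))
```

A response produced by an intermediary that installed its own certificate and redirected DNS still fails the MAC check, because trust rests on the secret rather than on the TLS endpoint.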