updated 09:30 pm EDT, Fri July 20, 2012
Week-old hack allows theft of 'downloadable content' for apps
In the wake of the revelation of the recent App Store in-app purchase hack, Apple has published a document for developers on how to protect applications from purchase fraud. The document addresses three common questions about the security process, as well as providing APIs to eliminate the flaws that allowed the hack to function. Additionally, in the same document, Apple said iOS 6 will completely rectify the issue.
If a developer's application performs validation by connecting to the developer's own server, Apple says the app is not affected by the attack, provided the developer has followed best practices for receipt validation by having that server perform the validation with the App Store server; the app itself never connects to the App Store server directly.
If an app connects to the App Store server directly, Apple suggests that the developer change the app to connect to the developer's server and have that server connect to the App Store server. If code revision isn't possible, basic security checks are recommended, such as verifying that receipt IDs are unique and that the App Store SSL server certificate is an EV certificate.
Developers concerned about completed transactions are advised to revalidate receipts for consumable items, like in-game currency, assuming the developer has retained the receipts. Permanent items, known as nonconsumables, can be re-checked after a restore operation.
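As an added example that is not from Apple's document or this article, the following Python sketches the server-side decision a developer's server makes after forwarding an app's receipt to Apple: accept only receipts Apple reports as valid, for this app and one of its products, and with a transaction ID that has not been redeemed before (the uniqueness check above). The response field names (status, receipt.bid, receipt.product_id, receipt.transaction_id) and the sample response are assumptions constructed for the example.

```python
import json

# Constructed sample of what a developer's server might get back after
# forwarding an app's receipt to Apple's verification endpoint. The field
# names are an assumption about the response shape, not something the
# article specifies.
SAMPLE_RESPONSE = json.dumps({
    "status": 0,
    "receipt": {
        "bid": "com.example.game",
        "product_id": "com.example.game.coins100",
        "transaction_id": "1000000012345678",
    },
})


class ReceiptValidator:
    """Checks a receipt before granting content: Apple says it is valid
    (status 0), it belongs to this app and to a product the app sells, and
    its transaction ID has not been redeemed before, since a replayed
    receipt is how a faked purchase would otherwise be accepted."""

    def __init__(self, bundle_id, product_ids):
        self.bundle_id = bundle_id
        self.product_ids = set(product_ids)
        self.seen_transactions = set()  # persist in a database in practice

    def validate(self, apple_response_json):
        """Return (granted, reason) for one verification response."""
        try:
            data = json.loads(apple_response_json)
        except ValueError:
            return False, "malformed response"
        if data.get("status") != 0:
            return False, "App Store reports invalid receipt (status %r)" % data.get("status")
        receipt = data.get("receipt") or {}
        if receipt.get("bid") != self.bundle_id:
            return False, "receipt is for a different app"
        if receipt.get("product_id") not in self.product_ids:
            return False, "unknown product"
        tid = receipt.get("transaction_id")
        if not tid:
            return False, "missing transaction id"
        if tid in self.seen_transactions:
            return False, "transaction already redeemed (replay)"
        self.seen_transactions.add(tid)
        return True, "ok"
```

The EV-certificate check the article mentions belongs to the TLS connection between the server and the App Store and is not part of this logic.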
While non-public APIs are generally not allowed in iOS applications, Apple has made a one-time exception for fixes to prevent the hack from functioning. A four-step process including two additional files has been provided to close the back door the hackers used to allow free in-app purchases.
First publicized a week ago, the hack required that users hand over iTunes account information to the Russian hacker organization, making it a risky venture. Today's update to the developer community is the first fix for the problem. Prior beta versions of iOS 6 were susceptible to the hack, so a future version of the ongoing beta is likely to be the first place the fix appears at the user level.