Printed from http://www.macnn.com

Apple provides details, fixes on in-app purchase hack

updated 09:30 pm EDT, Fri July 20, 2012

Week-old hack allows theft of 'downloadable content' for apps

In the wake of the revelation of the recent App Store in-app purchase hack, Apple has published a document for developers on how to protect applications from purchase fraud. The document addresses three common questions about the security process, as well as providing APIs to eliminate the flaws that allowed the hack to function. Additionally, in the same document, Apple said iOS 6 will completely rectify the issue.

If an application validates purchases through the developer's own server, Apple says it is not affected by the attack, provided the developer has followed best practices for receipt validation by having that server perform the validation against the App Store server; the app itself never connects to the App Store server directly.

If an app connects to the App Store server directly, Apple suggests that the developer change the app to connect to the developer's server, and have that server connect to the App Store server. If revising the code isn't possible, the developer should at least perform basic security checks, such as verifying that receipt IDs are unique and that the App Store SSL server certificate is an EV certificate.

Developers concerned about completed transactions are advised to revalidate receipts for consumable items, like in-game currency, assuming the developer has retained the receipts. Permanent items, known as nonconsumables, can be re-checked after a restore operation.
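The checks Apple recommends above (server-side validation, unique receipt IDs, the receipt belonging to this app and product) can be expressed as a small server-side ledger. The following is an added illustration, not code from Apple's document or from any shipping app; the sample responses are constructed to mimic the shape of the App Store's verifyReceipt JSON of the time, and the TLS call that the developer's server would make to obtain such a response is omitted.

```python
import json

# Constructed sample responses shaped like an App Store verifyReceipt reply
# (a "status" code plus a "receipt" dict); not captured from Apple's servers.
LEGIT = ('{"status": 0, "receipt": {"bid": "com.example.game", '
         '"product_id": "com.example.game.coins100", '
         '"transaction_id": "1000000055555555", "quantity": "1"}}')
REPLAY = LEGIT  # the same receipt presented a second time
FOREIGN = ('{"status": 0, "receipt": {"bid": "com.other.app", '
           '"product_id": "com.other.app.item", '
           '"transaction_id": "1000000066666666", "quantity": "1"}}')


class ReceiptLedger:
    """Server-side record of transaction IDs already credited to users.

    Kept on the developer's server, never in the app, so a replayed or
    canned receipt cannot be used to unlock content twice.
    """

    def __init__(self):
        self._seen = set()

    def validate(self, response_json, expected_bid, expected_products):
        """Return (ok, reason); content is granted only when ok is True."""
        try:
            resp = json.loads(response_json)
        except ValueError:
            return False, "unparseable response"
        if resp.get("status") != 0:
            return False, "store rejected receipt (status %r)" % resp.get("status")
        r = resp.get("receipt") or {}
        if r.get("bid") != expected_bid:        # receipt issued for another app
            return False, "receipt belongs to another app"
        if r.get("product_id") not in expected_products:
            return False, "unknown product"
        tid = r.get("transaction_id")
        if not tid:
            return False, "missing transaction id"
        if tid in self._seen:                   # unique-ID check from the text
            return False, "replayed transaction id"
        self._seen.add(tid)
        return True, "ok"


if __name__ == "__main__":
    ledger = ReceiptLedger()
    products = {"com.example.game.coins100"}
    for sample in (LEGIT, REPLAY, FOREIGN):
        print(ledger.validate(sample, "com.example.game", products))
```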

While non-public APIs are generally not allowed in iOS applications, Apple has made a one-time exception for fixes to prevent the hack from functioning. A four-step process including two additional files has been provided to close the back door the hackers used to allow free in-app purchases.

First publicized a week ago, the hack required users to hand over their iTunes account information to the Russian hacker organization, making it a risky venture. Today's update to the developer community is the first fix for the problem. Earlier iOS 6 betas were susceptible to the hack, so a future build of the beta now underway is likely to be the first place users see the fix in practice.

by MacNN Staff


Comments

  1. testudo

    Forum Regular

    Joined: 08-06-01

    Originally Posted by NewsPoster

    Additionally, in the same document, Apple said iOS 6 will completely rectify the issue.



    Well that's nice. Of course, not everyone will upgrade, and so that'll leave it up to all developers to basically have to fix their software (because we can't get Apple to fix their current OS, I guess).

    If an app connects to the App Store server directly, Apple suggests that the developer change to having the app connect to the developer's server and have that server connect to the App Store server.

    Oh, this is rich. Apple first insists ALL developers use Apple's store to perform all in-app transactions. But then the developer still needs to have their own server in which all transactions are run through.

    Um, why not just let the developer handle the transaction themselves, then? Oh, right, because Apple wants their cut of the pie. Can't have people making money if Apple can't get part of the action!


    And I'm glad to see Apple following really secure principles, like making sure the connection is to their secure server, or actually encrypting credentials before transmitting them. You know, crazy stuff.

  2. Spheric Harlot

    Clinically Insane

    Joined: 11-07-99

    Originally Posted by testudo

    Originally Posted by NewsPoster

    Additionally, in the same document, Apple said iOS 6 will completely rectify the issue.

    Well that's nice. Of course, not everyone will upgrade, and so that'll leave it up to all developers to basically have to fix their software (because we can't get Apple to fix their current OS, I guess).

    iOS upgrade rates are notoriously fast.

    So whatever small percentage of users remains on previous OS versions will have to then a) WANT to cheat the system, and then b) FIND a proxy server that will still perform this hack, and then c) be prepared to send their account details through that server.

    This whole thing was more of a proof-of-concept than a real danger.

    It needs to be fixed, but I doubt developers are *really* losing sleep over it.

    Originally Posted by testudo

    Um, why not just let the developer handle the transaction themselves, then? Oh, right, because Apple wants their cut of the pie. Can't have people making money if Apple can't get part of the action!


    You fail to realize that the 30% cut Apple takes in exchange for dealing with international distribution, payment, sales tax, book-keeping, and local laws and regulations, is actually a DAMN GOOD DEAL, especially for smaller developers.
