It was recently discovered that a Russian hacker had been hijacking Apple’s iOS in-app purchasing system to score paid upgrades for free. The trick worked by redirecting an app’s receipt-validation request away from Apple’s servers to a proxy under the hacker’s control, which answered as though the purchase receipt were genuine.
While Apple has already attempted to combat this activity, today the company outlined a solution for developers to keep their in-app purchases safe from such an exploit. Apple has also confirmed that the issue will be fixed when iOS 6 ships to the public this fall.
In a new developer support document, Apple encourages developers to follow its best practices for validating receipts against its own App Store servers. An app that sends a receipt straight from the device and trusts whatever answer comes back, without confirming that it is really talking to Apple, is susceptible to the hack. Until iOS 6 ships, Apple is temporarily allowing developers to use certain private APIs so that in-app purchases can be verified securely.
The document begins with this message:
A vulnerability has been discovered in iOS 5.1 and earlier related to validating in-app purchase receipts by connecting to the App Store server directly from an iOS device. An attacker can alter the DNS table to redirect these requests to a server controlled by the attacker. Using a certificate authority controlled by the attacker and installed on the device by the user, the attacker can issue an SSL certificate that fraudulently identifies the attacker’s server as an App Store server. When this fraudulent server is asked to validate an invalid receipt, it responds as if the receipt were valid.
iOS 6 will address this vulnerability. If your app follows the best practices described below then it is not affected by this attack.
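The weakness Apple describes is that a fraudulent server can answer "valid" for any receipt it is handed. The added example below (written for this article, not Apple's code or any sample from its developer document) contrasts the naive check that trusts a `status` of 0 with a stricter validator of the kind a developer's own server would run: it compares the receipt Apple's endpoint echoes back against the bundle ID and product ID the app expected, and refuses a transaction ID that has already been redeemed. The field names `bid`, `product_id` and `transaction_id` follow the App Store verifyReceipt JSON of that era; the response bodies are constructed for the example, and the endpoint URL appears only as a reference since nothing here goes on the network. Making the TLS connection from a server you control, rather than from the device with its user-installed CA, is the other half of the defence and is outside this snippet.

```python
"""Receipt-validation checks for App Store verifyReceipt responses.

Added example, not Apple's code. The sample responses below are constructed;
the real endpoint (https://buy.itunes.apple.com/verifyReceipt) is never called.
"""
import json

VERIFY_RECEIPT_URL = "https://buy.itunes.apple.com/verifyReceipt"  # reference only

# Constructed: what Apple's server would plausibly return for a real purchase.
GENUINE_RESPONSE = json.dumps({
    "status": 0,
    "receipt": {
        "bid": "com.example.app",
        "product_id": "com.example.app.premium",
        "transaction_id": "1000000012345678",
        "quantity": "1",
    },
})

# Constructed: a fraudulent server's canned reply. It says status 0, but the
# receipt it echoes back belongs to some other app and product entirely.
ATTACKER_RESPONSE = json.dumps({
    "status": 0,
    "receipt": {
        "bid": "com.someone.else.app",
        "product_id": "com.someone.else.app.coins",
        "transaction_id": "1000000099999999",
        "quantity": "1",
    },
})

# Constructed: a smarter fake that copies the right bundle and product IDs,
# but can only ever replay a transaction ID it has seen before.
ATTACKER_RESPONSE_TAILORED = json.dumps({
    "status": 0,
    "receipt": {
        "bid": "com.example.app",
        "product_id": "com.example.app.premium",
        "transaction_id": "1000000012345678",
        "quantity": "1",
    },
})


def naive_is_valid(raw_json: str) -> bool:
    """The vulnerable pattern: unlock content as soon as the server says status 0."""
    try:
        return json.loads(raw_json).get("status") == 0
    except ValueError:
        return False


def strict_verify(raw_json: str, expected_bundle_id: str, expected_product_id: str,
                  seen_transaction_ids: set) -> tuple:
    """Return (ok, reason), accepting only a receipt that matches this purchase.

    seen_transaction_ids is the caller's persistent store of redeemed IDs; a
    successful verification adds the new ID to it so a replay fails next time.
    """
    try:
        data = json.loads(raw_json)
    except ValueError:
        return False, "response is not JSON"
    if not isinstance(data, dict) or data.get("status") != 0:
        return False, "status is not 0"
    receipt = data.get("receipt")
    if not isinstance(receipt, dict):
        return False, "no receipt object in response"
    # Apple echoes the receipt it validated; a canned reply for some other
    # app or product is caught here no matter what status it reports.
    if receipt.get("bid") != expected_bundle_id:
        return False, "bundle id mismatch"
    if receipt.get("product_id") != expected_product_id:
        return False, "product id mismatch"
    tid = receipt.get("transaction_id")
    if not tid:
        return False, "missing transaction id"
    if tid in seen_transaction_ids:
        return False, "transaction id already redeemed (replay)"
    seen_transaction_ids.add(tid)
    return True, "ok"


def demo() -> dict:
    """Run both validators over the constructed responses and collect the verdicts."""
    seen = set()
    bid, pid = "com.example.app", "com.example.app.premium"
    return {
        "naive_accepts_attacker": naive_is_valid(ATTACKER_RESPONSE),
        "strict_genuine": strict_verify(GENUINE_RESPONSE, bid, pid, seen),
        "strict_attacker": strict_verify(ATTACKER_RESPONSE, bid, pid, seen),
        "strict_tailored_replay": strict_verify(ATTACKER_RESPONSE_TAILORED, bid, pid, seen),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

The naive check accepts the attacker's reply outright; the strict one rejects the canned receipt on the bundle ID and rejects the tailored copy as a replay, because the genuine transaction was already redeemed. Note that the tailored fake would pass the first time if the attacker could guess an unused transaction ID, which is why these content checks complement, rather than replace, connecting to Apple from a host whose trust store the user cannot alter.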
Apple has also said the following in a statement to CNET:
We recommend developers follow best practices at developer.apple.com to help ensure they are not vulnerable to fraudulent In-App purchases. This will also be addressed with iOS 6.