Apple’s fight against Russian hacker Alex Borodin, who took advantage of an in-app purchasing exploit to provide users with paid content for free, has paid off. The Cupertino company has developed a fix that will make its debut in iOS 6 and that, according to Borodin, is almost impossible to bypass.
Borodin’s exploit made it incredibly easy for anyone with an iOS device to obtain paid in-app purchases for free, simply by using his servers to bypass the receipt system Apple has in place for developers.
Apple has already taken some steps to prevent the hack, such as having Borodin’s servers shut down and banning his IP addresses. The company also gave developers access to certain parts of its APIs — which they don’t usually have access to — so that they could implement an immediate fix.
In iOS 6, however, Apple will finally put an end to this game of cat-and-mouse.
In a post on his blog, Borodin confirms there is “no way to bypass updated APIs,” and he admits that “the game is over.” He also insists that his hack has led to “updated security in iOS.”
Apple’s fix will roll out with iOS 6, so it’s up to developers to make the necessary changes to block Borodin’s hack until then. Borodin says he will keep the service going to take advantage of those apps that aren’t updated, but he will be closing it when iOS 6 is released later this year.
It’s in developers’ interests to make their own fixes as soon as possible, of course — because until they do, users are able to obtain their in-app content for free. And there are a lot of users who are willing to do this, too. According to Borodin’s stats, 8,460,017 free purchase transactions had been processed by last week.
As for his Mac OS X hack, which does almost exactly the same thing, Borodin says he will keep that going. Although he is still awaiting Apple’s reaction to this exploit, he says “we have some cards in the hand,” and that “it’s good that OS X is open.”