In-app purchases flaw exposes developers to costly hacks


Developers need to check their in-app purchase code.
Developers need to check their in-app purchase code.
Photo: PhotoAtelier/Flickr

Sloppy coding in some popular iOS games allows hackers to give themselves and others thousands of dollars’ worth of in-app purchases for free.

The hole was discovered by developers at DigiDNA, creator of a backup tool called iMazing that allows iPhone and iPad users to access their devices’ hidden file systems. The developers found that the app backup/restore feature in iMazing 1.3 exposes weaknesses in the way games like Angry Birds 2 and Tetris Free handle in-app purchases.

To demonstrate how easy it is to hack in-app purchases using this method, the DigiDNA team tweaked Angry Birds 2 to start the game with 999,999,999 gems — the equivalent of $10,000 of in-game credits.

Rovio’s Angry Birds 2 is free to download, but to advance, gamers have to pay-to-play using so-called “in-app purchases.” The game was downloaded more than 20 million times in the first week.

This flaw could deprive developers of the in-game upgrades that generate revenue after initial downloads. Apple paid developers more than $10 billion in 2014, making the so-called app economy bigger than Hollywood.

In-app purchases are a favored business model of app makers. Lots of apps are free to download, but require in-app purchases to unlock features, advance to the next level or remove ads. It’s especially popular in gaming. The loss of in-app purchases theoretically could cost devs tons of money if they don’t secure their code.

“Many other apps are vulnerable,” said Jérôme Bédat, co-owner of DigiDNA, which discovered the weakness.

This is what $10,000 worth of Angry Birds gems looks like
This is what $10,000 in Angry Birds 2 gems looks like.
Photo: iMazing

The hack comes on the back of the XcodeGhost revelations, which revealed that dozens of apps have been tainted with malware, including — unfortunately for Rovio — the Chinese version of Angry Birds 2.

The flaw was discovered by Gregorio Zanon, co-owner of DigiDNA, while he was testing a new version of the iMazing backup tool. He found that backups of popular games like Angry Birds 2 and Tetris Free could be transfered from one Apple ID to another, including any in-app purchases.

Zanon tested five apps which rely on IAPs (Angry Birds 2, Temple Run 2, Tetris Free, Candy Crush and Clash of Clans) and posted the results on DigiDNA’s blog.

Don’t blame Apple for this vulnerability

DigiDNA said the vulnerability isn’t Apple’s fault. The problem is what Zanon called “lazy coding” by app developers. Makers of the compromised apps simply haven’t followed Apple’s recommendation to exclude purchased items from backups. Instead, the affected apps store purchased items in the app’s sandbox, which is accessible in a backup.

The in-app purchase weakness previously could be exploited by editing and restoring an iOS backup containing the hacked data. Full restores like that are time-consuming, though, which is probably why a lot of people never took advantage of the flaws. With new backup tools like iMazing, which remove the friction of a full backup, users can export their hacked in-app purchases easily and share them.

All a user must do to get the “free” in-app purchase on his or her device is open up iMazing and restore the app file to their device, which barely takes a minute. The vulnerability doesn’t allow hackers to manipulate the app’s code itself, but it does make it very easy to get the purchases on your device from someone else.

Apps can be vulnerable in two ways: Transferable purchases and tweakable in-game currency. The latter is the worst-case scenario, allowing in-game currency to be manipulated to incredibly high levels by editing unencrypted files in a backup. Users can then create a backup of the app and share the patches online (in the form of .imazingapp files).

“One user can purchase IAPs and diffuse the app state to an infinite number of other users,” Zanon said. “One buys, many enjoy.”

An Apple representative contacted by Cult of Mac about the vulnerability declined to comment. Rovio and Electronic Arts haven’t yet responded to requests for comment.

Zanon and his colleagues only tested a handful of apps, but found that about half were vulnerable. They think the problem is widespread and that thousands of apps could potentially be vulnerable to the flaw.

“Our position is perfectly clear,” Zanon said. “We do not want our users to hack IAPs. We simply stumbled upon developer laziness, and go public mainly because we do not want iMazing to be associated with hacks. If we don’t speak out, the news may get out eventually and hurt our reputation. In short, we’re thrilled to be the first software to enable app backup/restore on iOS 9, but would hate to see this cool feature associated with pirates.”

Zanon and Bédat strongly urged developers to review their code for handling in-app purchases.

“Patching weak code should only take developers a few hours,” Bédat said.

  • Craig

    I wonder how many people are downloading iMazing right now to try and tweak their Angry Birds?

    Maybe these guys are not a nice as they seem. Would be pretty cool to get a tech blog to post a story about your app that encourages downloads.

    And maybe, just maybe, CultofMac should not publish exactly how to hack games.

    • Gregorio Zanon

      iMazing devs here.

      Please consider the dilemna we faced:

      A) Say nothing and eventually people will figure it out, and iMazing will become known as a hacking tool.

      B) Go public, and risk looking disingenuous.

      We detail our reasons quite precisely in our blog post on the subject. Now of course, we are proud of our new feature, but if devs don’t patch their faulty code, it may simply be quickly killed by Apple.

      It should also be noted that we took active steps to prevent tampering with .imazingapp files. Downloading iMazing does NOT allow hacking games out of the box.

      • nwcs

        Overall, I vote for the way you approached it. Not just for your company’s image but the programming community as a whole. Whether the Jenner/Kardashian app “hacks” which are the result of lazy API development or this there’s too much rush-rush in development without thinking through the implications of API decisions. Some of it is inexperienced developers, some are bad corporate decisions.

        Good luck on your app, guys!

  • Gregorio Zanon

    Thanks for sharing that post – very thorough and well written!

    As I’m sure you know, in iOS 8.3 and above direct access to application sandboxes has been restricted to the Documents folder of explicitly ‘File Sharing Enabled’ apps. The edits you describe in your post are simply not possible anymore.

    This may have lulled developers in a false sense of security: for example, Angry Birds 2 stores in-game currency in an unencrypted plist, much weaker protection than Angry Birds 1 which didn’t even have IAPs.

    We cannot possibly contact all affected developers – we’ve contacted Rovio, but obviously we can’t test all apps on the App Store nor contact all devs. What surprised us is that of the few apps we tested, the majority was vulnerable.

    We actually nerfed our app backup/restore feature to prevent hacks from being too easily accessible. Our .imazingapp format is encrypted: no edits are possible, but the backup from which app data is extracted could be edited beforehand with the help of quite a few 3rd party software.

    In your post, I haven’t see the keychain mentioned: it is the simplest way to store sensitive data, and does not require any infrastructure. The keychain may even be synched via iCloud without requiring any work from the developer. In my experience, it’s a day or two of work for an inexperienced developer, and a couple of hours max if you’ve ever worked with the keychain before.

    But in the end, as you mention, most users will purchase rather than go through the trouble of researching ways to game the system.