In-app purchases flaw exposes developers to costly hacks


Developers need to check their in-app purchase code.
Photo: PhotoAtelier/Flickr

Sloppy coding in some popular iOS games allows hackers to give themselves and others thousands of dollars’ worth of in-app purchases for free.

The hole was discovered by developers at DigiDNA, creator of a backup tool called iMazing that allows iPhone and iPad users to access their devices’ hidden file systems. The developers found that the app backup/restore feature in iMazing 1.3 exposes weaknesses in the way games like Angry Birds 2 and Tetris Free handle in-app purchases.

To demonstrate how easy it is to hack in-app purchases using this method, the DigiDNA team tweaked Angry Birds 2 to start the game with 999,999,999 gems — the equivalent of $10,000 of in-game credits.

AirDrop vulnerability is the best reason yet to upgrade to iOS 9


AirDrop has a serious problem.
Photo: Apple

Hackers have just given iPhone and iPad users a big reason to upgrade to iOS 9, due out later today: it fixes a serious AirDrop security vulnerability.

Mark Dowd, an Australian security researcher with Azimuth Security, revealed this morning that iOS 8.4.1 contains a critical security flaw in AirDrop that could allow an attacker to install malware on any device within range. Worst of all, even if a victim tried to reject the incoming AirDrop file, the bug lets attackers tweak the iOS settings so the exploit will still work.

Apple confirms iMessage bug is crashing iPhones

Unicode of Death 2015
Evan likes to send malicious Unicode to co-workers.
Screen: Evan Killham/Cult of Mac

Apple has confirmed the existence of the “Unicode of Death” security exploit in iMessages.

“We are aware of an iMessage issue caused by a specific series of unicode characters and we will make a fix available in a software update,” an Apple rep said today in an e-mail to Reuters.

Apple is working on fix for newly discovered ‘FREAK’ security bug


The Freak bug went unnoticed for over a decade. Photo: Jim Merithew/Cult of Mac

A newly discovered security bug has secretly left Safari users on both iOS and OS X vulnerable to attacks on hundreds of thousands of websites for years.

The ‘FREAK’ security flaw was exposed today by a group of nine researchers who discovered web browsers could be forced to use an intentionally-weakened form of encryption. FREAK affects iPhones, Macs, and Android browsers, but Apple’s spokesman says the company will release a fix next week.

Crazy calendar bug in iOS 8 is driving people nuts


After four months, Apple has yet to fix a bad calendar bug in iOS 8.

A weird bug in iOS 8’s Calendar app has been making people pull their hair out for months. When adding events using either a Google or Microsoft Exchange server, the time zone is randomly synced to Greenwich Mean Time.

Complaints started surfacing around iOS 8’s release last September, and the issue still persists.