Sloppy coding in some popular iOS games allows hackers to give themselves and others thousands of dollars’ worth of in-app purchases for free.
The hole was discovered by developers at DigiDNA, creator of a backup tool called iMazing that allows iPhone and iPad users to access their devices’ hidden file systems. The developers found that the app backup/restore feature in iMazing 1.3 exposes weaknesses in the way games like Angry Birds 2 and Tetris Free handle in-app purchases.
To demonstrate how easy it is to hack in-app purchases using this method, the DigiDNA team tweaked Angry Birds 2 to start the game with 999,999,999 gems — the equivalent of $10,000 of in-game credits.
Rovio’s Angry Birds 2 is free to download, but to advance, gamers have to pay-to-play using so-called “in-app purchases.” The game was downloaded more than 20 million times in the first week.
This flaw could deprive developers of the in-game upgrades that generate revenue after initial downloads. Apple paid developers more than $10 billion in 2014, making the so-called app economy bigger than Hollywood.
In-app purchases are a favored business model of app makers. Lots of apps are free to download, but require in-app purchases to unlock features, advance to the next level or remove ads. It’s especially popular in gaming. The loss of in-app purchases theoretically could cost devs tons of money if they don’t secure their code.
“Many other apps are vulnerable,” said Jérôme Bédat, co-owner of DigiDNA, which discovered the weakness.
The hack comes on the back of the XcodeGhost revelations, which revealed that dozens of apps have been tainted with malware, including — unfortunately for Rovio — the Chinese version of Angry Birds 2.
The flaw was discovered by Gregorio Zanon, co-owner of DigiDNA, while he was testing a new version of the iMazing backup tool. He found that backups of popular games like Angry Birds 2 and Tetris Free could be transferred from one Apple ID to another, including any in-app purchases.
Zanon tested five apps which rely on IAPs (Angry Birds 2, Temple Run 2, Tetris Free, Candy Crush and Clash of Clans) and posted the results on DigiDNA’s blog.
Don’t blame Apple for this vulnerability
DigiDNA said the vulnerability isn’t Apple’s fault. The problem is what Zanon called “lazy coding” by app developers. Makers of the compromised apps simply haven’t followed Apple’s recommendation to exclude purchased items from backups. Instead, the affected apps store purchased items in the app’s sandbox, which is accessible in a backup.
The in-app purchase weakness previously could be exploited by editing and restoring an iOS backup containing the hacked data. Full restores like that are time-consuming, though, which is probably why a lot of people never took advantage of the flaws. With new backup tools like iMazing, which remove the friction of a full backup, users can export their hacked in-app purchases easily and share them.
All a user must do to get the “free” in-app purchase on his or her device is open up iMazing and restore the app file to their device, which barely takes a minute. The vulnerability doesn’t allow hackers to manipulate the app’s code itself, but it does make it very easy to get the purchases on your device from someone else.
Apps can be vulnerable in two ways: transferable purchases and tweakable in-game currency. The latter is the worst-case scenario, allowing in-game currency to be manipulated to incredibly high levels by editing unencrypted files in a backup. Users can then create a backup of the app and share the patches online (in the form of .imazingapp files).
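The two weaknesses above both come down to the same thing: the app keeps its purchase and currency state in an ordinary sandbox file that iTunes, iCloud and backup-based tools such as iMazing copy out and restore. The following Swift snippet is an added illustration, not code from the article or from any of the games it names, of the fix the article attributes to Apple's guidance: writing that state to a file and then flagging it with Foundation's `isExcludedFromBackup` resource value so it never lands in a backup. The file name, the JSON layout and the sample values are assumptions made for the example.

```swift
import Foundation

/// Holds the on-disk file that stores player progress (gems, unlocked content, ...).
/// Hypothetical layout: one JSON file under the app's Application Support directory.
struct PurchaseStateStore {
    let fileURL: URL

    init(fileName: String = "purchases.json") throws {
        let base = try FileManager.default.url(for: .applicationSupportDirectory,
                                               in: .userDomainMask,
                                               appropriateFor: nil,
                                               create: true)
        fileURL = base.appendingPathComponent(fileName)
    }

    /// Writes the state, then marks the file so iTunes/iCloud backups leave it out.
    /// The flag is set after every write: an atomic write replaces the file on disk,
    /// so a flag set earlier would not survive.
    func save(_ state: [String: Any]) throws {
        let data = try JSONSerialization.data(withJSONObject: state, options: [])
        try data.write(to: fileURL, options: [.atomic])
        var values = URLResourceValues()
        values.isExcludedFromBackup = true
        var url = fileURL   // setResourceValues(_:) is mutating, so the URL must be a var
        try url.setResourceValues(values)
    }

    /// Reads the flag back. Useful as a unit test or a launch-time check so a later
    /// refactor cannot quietly put the file back into backups.
    func isExcludedFromBackup() throws -> Bool {
        let values = try fileURL.resourceValues(forKeys: [.isExcludedFromBackupKey])
        return values.isExcludedFromBackup ?? false
    }
}

// Constructed sample state for the example.
let store = try PurchaseStateStore()
try store.save(["gems": 120, "removeAds": true])
print("excluded from backup:", try store.isExcludedFromBackup())   // expected: true
```

The flag is per file, so every file that carries purchase or currency state needs it; anything else in the sandbox is still backed up and restorable. It closes only the backup path the article describes: it does not stop someone with direct access to the file system of a jailbroken device from editing the file in place, which is why the check function is worth wiring into the app's test suite rather than trusting a one-time setup.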
“One user can purchase IAPs and diffuse the app state to an infinite number of other users,” Zanon said. “One buys, many enjoy.”
An Apple representative contacted by Cult of Mac about the vulnerability declined to comment. Rovio and Electronic Arts haven’t yet responded to requests for comment.
Zanon and his colleagues only tested a handful of apps, but found that about half were vulnerable. They think the problem is widespread and that thousands of apps could potentially be vulnerable to the flaw.
“Our position is perfectly clear,” Zanon said. “We do not want our users to hack IAPs. We simply stumbled upon developer laziness, and go public mainly because we do not want iMazing to be associated with hacks. If we don’t speak out, the news may get out eventually and hurt our reputation. In short, we’re thrilled to be the first software to enable app backup/restore on iOS 9, but would hate to see this cool feature associated with pirates.”
Zanon and Bédat strongly urged developers to review their code for handling in-app purchases.
“Patching weak code should only take developers a few hours,” Bédat said.