Apple has issued guidance to iOS developers wondering how to protect their App Store apps from a hack that makes it possible to get in-app purchases for free. For now there is no fix, Apple simply promises that the vulnerability will be addressed in iOS 6.
The new support document states: “A vulnerability has been discovered in iOS 5.1 and earlier related to validating in-app purchase receipts by connecting to the App Store server directly from an iOS device.” The post claims: “iOS 6 will address this vulnerability”. Apple recommends that if developers follow the best practices described in the post their apps will not be affected by this attack.
The following best practices are recommended:
- You app should perform receipt validation by sending the receipt to your server and having your server perform the validation with the App Store server. However, Apple notes that: “It may be vulnerable to similar attacks when connecting to your server”.
- Use the appropriate cryptographic techniques to ensure that your app is actually connected to your server and that your server is actually connected to the App Store server.
Apple admits: “If your app connects to the App Store server directly from the device, your app may be affected by this vulnerability.” In this case it recommends the following:
- Check that the SSL certificate used to connect to the App Store server is an EV certificate.
- Check that the information returned from validation matches the information in the SKPayment object.
- Check that the receipt has a valid signature.
- Check that new transactions have a unique transaction ID.
The App Store hack that lets iOS users trick the App Store into giving them in-app purchases for free went public almost two weeks ago. Alexey V. Borodin of Russia built the in-app purchase hack, which requires several steps–including installing bogus certificates on your device and using a specially-crafted DNS server. Those ingredients combine to fool apps into believing that they’re communicating with the App Store, when they’re actually going to a web server that pretends to the App Store instead. Borodin said that his exploit works in part by faking – or “spoofing” – the code receipts that Apple issues for in-app purchases which developers use for validation, with the iOS device configured to mistakenly believe that those receipts are coming directly from Apple.
Now, Borodin has published a hack that enables the same process through the Mac App Store.