Follow us on RSS or Twitter for the latest updates.

July 13, 2012

Apple’s in-app purchasing process circumvented by Russian hacker


Russian developer ZonD80 has figured out how to circumvent Apple's iOS In-App Purchase program, allowing iPhone, iPad, and iPod touch users to grab digital game items, upgrade to full versions of apps, and purchase additional content for free. As first spotted by Russian blog i-ekb, the video above shows an "in-app proxy" (no jailbreak required!) that lets you make in-app purchases without actually making a purchase.

The hack reportedly works on all Apple devices running anything from iOS 3.0 to iOS 6.0 (the In-App Purchase program requires iOS 3.0 or later). That being said, certain in-app purchases do not work in specific regions around the world (possibly because the developers properly protected their apps). To use this "trick" yourself, you need to perform the following steps (for the record, I do not recommend doing this, especially given that you have to hand over your login credentials, and I do not condone it either, as it is stealing):

  • Install two certificates: CA and in-appstore.com.
  • Connect via Wi-Fi network and change the DNS to 62.76.189.117 (update: he's change it to 91.224.160.136).
  • Press the Like button, enter your Apple ID and password.

Essentially, this circumvention technique relies on installing certificates for a fake in-app purchase server as well as a custom DNS server. The latter's IP address is then mapped to the former, which in turn allows all "purchases" to go through. What's really worrying, however, is that ZonD80 could easily be gathering everyone's iTunes login credentials (as well as unique device-identifying data) in a classic man-in-the-middle attack. In other words, this is not a good hack to try.

ZonD80 runs a website called In-AppStore.com where everything is hosted for the hack to work, and he is accepting donations to support the development of the project as well as keep the servers up and running, according to 9to5Mac. The webpage does not load for me, but it does for my colleagues. Given the nature of this news, the server may be under additional stress. Either way, if you can't access the site, you can't try this hack because it requires files from the server.