Apple’s App Store bypassed by Russian hacker, leaving developers out of pocket

A Russian hacker calling himself ZonD80 has stirred a whirlwind of controversy by creating a website you can use to make fraudulent in-app purchases on your iPad or your iPhone.

An in-app purchase is a way for developers to make money beyond merely charging for their apps, and it’s a popular – and user-friendly – way of offering chargeable content.

If you’ve come up with a complex game, for example, you don’t need to charge full whack up front and hope that people will be willing to buy it before they’ve had a chance to see if they like it.

You can sell the game itself for a modest fee, or give it away for free, and then sell new levels and extensions from inside the game itself.

ZonD80 has cheekily named his site the in-appstore. His scheme exploits a cryptographic weakness in the protocol used by Apple for processing in-app payments.

The in-appstore tricks an app into conducting what it thinks is a purchase from Apple, but is, in fact, a transaction with ZonD80’s site. The bogus App Store then returns a bogus “purchase receipt” that the app accepts as genuine.

The good news – at least for law-abiding, bootleg-copy-eschewing users – is that you can’t stumble into lawless transactions on the in-appstore by mistake.

You need to reconfigure your iDevice so that it avoids the real App Store, and so that it trusts the imposter site. This involves:

  • loading and trusting a fake CA (certificate authority) SSL certificate,
  • loading a fake SSL certificate signed by the fake trusted authority,
  • changing your DNS settings so you’ll be redirected to the fake App Store.

(You read that last bit correctly: for this to work, you need to undertake voluntarily the sort of device reconfiguration that the DNS Changer malware wreaked surreptitiously to bring you under criminal control.)

Once you’ve made your crooked purchase, you reverse the changes so your iDevice performs normally once again.

We’ve written and spoken before about the importance to iOS developers of validating Apple’s so-called App Store Receipts.

Early reports on ZonD80’s exploit suggested that strict receipt checking – in particular, validating receipts with your own server, not just with Apple’s – would give programmers a sure-fire way to protect their in-app purchases.

But although self-checking your app’s receipts seems to protect your revenue for now, further digging suggests that it isn’t a permanent fix.

ZonD80 has even published a helpful diagram implying that a future enhancement to the in-appstore will let you defraud even those developers who operate their own validation servers.
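What that server-side receipt check amounts to, as an added example that is neither Sophos’s nor Apple’s code: the app uploads its receipt to the developer’s own server, which forwards it to Apple and judges the reply, so the user’s DNS and certificate changes on the handset never come into play. The JSON field names follow Apple’s verifyReceipt response but are treated as an assumption here; `post_json`, the bundle and product identifiers and the sample responses are constructed.

```python
from typing import Callable, Dict, Set, Tuple

# Apple's production verifyReceipt endpoint. The developer's server, not the
# handset, talks to it, so a fake CA and DNS entry on the device change nothing.
APPLE_VERIFY_URL = "https://buy.itunes.apple.com/verifyReceipt"


def check_receipt(response: Dict, expected_bundle_id: str,
                  known_products: Set[str], seen_transactions: Set[str]) -> Tuple[bool, str]:
    """Judge a parsed verifyReceipt reply. Field names (status, receipt.bundle_id,
    receipt.in_app[].product_id / transaction_id) are assumed from Apple's JSON;
    the layout has varied across iOS releases, so treat them as an assumption."""
    if response.get("status") != 0:
        return False, "apple did not vouch for this receipt (status %r)" % response.get("status")
    receipt = response.get("receipt") or {}
    if receipt.get("bundle_id") != expected_bundle_id:
        return False, "receipt belongs to another app"
    purchases = receipt.get("in_app") or []
    if not purchases:
        return False, "no in-app purchase recorded"
    for item in purchases:
        pid, tid = item.get("product_id"), item.get("transaction_id")
        if pid not in known_products:
            return False, "unknown product %r" % pid
        if not tid or tid in seen_transactions:
            return False, "missing or replayed transaction %r" % tid
    # Mark transactions as consumed only after every item has passed.
    seen_transactions.update(item["transaction_id"] for item in purchases)
    return True, "ok"


def verify_purchase(receipt_b64: str, post_json: Callable[[str, Dict], Dict],
                    expected_bundle_id: str, known_products: Set[str],
                    seen_transactions: Set[str]) -> Tuple[bool, str]:
    """Server-side entry point: post_json (caller-supplied, constructed here) does
    the HTTPS POST to Apple; the app's own claim of success is never consulted."""
    response = post_json(APPLE_VERIFY_URL, {"receipt-data": receipt_b64})
    return check_receipt(response, expected_bundle_id, known_products, seen_transactions)


# Constructed samples: a reply Apple would give for a real purchase, and the
# non-zero status it gives for receipt data it never issued.
GENUINE = {"status": 0, "receipt": {"bundle_id": "com.example.game", "in_app": [
    {"product_id": "com.example.game.level2", "transaction_id": "1000000123"}]}}
FORGED = {"status": 21002}  # constructed non-zero status: receipt data rejected
```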

This is a pretty big blow to Apple – especially at a time when it is facing criticism for some of the stuff it lets into the App Store in the first place.

Indeed, although the fruity company is normally silent on security matters until it has actually published a fix, it has already commented publicly on this issue. As Apple-centric news site The Loop reports:

"The security of the App Store is incredibly important to us and the developer community," Apple representative Natalie Harrison told The Loop. "We take reports of fraudulent activity very seriously and we are investigating."

That may not be much of a response, but – as John Milton famously and poetically observed on going blind – they also serve who only stand and wait.

When it comes to actually fixing the problem, however, it looks as though Apple will need a better cryptographic protocol, and as though developers will need to adapt their applications accordingly. If that’s the case, let’s hope that App Store approval for any needed code updates will be quick and easy to obtain.

By the way, reports suggest that tens of thousands of dishonest “purchases” have already been made through the in-appstore.

May I suggest that you control any urge you might have to join in?

(Especially if your excuse is of the they-can-afford-it-why-should-I-make-them-even-richer sort. If you really are that strongly opposed to commercial content, you should avoid it altogether and actively support those who offer their stuff for free instead.)