Apple's App Store bypassed by Russian hacker, leaving developers out of pocket

Filed Under: Apple, Featured, Vulnerability

A Russian hacker calling himself ZonD80 has stirred a whirlwind of controversy by creating a website you can use to make fraudulent in-app purchases on your iPad or your iPhone.

An in-app purchase is a way for developers to make money beyond merely charging for their apps, and it's a popular - and user-friendly - way of offering chargeable content.

If you've come up with a complex game, for example, you don't need to charge full whack up front and hope that people will be willing to buy it before they've had a chance to see if they like it.

You can sell the game itself for a modest fee, or give it away for free, and then sell new levels and extensions from inside the game itself.

ZonD80 has cheekily named his site the in-appstore. His scheme exploits a cryptographic weakness in the protocol used by Apple for processing in-app payments.

The in-appstore tricks an app into conducting what it thinks is a purchase from Apple, but is, in fact, a transaction with ZonD80's site. The bogus App Store then returns a bogus "purchase receipt" that the app accepts as genuine.

The good news - at least for law-abiding, bootleg-copy-eschewing users - is that you can't stumble into lawless transactions on the in-appstore by mistake.

You need to reconfigure your iDevice so that it avoids the real App Store, and so that it trusts the imposter site. This involves:

  • loading and trusting a fake CA (certificate authority) SSL certificate,
  • loading a fake SSL certificate signed by the fake trusted authority,
  • changing your DNS settings so you'll be redirected to the fake App Store.

(You read that last bit correctly: for this to work, you need to undertake voluntarily the sort of device reconfiguration that the DNS Changer malware carried out surreptitiously to bring you under criminal control.)

Once you've made your crooked purchase, you reverse the changes so your iDevice performs normally once again.

We've written and spoken before about the importance to iOS developers of validating Apple's so-called App Store Receipts.

Early reports on ZonD80's exploit suggested that strict receipt checking - in particular, validating receipts with your own server, not just with Apple's - would give programmers a sure-fire way to protect their in-app purchases.

But although self-checking your app's receipts seems to protect your revenue for now, further digging suggests that it isn't a permanent fix.
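To make the server-side check concrete, here is an added example (not code from the article, ZonD80's site or Apple) of the kind of receipt validator a developer's own server would run. It assumes the server, not the device, has already sent the receipt to Apple and parsed the JSON reply; the field names used (`status`, `bundle_id`, `in_app`, `product_id`, `transaction_id`), the bundle and product identifiers, and the sample reply are all constructed assumptions so the code runs offline.

```python
import json

# Assumptions: the app we sell and the products it offers (constructed values).
EXPECTED_BUNDLE_ID = "com.example.game"
KNOWN_PRODUCTS = {"com.example.game.level_pack_1"}


class ReceiptStore:
    """Remembers transaction ids already credited, so a receipt replayed a
    second time (or shared between devices) is refused."""

    def __init__(self):
        self.seen = set()


def validate_receipt(apple_response, wanted_product, store):
    """Return (ok, reason). apple_response is the parsed JSON that OUR server
    obtained from Apple over a connection whose DNS and CA trust the user's
    device cannot tamper with; the device is never asked whether the receipt
    is genuine."""
    if wanted_product not in KNOWN_PRODUCTS:
        return False, "unknown product"
    # Anything other than status 0 means Apple did not vouch for the receipt.
    if apple_response.get("status") != 0:
        return False, "apple status %r" % apple_response.get("status")
    receipt = apple_response.get("receipt", {})
    # A genuine receipt for some other app must not unlock content in ours.
    if receipt.get("bundle_id") != EXPECTED_BUNDLE_ID:
        return False, "bundle id mismatch"
    for item in receipt.get("in_app", []):
        if item.get("product_id") != wanted_product:
            continue
        tid = item.get("transaction_id")
        if not tid:
            return False, "missing transaction id"
        if tid in store.seen:
            return False, "replayed transaction %s" % tid
        store.seen.add(tid)
        return True, "ok"
    return False, "product not in receipt"


# Constructed sample reply, standing in for what Apple would return.
SAMPLE_RESPONSE = json.loads("""{
  "status": 0,
  "receipt": {"bundle_id": "com.example.game",
              "in_app": [{"product_id": "com.example.game.level_pack_1",
                          "transaction_id": "1000000012345678"}]}
}""")
```

A bogus receipt handed to the app by an impostor store never reaches this code with `status` 0, because Apple, not the device's idea of Apple, is the party asked.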

ZonD80 has even published a helpful diagram implying that a future enhancement to the in-appstore will let you defraud even those developers who operate their own validation servers.

This is a pretty big blow to Apple - especially at a time when it is facing criticism for some of the stuff it lets into the App Store in the first place.

Indeed, although the fruity company is normally silent on security matters until it has actually published a fix, it has already commented publicly on this issue. As Apple-centric news site The Loop reports:

"The security of the App Store is incredibly important to us and the developer community," Apple representative Natalie Harrison told The Loop. "We take reports of fraudulent activity very seriously and we are investigating."

That may not be much of a response, but - as John Milton famously and poetically observed on going blind - they also serve who only stand and wait.

When it comes to actually fixing the problem, however, it looks as though Apple will need a better cryptographic protocol, and as though developers will need to adapt their applications accordingly. If that's the case, let's hope that App Store approval for any needed code updates will be quick and easy to obtain.

By the way, reports suggest that tens of thousands of dishonest "purchases" have already been made through the in-appstore.

May I suggest that you control any urge you might have to join in?

(Especially if your excuse is of the they-can-afford-it-why-should-I-make-them-even-richer sort. If you really are that strongly opposed to commercial content, you should avoid it altogether and actively support those who offer their stuff for free instead.)


14 Responses to Apple's App Store bypassed by Russian hacker, leaving developers out of pocket

  1. otaku2012 · 1183 days ago

    THIS IS HORRIBLE! . . .just horrible...someone tell me the name of this site so I can... investigate this ongoing crisis. :3

  2. Not to mention, your personal login details would be transmitted to the server to be validated before the phone allows you to make a "purchase".

    • Paul Ducklin · 1183 days ago

      You need have no worries on that score. You have ZonD80's personal assurance!

      He explicitly states, on his ToS page, that he doesn't retain your password data. "Logging is total[ly] disabled," he writes. "For now."

      (It really _does_ say "for now" :-)

      • Peter M · 1181 days ago

        By far less logging compared to I-Tunes anyway. And that really IS assured ;)

  3. iOS Lover · 1183 days ago

    This has already been done MANY times before with a much lower level of sophistication. Just look at iAP Cracker or iAP Free. I have not fully checked this out yet, but I am sure it is of higher complexity and can do a bit more than iAP Free since it is actually creating actual fake receipts to Apple, but it seems like they both have the same purpose, do they not?

    • Paul Ducklin · 1183 days ago

      The big deal here - and ZonD80 seems quite proud of it, as it's mentioned in the strapline on his website - is that this method requires no jailbreak.

      That makes it at least qualitatively different - at least as far as Apple is concerned, because this is happening entirely inside its own ecosystem and on its own watch.

      It means a bit more of the magic security smoke of the locked-down-iOS-plus-App-store model has escaped.

      • iOS Lover · 1183 days ago

        Ah okay. Didn't think I read that in the article. My apologies.

  4. anon · 1183 days ago

    Is there any way to see the flow diagram bigger? It's way too small to read :(

    • Paul Ducklin · 1183 days ago

      Try clicking on the image now for a legible version. The hacker's annotations are a red box (where he is now) and a blue box (where he wants to get to).

  5. dave · 1183 days ago

    Can also get free in app purchases via jail break phones.

  6. tjraptis · 1182 days ago

    No surprise that this happened...

  7. aramis · 1181 days ago

    "... Especially if your excuse is of the they-can-afford-it-why-should-I-make-them-even-richer sort. If you really are that strongly opposed to commercial content, you should avoid it altogether and actively support those who offer their stuff for free instead."

    What's the logic behind that last statement? I don't see any.

  8. an Old Coder · 1177 days ago

    All these "holes" are due to the quality of the code and bad software architecture. Today's programmers have FAR FAR less quality in their code output compared with that from a generation ago. They lack training (a combination of themselves being less intelligent and their bad computer science instructors in the college), and companies who hire them do not impose good quality control on the products either, because those software development managers do NOT know how to do it.

    Microsoft is the #1 example. Years ago, only second class programmers worked at that company, the better ones were at Sun Microsystems. Now the "good" generation of programmers are all close to the retirement age. The new generation is far less competent and they are sloppy on their coding. Software developers at Apple Inc. are no exception. Apple should do annual re-certification on all their software developers and weed out those who failed the exam.

    Quality! Quality! Quality!


About the author

Paul Ducklin is a passionate security proselytiser. (That's like an evangelist, but more so!) He lives and breathes computer security, and would be happy for you to do so, too. Paul won the inaugural AusCERT Director's Award for Individual Excellence in Computer Security in 2009. Follow him on Twitter: @duckblog