Russian hacks Apple, invents way to get paid iOS apps and content for free without jailbreak

Pirating apps on iOS is extremely easy if you jailbreak your device. Pirating apps on iOS is extremely difficult (near impossible) without jailbreak. Or is it? A Russian hacker has devised a way for users to attain premium iOS apps and content offered via Apple’s ‘in-app purchase’ without paying a cent — or jailbreaking their devices.

Before you read on, please take note: downloading paid iOS content without actually paying for the content is illegal regardless of which country you live in. dotTech is in no way encouraging people to utilize the method mentioned in this article or to pirate apps/content in any other way. Any long-time dotTechie knows I am strictly against pirating and will never encourage such an action. This article is for information purposes only. Ashraf and dotTech are not responsible for your actions. That being said…

A hacker by the name of Alexey V. Borodin has devised a way to trick iOS devices into providing users with in-app purchase content without actually paying for the content. That content can be in-app purchase game levels, upgrades, or money; in-app purchase books, magazines, and movies; etc. Almost any content that is purchasable from within an app using Apple’s in-app purchase API is vulnerable to this hack. There are reports of a ‘receipt system’ Apple has for developers that helps prevent this sort of hack; any apps using that receipt system likely can’t have their content stolen by this hack.

What Borodin’s hack does is run in-app purchases through a fake Apple server owned by Borodin. This server sends false payment confirmations to iOS devices telling the apps to release the paid content to the user even though the user never actually paid for it. The hack itself requires a three-part setup by the user: installations of two digital certificates and a change in WiFi domain settings. (Okay, okay — Borodin doesn’t actually hack Apple. The title of this article is a bit exaggerated.) Take note, however, that there are privacy-related drawbacks to this free “service”. As ArsTechnica mentions, Borodin’s server is sent users’ Apple ID, password, and other data that is normally sent only to Apple. While Borodin says he doesn’t log, use, or monitor the data, there is no way we can be sure of such a claim. Free is rarely, if ever, really free.

For its part, Apple has issued a statement that it is looking into this matter:

“The security of the App Store is incredibly important to us and the developer community. We take reports of fraudulent activity very seriously and we are investigating.”

Apple has already issued a copyright claim to YouTube, forcing the video demonstrating Borodin’s hack to be pulled, and Borodin reports that two IP addresses used by his server have already been blocked, supposedly due to something Apple did. In addition to that, Apple will likely issue some sort of iOS update or mandate that developers use the receipt system to fix this loophole.
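Why a receipt check on the developer's side closes the loophole described above, as an added Python sketch that is not from the article and is not Apple's API. An HMAC stands in for the store's receipt signature, and every name, key and receipt field here is a constructed assumption.

```python
import hashlib
import hmac
import json

# Constructed stand-in for the store's signing secret (assumption). A real
# developer server never holds it; it asks the store to verify the receipt.
STORE_KEY = b"constructed-demo-key"

# Constructed forged confirmation of the kind a look-alike server could return.
FORGED = {"status": "purchased", "tag": "0" * 64,
          "body": json.dumps({"product_id": "level_pack", "transaction_id": "t-9"})}


def _tag(body):
    return hmac.new(STORE_KEY, body.encode(), hashlib.sha256).hexdigest()


def store_issue_receipt(product_id, transaction_id):
    """Model of the genuine store issuing a receipt after a real payment."""
    body = json.dumps({"product_id": product_id,
                       "transaction_id": transaction_id}, sort_keys=True)
    return {"status": "purchased", "body": body, "tag": _tag(body)}


def store_verify(receipt):
    """Model of the store's verifier, reached by the developer's server directly."""
    return hmac.compare_digest(_tag(receipt.get("body", "")), receipt.get("tag", ""))


def naive_client_unlock(confirmation):
    """Weak pattern: the app trusts whatever confirmation reached the device."""
    return confirmation.get("status") == "purchased"


class ContentServer:
    """Releases content only for a verified, unused receipt for that product."""
    def __init__(self):
        self.seen = set()

    def unlock(self, product_id, receipt):
        if not store_verify(receipt):
            return "rejected: not issued by store"
        fields = json.loads(receipt["body"])
        if fields["product_id"] != product_id:
            return "rejected: wrong product"
        if fields["transaction_id"] in self.seen:
            return "rejected: already used"
        self.seen.add(fields["transaction_id"])
        return "unlocked"
```

The device-side check accepts `FORGED` because it only reads a status field, while `ContentServer` rejects it and also refuses replayed or mismatched receipts.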

App Store may have little to no malware issues but it seems to be vulnerable to hacks. Will Google’s turn come? Let’s hope not.

[via ArsTechnica]


5 comments

  1. Rob (Down Under)

    Actually this may be poetic justice.
    If my memory serves me right, before Apple was created, the creators made their money (or got their reputation) by assisting Americans to defraud AT & T. (They did not invent the technique and whistle, but they became involved with the creator, and even employed him, when Apple was formed.)
    It was called Phone Phreaking, and allowed the public to make free (long) long distance calls.

    Perhaps now Apple “will be whistling a different tune” ?

  2. Hank

    This smells like the old dish/cable box sting they did years ago where users who had hacked their cable box cards were sent “commercials” over their connections to call a number for free T-shirts or services. When they called, their numbers were captured and many stupidly gave all their real identity info so as to make the cops’ jobs that much easier.

    And this paragon of saintliness swears he won’t use your data illicitly – maybe not, but I bet when the authorities come to his door with a “give us your customer list or go to jail” ultimatum he caves like a house of cards.

    No thanks, I’ll stick to jailbreaking.

  3. sl0j0n

    Hello, all.
    You know, wouldn’t it be just like Apple, to set up this whole thing,
    just to force developers to use the receipt system?
    I mean, how many times have *you* heard that Apple can’t be hacked, like M$, or yahoo.com?
    But now here comes this ‘Russian’ guy, who claims that,
    “he doesn’t use, log, or otherwise monitor that [YOUR] data”!
    Does that sound reasonable to *you*?
    Maybe I’m just being too cynical.
    Yeah, that’s it; *THAT’s* the ticket!

    Have a GREAT day, neighbors!