Russian hacks Apple, invents way to get paid iOS apps and content for free without jailbreak

Pirating apps on iOS is extremely easy if you jailbreak your device. Pirating apps on iOS is extremely difficult (near impossible) without jailbreak. Or is it? A Russian hacker has devised a way for users to attain premium iOS apps and content offered via Apple’s ‘in-app purchase’ without paying a cent — or jailbreaking their devices.

Before you read on, please take note downloading paid iOS content without actually paying for the content is illegal regardless of which country you live in. dotTech is in no way encouraging people to utilize the method mentioned in this article or to pirate apps/content in any other way. Anyone long timer dotTechie knows I am strictly against pirating and will never encourage such an action. This article is for information purposes only. Ashraf and dotTech are not responsible for your actions. That being said…

A hacker by the name of Alexey V. Borodin has devised a way to trick iOS devices into providing users with in-app purchase content without actually paying for the content. That content can be in-app purchase game levels, upgrades, or money; in-app purchase books, magazines, and movies; etc. Almost any content that is purchasable from within an app using Apple’s in-app purchase API is vulnerable to this hack. There are reports of a ‘receipt system’ Apple has for developers that helps prevent this sort of hack; any apps using that receipt system likely can’t have their content stolen by this hack.

What Borodin’s hack does is run in-app purchases through a fake Apple server owned by Borodin. This server sends false payment confirmations to iOS devices telling the apps to release the paid content to the user even though the user never actually paid for it. The hack itself requires a three-part setup by the user: installations of two digital certificates and a change in WiFi domain settings. (Okay, okay — Borodin doesn’t actually hack Apple. The title of this article is a bit exaggerated.) Take note, however, there are privacy related drawbacks to this free “service”. As ArsTechnica mentions, Borodin’s server is sent users’ Apple ID, password, and other data that is normally sent only to Apple. While Borodin says he doesn’t log, use, or monitor the data, there is no way we can be sure of such a claim. Free is rarely really ever free.

For its part, Apple has issued a statement that it is looking into this matter:

“The security of the App Store is incredibly important to us and the developer community. We take reports of fraudulent activity very seriously and we are investigating.”

Apple has already issued a copyright claim to Youtube forcing the video demonstrating Borodin’s hack to be pulled, and Borodin reports two IP addresses used by his server have already been blocked supposedly due to something Apple did. In addition to that, Apple will likely issue some sort of iOS update or mandate developers use the receipt system to fix this loophole.

App Store may have little to no malware issues but it seems to be vulnerable to hacks. Will Google’s turn come? Let’s hope not.

[via ArsTechnica]

[viaNamely, it allows the operators of the fake server to see a user’s Apple ID, password, and possibly other data that is normally sent only to Apple. Hacker Alexey V. Borodin told Ars Technica that he doesn’t use, log, or otherwise monitor that data, but there is no way to confirm those assurances.

Related Posts