
Apple provides details, fixes on in-app purchase hack
MacNN Staff
Join Date: Jul 2012
Status: Offline
Jul 20, 2012, 05:31 PM
 
In the wake of the revelation of the recent App Store in-app purchase hack, Apple has published a document for developers on how to protect applications from purchase fraud. The document addresses three common questions about the security process, as well as providing APIs to eliminate the flaws that allowed the hack to function. Additionally, in the same document, Apple said iOS 6 will completely rectify the issue.

If a developer's application performs validation by connecting to the developer's server directly, Apple claims that as long as the developer has followed best practices for receipt validation by having the developer's server perform the validation with the App Store server, then the app isn't affected by the attack, as it does not connect to the App Store server directly. If an app connects to the App Store server directly, Apple suggests that the developer change to having the app connect to the developer's server and have that server connect to the App Store server. If code revision isn't possible, then basic security checks are advised, like verifying that receipt IDs are unique and that the App Store SSL server certificate is an EV certificate.

Developers concerned about completed transactions are advised to revalidate receipts for consumable items, like in-game currency, assuming the developer has retained the receipts. Permanent items, known as nonconsumables, can be re-checked after a restore operation. While non-public APIs are generally not allowed in iOS applications, Apple has made a one-time exception for fixes to prevent the hack from functioning. A four-step process including two additional files has been provided to close the back door the hackers used to allow free in-app purchases.

First publicized a week ago, the hack required that users hand over iTunes account information to the Russian hacker organization, making it a risky venture. Today's update to the developer community is the first fix for the problem. Prior versions of iOS 6 were susceptible to the hack, making future versions of the beta now underway likely the first practical implementation of the fix at the user level.
     
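The server-side validation flow the article describes (app sends the receipt to the developer's server, the server forwards it to Apple's verifyReceipt endpoint, and the server checks that receipt IDs are unique before crediting anything) can be sketched as follows. This is an added example, not code from Apple's document or from MacNN; the endpoint URL and the JSON shape (`receipt-data` in, `status` and `receipt.transaction_id` / `receipt.product_id` out) are the ones Apple documented at the time, while `KNOWN_PRODUCTS`, the sample receipts and the canned responses in `FAKE_REPLIES` are constructed so the example runs offline. Because only the developer's server ever talks to the App Store, a proxy or DNS trick on the user's device cannot substitute a canned "valid" answer, and the transaction-ID check stops the same receipt from being credited twice.

```python
import json
import urllib.request
from typing import Callable, Set

# Production endpoint Apple documented for receipt verification in 2012
# (sandbox builds used https://sandbox.itunes.apple.com/verifyReceipt).
APP_STORE_VERIFY_URL = "https://buy.itunes.apple.com/verifyReceipt"

# Product identifiers this hypothetical app sells (assumed policy, not from the article).
KNOWN_PRODUCTS = {"com.example.game.coins100", "com.example.game.coins500"}


def post_to_app_store(url: str, body: bytes) -> bytes:
    """Live transport: POST the JSON body to Apple over HTTPS.

    urllib verifies the certificate chain against the system trust store but
    does not check that the leaf is an EV certificate; a deployment wanting
    the EV check the article mentions must inspect the certificate separately.
    """
    req = urllib.request.Request(url, data=body,
                                 headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read()


def verify_purchase(receipt_b64: str, seen_transactions: Set[str],
                    transport: Callable[[str, bytes], bytes] = post_to_app_store) -> dict:
    """Validate one client-supplied receipt on the developer's server.

    Returns {"ok": bool, "reason": str, "transaction_id": str or None}.
    The app never contacts the App Store itself; this server does.
    """
    body = json.dumps({"receipt-data": receipt_b64}).encode()
    reply = json.loads(transport(APP_STORE_VERIFY_URL, body))

    # status 0 is the only success code; anything else means Apple rejected the receipt.
    if reply.get("status") != 0:
        return {"ok": False, "reason": f"app store status {reply.get('status')}",
                "transaction_id": None}

    receipt = reply.get("receipt") or {}
    tid = receipt.get("transaction_id")
    if not tid:
        return {"ok": False, "reason": "no transaction_id in receipt", "transaction_id": None}
    # A receipt for a product this app does not sell is not a purchase of ours.
    if receipt.get("product_id") not in KNOWN_PRODUCTS:
        return {"ok": False, "reason": "unknown product_id", "transaction_id": tid}
    # Uniqueness check: a transaction id that was already credited is a replay.
    if tid in seen_transactions:
        return {"ok": False, "reason": "transaction_id already credited", "transaction_id": tid}
    seen_transactions.add(tid)
    return {"ok": True, "reason": "valid", "transaction_id": tid}


# Constructed sample replies so the example runs without network access.
FAKE_REPLIES = {
    "good": {"status": 0, "receipt": {"transaction_id": "1000000054321",
                                      "product_id": "com.example.game.coins100",
                                      "quantity": "1"}},
    "wrong_product": {"status": 0, "receipt": {"transaction_id": "1000000099999",
                                               "product_id": "com.other.app.item"}},
    "rejected": {"status": 21002},
}


def make_fake_transport(key: str) -> Callable[[str, bytes], bytes]:
    """Return a transport that answers with one of the constructed replies."""
    def transport(url: str, body: bytes) -> bytes:
        return json.dumps(FAKE_REPLIES[key]).encode()
    return transport


def demo():
    """Run the validator over the constructed receipts; returns the four results."""
    seen: Set[str] = set()
    first = verify_purchase("RECEIPT-A", seen, make_fake_transport("good"))
    replay = verify_purchase("RECEIPT-A", seen, make_fake_transport("good"))
    bad_prod = verify_purchase("RECEIPT-B", seen, make_fake_transport("wrong_product"))
    rejected = verify_purchase("RECEIPT-C", seen, make_fake_transport("rejected"))
    return first, replay, bad_prod, rejected


if __name__ == "__main__":
    for result in demo():
        print(result)
```

In a real deployment the `seen_transactions` set would be a persistent table keyed by transaction ID, and consumable receipts the article says should be revalidated can be re-run through `verify_purchase` with the default live transport.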
Forum Regular
Join Date: Aug 2001
Status: Offline
Jul 23, 2012, 09:52 AM
 
Originally Posted by NewsPoster:
Additionally, in the same document, Apple said iOS 6 will completely rectify the issue.
Well that's nice. Of course, not everyone will upgrade, and so that'll leave it up to all developers to basically have to fix their software (because we can't get Apple to fix their current OS, I guess).

If an app connects to the App Store server directly, Apple suggests that the developer change to having the app connect to the developer's server and have that server connect to the App Store server.
Oh, this is rich. Apple first insists ALL developers use Apple's store to perform all in-app transactions. But then the developer still needs to have their own server in which all transactions are run through.

Um, why not just let the developer handle the transaction themselves, then? Oh, right, because Apple wants their cut of the pie. Can't have people making money if Apple can't get part of the action!


And I'm glad to see Apple following really secure principles, like making sure the connection is to their secure server, or actually encrypting credentials before transmitting them. You know, crazy stuff.
     
Clinically Insane
Join Date: Nov 1999
Location: 888500128, C3, 2nd soft.
Status: Offline
Jul 23, 2012, 10:08 AM
 
Originally Posted by testudo:
Originally Posted by NewsPoster:
Additionally, in the same document, Apple said iOS 6 will completely rectify the issue.
Well that's nice. Of course, not everyone will upgrade, and so that'll leave it up to all developers to basically have to fix their software (because we can't get Apple to fix their current OS, I guess).
iOS upgrade rates are notoriously fast.

So whatever small percentage of users remains on previous OS versions will have to then a) WANT to cheat the system, and then b) FIND a proxy server that will still perform this hack, and then c) be prepared to send their account details through that server.

This whole thing was more of a proof-of-concept than a real danger.

It needs to be fixed, but I doubt developers are *really* losing sleep over it.

Originally Posted by testudo:
Um, why not just let the developer handle the transaction themselves, then? Oh, right, because Apple wants their cut of the pie. Can't have people making money if Apple can't get part of the action!
You fail to realize that the 30% cut Apple takes in exchange for dealing with international distribution, payment, sales tax, book-keeping, and local laws and regulations, is actually a DAMN GOOD DEAL, especially for smaller developers.
     
All contents of these forums © 1995-2014 MacNN. All rights reserved.