Interestingly, some sites have confused the hacking of Apple’s in-app purchasing system with one that lets hackers – and those who follow their instructions - get entire apps for the iPhone or iPad free of charge.
But that’s not the case. The story is that in-app purchases, or IAP, has been hacked, with IAP allowing you to “unlock” extra levels in a game, extra capabilities or extra whatever the developer is offering – and that’s a totally different thing.
Some developers use IAP to offer an app at a low price, such as 99c or even free – and then charge you various amounts of money to purchase coins, points or whatever else, and it is this that the hackers have broken into.
They’ve done it by being a “man in the middle”, tricking apps and the iDevice into thinking they’re talking to Apple’s servers, with the Russian hacker “ZonD80” discovering how iDevices running iOS 3.x to 6.0 could be made to “think” they had successfully charged an iTunes account owner’s account (with the appropriate moneys then going to the developer after Apple’s 30% cut).
The startling thing is the ease with which ZonD80 was able to achieve his trick, and the fact it worked on non-jailbroken devices, with ZonD80’s demonstration YouTube video here and the In-AppStore site here. Apple reportedly had one of ZonD80's previous videos taken down, but he appears to have posted a "reply to Apple" with the same or a similar video.
Apple news site “9to5Mac” has more details, while Apple spokesperson Natalie Harrison told Apple news website “The Loop” that: “The security of the App Store is incredibly important to us and the developer community. We take reports of fraudulent activity very seriously and we are investigating.”
Naturally, given Apple’s investigation into the issue – and the overwhelming demand from end-users keen to bypass the IAP system – the service has reportedly been up and down like a yo-yo, with new servers reportedly being made available so that more people can be “helped” to rip-off developers.
We here at iTWire definitely do not recommend you try this out yourself, because even if you get the thrill of successfully using the system, you are stealing income from developers who rely on this income to not only feed their families, but also to create more of the apps that so many obviously love.
Kudos to the developer ZonD80 for uncovering some serious slackness on Apple’s part here in creating a system that, in retrospect, has been so “easy” to bypass – no doubt Apple will do what it can to close this loophole and make it as difficult as possible for something similar to be repeated in the future.
It just goes to show how difficult it is to stay and keep secure, how vigilance and ongoing penetration testing is of the utmost importance, how willing some people are to try and defraud others, how valuable Apple’s App Store still is and how resourceful humans truly are.
May our creativity and imagination never die, but let’s try and use these powers for good, rather than evil, eh? Evil never wins in the end, good always defeats it, but I guess evil's gotta waste everyone's time by trying. Sigh. Perhaps we've found the other reason why those angry birds are always so angry!