Hacker exploits iOS flaw for free in-app purchases

13.07.2012

Apple did not respond to multiple requests for comment.

So Borodin's hack works with purchases validated solely on iOS, because those purchases check the receipt only against the fake Apple server addresses the hack substitutes. Apps that instead rely on their own Web servers to validate receipts, of course, talk to the genuine Apple servers--which in turn respond that the receipts are invalid, since Apple didn't really generate them. But Borodin says that the next phase of his hack will go one step further: "The future is to cache developers' server responses," he said, which would mean that even apps that validate on the Web would be at risk.

Tabini points out, however, that if developers use their own secure measures--shared secrets, secure signing, and the like--it would be an order of magnitude more work for Borodin to hack their apps' server responses.

In short, Borodin's hack is a classic "man in the middle" attack, where the malicious code (or lucrative code, depending upon your perspective) sits between you and the real server you're meant to hit.
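The following is an added illustration, not code from the article or from Borodin's tool, of the two points made above: the developer's server asks the genuine Apple endpoint (stood in for here by a constructed lookup table) and signs its verdict, together with a per-request nonce, using a shared secret, so that a response cached or altered by an interposed proxy fails on the device. All names, keys and receipt values are constructed.

```python
import hashlib
import hmac
import json
import secrets

# Constructed shared secret, provisioned to both the app and the developer's server.
SHARED_SECRET = b"constructed-demo-secret-do-not-reuse"
# Constructed stand-in for Apple's records: only receipts Apple really issued are here.
GENUINE_RECEIPTS = {"receipt-abc123": "com.example.app.coins100"}

def ask_apple(receipt):
    """Stand-in for the developer's server querying the genuine Apple endpoint."""
    return receipt in GENUINE_RECEIPTS

def client_request(receipt):
    """App side: send the receipt with a fresh nonce so a cached answer is detectable."""
    return {"receipt": receipt, "nonce": secrets.token_hex(16)}

def _sign(body):
    msg = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(SHARED_SECRET, msg, hashlib.sha256).hexdigest()

def server_validate(request):
    """Developer server: ask Apple, then sign the verdict together with the client's nonce."""
    body = {"receipt": request["receipt"], "nonce": request["nonce"],
            "valid": ask_apple(request["receipt"])}
    return {"body": body, "sig": _sign(body)}

def client_accepts(request, response):
    """App side: unlock only if signature, nonce and receipt all match and the verdict is valid."""
    body = response.get("body", {})
    if not hmac.compare_digest(_sign(body), response.get("sig", "")):
        return False  # forged or altered response
    if body.get("nonce") != request["nonce"] or body.get("receipt") != request["receipt"]:
        return False  # replayed response that belonged to another request
    return body.get("valid") is True

def scenarios():
    """The cases the article describes; returns which ones the app would unlock."""
    good = client_request("receipt-abc123")
    fake = client_request("receipt-forged-by-proxy")
    honest = server_validate(fake)              # genuine path: server reports invalid
    # A proxy replays a real, signed 'valid' answer from an earlier request against the forged receipt.
    replayed = server_validate(good)
    # A proxy flips the verdict but cannot re-sign it without the shared secret.
    tampered = {"body": dict(honest["body"], valid=True), "sig": honest["sig"]}
    return {"genuine": client_accepts(good, server_validate(good)),
            "forged": client_accepts(fake, honest),
            "replayed": client_accepts(fake, replayed),
            "tampered": client_accepts(fake, tampered)}
```

Only the genuine receipt unlocks; the forged, replayed and tampered responses are all rejected on the device even though the proxy sits between app and server.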