Hacker exploits iOS flaw for free in-app purchases

13.07.2012

To understand the hack, it's important to learn a bit about how in-app purchases work. When a customer completes an in-app purchase, Apple sends the app back a bit of data. The app is then meant to ping Apple's servers directly, in real-time, to confirm the validity of that receipt.

In short: The app gets notice of a completed transaction and should immediately confirm with Apple that the receipt came from it.

Borodin's hack doesn't work for all in-app purchases. That's because there are two ways for developers to validate the receipts they receive from Apple--from the iOS device or from the app's own Web servers.

Developer Marco Tabini told me that Apple's approach to receipt validation is flawed, and that thus the company itself is at fault for this exploit's existence. (Disclosure: Tabini is an occasional contributor, and developed an app with me.)

The exploit, Tabini explained, is not due to developer incompetence. "Merely validating a receipt against Apple is not enough," he said. Tabini said that processes like Apple's should use a shared secret--sort of a secret code known only to the app and to Apple: "If Apple provided a shared secret as part of the IAP process, using that secret in conjunction with a random salt would prove to developers that responses from Apple were genuine when they validated receipts."
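To make the two validation approaches concrete, the following is an added example (written for this article, not code from Apple, Borodin or Tabini) that models the receipt check described above. It contrasts a validator that trusts any endpoint answering "status 0" with one that, as Tabini proposes, requires the verifier to prove itself with a shared secret and a per-request random value. Everything here is constructed: the secret, the receipt ids, the product and bundle identifiers, the status code used for an unknown receipt, and the three stand-in verifiers (genuine, impostor without the secret, and a replay of an old genuine answer). In this design the secret lives on the developer's own server rather than in the app binary, which is the server-side option the article mentions.

```python
import hashlib
import hmac
import json
import secrets

# Constructed shared secret: in practice known only to the genuine verifier
# and the developer's server-side validation code, never shipped in the app.
SHARED_SECRET = b"example-shared-secret-not-a-real-value"

# Constructed list of receipts the genuine verifier actually issued.
GENUINE_RECEIPTS = {
    "rcpt-0001": {"product_id": "com.example.coins100", "bundle_id": "com.example.game"},
}

# Constructed status code for "receipt not recognised" (any non-zero value works here).
STATUS_UNKNOWN_RECEIPT = 21003


def canonical(body):
    """Serialise the response body deterministically so both sides MAC the same bytes."""
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def sign_response(body, key):
    """Attach an HMAC-SHA256 over the canonical body, keyed with the (claimed) shared secret."""
    mac = hmac.new(key, canonical(body), hashlib.sha256).hexdigest()
    return {"body": body, "mac": mac}


def genuine_verifier(receipt_id, nonce):
    """Stand-in for the real verification service: knows the secret and its own receipts."""
    entry = GENUINE_RECEIPTS.get(receipt_id)
    status = 0 if entry else STATUS_UNKNOWN_RECEIPT
    body = {"status": status, "receipt_id": receipt_id, "nonce": nonce, "receipt": entry}
    return sign_response(body, SHARED_SECRET)


def impostor_verifier(receipt_id, nonce):
    """Test double for an endpoint that answers 'valid' to everything but lacks the secret."""
    body = {
        "status": 0,
        "receipt_id": receipt_id,
        "nonce": nonce,
        "receipt": {"product_id": "com.example.coins100", "bundle_id": "com.example.game"},
    }
    return sign_response(body, b"guessed-wrong-secret")  # cannot know SHARED_SECRET


def make_replay_verifier(recorded_response):
    """Test double that returns one previously captured genuine answer for every request."""
    def verifier(receipt_id, nonce):
        return recorded_response
    return verifier


def naive_validate(verifier, receipt_id):
    """Accepts the purchase if whatever endpoint it reached says status 0.

    This is the 'merely validating a receipt against Apple' pattern the article
    calls insufficient: nothing ties the answer to the real verifier.
    """
    resp = verifier(receipt_id, "")
    return resp["body"]["status"] == 0


def validate_with_secret(verifier, receipt_id, expected_product, expected_bundle):
    """Accepts only an answer authenticated with the shared secret and bound to this request."""
    nonce = secrets.token_hex(16)  # random salt: defeats replay of an old genuine answer
    resp = verifier(receipt_id, nonce)
    body = resp["body"]

    # 1. Proof of origin: only a holder of the secret can produce a matching MAC.
    expected_mac = hmac.new(SHARED_SECRET, canonical(body), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected_mac, resp["mac"]):
        return False
    # 2. Freshness: the answer must echo the nonce we just generated.
    if body.get("nonce") != nonce:
        return False
    # 3. Outcome and content: the verifier must confirm this receipt, for this product.
    if body.get("status") != 0 or body.get("receipt_id") != receipt_id:
        return False
    receipt = body.get("receipt") or {}
    return (receipt.get("product_id") == expected_product
            and receipt.get("bundle_id") == expected_bundle)


if __name__ == "__main__":
    args = ("rcpt-0001", "com.example.coins100", "com.example.game")
    print("naive, impostor endpoint:", naive_validate(impostor_verifier, "rcpt-9999"))
    print("secret, impostor endpoint:", validate_with_secret(impostor_verifier, "rcpt-9999", *args[1:]))
    print("secret, genuine endpoint:", validate_with_secret(genuine_verifier, *args))
```

The three checks in `validate_with_secret` map onto the three ways a validator can be fooled: an answer from the wrong party (the MAC check), a genuine answer captured earlier and served again (the nonce check), and a genuine answer for some other receipt or product (the content check). Checking product and bundle identifiers matters even against the real verifier, because "this receipt is valid" says nothing about whether it is valid for the item the app is about to unlock.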