SecurityWeek

Mobile & Wireless

Apple Helps Developers Address In-App Purchasing Bypass

Apple says it has fixed a business logic flaw that allowed consumers to bypass In-App Purchasing (IAP) on iOS. In a developer note, Apple calls the bypass a vulnerability and offers application developers guidance on addressing the issue.

Last week, SecurityWeek reported that Apple was investigating reports that a Russian researcher had developed a Man-in-the-Middle attack that let users bypass IAP in some applications. While Apple is now calling the issue a vulnerability, it is closer to a business logic flaw: the app's own purchase-confirmation logic is what gets abused.

The IAP bypass does not let consumers download or otherwise obtain paid applications free of charge. Instead, it turns the developer's internal purchasing routines and receipt-confirmation processing against the developer, so that an in-app item is unlocked without the App Store ever having been paid.

The affected apps assume that an IAP is legitimate if the receipt-verification reply arrives over an SSL connection from what looks like the App Store. A user running the bypass therefore installs the CA controlled by in-appstore.com on the device, trusts it, and then installs a certificate for *.itunes.apple.com signed by that CA. The user also changes the device's DNS settings so the app's verification requests reach the bypass server instead of Apple, and that server answers with a reply the app accepts as proof of purchase. Once these steps are complete, the IAP bypass works.

Apple has warned developers that if an app validates IAP receipts by connecting to the App Store directly from the app itself, the bypass will work against it. The developer note says the issue is fixed in iOS 6, while iOS 5.1 and earlier remain vulnerable. Apple has also advised developers to check that the connection to the App Store presents a proper SSL certificate, an EV certificate rather than a DV one, rather than simply trusting whatever the device's trust store accepts.
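The following is an added example, written for this page; it is not Apple's developer-note code, SecurityWeek's, or Borodin's tool. It shows why the CA-plus-DNS steps above work and what the guidance changes. `weak_validate` is the check the bypass defeats: any JSON reply with status 0 from something that looks like the App Store is accepted, and once the device trusts in-appstore.com's CA and DNS points at its server, every reply looks that way. `hardened_validate` applies the checks a developer's own server should make on the reply: status, bundle ID and product ID against the purchase actually requested, and one-time use of the transaction ID so a recorded receipt cannot be replayed. `pinned_tls_context` builds a TLS context that trusts only a CA bundle you ship, not the device or OS trust store. The bundle ID, product ID, transaction IDs and both replies are constructed for the example; the field names follow the iOS 5-era verifyReceipt JSON layout (`bid`, `product_id`, `transaction_id`).

```python
import json
import ssl

# Purchase the app actually asked the App Store for (what SKPayment held in
# the real app). Both identifiers are assumed values for this example.
EXPECTED_BUNDLE_ID = "com.example.coinrush"
EXPECTED_PRODUCT_ID = "com.example.coinrush.coins100"

# Constructed reply of the shape the real verifyReceipt endpoint returned for
# this purchase (iOS 5-era layout).
GENUINE_RESPONSE = json.dumps({
    "status": 0,
    "receipt": {
        "bid": "com.example.coinrush",
        "bvrs": "1.2",
        "product_id": "com.example.coinrush.coins100",
        "transaction_id": "1000000012345678",
        "quantity": "1",
    },
})

# Constructed reply of the kind a bypass server hands back: status 0 and a
# real-looking receipt, but one recorded from some other app and purchase.
CANNED_RESPONSE = json.dumps({
    "status": 0,
    "receipt": {
        "bid": "com.other.freegame",
        "bvrs": "3.0",
        "product_id": "com.other.freegame.gems",
        "transaction_id": "1000000099999999",
        "quantity": "1",
    },
})


def weak_validate(response_text: str) -> bool:
    """The check the bypass defeats: status 0 over a 'trusted' TLS connection
    is taken as proof of purchase. The connection is the problem: the device
    trust store now contains the bypass CA, so the fake server passes."""
    return json.loads(response_text).get("status") == 0


def hardened_validate(response_text, expected_bundle_id, expected_product_id,
                      seen_transaction_ids):
    """Server-side checks per Apple's guidance. Returns (ok, reason) and adds
    the transaction ID to seen_transaction_ids only when every check passes."""
    try:
        body = json.loads(response_text)
    except ValueError:
        return False, "unparseable response"
    if body.get("status") != 0:
        return False, "status %r" % body.get("status")
    receipt = body.get("receipt")
    if not isinstance(receipt, dict):
        return False, "no receipt object"
    # The receipt must be for this app and this product, not any status-0 receipt.
    if receipt.get("bid") != expected_bundle_id:
        return False, "bundle id mismatch"
    if receipt.get("product_id") != expected_product_id:
        return False, "product id mismatch"
    # One receipt is proof of one purchase: the same transaction ID must not
    # unlock content twice, which blocks replay of a once-genuine receipt.
    txn = receipt.get("transaction_id")
    if not txn:
        return False, "missing transaction id"
    if txn in seen_transaction_ids:
        return False, "transaction id replayed"
    seen_transaction_ids.add(txn)
    return True, "ok"


def pinned_tls_context(ca_bundle_path: str) -> ssl.SSLContext:
    """TLS context for the verification endpoint that trusts only the CA
    bundle at ca_bundle_path (shipped with the code), never the device or OS
    trust store a user can add in-appstore.com's CA to."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.check_hostname = True
    ctx.load_verify_locations(cafile=ca_bundle_path)  # deliberately no load_default_certs()
    return ctx


def demo():
    """Run both validators over the constructed replies and return the results."""
    seen = set()
    args = (EXPECTED_BUNDLE_ID, EXPECTED_PRODUCT_ID, seen)
    return {
        "weak_accepts_genuine": weak_validate(GENUINE_RESPONSE),
        "weak_accepts_canned": weak_validate(CANNED_RESPONSE),
        "hardened_genuine": hardened_validate(GENUINE_RESPONSE, *args),
        "hardened_canned": hardened_validate(CANNED_RESPONSE, *args),
        "hardened_replay": hardened_validate(GENUINE_RESPONSE, *args),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

`weak_validate` accepts both constructed replies, which is the whole bypass. `hardened_validate` rejects the canned reply on the bundle ID before it ever looks at the product, and rejects the genuine reply the second time it is presented. The `seen_transaction_ids` set has to live on the developer's server, not in the app, since anything on the device is under the user's control; the same goes for the CA bundle handed to `pinned_tls_context`.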

Despite Apple's fixes, Alexey Borodin, the researcher who discovered the IAP bypass, updated the process to keep it alive and began offering an application that makes it work on Mac OS X as well. Early Monday morning, however, he told his followers online that the jig is up.

“By examining last apple’s statement about in-app purchases in iOS 6, I can say, that currently game is over. Currently we have no way to bypass updated APIs. It’s a good news for everyone, we have updated security in iOS, developers have their air-money. But, service will still remain operational until iOS 6 comes out,” Borodin wrote.

As was the case before Apple's mitigations, the IAP bypass does not always work. Even so, there are dozens of success stories on the Web and in the comments on in-appstore.com.
