Apple has said they’ve fixed a business logic flaw that allowed consumers to bypass In-App Purchasing (IAP) on iOS. In a developer note, Apple calls the bypass a vulnerability and offers application developers guidance on addressing the issue.
Last week, SecurityWeek reported the news that Apple was investigating reports that a Russian researcher had developed a type of Man-in-the-Middle attack, which allowed users to bypass IAP on some applications. While Apple is now calling this issue a vulnerability, it is closer to a business logic flaw.
The IAP bypass does not allow consumers to download or otherwise obtain applications free of charge; rather it allows them to use the app developer’s internal purchasing routines and confirmation processing against themselves.
The app assumes that an IAP request is legit if it authenticates as an SSL certificate from the App Store, so those using the IAP bypass simply install the CA that is controlled by in-appstore.com, trust it, and then install a certificate signed by that CA – *itunes.apple.com. From there, the user will also need to alter the iDevice’s DNS settings. Once these steps are complete, the IAP bypass will work.
Apple has warned developers that if they are attempting to validate IAPs by connecting to the App Store directly from the app itself, the IAP bypass will work. The developer note explains that the issue is fixed in iOS 6, but iOS versions 5.1 and earlier are still vulnerable. In addition, Apple has also advised app developers to ensure they are using proper SSL certificates, such as EV certificates rather than DV.
Despite Apple’s fixes, Alexey Borodin, the researcher who discovered the IAP bypass in the first place, has updated the process to not only keep it alive, but has started offering an application that allows it to work on Mac OS X. Early Monday morning however, he told his followers online that the jig is up.
“By examining last apple’s statement about in-app purchases in iOS 6, I can say, that currently game is over. Currently we have no way to bypass updated APIs. It’s a good news for everyone, we have updated security in iOS, developers have their air-money. But, service will still remain operational until iOS 6 comes out,” Borodin wrote.
As was the case before Apple’s mitigations – the IAP bypass doesn’t always work. However, there are dozens of success stories on the Web and within the comments on in-appstore.com.
More from Steve Ragan
- Anonymous Claims Attack on IP Surveillance Firm Brickcom, Leaks Customer Data
- Workers Don’t Trust Employers with Personal Data: Survey
- Root SSH Key Compromised in Emergency Alerting Systems
- Morningstar Data Breach Impacted 184,000 Clients
- Microsoft to Patch Seven Flaws in July’s Patch Tuesday
- OpenX Addresses New Security Flaws with Latest Update
- Ubisoft Breached: Users Urged to Change Passwords
- Anonymous Targets Anti-Anonymity B2B Firm Relead.com
Latest News
- Chrome 114 Released With 18 Security Fixes
- Organizations Warned of Backdoor Feature in Hundreds of Gigabyte Motherboards
- Breaking Enterprise Silos and Improving Protection
- Spyware Found in Google Play Apps With Over 420 Million Downloads
- Millions of WordPress Sites Patched Against Critical Jetpack Vulnerability
- Barracuda Zero-Day Exploited to Deliver Malware for Months Before Discovery
- PyPI Enforcing 2FA for All Project Maintainers to Boost Security
- Personal Information of 9 Million Individuals Stolen in MCNA Ransomware Attack
