Apple has said they’ve fixed a business logic flaw that allowed consumers to bypass In-App Purchasing (IAP) on iOS. In a developer note, Apple calls the bypass a vulnerability and offers application developers guidance on addressing the issue.
Last week, SecurityWeek reported the news that Apple was investigating reports that a Russian researcher had developed a type of Man-in-the-Middle attack, which allowed users to bypass IAP on some applications. While Apple is now calling this issue a vulnerability, it is closer to a business logic flaw.
The IAP bypass does not allow consumers to download or otherwise obtain applications free of charge; rather, it lets them turn the app developer’s own in-app purchasing and confirmation routines against the developer, so that content normally sold inside the app is unlocked without a payment ever reaching Apple.
The app assumes that a purchase is legitimate if the App Store verification server it reaches over SSL says so, and iOS trusts any root CA the device owner installs. Those using the IAP bypass therefore install the CA certificate controlled by in-appstore.com, trust it, and then install a certificate signed by that CA for *itunes.apple.com, which matches the hostname the app verifies against. From there, the user also alters the iDevice’s DNS settings so that the Apple hostname resolves to the in-appstore.com server, which simply answers every verification request with a “valid” receipt. Once these steps are complete, the IAP bypass works.
Apple has warned developers that if they validate IAPs by connecting to the App Store directly from the app itself, and accept whatever the server at the other end of the connection returns, the IAP bypass will work. The developer note explains that the issue is fixed in iOS 6, but iOS versions 5.1 and earlier are still vulnerable. In addition, Apple has advised app developers to check that the server presents a proper SSL certificate, such as an EV certificate rather than a DV one, instead of trusting any certificate the device happens to accept.
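The following is an added example, not Apple’s sample code and not anything published by in-appstore.com. It models the two ways an app of the time could treat the JSON answer from the App Store verification endpoint: the naive check the bypass defeats (any response with status 0 is believed) and a validator that pins the server certificate’s issuer, checks the hostname, and cross-checks the receipt against the app’s own bundle id, product id and previously seen transaction ids. The bundle id, product id, issuer name and both sample responses are constructed for the example; the receipt field names follow the old-style verifyReceipt JSON (status, receipt.bid, receipt.product_id, receipt.transaction_id), and the certificate dictionaries use the tuple-of-tuples shape that Python’s ssl.getpeercert() returns.

```python
"""Receipt validation: the naive check versus the checks Apple's note asks for.

Everything below is constructed for illustration. No network access is made;
the 'server responses' and 'peer certificates' are literals standing in for
what an app would receive over its SSL connection.
"""
import json

EXPECTED_BUNDLE_ID = "com.example.game"        # assumption: this app's bundle id
EXPECTED_PRODUCT_ID = "com.example.game.coins100"  # assumption: the product being bought
EXPECTED_HOST = "buy.itunes.apple.com"         # host of the App Store verification endpoint
PINNED_ISSUER_CN = "Example Public CA G2"      # assumption: issuer of the genuine server cert

# Constructed: what the genuine verification server returns for a real purchase.
GENUINE_RESPONSE = json.dumps({
    "status": 0,
    "receipt": {
        "bid": "com.example.game",
        "product_id": "com.example.game.coins100",
        "transaction_id": "1000000012345678",
    },
})

# Constructed: what a spoofed server, reached through the user-installed CA and the
# DNS change, returns. Status is 0, but the receipt was never issued for this app.
SPOOFED_RESPONSE = json.dumps({
    "status": 0,
    "receipt": {
        "bid": "com.someoneelse.app",
        "product_id": "com.someoneelse.app.unlock",
        "transaction_id": "1",
    },
})

# Constructed peer certificates in ssl.getpeercert() shape. The spoofed one carries a
# wildcard subject that matches the Apple hostname, but is signed by the attacker's CA.
GENUINE_CERT = {
    "subject": ((("commonName", "buy.itunes.apple.com"),),),
    "issuer": ((("commonName", "Example Public CA G2"),),),
}
SPOOFED_CERT = {
    "subject": ((("commonName", "*.itunes.apple.com"),),),
    "issuer": ((("commonName", "in-appstore.com"),),),
}


def _common_name(name):
    """Pull commonName out of the tuple-of-tuples form used by ssl.getpeercert()."""
    for rdn in name:
        for key, value in rdn:
            if key == "commonName":
                return value
    return None


def hostname_matches(cn, host):
    """Minimal wildcard match: '*.itunes.apple.com' covers 'buy.itunes.apple.com'.
    This is the check the bypass certificate is deliberately crafted to satisfy."""
    if cn is None:
        return False
    if cn.startswith("*.") and "." in host:
        return host.split(".", 1)[1] == cn[2:]
    return cn == host


def naive_is_valid(response_json):
    """The pattern the developer note warns about: ask the server from the app
    itself and believe any answer whose status is 0. Accepts the spoofed reply."""
    return json.loads(response_json).get("status") == 0


class ReceiptValidator:
    """Validator applying the extra checks: pinned issuer, hostname, bundle id,
    product id, and a record of transaction ids already redeemed on this device."""

    def __init__(self, bundle_id, pinned_issuer_cn, host):
        self.bundle_id = bundle_id
        self.pinned_issuer_cn = pinned_issuer_cn
        self.host = host
        self.seen_transactions = set()

    def check_peer_cert(self, peer_cert):
        """Reject any certificate not issued by the pinned CA, even if its
        subject matches the hostname. Returns (ok, reason)."""
        subject_cn = _common_name(peer_cert.get("subject", ()))
        issuer_cn = _common_name(peer_cert.get("issuer", ()))
        if not hostname_matches(subject_cn, self.host):
            return False, "hostname mismatch: %r" % subject_cn
        if issuer_cn != self.pinned_issuer_cn:
            return False, "unexpected issuer %r" % issuer_cn
        return True, "ok"

    def validate(self, response_json, expected_product_id, peer_cert):
        """Full check of one verification round trip. Returns (ok, reason)."""
        ok, reason = self.check_peer_cert(peer_cert)
        if not ok:
            return False, reason
        data = json.loads(response_json)
        if data.get("status") != 0:
            return False, "status %r" % data.get("status")
        receipt = data.get("receipt", {})
        if receipt.get("bid") != self.bundle_id:
            return False, "receipt belongs to another app"
        if receipt.get("product_id") != expected_product_id:
            return False, "receipt is for a different product"
        tid = receipt.get("transaction_id")
        if not tid or tid in self.seen_transactions:
            return False, "missing or replayed transaction id"
        self.seen_transactions.add(tid)  # a receipt unlocks content once
        return True, "ok"


if __name__ == "__main__":
    v = ReceiptValidator(EXPECTED_BUNDLE_ID, PINNED_ISSUER_CN, EXPECTED_HOST)
    print("naive accepts spoofed reply:", naive_is_valid(SPOOFED_RESPONSE))
    print("strict, spoofed cert:", v.validate(GENUINE_RESPONSE, EXPECTED_PRODUCT_ID, SPOOFED_CERT))
    print("strict, genuine:", v.validate(GENUINE_RESPONSE, EXPECTED_PRODUCT_ID, GENUINE_CERT))
```

The spoofed certificate passes the hostname check, which is the only check the naive path performs implicitly through the system trust store; it fails only because the issuer is pinned. Even with a forged certificate ruled out, the bundle id, product id and transaction id checks matter on their own: a generic “valid” receipt, or one replayed from an earlier purchase, is refused without any reliance on the transport.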
Despite Apple’s fixes, Alexey Borodin, the researcher who discovered the IAP bypass in the first place, has updated the process not only to keep it alive but also to offer an application that makes it work on Mac OS X. Early Monday morning, however, he told his followers online that the jig is up.
“By examining Apple’s last statement about in-app purchases in iOS 6, I can say that currently the game is over. Currently we have no way to bypass updated APIs. It’s good news for everyone: we have updated security in iOS, developers have their air-money. But the service will still remain operational until iOS 6 comes out,” Borodin wrote.
As was the case before Apple’s mitigations, the IAP bypass doesn’t always work, since it depends on how a given app validates its purchases. However, there are dozens of success stories on the Web and within the comments on in-appstore.com.