Apple losing cat and mouse battle with hacker
A Russian programmer who released a hack allowing iOS users to steal paid app content has thwarted Apple's attempts to fix the flaw.
Australian app developers say the exploit is concerning and could limit the ability of app makers to earn money from their apps.
Alexey Borodin published a video on YouTube outlining how users could avoid paying for in-app purchases without even having to gain root access to the system. All they needed to do was install two security certificates and change the DNS settings on their device.
Many of the most successful apps on the App Store are free but offer users the ability to pay small amounts to unlock extra bells and whistles from within the app. If enough iPhone, iPad and iPod Touch users cotton on to the flaw it could result in a serious dent to app developer revenue.
Borodin has said he believes once users have an app on their device they should not be forced to pay to unlock new features.
Apple quickly mobilised to shut down the hack. It succeeded in getting the first instructional video removed from YouTube on copyright grounds but this was quickly replaced with a new version.
Apple has also blocked the IP address of the server used by Borodin to implement the hack, and convinced the host in Russia to shut down his service. It worked with PayPal to prevent him from receiving donations.
But Borodin has responded by moving the server to a new location that is harder for Apple to reach and he now accepts donations using the anonymous Bitcoin service.
The hack works by placing Borodin's server in between the device and Apple - intercepting incoming purchase requests from the iOS device. But now Borodin has tightened up the exploit to avoid interacting with the App Store, making it even harder for Apple to shut down.
It has been so popular (mediating over 30,000 "purchases" at last count) that, according to Borodin, he can't afford to pay for the bandwidth required to keep the exploit running much longer, which is why he has been asking for donations.
Apple recently released iOS 6 beta 3 to developers, but the patch didn't block Borodin's exploit.
Australian app developer Mathew Peterson warned users not to install the hack.
"As you are using a third-party DNS server there's potential for private information, such as banking details, to be intercepted and stolen," he said.
"This Russian guy doesn't seem the most scrupulous fellow so far!"
But Borodin claims in his "terms of service" document that he collects no data and users do not have to enter their Apple ID and password to use the exploit.
"We collecting no data. Even if you requested to enter password to your account while you are using in-appstore.com, enter something that is not your password. For example, 1234," the terms of service reads.
The exploit doesn't work with all apps, but it does work with many popular ones such as Temple Run. Developers can reportedly get around the exploit by releasing new versions of their apps that use their own web servers, not Apple, to validate receipts.
But many developers have avoided validating receipts themselves as this increases costs.
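A sketch of the server-side receipt check described above, added here as an illustration and not taken from the article or from Apple: the developer's server asks the store about the receipt over its own connection, which the certificates and DNS settings on the device cannot influence, and unlocks content only if the reply matches the expected app, product and an unused transaction. The bundle and product identifiers, the reply field names (`status`, `bid`, `product_id`, `transaction_id`) and the `verify_with_store` callable are assumptions, and `fake_store` is a constructed offline stand-in.

```python
import base64
import json

EXPECTED_BUNDLE_ID = "com.example.game"          # hypothetical app identifier
KNOWN_PRODUCTS = {"com.example.game.coins100"}   # hypothetical in-app product
_seen_transactions = set()                       # a database table in production


def grant_purchase(receipt_b64, verify_with_store):
    """Return (granted, reason) for a receipt uploaded by the app.

    verify_with_store is an assumed callable: it sends the receipt from this
    server to the store's verification endpoint, using the server's own DNS
    and TLS trust store, and returns the parsed JSON reply as a dict.
    """
    try:
        base64.b64decode(receipt_b64, validate=True)
    except (ValueError, TypeError):
        return False, "malformed receipt"
    reply = verify_with_store(receipt_b64)
    if reply.get("status") != 0:                 # assumed: 0 means valid
        return False, "store rejected receipt"
    receipt = reply.get("receipt", {})
    if receipt.get("bid") != EXPECTED_BUNDLE_ID:
        return False, "receipt is for another app"
    if receipt.get("product_id") not in KNOWN_PRODUCTS:
        return False, "unknown product"
    txn = receipt.get("transaction_id")
    if not txn or txn in _seen_transactions:     # block receipt replay
        return False, "missing or replayed transaction"
    _seen_transactions.add(txn)
    return True, "ok"


def fake_store(receipt_b64):
    """Constructed stand-in for the store's reply so the example runs offline."""
    body = json.loads(base64.b64decode(receipt_b64))
    if body.get("genuine"):
        return {"status": 0, "receipt": body["fields"]}
    return {"status": 1}                         # constructed non-zero status
```
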
Security firm Trend Micro told The Guardian that Apple should compensate developers for costs incurred as a result of the exploit.
Robert Kawalsky, the Australian founder of the Tonight! app, which doesn't use in-app purchasing, said many developers relied on in-app purchases to make their apps financially viable and they relied on Apple for security and payment processing.
"This bug is certainly a concern for the developer community," he said.
Kawalsky compared the situation to downloading music. Consumers can choose to pay, but with a little effort and risk of being exposed to viruses, they can also download songs illegally for free.
"As with illegal music downloads, until Apple fixes this bug - which I don't doubt they will - consumers will be the final arbiters," he said.
Apple has said it is "investigating" but has so far refused to comment further.
The issue brings back memories of DVD Jon, the Norwegian hacker who released software that allows users to bypass iTunes.