Earlier this month, hacker Alexey V. Borodin discovered a method that allows some iOS app users to make "In-App Purchases" for FREE. Because Apple does not link purchases directly to individual customers or devices, a single receipt can be used for multiple transactions. Borodin's method takes advantage of this fact by fooling iOS apps into accepting fake purchase receipts and bypassing Apple’s authentication servers.
In addition to iOS apps, Alexey V. Borodin has recently extended the method so that users can gain free access to "in-app purchases" from Mac App Store apps as well. This has prompted Apple to provide a new set of instructions and best practices to follow so that iOS apps will not be affected by the "in-app purchase" exploit.
According to Apple, iOS 6 will address this vulnerability. For older versions of iOS, however, Apple recommends that apps validate receipts by "sending the receipt to your server, and have your server perform the validation with the App Store server." Per Apple, if the iOS app instead connects to the App Store server directly from the device, then the following steps should be taken:
- Check that the SSL certificate used to connect to the App Store server is an EV certificate.
- Check that the information returned from validation matches the information in the SKPayment object.
- Check that the receipt has a valid signature.
- Check that new transactions have a unique transaction ID.
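The server-side route Apple recommends, together with the last two checks in the list (the returned data must match the purchase, and each transaction ID must be accepted only once), can be expressed in a small validator. The following is an added example, not Apple's code and not from the article; it assumes the documented `verifyReceipt` JSON response shape (`status`, and `receipt` with `bid`, `product_id` and `transaction_id`), and all receipts and App Store responses below are constructed so the example runs offline.

```python
import base64
import json
import urllib.request

# Apple's production receipt-verification endpoint. Calling it from our own
# server (never from the device) means a spoofed App Store reachable from the
# phone cannot hand the app a forged "valid" answer.
APP_STORE_VERIFY_URL = "https://buy.itunes.apple.com/verifyReceipt"


def verify_with_app_store(receipt_b64, url=APP_STORE_VERIFY_URL):
    """POST the base64 receipt to Apple and return the decoded JSON reply."""
    body = json.dumps({"receipt-data": receipt_b64}).encode()
    req = urllib.request.Request(
        url, data=body, headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.loads(resp.read().decode())


class ReceiptValidator:
    """Validates receipts on the server and refuses replayed transaction IDs."""

    def __init__(self, bundle_id, verify=verify_with_app_store):
        self.bundle_id = bundle_id
        self.verify = verify            # injectable so tests need no network
        self.seen_transactions = set()  # persist this in a database in production

    def validate(self, receipt_b64, expected_product_id):
        """Return (accepted, reason) for one purchase attempt."""
        try:
            base64.b64decode(receipt_b64, validate=True)
        except ValueError:
            return False, "receipt is not valid base64"

        result = self.verify(receipt_b64)
        if result.get("status") != 0:
            return False, "App Store rejected receipt (status %s)" % result.get("status")

        receipt = result.get("receipt", {})
        # The returned data must match what the app believes it sold
        # (the SKPayment object's product and this app's bundle ID).
        if receipt.get("bid") != self.bundle_id:
            return False, "receipt belongs to another app"
        if receipt.get("product_id") != expected_product_id:
            return False, "product_id does not match the purchase"

        # A genuine receipt presented a second time is the replay the
        # exploit relies on: one transaction ID unlocks content once only.
        tx = receipt.get("transaction_id")
        if not tx:
            return False, "missing transaction_id"
        if tx in self.seen_transactions:
            return False, "transaction_id already redeemed (replay)"
        self.seen_transactions.add(tx)
        return True, "ok"


# Constructed stand-ins for Apple's replies so the example runs offline.
GOOD_RECEIPT = base64.b64encode(b"constructed-receipt-1").decode()
FORGED_RECEIPT = base64.b64encode(b"constructed-receipt-forged").decode()
CONSTRUCTED_RESPONSES = {
    GOOD_RECEIPT: {
        "status": 0,
        "receipt": {"bid": "com.example.game",
                    "product_id": "com.example.game.coins100",
                    "transaction_id": "1000000012345678"},
    },
    # A receipt Apple never issued: the real server answers with a nonzero status.
    FORGED_RECEIPT: {"status": 21002},
}


def stub_verify(receipt_b64):
    """Offline replacement for verify_with_app_store using constructed replies."""
    return CONSTRUCTED_RESPONSES.get(receipt_b64, {"status": 21002})


def demo():
    """Run four purchase attempts and return their (accepted, reason) results."""
    v = ReceiptValidator("com.example.game", verify=stub_verify)
    return [
        v.validate(GOOD_RECEIPT, "com.example.game.coins100"),   # accepted
        v.validate(GOOD_RECEIPT, "com.example.game.coins100"),   # replay, rejected
        v.validate(GOOD_RECEIPT, "com.example.game.coins500"),   # wrong product
        v.validate(FORGED_RECEIPT, "com.example.game.coins100"), # not issued by Apple
    ]


if __name__ == "__main__":
    for accepted, reason in demo():
        print(accepted, reason)
```

The device-side checks in the list (EV certificate and receipt signature) are deliberately not part of this example; they only matter when the app talks to the App Store itself, and moving verification to your own server removes the device's view of the App Store from the trust decision altogether.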
To help developers prevent the "In-App Purchase" exploit from affecting their applications, Apple has also made available two previously private APIs, noting in its sample code:
"Note: This listing uses the symbols kSecTrustInfoExtendedValidationKey and SecTrustCopyInfo, which are not public API. Your app is allowed to use them for this specific purpose."
Most app developers, particularly game developers, rely on in-app purchases as a source of income. It is therefore very important that vulnerabilities like this one are addressed by app developers themselves and not only in future versions of iOS.