Russian hacker takes iOS in-app purchasing for a ride; Apple’s response middle-of-the-road

In a feint that has galvanized the Apple community and exposed an apparent flaw in the iOS, a Russian hacker has dodged official in-app purchase procedures and conned Apple’s App Store into letting him get paid content for free, Macworld magazine reports.

Upon completing his hack last week, Alexey Borodin, the developer of the procedure, took an altruistic stance and “blessed’ all iOS users with a detailed “do-it-yourself” guide posted in his blog, In-Appstore.com, and replicated in Russian on Iguides.ru. Borodin also placed a video with exhaustive instructions on YouTube.

For the whiz kid’s followers, his modus operandi is simple. All it takes to enjoy free in-app purchases is installing two phony certificates, links to which Borodin provides in his guide, on one’s mobile device and then registering a specially-crafted DNS server in one’s Wi-Fi connection settings. The scam dupes applications into a belief they are communicating with the legitimate App Store, linking them instead to a “great pretender” — a site that passes itself off as the App Store.

The sham then “validates” a purchase by generating spoofed code receipts (which the reconfigured iOS device mistakes for authentic ones coming directly from Apple), and then signals to a respective application to give the “buyer” access to ostensibly paid content.

A user seeking free content takes certain risks, since the bogus server requires that all the same personal data be sent as would be required for a legitimate transaction. On his site, the Russian hacker claims he never steals banking card funds nor keeps users’ personal information, but verification of that appears to be impossible.

Unlike many reverse engineering products, Borodin’s hoax doesn’t call for cracking a system or installing any additional apps, nor does it alter any code. According to Macworld, the technique works with the 3.0 through 6.0 beta versions.

Beginning on July 13, Apple took action to stop the con. At least one of the servers that powered Borodin’s “philanthropy” is reportedly down, and the YouTube video has been removed. According to TNW, Alexey Borodin isn’t hiding. He claims to condemn piracy and says he is ready to cooperate as soon as Apple contacts him, which apparently it has not done. He has purportedly given up updating In-Appstore.com and hopes Apple “will hire” him for his skills.

Topics: E-Commerce, Intellectual property, International, Internet, Legal, News, Payment & banking technologies
Scroll to Top

This site is under maintenance. Sorry for the inconvenience.

This site is under maintenance. Sorry for the inconvenience.