Apple suggests temporary fix for in-app purchase fraud

Developers can follow these steps to ensure in-app payments register.

Apple has confirmed exactly how people are exploiting in-app purchases to make money illegally, The Verge reports. It's also suggested some ways to stop them doing so, in a document for app developers.

So read on if you thought Android was the only mobile OS plagued by scams.

The problem concerns in-app purchases. The bad guys have found a way to pretend to be the App Store server, letting people make in-app purchases without actually paying, screwing Apple and the app makers out of their earnings.

The problem is in iOS 5.1 and earlier, but Apple has promised it'll be fixed in iOS 6 .

"A vulnerability has been discovered in iOS 5.1 and earlier related to validating in-app purchase receipts by connecting to the App Store server directly from an iOS device," reads the document.

"An attacker can alter the DNS table to redirect these requests to a server controlled by the attacker. Using a certificate authority controlled by the attacker and installed on the device by the user, the attacker can issue a SSL certificate that fraudulently identifies the attacker's server as an App Store server.

"When this fraudulent server is asked to validate an invalid receipt, it responds as if the receipt were valid."

So what can developers do? Apple suggests they validate purchases from their own servers instead of from the device. It also has a few fixes for developers who don't use their own servers.

These are just temporary solutions, however. Apple says iOS 6 will right this once and for all.

Earlier this month, the usually Fort Knox-like App Store was hit by its first malware app . Called 'Find and Call', it secretly uploaded your contacts to a remote server. A rogue server also caused some bona fide apps like Instapaper to malfunction, rendering them unusable. Malware and dodgy apps are nothing new on the Google Play store, which has no verification process. But Apple prides itself on its stringent security.

Has the Cupertino company's reputation been besmirched? Let me know in the comments or on Facebook.

Tags:
Software
About the author

    Joe has been writing about consumer tech for nearly seven years now, but his liking for all things shiny goes back to the Gameboy he received aged eight (and that he still plays on at family gatherings, much to the annoyance of his parents). His pride and joy is an Infocus projector, whose 80-inch picture elevates movie nights to a whole new level.

     

    Join the discussion

    Conversation powered by Livefyre

    Don't Miss
    Hot Products
    Trending on CNET

    HOT ON CNET

    Need a digital detox?

    Not everything has to be shared on the Internet. Our experts at The Fix help you take control of what you share online.