Apple suggests temporary fix for in-app purchase fraud
Developers can follow these steps to ensure in-app payments register.
Apple has confirmed exactly how people are exploiting in-app purchases to make money illegally, The Verge reports. It's also suggested some ways to stop them doing so, in a document for app developers.
So read on if you thought Android was the only mobile OS plagued by scams.
The problem concerns in-app purchases. The bad guys have found a way to pretend to be the App Store server, letting people make in-app purchases without actually paying, screwing Apple and the app makers out of their earnings.
The problem is in iOS 5.1 and earlier, but Apple has promised it'll be fixed in.
"A vulnerability has been discovered in iOS 5.1 and earlier related to validating in-app purchase receipts by connecting to the App Store server directly from an iOS device," reads the document.
"An attacker can alter the DNS table to redirect these requests to a server controlled by the attacker. Using a certificate authority controlled by the attacker and installed on the device by the user, the attacker can issue a SSL certificate that fraudulently identifies the attacker's server as an App Store server.
"When this fraudulent server is asked to validate an invalid receipt, it responds as if the receipt were valid."
So what can developers do? Apple suggests they validate purchases from their own servers instead of from the device. It also has a few fixes for developers who don't use their own servers.
These are just temporary solutions, however. Apple says iOS 6 will right this once and for all.
Earlier this month, the usually Fort Knox-like App Store was hit by its. Called 'Find and Call', it secretly uploaded your contacts to a remote server. A also caused some bona fide apps like Instapaper to malfunction, rendering them unusable. Malware and dodgy apps are nothing new on the Google Play store, which has no verification process. But Apple prides itself on its stringent security.
Has the Cupertino company's reputation been besmirched? Let me know in the comments or on Facebook.