
Apple suggests temporary fix for in-app purchase fraud

Developers can follow these steps to ensure in-app payments register.

Joe Svetlik Reporter

Apple has confirmed exactly how people are exploiting in-app purchases to make money illegally, The Verge reports. It's also suggested some ways to stop them doing so, in a document for app developers.

So read on if you thought Android was the only mobile OS plagued by scams.

The problem concerns in-app purchases. The bad guys have found a way to pretend to be the App Store server, letting people make in-app purchases without actually paying, screwing Apple and the app makers out of their earnings.

The problem is in iOS 5.1 and earlier, but Apple has promised it'll be fixed in iOS 6.

"A vulnerability has been discovered in iOS 5.1 and earlier related to validating in-app purchase receipts by connecting to the App Store server directly from an iOS device," reads the document.

"An attacker can alter the DNS table to redirect these requests to a server controlled by the attacker. Using a certificate authority controlled by the attacker and installed on the device by the user, the attacker can issue an SSL certificate that fraudulently identifies the attacker's server as an App Store server.

"When this fraudulent server is asked to validate an invalid receipt, it responds as if the receipt were valid."

So what can developers do? Apple suggests they validate purchases from their own servers instead of from the device. It also has a few fixes for developers who don't use their own servers.
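As an added illustration of the server-side validation Apple recommends (example code written for this article, not Apple's document or any developer's own implementation), the following checks a receipt from the developer's server rather than the device. The endpoint URL and the response field names (`status`, `receipt.bid`, `receipt.product_id`, `receipt.transaction_id`) are assumed from Apple's receipt verification service; the bundle, product and transaction values are constructed samples.

```python
import json
import urllib.request

# Assumed: Apple's receipt verification endpoint and the JSON shape it returns
# ({"status": 0, "receipt": {"bid": ..., "product_id": ..., "transaction_id": ...}}).
VERIFY_URL = "https://buy.itunes.apple.com/verifyReceipt"


class ReceiptInvalid(Exception):
    """Raised when a receipt must not unlock content."""


def validate_response(response, expected_bundle_id, expected_product_id, seen_transactions):
    """Accept a verification response only when every field matches what this
    app actually sold. A bare status of 0 is exactly what the fraudulent server
    in the article answers, so status alone is never sufficient."""
    if response.get("status") != 0:
        raise ReceiptInvalid("store reported status %r" % response.get("status"))
    receipt = response.get("receipt") or {}
    if receipt.get("bid") != expected_bundle_id:
        raise ReceiptInvalid("receipt belongs to another app")
    if receipt.get("product_id") != expected_product_id:
        raise ReceiptInvalid("receipt is for a different product")
    tx = receipt.get("transaction_id")
    if not tx:
        raise ReceiptInvalid("receipt has no transaction id")
    if tx in seen_transactions:  # the same receipt presented a second time
        raise ReceiptInvalid("transaction %s already redeemed" % tx)
    seen_transactions.add(tx)
    return tx


def verify_on_server(receipt_b64, expected_bundle_id, expected_product_id,
                     seen_transactions, post=None):
    """Run on the developer's own server: its DNS resolution and CA trust store
    are not under the device user's control, so the redirect described in the
    article cannot steer this request. `post` is injectable for offline tests."""
    body = json.dumps({"receipt-data": receipt_b64}).encode()
    if post is None:
        def post(url, data):
            req = urllib.request.Request(url, data=data,
                                         headers={"Content-Type": "application/json"})
            with urllib.request.urlopen(req, timeout=10) as resp:
                return resp.read()
    response = json.loads(post(VERIFY_URL, body))
    return validate_response(response, expected_bundle_id, expected_product_id,
                             seen_transactions)
```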

These are just temporary solutions, however. Apple says iOS 6 will right this once and for all.

Earlier this month, the usually Fort Knox-like App Store was hit by its first malware app. Called 'Find and Call', it secretly uploaded your contacts to a remote server. A rogue server also caused some bona fide apps like Instapaper to malfunction, rendering them unusable. Malware and dodgy apps are nothing new on the Google Play store, which has no verification process. But Apple prides itself on its stringent security.

Has the Cupertino company's reputation been besmirched? Let me know in the comments or on Facebook.