Apple to close in-app purchase hack in iOS 6, offers interim fix

Apple has laid out a new support document that tells developers how to protect their apps from a hack that made in-app purchases free. The company also said it will be patched in iOS 6.

Josh Lowensohn Former Senior Writer
Josh Lowensohn joined CNET in 2006 and now covers Apple. Before that, Josh wrote about everything from new Web start-ups, to remote-controlled robots that watch your house. Prior to joining CNET, Josh covered breaking video game news, as well as reviewing game software. His current console favorite is the Xbox 360.

Apple has outlined a way for iOS developers to protect themselves against an exploit that lets users gain free access to paid add-on content sold within their apps.

In a new support document posted today, the company provided detailed guidelines, urging developers to use its receipt validation system that cross-checks purchases made inside applications with the company's own records. It also said that it will be taking extra precautions to keep this from happening in the next version of iOS, due out later this year.

"We recommend developers follow best practices at developer.apple.com to help ensure they are not vulnerable to fraudulent In-App purchases," Apple spokesperson Tom Neumayr told CNET. "This will also be addressed with iOS 6."

The exploit was created by Russian programmer Alexey Borodin, and appeared late last week. It uses a proxy system to send purchase requests to third-party servers where they are validated and sent back to the application as if the transaction had gone through. In order to use the trick, users needed to install special security certificates on their devices, as well as be on a Wi-Fi network.
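As an added illustration (not code from the article, from Apple's support document, or from any app), the following Python sketch of a server-side check shows the kind of cross-checking Apple's guidance calls for: the verification answer must come from Apple's own store host rather than a substituted server, and the receipt's bundle identifier, product identifier and transaction identifier must match what the app expects, with each transaction credited only once. The store host names, the JSON field names and every sample value below are assumptions or constructed for the demo.

```python
import json

# Constructed identifiers for a hypothetical app (not from the article).
EXPECTED_BUNDLE_ID = "com.example.game"
KNOWN_PRODUCT_IDS = {"com.example.game.coins100", "com.example.game.remove_ads"}

# Only Apple's store should ever answer a receipt check. The attack in the
# article worked by steering that check to a third-party server, so the host
# that actually answered is part of the decision. (Assumed host names.)
TRUSTED_VERIFY_HOSTS = {"buy.itunes.apple.com", "sandbox.itunes.apple.com"}


def validate_receipt_response(answering_host, body, expected_product_id, credited):
    """Decide whether a purchase may be credited.

    answering_host: host that returned the verification response, taken from
        the server's own HTTPS connection, never from anything the client sent.
    body: raw JSON text of the verification response.
    expected_product_id: the product the client claims to have bought.
    credited: server-side set of transaction ids already credited.
    Returns (ok, reason). The field names status, receipt.bid,
    receipt.product_id and receipt.transaction_id are assumed here.
    """
    if answering_host not in TRUSTED_VERIFY_HOSTS:
        return False, "verification answered by untrusted host"
    try:
        data = json.loads(body)
    except ValueError:
        return False, "malformed response"
    if data.get("status") != 0:
        return False, "store did not accept the receipt"
    receipt = data.get("receipt") or {}
    # A receipt from another app's purchase could be replayed; bind it to our bundle.
    if receipt.get("bid") != EXPECTED_BUNDLE_ID:
        return False, "bundle id mismatch"
    # The receipt must describe the product the client is asking to unlock.
    product_id = receipt.get("product_id")
    if product_id not in KNOWN_PRODUCT_IDS or product_id != expected_product_id:
        return False, "product id mismatch"
    # One transaction buys one unit; the same receipt must not credit twice.
    tx = receipt.get("transaction_id")
    if not tx:
        return False, "missing transaction id"
    if tx in credited:
        return False, "transaction already credited"
    credited.add(tx)
    return True, "ok"


def _body(bid, product_id, tx, status=0):
    """Build a constructed verification response for the demo."""
    return json.dumps({"status": status,
                       "receipt": {"bid": bid, "product_id": product_id,
                                   "transaction_id": tx}})


def demo():
    """Run the validator over constructed cases; returns a list of (ok, reason)."""
    credited = set()
    coins = "com.example.game.coins100"
    genuine = _body(EXPECTED_BUNDLE_ID, coins, "1000000000000001")
    cases = [
        ("buy.itunes.apple.com", genuine, coins),   # genuine purchase, credited once
        ("buy.itunes.apple.com", genuine, coins),   # same receipt presented again
        ("proxy.invalid", genuine, coins),          # answered by a non-Apple host
        ("buy.itunes.apple.com", _body("com.other.app", coins, "1000000000000002"), coins),
        ("buy.itunes.apple.com",
         _body(EXPECTED_BUNDLE_ID, "com.example.game.remove_ads", "1000000000000003"), coins),
        ("buy.itunes.apple.com", _body(EXPECTED_BUNDLE_ID, coins, "1000000000000004", status=21002), coins),
    ]
    return [validate_receipt_response(h, b, p, credited) for h, b, p in cases]


if __name__ == "__main__":
    for ok, reason in demo():
        print("CREDIT" if ok else "REJECT", reason)
```

The point of the host check is that it has to be made on the developer's own server, which opens its own connection to Apple; a device whose certificates and network path have been tampered with cannot be trusted to report who answered.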

The new support document includes details on how to set up protection through Apple's receipt validation system, as well as instructions for validating transactions that have already been completed. In addition to posting the information on its site, Apple sent out the following e-mail to developers urging them to set up the receipt validation:

Image: Message sent to Apple developers on Friday. (CNET)

It's unclear how many developers were, and continue to be, targeted by the exploit. In an interview with The Next Web last week, Borodin said that more than 30,000 in-app purchases were made using the service.