The iOS in-app purchasing mechanism, which lets you buy digital items in games, upgrade to full versions of apps and purchase additional content, has been cracked by a savvy Russian hacker who posted a proof-of-concept video, embedded below.

First noticed by Russian blog (via 9to5Mac), the hack is credited to Russian developer ZonD80 who runs the conveniently named website where he collects donations to support development of the project.

What’s special about this method – and potentially devastating to the development community – is that it doesn’t require a jailbreak and can be completed in a few simple steps by even the most inexperienced users. UPDATE: contrary to reports that Apple took the proxy site down, developer confirms it’s simply under high load and says the info site is being moved to Blogger.

This is Apple’s worst nightmare come true because, once installed, the crack basically lets anyone obtain in-app content free of charge, in most apps. The method is independent of the iOS version and works on all devices running iOS 3.x to 6.x.

Here’s a clip of the in-app proxy in action.

The published instructions are fairly simple and call for the installation of two certificates (CA and and changing a device’s DNS record in the WiFi section of Settings. This lets your device contact the Russian server to circumvent the built-in protection, producing this confirmation dialogue.

Not all apps or regions are affected, but it would appear at first glance that the hack circumvents a large enough portion of third-party apps that support in-app purchasing to be called a major issue for Apple and its developers.

The official in-app purchasing method with server product delivery.
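Apps that deliver content from their own server do not have to trust what a device with added certificates and altered DNS relays to them. An added example, not from the original article or from Apple: the checks such a server would run on a verification reply it fetched itself over its own connection. The reply layout is modelled on Apple's verifyReceipt JSON, and the bundle id, product id and sample replies are constructed.

```python
# Added example: server-side checks on a receipt-verification reply.
# Assumption: reply fields (status, receipt.bid, product_id, transaction_id)
# follow Apple's verifyReceipt JSON. All identifiers and values are constructed.

BUNDLE_ID = "com.example.game"              # hypothetical app
PRODUCT = "com.example.game.coins100"       # hypothetical product id


class ReceiptChecker:
    def __init__(self, bundle_id, catalogue):
        self.bundle_id = bundle_id
        self.catalogue = set(catalogue)
        self.seen = set()  # redeemed transaction ids; a database in production

    def check(self, reply, requested_product):
        """Return (ok, reason) for a reply the server obtained itself."""
        if reply.get("status") != 0:
            return False, "verification failed"
        receipt = reply.get("receipt") or {}
        # A valid receipt from some other app must not unlock this one.
        if receipt.get("bid") != self.bundle_id:
            return False, "receipt issued for another app"
        product = receipt.get("product_id")
        if product not in self.catalogue or product != requested_product:
            return False, "product mismatch"
        txn = receipt.get("transaction_id")
        if not txn:
            return False, "missing transaction id"
        # One receipt, one delivery: reject replays of a shared receipt.
        if txn in self.seen:
            return False, "transaction already redeemed"
        self.seen.add(txn)
        return True, "deliver content"


# Constructed sample replies.
GENUINE = {"status": 0, "receipt": {"bid": BUNDLE_ID, "product_id": PRODUCT,
                                    "transaction_id": "1000000000000001"}}
FOREIGN = {"status": 0, "receipt": {"bid": "com.other.app", "product_id": PRODUCT,
                                    "transaction_id": "1000000000000002"}}
REJECTED = {"status": 21002}  # any non-zero status means not verified


def run_samples():
    checker = ReceiptChecker(BUNDLE_ID, [PRODUCT])
    return [checker.check(r, PRODUCT)
            for r in (GENUINE, GENUINE, FOREIGN, REJECTED)]


if __name__ == "__main__":
    for ok, reason in run_samples():
        print(ok, reason)
```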

We at iDB do not condone piracy and feel strongly against stealing other people’s work. Hopefully, Apple will take notice and take down the Russian site because this is just way too damaging to developers who should always be entitled to be paid for their hard work.

Do you think Apple should go after this guy immediately?

  • Definitely, this can cause a disruption in the development of new content, especially if the method is leaked to the public.

  • Russian, eh? What other information does it send to their servers? And what does that button next to the “LIKE” button say anyway?

    • i would ask those questions of any human

    • The button next to the like say “Cancel”!

    I’m having a moral dilemma. I’ve got a devil dude on my left shoulder saying “at least give it a go man! Imagine what you could try out!” …

    ..but not an older wiser angel dude is on my right shoulder saying “don’t be a dick. you love iOS apps. Support the industry and stay away from piracy and don’t stuff with Russian proxies!”.

    Maybe I’ll just take a quick look..

  • a “how to would be nice”…i want to know whether this works for amazing spiderman cause iap cracker doesn’t do the job

    It’s a damn shame that people can’t use their talent for good. Oh well. This will prompt Apple to patch it up.


      • Uriel Albarran Oropeza

        Agree, inclusive Steve start like a pirate 😀

  • Although I don’t agree with this, I can’t help admitting that this is pretty impressive.

    Apple has done nothing. You can read at the guy’s blog:
    “Hi everyone. I moved info site go blogspot.
    Currently service is down due to high load. Currently we have VPS with 512mb memory aboard, and there is no way to satisfy everyone with such hardware.
    Apple is a big company, I am not. If you want to help me to buy really dedicated 4-quad core server with at least 4gbytes of ram – donate to paypal account

    Setup of dedicated server usually took 2-3 days. Sorry, guys.”

  • since it’s in ios 6 beta, consider the fact that apple may patch it in the future before the actual release.

    • It’s not on iOS6B, it works on iOS 3.x-6.x

      • It’s a server patch, not a hardware or software patch.

      • Why did I get downvoted? It even says so in the article. Quote: The method is independent of the iOS version and works on all devices running iOS 3.x to 6.x.

    Boy, you guys are gullible. The guy is most likely jailbroken and running the iAP cracker dylib. I can fake certs and ask for donations too. You want me to post a video, place some white boxes, and post a PayPal link? I can do it all in 15 minutes.

    • You are naive and you clearly haven’t done any research before commenting.

      • The fact he says MOST LIKELY makes him naive? The fact is Neon has a point, a very valid point…and given the history of Russian and the Internet are you going to sit there and tell us that this is 100% legitimate with no repercussions? They aren’t going to take our usernames/passwords or tweak our devices in some other way?

      • What makes both of you naive is that neither of you have actually looked into how the exploit works before scaremongering.

        Also, I never said you should trust this guy with your passwords, he even states: “If in-appstore asking you for password. Try to enter something that is not your password and tap to continue.”

        Instead of threatening to spend 15mins to discredit the guy, he could have done some research and would know that he isn’t using iAP Cracker.

        It’s probably worth mentioning that I don’t condone piracy before someone tries to flame me, security vulnerabilities interest me. Apple seem interested to say the least, this isn’t just some cheap parlor trick.

      • So, instead of answering my question … You go ahead and attack me. I don’t have to spend 15 minutes to discredit him – I could easily do it in 2 minutes.

        In his video, he COULD have iAP Cracker hidden in a folder. You never actually see the settings to see that it’s NOT installed…….that’s all I’m saying.

    that’s a pretty difficult thing to patch. you would have to try to make an exception on proxies for in-app purchases, but that might cause people that are using them for other things to not be able to purchase things while on a proxy.

  • Excuse me but what’s the difference between this one and the Iap cracker that is alive for a long time now?

    • The difference is that you don’t need a jailbreak for this.

  • While I don’t condone piracy, this would be great for all those paid apps which make you pay more for “premium” content! If you needed to pay to play, don’t make it cheap or free!

      i prefer buy the app and know what i’m paying, than download a “free app” i hate the in-app buys

  • For the people asking what’s the diff between this and IAPFree or IAPCracker, is that those cydia ones can’t mess with Zynga apps or apps that have a server side checks, This one, in the video the first app he shows you can’t with either, so there is NO LIMITATION to which app it can do it to, so Zynga used to be safe, but with this…damn.

    What’s the big deal? actually is only a DLC buy, you can’t restore or buy anything that needs a server verification, like: where’s my water, Order and Chaos, Simpsons tap out, Mega jump and others, this is only useful if you want make illegal buys on a non-jailbroken iPhone

  • I like when he says “let’s like it agaain” lol

    this is a cool things without need to jailbreak

  • DON’T DO IT! i did it to try it out but when i wanted to delete the certificate it wasn’t possible they tricked us

  • Seriously though. If I were a developer and knew that my hard work wasn’t surely paid for, I would just stop developing for iOS. These kinds of things are ruining the App Store for us honest guys, because seriously, if you don’t get paid for your hard work, what’s the meaning of working anyway? I’m sure you guys don’t go to work for free, so why should the developers?

    • True, but that should not stop you developing! Everyone’s goal should be to make an excellent app, not some cheap looking shit that, for extra features, require in-app purchases! Money should not be the priority, cause when you make something good, money comes by themselves! You just have to make it great! 🙂

    • Absolutely not. There are coding work arounds that allow for IAP and “cracked” Apps to fail on launch and when IAPs are being purchased. I don’t know what your thought process is behind the comment but please do your research before making crazy statements like this.

      • Crazy statement? Hardly. I know for a FACT that this is the way it looks. Please don’t exaggerate, my friend.

      • Firstly, I don’t know you so the concept of “friend” is clearly lost somewhere between Sweden and Australia.

        Secondly, since there are things Developers can do to prevent cracked Apps working then there is no reason why they should stop developing so I’m not sure what you’re talking about…but let’s try and stay on topic, even if it’s just for ONE ARTICLE.

        (See, I can do capital letters too!!)

    In Russia, app purchase you!

    “I can see the Apple ID and password,” for accounts that try the hack, Borodin told Macworld.

  • I love that CSR racing is the first app example haha. Not saying I approve but that app abuses freemium way more than others and deserves it a little.

  • If you have a prepaid credit card, with any amount of $ on it. The apple store will let you charge up to $42 on the credit card. That’s how you do it. It’s legit

  • I think Apple should offer this guy an “upper management” job to find security vulnerabilities!!!

    If he is this clever, it would be best to have him “playing” on their TEAM!!!

    So, does this, or does this not work for server side purchases. Because from what I’m reading looks like this is all client side IAPs. Anyone want to confirm or decline this?

    Ha, ha, ha, brilliant, finally, someone giving the greedy pigs some of their own well covered up medicine. Makes me sick these large corporations who think they own the world and one’s privacy. Hack the heck out of them. When crapple decides to let go of its gestapo closed system and starts using some of its massive profits to support developers who make their hardware enjoyable, then, my friends, we will move to a world in which freedom of knowledge outweighs greed beyond all comprehension. So, crapple takes from Samsung, they then lose in court, and then they still make it impossible for anyone to actually completely own their device. If you ask me, it is not the pirates hurting the developers, it is the massive corporations charging a million dollars for a five dollar device and O.S.

    I hope you Apple pigs catch a wake up and I hope every single hacker in every basement/office in the world tries to hack every new security feature you force on to your loyal clients. I mean, seriously, we cannot even customize the interface without jailbreaking the device. Give us freedom, give us options, pay your developers and maybe cut back on the imperialist spying and iron clad contracts. I have never before seen something that sickens me so much. You try to use fear to control. You use your mass media to demonize ordinary folk who just don’t have the cash to buy apps after they spent a fortune saving up to buy your devices. So, who is the real monsters, hurting the developers. Actually, I can’t wait until China cashes in their huge stash of U.S bonds, then you will be forced to adhere to your claims of freedom and Independence, in the markets and in the devices you spew out onto the masses.

    Anyways, that is just my view, I am sure there are many sheep willing to put up with these fat pigs blindfold of propaganda. Heck, you can probably customize a calculator more than an apple device. Freedom, Honesty, Openness, Sharing, Support, we are the people, we clean your houses, we deliver your food, we clean your streets, do not mess with us, you have been warned!

