Russian hacker cracks iOS in-app purchasing, no jailbreak required

Jul 13, 2012

The iOS in-app purchasing mechanism, which lets you buy digital items in games, upgrade to full versions of apps and purchase additional content, has been cracked by a savvy Russian hacker who posted a proof-of-concept video, embedded below.

First noticed by Russian blog i-ekb.ru (via 9to5Mac), the hack is credited to Russian developer ZonD80 who runs the conveniently named In-AppStore.com website where he collects donations to support development of the project.

What’s special about this method – and potentially devastating to the development community – is that it doesn’t require a jailbreak and can be completed in a few simple steps by even the most inexperienced users.

UPDATE: contrary to reports that Apple took the proxy site down, the developer confirms it’s simply under high load and says the info site is being moved to Blogger.

This is Apple’s worst nightmare come true because, once installed, the crack basically lets anyone obtain in-app content free of charge, in most apps. The method is independent of the iOS version and works on all devices running iOS 3.x to 6.x.

Here’s a clip of the in-app proxy in action.

The published instructions are fairly simple and call for the installation of two certificates (CA and in-appstore.com) and changing the device’s DNS server setting in the Wi-Fi section of Settings. This lets your device contact the Russian server to circumvent the built-in protection, producing this confirmation dialogue.

Not all apps or regions are affected, but it would appear at first glance that the hack circumvents a large enough portion of third-party apps that support in-app purchasing to be called a major issue for Apple and its developers.


The official in-app purchasing method with server product delivery.
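
For developers, server product delivery only helps if the server itself asks the store about the receipt, because the certificates and DNS change described above affect only the device. The sketch below shows that server-side decision; it is an added example, not code from the article or from Apple, and the bundle ID, product IDs, endpoint URL and legacy receipt field names (`bid`, `product_id`, `transaction_id`) are assumptions that do not come from the page.

```python
import json
import urllib.request

# Assumed placeholders: replace with your own app's values.
BUNDLE_ID = "com.example.game"
PRODUCTS = {"com.example.game.coins100", "com.example.game.fullversion"}
STORE_VERIFY_URL = "https://buy.itunes.apple.com/verifyReceipt"


def ask_store(receipt_b64, url=STORE_VERIFY_URL):
    """POST the device-supplied receipt from the server (its DNS and trust store, not the device's)."""
    body = json.dumps({"receipt-data": receipt_b64}).encode()
    req = urllib.request.Request(url, body, {"Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


def should_deliver(store_reply, requested_product, seen_transactions):
    """Return (ok, reason) for one purchase claim, given the store's reply."""
    if store_reply.get("status") != 0:
        return False, "store did not accept the receipt"
    receipt = store_reply.get("receipt") or {}
    if receipt.get("bid") != BUNDLE_ID:
        return False, "receipt belongs to another app"
    product = receipt.get("product_id")
    if product not in PRODUCTS or product != requested_product:
        return False, "receipt is for a different product"
    txn = receipt.get("transaction_id")
    if not txn or txn in seen_transactions:
        return False, "missing or replayed transaction id"
    seen_transactions.add(txn)  # remember it so the same receipt cannot be reused
    return True, "ok"


# Constructed store replies (not captured traffic) covering the cases above.
COINS = "com.example.game.coins100"
GOOD = {"status": 0, "receipt": {"bid": BUNDLE_ID, "product_id": COINS,
                                 "transaction_id": "1000000000000001"}}
OTHER_APP = {"status": 0, "receipt": {"bid": "com.other.app", "product_id": COINS,
                                      "transaction_id": "1000000000000002"}}
REJECTED = {"status": 21002}

if __name__ == "__main__":
    seen = set()
    for name, reply in [("good", GOOD), ("replay", GOOD), ("other app", OTHER_APP), ("rejected", REJECTED)]:
        print(name, should_deliver(reply, COINS, seen))
```
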

We at iDB do not condone piracy and feel strongly against stealing other people’s work. Hopefully, Apple will take notice and take down the Russian site because this is just way too damaging to developers who should always be entitled to getting paid for their hard work.

Do you think Apple should go after this guy immediately?

  • http://twitter.com/Melvin_livefree Melvin Samuelsson

    Let it be
    ~The Beatles

    *think I just got ninja’d by apple, the site is already down…

  • http://twitter.com/frebib Joe Groocock

    Website is already down for me!

  • Allen Dunahoo

    Apple already took the site down.

  • http://twitter.com/Ousstanding Oustanding

    Definitely, this can cause a disruption in the development of new content, especially if the method is leaked to the public.

  • http://www.facebook.com/profile.php?id=1384316579 Byron C Mayes

    Russian, eh? What other information does it send to their servers? And what does that button next to the “LIKE” button say anyway?

    • http://www.facebook.com/joe.jonsen Joe Jonsen

      i would ask those questions of any human project..lol

    • http://iosnmore.tumblr.com/ Allan Chitay

      The button next to the like says “Cancel”!

  • http://www.facebook.com/a7bo0k احمد الجزيري

    if the site down , use

    • http://www.facebook.com/johnbenedict.reyes John Benedict A. Reyes

      where is the instruction and certificate?

  • SimonReidy

    I’m having a moral dilemma. I’ve got a devil dude on my left shoulder saying “at least give it a go man! Imagine what you could try out!” …

    ..but now an older wiser angel dude is on my right shoulder saying “don’t be a dick. you love iOS apps. Support the industry and stay away from piracy and don’t stuff with Russian proxies!”.

    Maybe I’ll just take a quick look..

  • http://www.facebook.com/nihasnebas Nihas Nebas

    a “how to” would be nice…i want to know whether this works 4r amazing spiderman cause iap cracker doesn’t do the job

  • billypuntove

    It’s a damn shame that people can’t use their talent for good. Oh well. This will prompt Apple to patch it up.

    • http://www.facebook.com/joe.jonsen Joe Jonsen

      ITS HUMAN NATURE TO DO SOME GOOD AND SOME BAD THE RATIO TEND TO VARY

      • billypuntove

        Agreed.

      • Outhig

        No need for caps lock man.

    • imot65
      • Uriel Albarran Oropeza

        Agree, inclusive Steve start like a pirate :D

  • http://www.facebook.com/liamsagooch Liam Googolplex Merlyn

    Although I don’t agree with this, I can’t help admitting that this is pretty impressive.

  • Rafael Damasceno

    Apple has done nothing. You can read at the guy’s blog:
    “Hi everyone. I moved info site go blogspot.
    Currently service is down due to high load. Currently we have VPS with 512mb memory aboard, and there is no way to satisfy everyone with such hardware.
    Apple is a big company, I am not. If you want to help me to buy really dedicated 4-quad core server with at least 4gbytes of ram – donate to paypal account zond80@me.com

    Setup of dedicated server usually took 2-3 days. Sorry, guys.”

  • http://twitter.com/myorangeisstuck willie

    since it’s in ios 6 beta, consider the fact that apple may patch it in the future before the actual release.

    • http://twitter.com/nAcolz Acolz

      It’s not on iOS6B, it works on iOS 3.x-6.x

      • http://twitter.com/iKrill Antonio Santos

        It’s a server patch, not a hardware or software patch.

      • http://twitter.com/nAcolz Acolz

        Why did I get downvoted? It even says so in the article. Quote: The method is independent of the iOS version and works on all devices running iOS 3.x to 6.x.

  • NeonCoyote

    Boy, you guys are gullible. The guy is most likely jailbroken and running the iAP cracker dylib. I can fake certs and ask for donations too. You want me to post a video, place some white boxes, and post a PayPal link? I can do it all in 15 minutes.

    • http://twitter.com/patchcable patchcable

      You are naive and you clearly haven’t done any research before commenting.

      • http://www.facebook.com/profile.php?id=530352812 Jayar Gibson

        The fact he says MOST LIKELY makes him naive? The fact is Neon has a point, a very valid point…and given the history of Russian and the Internet are you going to sit there and tell us that this is 100% legitimate with no repercussions? They aren’t going to take our usernames/passwords or tweak our devices in some other way?

      • http://twitter.com/patchcable patchcable

        What makes both of you naive is that neither of you have actually looked into how the exploit works before scaremongering.

        Also, I never said you should trust this guy with your passwords, he even states: “If in-appstore asking you for password. Try to enter something that is not your password and tap to continue.”

        Instead of threatening to spend 15mins to discredit the guy, he could have done some research and would know that he isn’t using iAP Cracker.

        It’s probably worth mentioning that I don’t condone piracy before someone tries to flame me, security vulnerabilities interest me. Apple seem interested to say the least, this isn’t just some cheap parlor trick.

      • http://www.facebook.com/profile.php?id=530352812 Jayar Gibson

        So, instead of answering my question … You go ahead and attack me. I don’t have to spend 15 minutes to discredit him – I could easily do it in 2 minutes.

        In his video, he COULD have iAP Cracker hidden in a folder. You never actually see the settings to see that it’s NOT installed…….that’s all I’m saying.

  • Luis Finke

    that’s a pretty difficult thing to patch. you would have to try to make an exception on proxies for in-app purchases, but that might cause people that are using them for other things to not be able to purchase things while on a proxy.

  • http://www.facebook.com/people/Demetris-Nicolaides/100002386721184 Demetris Nicolaides

    Excuse me but what’s the difference between this one and the Iap cracker that is alive for a long time now?

    • http://twitter.com/haredx haredx

      The difference is that you don’t need a jailbreak for this.

  • http://www.facebook.com/amcolash Andrew McOlash

    While I don’t condone piracy, this would be great for all those paid apps which make you pay more for “premium” content! If you needed to pay to play, don’t make it cheap or free!

    • Uriel Albarran Oropeza

      i prefer buy the app and know what i’m paying, than download a “free app” i hate the in-app buys

  • http://twitter.com/tonyjaajaa tony jaajaa

    interesting

  • http://twitter.com/Death2Kam Kam Perez

    For the people asking what’s the diff between this and IAPFree or IAPCracker, is that those cydia ones can’t mess with Zynga apps or apps that have a server side checks, This one, in the video the first app he shows you can’t with either, so there is NO LIMITATION to which app it can do it to, so Zynga used to be safe, but with this…damn.

  • Uriel Albarran Oropeza

    What’s the big deal? actually is only a DLC buy, you can’t restore or buy anything that needs a server verification, like: where’s my water, Order and Chaos, Simpsons tap out, Mega jump and others, this is only useful if you want make illegal buys on a non-jailbroken iPhone

  • http://twitter.com/therealjdizzle Jason Masters

    I like when he says “let’s like it agaain” lol

  • techismine

    this is a cool thing without need to jailbreak

  • http://www.facebook.com/profile.php?id=1021178743 Marnix Robyns

    DON’T DO IT! i did it to try it out but when i wanted to delete the certificate it wasn’t possible they tricked us

  • http://www.facebook.com/analogesque Micke Lundgren

    Seriously though. If I were a developer and knew that my hard work wasn’t surely paid for, I would just stop developing for iOS. These kinds of things are ruining the App Store for us honest guys, because seriously, if you don’t get paid for your hard work, what’s the meaning of working anyway? I’m sure you guys don’t go to work for free, so why should the developers?

    • http://www.facebook.com/profile.php?id=1595420643 Simche Apple Konstantinovic

      True, but that should not stop you developing! Everyone’s goal should be to make an excellent app, not some cheap looking shit that, for extra features, require in-app purchases! Money should not be the priority, cause when you make something good, money comes by themselves! You just have to make it great! :)

    • http://www.facebook.com/profile.php?id=530352812 Jayar Gibson

      Absolutely not. There are coding work arounds that allow for IAP and “cracked” Apps to fail on launch and when IAPs are being purchased. I don’t know what your thought process is behind the comment but please do your research before making crazy statements like this.

      • http://www.facebook.com/analogesque Micke Lundgren

        Crazy statement? Hardly. I know for a FACT that this is the way it looks. Please don’t exaggerate, my friend.

      • http://www.facebook.com/profile.php?id=530352812 Jayar Gibson

        Firstly, I don’t know you so the concept of “friend” is clearly lost somewhere between Sweden and Australia.

        Secondly, since there are things Developers can do to prevent cracked Apps working then there is no reason why they should stop developing so I’m not sure what you’re talking about…but let’s try and stay on topic, even if it’s just for ONE ARTICLE.

        (See, I can do capital letters too!!)

  • 1337lolzorz

    In Russia, app purchase you!

    • Altaykai Yamada

      I like to Sh1t on your so-called right now…You know that?

  • TheAngryPenguin

    “I can see the Apple ID and password,” for accounts that try the hack, Borodin told Macworld.

    • EpicFacepalm

      Lol it works with fake ID and password

  • http://twitter.com/Max_Kas Max Kaslick

    I love that CSR racing is the first app example haha. Not saying I approve but that app abuses freemium way more than others and deserves it a little.

  • seyss

    IDb is now blocking posts they don’t like?

  • http://twitter.com/JaviMccoy Javi Mccoy

    If you have a prepaid credit card, with any amount of $ on it. The apple store will let you charge up to $42 on the credit card. That’s how you do it. It’s legit

  • http://www.GoldenGateDomains.com/ Golden Gate Domains

    I think Apple should offer this guy an “upper management” job to find security vulnerabilities!!!

    If he is this clever, it would be best to have him “playing” on their TEAM!!!

  • seyss

    Xsellize

  • Kevin Wolf

    So, does this, or does this not work for server side purchases. Because from what I’m reading looks like this is all client side IAPs. Anyone want to confirm or decline this?

  • Andy

    All developers are smart, who make the apps and who make app cracker. We should appreciate that. You want to use app and got $$$s buy it. I wanna use app don’t got $$$$s I steal it. Don’t make big mouth.